According to a report issued this week from Trend Micro, the average time between disclosing a bug to a SCADA vendor to releasing a patch reaches up to 150 days. On the one hand, that’s better than the average time it takes leading enterprise software companies to plug holes, the report says. On the other, it’s an average of 30 days longer than it usually takes Microsoft or Adobe to release a patch. Edgard Capdevielle, CEO at Nozomi Networks commented below.
Edgard Capdevielle, CEO at Nozomi Networks:
“While some experts have suggested that air gapping protects SCADA systems, maintaining this type of isolation has proven problematic. Instead, a more pragmatic approach is to accept industrial control systems are increasingly connected to enterprise systems and the internet making network segmentation, firewalls and monitoring essential.
“When it comes to security the saying, ‘It takes a village’ rings true. We all need to work together to reduce the existence of vulnerabilities which in turn negates the need to patch them. Progress is being made on all fronts from original equipment manufacturers, computer emergency response teams, and SCADA operators who together have compressed the time to discover and remediate vulnerabilities so things are improving, but that must continue.”
Speaking to Trend Micro’s report’s finding that the average time between disclosing a bug to a SCADA vendor to releasing a patch reaches up to 150 days, Edgard adds:
“While 150 days for vendors to issue patches might seem a long time, it is just the first step. Once available operators need to plan how and when to implement which, within ICS, can be problematic as system upgrade cycles can in themselves be lengthy. If you need to stop the operation [i.e. power generators, manufacturing, gas and oil refining] for maintenance, this has to be planned well in advance. That said, operators can use automation and technology to speed the process by having the means to rapidly query industrial devices to determine if the affected equipment or version is present in the first instance. Also is the ability to determine the criticality of the affected system which, in turn, will determine the prioritization for applying the update. Real-time monitoring is also necessary to identify any anomalies or intrusions that might be attempting to exploit the vulnerability while waiting for the patch to be applied.”