Last week, I posted about the implications of Microsoft’s Spectre/Meltdown patch for CIP-007 R2 patch management compliance. At the end of the post, I discussed (in item 9) a possible issue in the case where your HMI vendor doesn’t mandate using a particular antivirus software vendor, but the vendor you are using won’t support the patch. I further stipulated that it wouldn’t be easy to replace your A/V vendor, for some reason. I stated in the post that it seemed clear to me that, in this case, you would need to deem the patch applicable to your HMI; since you wouldn’t be able to install it, you would need to develop a mitigation plan.
However, on Friday I got an email from a longtime friend and a very knowledgeable CIP expert, Joe Garmon, Senior Manager of Safety and Security at a G&T coop in Florida (who emphasized that his opinions were solely his own). He pointed out that, for the patch to be applicable, it would have to work in the current software configuration – you shouldn’t have to take extra measures like replacing your A/V vendor in order to get the patch to work. Given that the patch would only work if you replaced your antivirus vendor (as in the case we’re discussing), it’s not applicable. Moreover, even if in the future you replace your A/V vendor with one that will support the patch, you’re not obligated to go back and install this patch.
This peculiarity is due to CIP-007 R2.2, which only requires that you review patches for applicability that were released since the last evaluation, and per R2.3 you only have to install or mitigate patches that are applicable.
Of course, having said the above with his compliance hat on, Joe put on his security hat. He then said that it would obviously be a good security practice to take other mitigating steps if you couldn’t deploy the patch; and if in the future you do replace your A/V vendor, you should certainly try to install the patch then (although, since MS patches are cumulative, you would only have to install the most recent patch available at the time).
Of course, Joe said he expects that an auditor who came across this situation – where the entity had not installed the patch but also had not taken any mitigation measures – would issue an Area of Concern to the entity, indicating they should mitigate the threat addressed by the patch. But this shouldn’t be a matter of compliance with CIP-007 R2.
The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.