Monta Elkins, Hacker-in-Chief[i] of FoxGuard Solutions, dropped me an email recently to point out a post he’d written for the company’s blog regarding a problem I’d never heard of: “retropatches”. This is a problem that wouldn’t arise at all were it not for a prescriptive patching requirement like CIP-007 R2 (and I doubt such a prescriptive patching requirement exists anywhere else in the known universe, although I can’t vouch for any parallel universes).
I’ll let Monta provide the details (the post is very easy to read, and provides very compelling evidence), but in brief, FoxGuard (one of whose businesses is researching and providing available patches for ICS devices, meaning they can be your close-to-one-stop-shop patch source) has discovered that vendors sometimes publish patches weeks or months after the official release date printed on the patch[ii]. In other words, the date you see on the vendor’s site today is not necessarily the date the patch first became available for download.
Of course, CIP-007 R2 requires that you, during an audit, be prepared to provide evidence that you checked your patch sources for new security patches at least every 35 days, evaluated the new ones for applicability to software installed on devices in your ESP, and obtained the applicable ones. This means it’s very possible that an auditor will notice there were some months where you documented that no new patch was available, yet when the auditor checks the vendor’s website, they see a patch whose stated release date falls before one of your checks. The auditor might well ask why you didn’t download this patch when you checked for patches in the month after its stated release. And you will reply, in best audit response mode, “Well, I…uh…hmm, I must have missed that.” Then you get ready to give your boss some very unwelcome news.
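The practical defense against this is to keep evidence of what the patch source actually showed on each check date, not just a note saying “checked, nothing new.” The following is an added example (mine, not code from the post or from FoxGuard) that reconciles a set of dated check snapshots against a vendor’s current patch list: it flags any patch whose stated release date falls before a check that did not see it, and also flags any pair of checks more than 35 days apart. The patch identifiers, dates and the `CheckEvidence`/`VendorPatch` structures are constructed for illustration and do not refer to any real vendor or patch.

```python
"""Reconcile CIP-007 R2 patch-check evidence against a vendor's current patch list.

A "retropatch" is a patch whose vendor-stated release date is earlier than
the date it actually appeared at the patch source. If your evidence records
exactly which patch identifiers were visible on each check date, you can
show an auditor that such a patch was not there when you looked.
All data below is constructed sample data, not a real vendor's patch list.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MAX_INTERVAL_DAYS = 35  # CIP-007 R2 Part 2.2: evaluate at least every 35 calendar days


@dataclass(frozen=True)
class CheckEvidence:
    """One dated snapshot of the identifiers visible at the patch source.

    In practice this should be backed by a saved copy of the vendor page
    (or its hash), so the snapshot is evidence rather than a self-assertion.
    """
    checked_on: date
    patches_seen: frozenset[str]


@dataclass(frozen=True)
class VendorPatch:
    """A patch as listed on the vendor's site today, with its stated release date."""
    patch_id: str
    stated_release: date


def interval_gaps(evidence: list[CheckEvidence], max_days: int = MAX_INTERVAL_DAYS):
    """Return (previous, next) check-date pairs that are more than max_days apart."""
    dates = sorted(e.checked_on for e in evidence)
    return [(a, b) for a, b in zip(dates, dates[1:]) if (b - a).days > max_days]


def find_retropatches(evidence: list[CheckEvidence], vendor_patches: list[VendorPatch]):
    """Flag patches that were not visible at a check made on or after their stated release.

    Returns {patch_id: (first_check_that_saw_it_or_None, [check dates that missed it])}.
    A patch whose stated release is later than every check is not flagged: no
    check could have been expected to see it yet.
    """
    checks = sorted(evidence, key=lambda e: e.checked_on)
    flagged = {}
    for patch in vendor_patches:
        first_seen = next(
            (c.checked_on for c in checks if patch.patch_id in c.patches_seen), None
        )
        missed = [
            c.checked_on
            for c in checks
            if c.checked_on >= patch.stated_release            # should have been visible
            and (first_seen is None or c.checked_on < first_seen)
            and patch.patch_id not in c.patches_seen           # ...but was not
        ]
        if missed:
            flagged[patch.patch_id] = (first_seen, missed)
    return flagged


# Constructed evidence: four checks, one of them 41 days after the previous one.
EVIDENCE = [
    CheckEvidence(date(2019, 1, 15), frozenset({"PATCH-1"})),
    CheckEvidence(date(2019, 2, 15), frozenset({"PATCH-1"})),
    CheckEvidence(date(2019, 3, 15), frozenset({"PATCH-1", "PATCH-2", "PATCH-3"})),
    CheckEvidence(date(2019, 4, 25), frozenset({"PATCH-1", "PATCH-2", "PATCH-3", "PATCH-4"})),
]

# Constructed vendor list as it reads today. PATCH-2 is the retropatch: its
# stated date is 2019-01-20, but it was not visible on the 2019-02-15 check.
VENDOR_PATCHES = [
    VendorPatch("PATCH-1", date(2018, 12, 1)),
    VendorPatch("PATCH-2", date(2019, 1, 20)),
    VendorPatch("PATCH-3", date(2019, 3, 1)),
    VendorPatch("PATCH-4", date(2019, 3, 20)),
]


def audit_report(evidence: list[CheckEvidence], vendor_patches: list[VendorPatch]) -> list[str]:
    """Human-readable summary of interval gaps and retropatches."""
    lines = []
    for a, b in interval_gaps(evidence):
        lines.append(f"GAP: {(b - a).days} days between checks on {a} and {b}")
    for pid, (first_seen, missed) in find_retropatches(evidence, vendor_patches).items():
        lines.append(
            f"RETROPATCH: {pid} not visible on {', '.join(map(str, missed))}; "
            f"first seen {first_seen}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report(EVIDENCE, VENDOR_PATCHES)))
```

Run as a script it prints one gap line (the 41-day stretch between the March and April checks) and one retropatch line for PATCH-2. The point is that the retropatch finding is exonerating rather than incriminating only if `patches_seen` is derived from a preserved capture of the source on that date; a spreadsheet cell reading “no new patches” cannot show that PATCH-2 was absent.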
I recommend you read the post to make sure this doesn’t happen to you!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – and especially on compliance with CIP-013; we also work with security product or service vendors that need help articulating their message to the power industry. To discuss this, you can email me at the same address.
[i] This title is very appropriate. If you’ve never seen Monta demonstrate how to hack into an electric drill and get it to play the Darth Vader theme…well, I’ll just say it should be on your bucket list.
[ii] Monta points out that this doesn’t mean vendors are deliberately backdating patches, just that they’re probably dating them by when they start building the patch or something like that. He also points out that most vendors would never dream this would cause a problem for customers – since they never dreamed (or “nightmared”) that there would be a requirement which threatens a million-dollar-a-day fine for not downloading a single patch. This is certainly understandable. I wouldn’t believe it either, if I didn’t know it’s true.