Last week, I wrote a post on an interesting CIP-007 R2 patch management compliance question, related to the Spectre/Meltdown patching issue. I had guessed that, in a particular case described in that post (in item 9 near the end), the Microsoft patch would be deemed applicable and the entity would still be required to develop a mitigation plan, even though they couldn’t actually install the patch. Shortly thereafter, I received an email from a good friend, Joe Garmon, disputing my statement that the patch would be applicable in this case. You can read my summary of Joe’s argument in this post.
I thought this matter was settled, until an auditor wrote in to dispute Joe’s assertion. I have quoted his email verbatim below. I do want to point out that I’m not writing all of these posts because I think there are a lot of organizations that will be in the same situation as the hypothetical entity I described in my first post; in fact, I’d be surprised if there were any NERC entities at all in that situation. I’m doing this because I think the discussion provides good insight into an important question about CIP-007 R2 – just what the word “applicable” means.

Here are the auditor’s words:
“Respectfully, Joe is incorrect. Joe has confused applicability with installability. The two concepts are distinctly different.

The patch is applicable to the operating system (Microsoft, Linux, etc.). The patch is incompatible with the installed anti-virus software. The patch, therefore, cannot be installed. But that does not mean the vulnerability has magically gone away, and it does not mean that the patch is no longer applicable. Were the anti-virus incompatibility not to exist, Joe would be installing the patch, assuming there were no other reasons to mitigate instead.

And therefore, as the patch remains applicable (and needs to be mitigated until such time as the patch can be installed), Joe’s observation that he would not have to go back and apply the patch once he changed out his anti-virus software for something that is compatible is also incorrect. Again, the vulnerability is addressed with a patch to the operating system, not to the anti-virus software. It would not be applicable only if Joe were not running a version of the operating system for which the patch can be installed (e.g., a Microsoft Windows 7 patch would not be applicable to Windows 10 or Linux).

Taking all this into consideration, Joe is incorrect on one last point. The auditor will not give Joe an Area of Concern. Joe will receive a Potential Non-Compliance finding.

Now, here is the real nuance. The patch is applicable if and when the identified patch source announces the patch. So, if his patch source is the operating system vendor or a commercial third-party patch provider (and there are many), then the patch will pop up on radar and it will be deemed applicable. If, however, Joe’s patch source is his SCADA/EMS vendor and, for some reason, the vendor’s very poor practice is to not announce the availability of an operating system patch that is incompatible with its SCADA products, then Joe is off the hook from a compliance perspective. That is a scenario where Joe might receive an Area of Concern. But don’t assume the vendor’s practice is that poor. Most SCADA/EMS vendors, if not all, will advise their clients that the patch is available but cannot be installed. And a vendor that simply hides the incompatible patch is really doing a major disservice to its clients.”
The views and opinions expressed here are my own, and do not reflect those of any organization I work with or for. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.