Thursday, January 25, 2018

An Auditor Weighs in on the Patch Management Question


Last week, I wrote a post on an interesting CIP-007 R2 patch management compliance question, related to the Spectre/Meltdown patching issue. I had guessed that, in a particular case described in that post (in item 9 near the end), the Microsoft patch would be deemed applicable and the entity would still be required to develop a mitigation plan, even though they couldn’t actually install the patch. Shortly thereafter, I received an email from a good friend, Joe Garmon, disputing my statement that the patch would be applicable in this case. You can read my summary of Joe’s argument in this post.

I thought this matter was settled, when an auditor wrote in to dispute Joe’s assertion. I have quoted his email verbatim below. I do want to point out that I’m not doing all of these posts because I think there are a lot of organizations that will be in the same situation as the hypothetical entity I described in my first post; in fact, I’d be surprised if there were any NERC entities at all in that situation. I’m doing this because I think the discussion provides good insight into an important question about CIP-007 R2 – just what the word “applicable” means. Here are the auditor’s words:


“Respectfully, Joe is incorrect.  Joe has confused applicability with installability.  The two concepts are distinctly different.

The patch is applicable to the operating system (Microsoft, Linux, etc.).  The patch is incompatible with the installed anti-virus software.  The patch, therefore, cannot be installed.  But that does not mean the vulnerability has magically gone away and it does not mean that the patch is no longer applicable.  Were the anti-virus incompatibility not to exist, Joe would be installing the patch, assuming there were no other reasons to mitigate instead.

And therefore, as the patch remains applicable (and needs to be mitigated until such time as the patch can be installed), Joe’s observation that he would not have to go back and apply the patch once he changed out his anti-virus software with something that is compatible is also incorrect.  Again, the vulnerability is addressed with a patch to the operating system, not to the anti-virus software.  It would not be applicable only if Joe was not running a version of the operating system for which the patch can be installed (e.g., a Microsoft Windows 7 patch would not be applicable to Windows 10 nor Linux).

Taking all this into consideration, Joe is incorrect on one last point.  The auditor will not give Joe an Area of Concern.  Joe will receive a Potential Non-Compliance finding.

Now, here is the real nuance.  The patch is applicable if and when the identified patch source announces the patch.  So, if his patch source is the operating system vendor or a commercial third-party patch provider (and there are many), then the patch will pop up on radar and it will be deemed applicable.  If, however, Joe’s patch source is his SCADA/EMS vendor and, for some reason, the vendor’s very poor practice is to not announce the availability of an operating system patch that is incompatible with its SCADA products, then Joe is off the hook from a compliance perspective.  That is a scenario where Joe might receive an Area of Concern.  But don’t assume the vendor’s practice is that poor.  Most SCADA/EMS vendors, if not all, will advise their clients that the patch is available but cannot be installed.  And a vendor that simply hides the incompatible patch is really doing a major disservice to its clients.”



The views and opinions expressed here are my own, and do not reflect those of any organization I work with or for. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com
