Monta Elkins,
Hacker-in-Chief[i]
of FoxGuard Solutions, dropped me an email recently to point out a post
he’d written for the company’s blog regarding a problem I’d never heard of: “retropatches”.
This is a problem that wouldn’t arise at all were it not for a prescriptive
patching requirement like CIP-007 R2 (and I doubt such a prescriptive patching
requirement exists anywhere else in the known universe, although I can’t vouch
for any parallel universes).
I’ll let Monta provide the details (the post is very easy to read, and provides very compelling evidence), but in brief: FoxGuard (one of whose businesses is researching and providing available patches for ICS devices, meaning they can be your close-to-one-stop-shop patch source) has discovered that vendors sometimes make patches available weeks or months after the official date stamped on the patch[ii]. In other words, the date you see on the vendor’s site is not necessarily the date the patch first became downloadable.
Of course, CIP-007 R2 requires that you be prepared, during an audit, to provide evidence that you checked for new security patches at least every 35 days and obtained the ones applicable to software installed on devices in your ESP. This means it’s very possible that an auditor will notice there were some months where you documented that no new patch was available, yet when the auditor checks the vendor’s website, they see a patch whose posted date falls before the date you checked. The auditor might well ask why you didn’t download this patch when you checked for patches in the month after it was supposedly released. And you will reply, in best audit response mode, “Well, I…uh…hmm, I must have missed that.” Then you get ready to give your boss some very unwelcome news.
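The practical defense is to keep your own record of what the vendor’s page showed at each check, so that a patch whose vendor date predates a check that did not list it can be identified, and the evidence for the auditor written out, from your ledger rather than from memory. The following is an added example written for this post, not code from FoxGuard, Monta Elkins or any vendor; the patch IDs, dates and the 35-day interval in the scenario are constructed for illustration.

```python
"""Patch-check ledger that flags "retropatches": patches whose vendor-stated
date is earlier than a previous check that did not show them.

Added example, not from the original post. All patch IDs and dates below are
constructed; the vendor, its web page and the check cadence are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PatchListing:
    """One patch exactly as it appeared on the vendor's page at check time."""
    patch_id: str
    vendor_date: date   # the "release date" printed by the vendor


@dataclass
class CheckRecord:
    """Evidence of one patch check: when it was done and what was visible."""
    check_date: date
    seen: frozenset     # patch IDs visible on the vendor page on check_date


@dataclass
class Retropatch:
    patch_id: str
    vendor_date: date
    first_seen: date    # our check that first showed the patch
    missing_from: date  # an earlier check, on/after vendor_date, that did not

    def evidence(self) -> str:
        """Sentence to hand the auditor, built only from the ledger."""
        return (f"{self.patch_id}: vendor date {self.vendor_date}, but the check on "
                f"{self.missing_from} did not list it; first observed on {self.first_seen}")


class PatchLedger:
    def __init__(self, interval_days: int = 35):
        self.interval = timedelta(days=interval_days)
        self.checks = []        # CheckRecord, in chronological order
        self.first_seen = {}    # patch_id -> date we first observed it

    def record_check(self, check_date: date, listings) -> list:
        """Record what the vendor page showed on check_date; return retropatches."""
        flagged = []
        for p in listings:
            if p.patch_id in self.first_seen:
                continue  # already on file from an earlier check
            self.first_seen[p.patch_id] = check_date
            # Earlier checks done on/after the vendor's date that did not show it.
            missed = [c for c in self.checks
                      if c.check_date >= p.vendor_date and p.patch_id not in c.seen]
            if missed:
                flagged.append(Retropatch(p.patch_id, p.vendor_date,
                                          check_date, missed[0].check_date))
        self.checks.append(CheckRecord(check_date,
                                       frozenset(p.patch_id for p in listings)))
        self.checks.sort(key=lambda c: c.check_date)
        return flagged

    def interval_gaps(self) -> list:
        """Consecutive checks more than the interval apart (a cadence gap)."""
        return [(prev.check_date, cur.check_date)
                for prev, cur in zip(self.checks, self.checks[1:])
                if cur.check_date - prev.check_date > self.interval]


def demo():
    """Constructed scenario: one vendor, four monthly checks, one retropatch."""
    ledger = PatchLedger()
    p100 = PatchListing("EXAMPLE-100", date(2020, 1, 2))
    r1 = ledger.record_check(date(2020, 1, 10), [p100])
    r2 = ledger.record_check(date(2020, 2, 10), [p100])
    # EXAMPLE-101 carries a January date but was not on the page in February.
    p101 = PatchListing("EXAMPLE-101", date(2020, 1, 25))
    # EXAMPLE-102 is dated after the last check: a normal, non-retro patch.
    p102 = PatchListing("EXAMPLE-102", date(2020, 3, 5))
    r3 = ledger.record_check(date(2020, 3, 10), [p100, p101, p102])
    # 41 days since the previous check: the ledger also surfaces this cadence gap.
    r4 = ledger.record_check(date(2020, 4, 20), [p100, p101, p102])
    return ledger, r1, r2, r3, r4


if __name__ == "__main__":
    ledger, _, _, r3, _ = demo()
    for rp in r3:
        print(rp.evidence())
    print("cadence gaps:", ledger.interval_gaps())
```

The point of the ledger is the `seen` set: recording only "no new patches this month" gives you nothing to show an auditor, whereas a snapshot of the patch IDs actually visible on the page lets you prove that a patch with an earlier date was not there when you looked.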
I recommend you read the post to make sure this doesn’t happen to you!
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – and especially on compliance
with CIP-013; we also work with security product or service vendors that need
help articulating their message to the power industry. To discuss this, you can
email me at the same address.
[i] This title is very appropriate. If you’ve never seen Monta demonstrate how to hack into an electric drill and get it to play the Darth Vader theme…well, I’ll just say it should be on your bucket list.
[ii] Monta points out that this doesn’t mean vendors are deliberately backdating patches, just that they’re probably dating them by when they start building the patch or something like that. He also points out that most vendors would never dream this would cause a problem for customers, since they never dreamed (or “nightmared”) that there would be a requirement which threatens a million-dollar-a-day fine for not downloading a single patch. This is certainly understandable. I wouldn’t believe it either, if I didn’t know it’s true.