CNET reports that the electric power sector needs more practical security advice than a bare recommendation to apply patches that, in many cases, cannot be installed:
More than 60 percent of vulnerability warnings said critical infrastructure could get hijacked, while 71 percent of reported vulnerabilities that year could disrupt a person’s ability to monitor systems, according to the report.
In these warnings, up to 72 percent of the advisories told IT teams only to patch their systems. Except “patch your system” means nothing for 64 percent of critical infrastructure, according to the report.
That’s because they were insecure to begin with — applying a security patch would be like putting a Band-aid on a broken leg. Applying patches is generally fine for the average person, who only needs to update a phone or a laptop. It’s different for factories, which might be running nonstop for 24 hours, said Reid Wightman, Dragos’ senior vulnerability analyst.
While you can afford to have your phone off for 10 minutes while it applies the security patch, factories and power plants don’t have that luxury. There are usually only one or two opportunities a year for critical infrastructure to shut down and get updates, Wightman said.
The electric power industry is concerned not only with the security of its infrastructure and IT assets but also with the reliability and stability of the power supply. Patching on a whim is often impossible, so a comprehensive, multi-layered, multi-faceted security strategy is what is vital to ensuring all of the above.
Data centers, for example, are also concerned with reliability and uptime, but virtualization generally allows network operations to continue unhindered while a patch is applied to one system: with standardized tools it is easy to temporarily migrate a virtual machine to different hardware, apply security and operating system patches, then move the VM back. This is almost unheard of in the electric power industry.
It is going to take some time before this problem is solved, unless someone comes up with a unique yet useful idea overnight.