What lessons should OT/ICS professionals learn from CrowdStrike?

Written by Leor Fishman, Co-Founder and CTO of Axilon

There are a few different lessons an industrial asset operator or cyber professional could take from this morning's outage—a global outage of Windows Server systems, caused by an interaction between a bad CrowdStrike patch and the Windows kernel.

The first "lesson" is in some ways the most obvious, but in other ways the most useless: critical systems should not be allowed to update over-the-air when the update touches the kernel. On the one hand, this is in some ways straightforwardly true. On the other hand, anybody who wasn't air-gapped already is going to stay that way because of their architectural constraints, and removing over-the-air updates only slows the spread of an outage; it does not reduce the potential damage. Someone still needs to be the first person to apply an update. So the first lesson isn't really an actionable one.

The second would-be lesson is one that might prove attractive to people in the OT space, but is ultimately more harmful than good. Some will see today's disaster as a reason to be slow to deploy patches, or to hold patch deployments until maintenance windows. While this would have avoided the CrowdStrike problem, it is a net negative for security patching overall, because this approach can leave critical zero-day vulnerabilities or similar software issues unfixed in the environment for months on end.

The final lesson is a real one, and it is the most important: CrowdStrike demonstrates why organizations need secondary environments they can use either to test patches, or to run from when a bad patch requires a rollback. Organizations can no longer afford to trust vendor testing or to wait for maintenance windows. However, direct-to-primary deployments risk significant downtime. Resilience-based models for change management are critical but underutilized.
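To make the third lesson concrete, here is a small added example (not code from the article, from Axilon, or from Fortress Labs) that simulates a ring-based rollout: a patch is applied to a canary ring first, then to the secondary environment, and only then to primary control systems, with a health gate after every ring. If a ring fails the gate, every host already patched is rolled back and later rings are never touched. The `Host`, `Patch` and `staged_rollout` names, the three ring names, and the "a bad patch leaves the host unhealthy" behaviour are all assumptions made for this illustration; a real deployment would replace `apply_patch` and the health check with the platform's own agent and monitoring calls.

```python
"""Staged patch rollout with a health gate and automatic rollback.

Added example, not part of the original article. The ring names, the
Host/Patch types and the health model are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    ring: str               # constructed ring names: "canary", "secondary", "primary"
    version: str = "1.0"
    healthy: bool = True


@dataclass
class Patch:
    version: str
    crashes_on_boot: bool   # constructed stand-in for "bad patch breaks the kernel"


@dataclass
class RolloutResult:
    versions: Dict[str, str]          # host name -> version after the rollout
    rolled_back: bool
    failed_ring: Optional[str]
    patched_rings: List[str] = field(default_factory=list)


def apply_patch(host: Host, patch: Patch) -> None:
    """Simulated install: a crashing patch leaves the host unhealthy."""
    host.version = patch.version
    host.healthy = not patch.crashes_on_boot


def rollback(host: Host, previous_version: str) -> None:
    """Simulated rollback to the last known-good version."""
    host.version = previous_version
    host.healthy = True


def ring_health(hosts: List[Host]) -> float:
    """Fraction of hosts in a ring that pass the post-patch health check."""
    return sum(1 for h in hosts if h.healthy) / len(hosts)


def staged_rollout(hosts: List[Host], patch: Patch,
                   rings: Tuple[str, ...] = ("canary", "secondary", "primary"),
                   min_healthy: float = 1.0) -> RolloutResult:
    """Patch one ring at a time; stop and roll everything back on the first unhealthy ring."""
    known_good = {h.name: h.version for h in hosts}
    patched: List[Host] = []
    patched_rings: List[str] = []
    for ring in rings:
        batch = [h for h in hosts if h.ring == ring]
        if not batch:
            continue
        for h in batch:
            apply_patch(h, patch)
        patched.extend(batch)
        patched_rings.append(ring)
        if ring_health(batch) < min_healthy:
            # Health gate failed: undo everything done so far, never touch later rings.
            for h in patched:
                rollback(h, known_good[h.name])
            return RolloutResult({h.name: h.version for h in hosts}, True, ring, patched_rings)
    return RolloutResult({h.name: h.version for h in hosts}, False, None, patched_rings)


def demo_fleet() -> List[Host]:
    """Constructed sample fleet: one canary, one secondary, two primary controllers."""
    return [Host("canary-01", "canary"), Host("secondary-hmi", "secondary"),
            Host("plc-gateway-a", "primary"), Host("plc-gateway-b", "primary")]


if __name__ == "__main__":
    good = staged_rollout(demo_fleet(), Patch("1.1", crashes_on_boot=False))
    bad = staged_rollout(demo_fleet(), Patch("1.2", crashes_on_boot=True))
    print("good patch:", good)
    print("bad patch: ", bad)
```

The point of the gate after the canary ring is that the primary controllers never see a patch that failed on the secondary environment, so the blast radius of a CrowdStrike-style bad update is limited to the hosts you can afford to lose.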

At Fortress Labs, we are developing technology to ensure that primary industrial control systems remain resilient – whether to cyber attack, human error, or bad patches.

In case you missed this on Friday, please check out Fortress Labs' post on lessons learned from the #CrowdStrike incident. Fortress is thinking hard about how to make sure that primary systems remain resilient – whether to cyber attack, human error, or bad patches. Their approach puts #availability 1st by having a failover platform that is secure by design and isolated from a cyber attack.

Rene Visser

OT security specialist at Vitens

7 months ago

Good conclusion, there is a lot to learn from this. For vital and critical OT infrastructure, it is important that these types of updates are implemented as quickly as possible, but with the following in mind: in a controlled manner (OTAP), step by step, and independently of cloud service policies. Recovery plans are accurate and ensure that recovery can take place within the specified period. Never equate IT and OT, and ensure correct network segmentation, a DMZ, and its own domain authentication.
