This securing-infrastructure article, focused on the challenges patching poses in the operational security realm, was well written from the perspective that, since patching is so hard and so slow relative to risk, you should probably have real-time threat hunting tools as a compensating control. The article provides real-world examples in support of its thesis. It also acknowledges that other tools are required to enable owner/operators to react. But there is a much larger case to be made for proactive security in OT environments.
Software Patching is Hard
Yes, patching is difficult, but not to the extent the article makes it out to be. Patching support from OEMs lags a bit, but OEMs have arrangements with major vendors like Microsoft and Adobe to receive copies of upcoming patches in advance, so the OEM testing and certification cycle runs in parallel with the vendor's release. The OEM-supported patch is usually only a couple of days behind the Microsoft one, if it lags at all. The premise that deploying software patches takes too long for a small, understaffed OT cyber security team supporting multiple OT assets is fair if you follow old-school 'sneaker-net' practices. There are many more automated and OT-safe options that significantly change the OT patching process.
Software Patching and Monitoring are Reactive
Alarms, monitors and alerts are key components of a robust security program, but an alarm means something has already happened (or at least is happening, or is about to happen). That is far too late to allow a response that is both fast enough and OT-safe. If an OT environment does not patch, and does not apply other compensating controls in advance, then when risk (targeted or unintended) comes along, it will wreak havoc within the OT environment.
Be Proactive in Compensating Controls
The most responsible thing an OT owner/operator can do is invest in the fundamental building blocks of a layered defense of critical assets. This includes practices like secure network segmentation and limiting and monitoring access. Applying least-privilege concepts through system hardening opens the door to deploying security control tools like application whitelisting and antivirus.
A mature, responsible owner/operator will have robust backup and restoration capabilities, incident response playbooks, and monitoring and reporting of real-time, asset-specific risk. The ability of an OT cyber guard to see the list of assets, their criticality to safe operations, the security controls in place, and the inherent risks (from missing patches, perhaps) allows the practitioner to take measured, reasonable actions to protect, detect and respond.
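The paragraph above describes an asset view that combines criticality, in-place controls and inherent risk from missing patches so the practitioner can decide what to act on first. The following is an added example of that idea in code; it is not from the original article or its author. The asset inventory, patch severities, control names and the weights in CONTROL_EFFECT are all constructed for illustration, and the scoring model (exposure combined probability-style, then reduced multiplicatively by each compensating control) is an assumption rather than an industry standard.

```python
"""Added example (not from the article): rank OT assets by asset-specific
residual risk, crediting compensating controls against missing patches."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed (assumption, not a standard): fraction of a missing patch's
# exposure that each compensating control removes. 0 = no effect, 1 = fully mitigates.
CONTROL_EFFECT = {
    "segmentation": 0.5,       # asset not reachable from the IT/corporate zone
    "whitelisting": 0.6,       # application allow-listing blocks unknown binaries
    "antivirus": 0.2,
    "access_monitoring": 0.3,
}

@dataclass
class MissingPatch:
    patch_id: str
    severity: float   # 0..10, CVSS-style base score (constructed values below)
    remote: bool      # exploitable over the network; local-only counts half

@dataclass
class Asset:
    name: str
    criticality: int                                   # 1 (low) .. 5 (safety critical)
    missing: list[MissingPatch] = field(default_factory=list)
    controls: set[str] = field(default_factory=set)

def patch_exposure(p: MissingPatch) -> float:
    """Exposure contributed by one missing patch, in 0..1."""
    return (p.severity / 10.0) * (1.0 if p.remote else 0.5)

def combined_exposure(patches: list[MissingPatch]) -> float:
    """Probability-style combination: chance that at least one gap is used."""
    survive = 1.0
    for p in patches:
        survive *= 1.0 - patch_exposure(p)
    return 1.0 - survive

def control_factor(controls: set[str]) -> float:
    """Fraction of exposure that remains after layered controls (multiplicative)."""
    factor = 1.0
    for c in controls:
        factor *= 1.0 - CONTROL_EFFECT.get(c, 0.0)
    return factor

def inherent_risk(a: Asset) -> float:
    """Risk ignoring compensating controls: criticality x combined exposure."""
    return a.criticality * combined_exposure(a.missing)

def residual_risk(a: Asset) -> float:
    """Risk after the asset's compensating controls are credited."""
    return inherent_risk(a) * control_factor(a.controls)

def prioritize(assets: list[Asset]) -> list[tuple[str, float, float]]:
    """Rank assets by residual risk, highest first: (name, residual, inherent)."""
    rows = [(a.name, residual_risk(a), inherent_risk(a)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def sample_assets() -> list[Asset]:
    """Constructed inventory for the example; names, IDs and scores are made up."""
    return [
        Asset("hmi-01", 5, [MissingPatch("PATCH-A", 9.8, remote=True)],
              {"segmentation", "whitelisting"}),
        Asset("eng-ws-02", 3, [MissingPatch("PATCH-B", 7.5, remote=True),
                               MissingPatch("PATCH-C", 5.0, remote=False)],
              {"antivirus"}),
        Asset("historian-01", 4, [], {"segmentation"}),
    ]

if __name__ == "__main__":
    for name, residual, inherent in prioritize(sample_assets()):
        print(f"{name:14s} inherent={inherent:.2f} residual={residual:.2f}")
```

In the constructed inventory the safety-critical HMI carries the highest inherent risk (about 4.9) but, with segmentation and whitelisting credited, its residual risk (about 0.98) falls below that of the engineering workstation (about 1.95), which has only antivirus. That reordering is the practical point: the asset view lets the practitioner spend scarce patching windows where the compensating controls are thinnest, and makes visible which assets are coasting on controls that must keep working.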
Threat hunting is an advanced and valued component in the cyber security maturity stack, but if you try to stop the threat without minimizing the impact, you will be very sorry.