What are operational technology (OT) security “Patch Tuesdays”?

Diego Samuel Espitia    21 July, 2022
Photo: This is Engineering RAEng / Unsplash

In the cybersecurity world we are used to the release of packages that fix vulnerabilities detected in business software. One of the releases that has established a periodicity and continuity to this process is what Microsoft has called “Patch Tuesday”. But it is not the only one.

Designating a specific day for the release of security updates is very useful for defence teams, who get a single list to review and can decide which fixes to apply based on the criticality of the risk and the applicability to their systems. This practice is therefore considered a good reference for the market.

More cyber threats to industrial equipment

Over the last year, the industrial operations sector has faced a growing wave of cyber threats, so it is essential for industrial cybersecurity teams to start adopting practices of this kind, which allow more proactive management of the threats found in the equipment used in industry.

There are several governmental entities in the world that have portals where it is possible to find daily alerts on the weaknesses found. The most recognised in the industrial world is the CISA publication, but in Spanish, INCIBE has undoubtedly gained a lot of strength. Other sources that link IT and OT are VDE in Germany and ZDI in the United States.

This trend has meant that two large companies in the industrial sector have started to follow in the footsteps of the IT world in terms of publishing the threats detected in their different products or systems.

Publishing advisories is not something new for these companies, but they have adopted the good practice of releasing them together on a single day of the month and, following Microsoft, they took Tuesday as the ideal day for this publication.

The origin of “Patch Tuesday”

The first company in the industrial sector to adopt this practice was Siemens. It created a team called ProductCERT, which has been integrating all of the company’s security publications since 2011 and which, on the second Tuesday of each month, publishes the vulnerabilities detected or updated that month.

This practice began in the first months of 2021 and has consolidated itself as the publication that industrial security teams expect. On average, it publishes 30 vulnerabilities each month, including new ones and updates. In July 2022, 34 alerts were published, of which 20 were new, and 5 of these new ones were classified as critical risk.


The other company in the sector that has joined this practice is Schneider Electric, which has had its own security publication portal since the beginning of 2020, but which a few months ago started publishing vulnerabilities in a unified way on Tuesdays. In July 2022, they published 8 critical alerts on various devices.

These scheduled releases are not the only ones published. If a critical alert arises within the established period, it is published on the portal and announced in various ways on the Internet, which also ensures that companies' cyber defence teams clearly understand the importance of applying these patches immediately.

Conclusion

In conclusion, the best practices that have worked in the IT world are now being adopted by the OT world. Although the approach to vulnerability management and remediation is completely different, having this source of early warnings allows the incident recovery plan to be much more preventive than just reactive.

The industrial sector is rapidly migrating to systems and services that are increasingly similar to those traditionally used in IT. The sector has its own differences and particularities, but the good practices that have evolved in IT cybersecurity can still be implemented and taken advantage of.
