Risk-based patching makes security complexity manageable
By Eric ten Bos, co-founder & technical lead of the Thales Cyber OT Convergence Center (OTCC)
With the introduction of the NIS2 directive, the requirements for cybersecurity in Europe are becoming much stricter. Organizations that do not keep their systems up to date are vulnerable and face significant risks. How do you ensure that your systems are up to date and that patch management is in order, especially in complex IT and OT environments?
October 17, 2024, was an important date for everyone involved in cybersecurity. On that day, the NIS2 directive had to be transposed into national legislation by EU member states. To recap: the Network and Information Security Directive 2 is a tightening of the NIS directive. More organizations will fall under this legislation, which also imposes stricter requirements on the security of networks and information systems. The goal is to better ensure the cybersecurity of essential services and digital infrastructures. The new legislation will push companies and institutions in the right direction to strengthen digital resilience against cyberattacks.
Patch management
An important component of this is patch management. Patching means keeping software or firmware up to date by applying security updates and optimizations. Organizations designated under NIS2, and soon under Cbw, must therefore have robust procedures for timely patching of their systems. This helps to close identified security gaps in a timely manner, at least before cyberattacks can exploit them.
Looking at NIS2, there are several angles from which you as an organization can give patching more priority and attention. The directive provides guidelines to map out risk management and requires you to report incidents. If the patch policy is not in order, you run more risks and will have to report incidents. The IT landscape is vast and diverse, making patching challenging and time-consuming. Automation is an obvious solution, and tools are available for this purpose. While this ensures more efficiency and less human intervention, it is not the ultimate solution.
Complexity of the IT infrastructure
Patching is not as simple as it may seem. The complexity of the IT infrastructure has increased. Many organizations still have legacy systems, which are difficult to patch. When attempts are made, compatibility issues can arise. Finally, many organizations struggle to allocate enough manpower, putting timely patching under pressure. Due to the workload that patching adds, the desire to automate patching is understandable. However, as seen in the CrowdStrike case, an automatic update in live environments can have disastrous consequences. Organizations must always keep in mind that patching can have implications for the hardware.
Patching in the OT environment
The challenges around patching are even greater in the Operational Technology (OT) environment. OT systems, such as those in production, energy, and other critical infrastructures, run 24/7 and cannot be taken offline for maintenance or updates without consequences. A short interruption can lead to production disruptions, loss of revenue, or safety risks. Shutting down these systems for patching must therefore be carefully planned, which is rarely possible in the short term in practice. As a result, patching is postponed, which carries significant risks.
Additionally, many OT environments contain legacy systems that were developed without security in mind. Lastly, many OT systems are located in isolated areas, sometimes with limited or no internet connectivity, which makes remote patching difficult. Operators or IT engineers must physically visit the hardware to perform the work, and that takes time, which works against the goal of keeping cyberattacks at bay.
Risk-based patching
We cannot eliminate the complexity of patching in OT with a single measure. However, a risk-based approach makes patching considerably more effective. This approach has two dimensions:
- Dimension 1: Identify the most critical assets in the infrastructure: applications, networks, production facilities, etc. The focus should be on patching hardware, software, or machines that are indispensable for business continuity.
- Dimension 2: Patch systems based on the level of risk that a specific vulnerability or threat poses to the organization. Instead of blindly applying all available patches, this risk-based approach considers which vulnerabilities pose the greatest potential danger.
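The two dimensions above can be combined into a single patch queue. The following script is an added example, not tooling from Thales or the OTCC: it scores each vulnerability by asset criticality (dimension 1) multiplied by vulnerability risk (dimension 2), then turns the score into a decision that respects the OT constraint that systems cannot simply be rebooted. The inventory, the vulnerability identifiers (VULN-000x placeholders, not real CVE numbers), the weighting factors and the thresholds are all constructed assumptions that an organization would replace with its own.

```python
"""Risk-based patch prioritisation (constructed example, not OTCC tooling).

Dimension 1 (asset criticality) and dimension 2 (vulnerability risk) are
combined into one score so the patch queue is ordered by business risk
rather than by CVSS alone. Assets, ids, weights and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int    # 1 (nice to have) .. 5 (indispensable for continuity)
    exposed: bool       # reachable from the IT network or the internet
    environment: str    # "IT" or "OT"


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str        # placeholder ids, not real CVE numbers
    asset: str          # Asset.name it affects
    cvss: float         # CVSS base score 0.0 .. 10.0
    exploited: bool     # known to be actively exploited


# Constructed inventory: one OT production line, an IT database, a low-value server.
ASSETS = {a.name: a for a in [
    Asset("plc-line1", 5, False, "OT"),
    Asset("hmi-line1", 4, True, "OT"),
    Asset("erp-db", 5, False, "IT"),
    Asset("print-server", 1, False, "IT"),
]}

# Constructed findings; note the print server carries the same CVSS as the HMI.
VULNS = [
    Vulnerability("VULN-0001", "hmi-line1", 9.8, True),
    Vulnerability("VULN-0002", "plc-line1", 7.5, False),
    Vulnerability("VULN-0003", "erp-db", 8.1, True),
    Vulnerability("VULN-0004", "print-server", 9.8, True),
]


def priority_score(asset: Asset, vuln: Vulnerability) -> float:
    """Dimension 1 x dimension 2, range 0.0 .. 3.0 (weights are assumptions).

    criticality/5 carries the business-continuity weight, cvss/10 the severity;
    active exploitation doubles the score and external exposure adds 50%.
    """
    exploit_factor = 2.0 if vuln.exploited else 1.0
    exposure_factor = 1.5 if asset.exposed else 1.0
    return (asset.criticality / 5) * (vuln.cvss / 10) * exploit_factor * exposure_factor


def recommend(asset: Asset, score: float) -> str:
    """Translate a score into a patch decision that respects OT constraints."""
    if score >= 1.2:
        if asset.environment == "OT":
            # OT cannot simply be rebooted: plan the earliest maintenance window
            # and reduce exposure (segmentation, monitoring) until the patch lands.
            return "emergency maintenance window; isolate and monitor until patched"
        return "patch now"
    if score >= 0.5:
        return "schedule in next planned maintenance window"
    return "defer; track in monitoring"


def prioritize(assets, vulns):
    """Return (vuln_id, asset, score, recommendation) sorted by descending risk."""
    rows = []
    for v in vulns:
        a = assets[v.asset]
        s = round(priority_score(a, v), 3)
        rows.append((v.vuln_id, a.name, s, recommend(a, s)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for vuln_id, name, score, action in prioritize(ASSETS, VULNS):
        print(f"{score:5.3f}  {vuln_id}  {name:13s}  {action}")
```

Running it ranks the exploited HMI vulnerability first and the print server last, even though both carry a CVSS of 9.8: dimension 1 pulls the low-criticality asset down the queue, while the medium-severity PLC finding still lands in the next maintenance window because the PLC is indispensable. The scoring weights are the part an organization should tune to its own risk appetite.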
Patch management is a crucial component of NIS2 and requires a risk-based approach to set the right priorities in a complex IT and OT environment. Organizations must now take steps to optimize their patch policies and identify risks. Do not wait until the Cbw comes into effect in the Netherlands, but start working with the mentioned dimensions.