Years ago, on this site, I remarked that keeping systems patched can be a headache. We've come a long way since then, though. It's hard now to find an organization that doesn't have automated patch management as a significant effort in its security strategy.
We have Windows Server Update Services (WSUS) and similar tools to keep our operating system patched. Network device management tools ensure that we have consistent and updated firmware deployed across the enterprise. We're even carefully thinking about managing application patches to avoid security vulnerabilities. Sure, you'll see the occasional headline about a preventable breach that occurred because an organization failed to apply an available patch, but, all-in-all, my impression is we're doing a pretty good job patching most of our systems.
Today, the internet of things (IoT) is changing the way that we think about computing and data. We're putting sensors everywhere you can imagine, ranging from HVAC systems and industrial processes to lightbulbs and toothbrushes. While IoT holds great promise for the future of analytics and automation, it also ushers in a new era of patch management concerns. After all, when was the last time you checked the firmware version running on your toothbrush?
It's time to start thinking about automated patch management for IoT devices.
Start automated patch management with an inventory
IoT devices are arriving on our networks every day. If we have any hope of maintaining control over their security configurations and patch levels, we must have a reliable inventory of those devices. Just as we tackled endpoint asset management over the past decade, we now must work with technical teams and business units to develop an inventory of our IoT devices.
Unfortunately, most of these platforms won't fit neatly into our configuration management systems. Take the time to figure out what is running on your network and understand the update mechanisms that they use. Automated patch management of IoT can't start without an accurate inventory.
Monitor your vendors
If you're lucky, you'll find that some portion of your IoT devices have automated update mechanisms. If that's the case, you can often just enable those mechanisms and simply monitor them to make sure that they're working.
More often, you'll find that security updates are buried deep on a vendor website, if they're available at all. Add information about the location of those sites to your IoT inventory, and assign someone the task of periodically checking for critical updates. At the same time, it would help the security community if you reach out to those vendors and urge them to develop an update mechanism to enable automated patch management or, at the very least, a mailing list to advise cybersecurity professionals of security vulnerabilities and patches.
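The inventory fields recommended above (update mechanism, vendor download location, assigned owner) and the periodic vendor check can be combined into a simple patch-status report. The following is an added example, not code from the original article; the device records, vendor names and URLs are constructed sample data. It also shows why firmware versions must be compared numerically rather than as strings, so that "1.10.0" is correctly ranked above "1.9.5".

```python
"""IoT patch-status report built from an inventory of devices (added example)."""
import re
from dataclasses import dataclass


@dataclass
class IoTDevice:
    name: str          # inventory identifier
    vendor: str        # used to look up the latest firmware the vendor publishes
    firmware: str      # version currently running on the device
    auto_update: bool  # True if the vendor ships an automatic update mechanism
    update_url: str    # where patches are published, for manual checks
    owner: str         # person or team assigned to check periodically


def version_key(version: str) -> tuple:
    """Turn '2.4.0' into (2, 4, 0) so components compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def patch_report(devices, latest_firmware):
    """Return {device name: (status, action)} for every inventoried device.

    latest_firmware maps vendor -> newest version found on the vendor's site.
    """
    report = {}
    for dev in devices:
        latest = latest_firmware.get(dev.vendor)
        if latest is None:
            # No vendor data yet: the assigned owner must check the site by hand.
            report[dev.name] = ("unknown", f"{dev.owner}: check {dev.update_url}")
        elif version_key(dev.firmware) < version_key(latest):
            if dev.auto_update:
                report[dev.name] = ("behind-auto", f"verify auto-update applied {latest}")
            else:
                report[dev.name] = ("behind-manual", f"{dev.owner}: install {latest} from {dev.update_url}")
        else:
            report[dev.name] = ("current", "no action")
    return report


# Constructed sample inventory and a constructed snapshot of vendor firmware pages.
DEVICES = [
    IoTDevice("hvac-ctrl-01", "ExampleHVAC", "2.3.1", False, "https://vendor.example/hvac", "facilities"),
    IoTDevice("lobby-cam-02", "ExampleCam", "1.10.0", True, "https://vendor.example/cam", "secops"),
    IoTDevice("lab-sensor-03", "ExampleSense", "0.9", False, "https://vendor.example/sense", "labs"),
]
LATEST = {"ExampleHVAC": "2.4.0", "ExampleCam": "1.9.5"}

if __name__ == "__main__":
    for name, (status, action) in patch_report(DEVICES, LATEST).items():
        print(f"{name:14} {status:14} {action}")
```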
Include IoT devices in your vulnerability scans
Cybersecurity is a belt-and-suspenders business. The defense-in-depth principle tells us that we shouldn't rely upon vendors to tell us about vulnerabilities and patches. Make sure to include IoT devices in your vulnerability scanning program. Most IoT devices run embedded operating systems that may contain vulnerabilities that have gone undetected. Don't be surprised when you contact a vendor with the results of a scan and find out that it's the first report the vendor received.
The internet of things poses new challenges for automated patch management, but it's nothing that the cybersecurity community can't handle. We just need to remain vigilant about new vulnerabilities and patches and stay on top of IoT vendors to take security updates seriously.