Do You Really Need Software Support?

With factories investing in software to start their Digital Transformation journey, we see many of them questioning if they really need software support. What is often forgotten when deciding is how software support is often used to protect your investments and enables your factory to have a better Industrial Cyber Security strategy.

Have you ever heard these famous last words?

“I don’t use Tech Support often, so I don’t need Software Support.”

“I don’t see any value in paying for support, so I don’t see the value of having it.”

“We’re not connected to the Internet, so we’re not worried about security patches.”

Etc. etc. etc…

As you think about these statements, I want you to think of this rather famous proverb, “An ounce of prevention is worth a pound of cure.” But what exactly does that mean? The key idea here is “prevention” before the need for a cure or remedy. It’s plausible that in many cases, the decision not to have support may be due to either:

• A failure to do a proper business risk assessment to understand the potential cost of not having support.
• Not understanding what the support provides beyond technical assistance.
• Not truly understanding the value the support brings to the business.

Sadly, when many organizations decide not to renew their software support, it’s usually the wrong person making the decision, erroneously thinking that they are helping the organization save a few dollars. Not thinking about or understanding the business consequences of not having support. But enough with the rambling, let’s explore this idea of software support and why its continued presence in your overall business strategy is essential to your continued success.

So, what about Software Support

Many customers have made substantial and strategic investments in their operations. These investments often come in the form of people, processes, and technologies. All with the goal of using these investments to be more profitable or to provide service to their customers. Sure, some may say we’ve made these investments to be more efficient, cost-effective, etc., but in the end, it all boils down to the bottom line, profits and losses, and, importantly, customer satisfaction.

To protect those investments, you know, those things that give the organization the ability to keep being profitable, that’s where software support comes in. You can view it as a type of additional insurance for the business. Would you own a home without some form of homeowner’s insurance? Hopefully not.

In general, a comprehensive software support program should include things such as:

• Access to top-notch technical support staff, that can assist with problems that may arise during day-to-day operations.
• Access to software updates, patches, and upgrades. This enables the organization to stay on top of technology enhancements, virus and security vulnerabilities, and new capabilities.
• A comprehensive knowledge base with a self-help system that allows for quick access to software, technical articles, and general help.
• Training programs for new and existing personnel.

You can see that software support is geared to assist the organization in more than just providing a help desk.

Software Support and Industrial Cyber Security (ICS)

Now let’s get to the main topic. As mentioned, software updates are necessary for any software support program. As technologies advance, so does the need to update the software to take advantage of those advances. Updates are required to keep OT systems running smoothly.

According to NIST.SP.800-82 Rev 2 (Guide to Industrial Control Systems Security), deploying security patches as expeditiously as possible after testing them under field conditions is an integral part of protecting individual Industrial Control System components. Unpatched software represents one of the greatest vulnerabilities to a system.

A good patch management plan is critical to an effective Industrial Cyber Security strategy for any organization. A good ICS strategy is to have a policy that specifies that all computers and systems only run supported software and operating systems for which security patches are made available promptly. Please note just because a patch is available for an Industrial Control System, that does not mean that it should be automatically applied. All currently available security patches should be evaluated via an assessment for relevance and risk associated with the current operational environment and then, if necessary, be applied on a schedule appropriate to the severity of the risk they mitigate.

Security is the number 1 reason to update software. Vulnerabilities in software are constantly being discovered. Software vulnerabilities can enable cybercriminals to access your control systems (i.e., your critical investments). The exploitation of vulnerabilities in software can lead to the following:

• Institutional data and personal data breaches.
• Data loss or modification.
• Compromised systems and the use of those compromised systems to launch further attacks.
• Denial of Service (DoS) attacks, rendering services unavailable.

Effective patch management requires a process to identify vulnerable software, evaluate available patches, test and deploy those patches, and confirm their successful installation. Most Industrial Control System software vendors include updates, hotfixes, service packs, and patches as part of a comprehensive software support agreement. Without such a support plan any industrial cyber security plan or strategy will have a noticeable hole.

The Risk and Cost of Not Patching

According to a study conducted by the Ponemon Institute, 57% of cyberattack victims reported that their breaches could have been prevented by installing an available patch, and sadly 34% of those respondents were already aware of the vulnerability before they were attacked.

There is a term among security professionals called “patch regrets,” which reflects the general sentiment among professionals who knew that patching would have saved some grief.

Ensuring systems remain protected requires security professionals to constantly be aware of the latest software updates and threat intelligence related to an organization’s Industrial Control System applications. This can only be efficiently accomplished by having a support agreement with the software vendor.

But what about the cost? To answer that question, here are some examples of organizations that failed to take heed:

Rackspace: Mitigation over patching was the wrong choice

In December of 2022, the Play ransomware group attacked cloud service provider Rackspace, which exploited CVE-2022-41080, a known zero-day flaw in Microsoft’s Hosted Exchange email environment. Microsoft, aware of threat actors actively exploiting the vulnerability, released a patch in early November and urged customers to install the updates immediately.

For Rackspace, concerns about service disruption and a decision to rely on a mitigation strategy trumped the importance of applying the patch. That decision allowed Play to access the personal data of 27 Hosted Exchange customers, which, in turn, caused service outages for Rackspace customers – the very thing the company was trying to avoid. Rackspace hasn’t said whether a ransom was paid, but the company’s reputation certainly took a hit.

Equifax: Unpatched app leads to one of the biggest payouts

In 2017, US credit reporting agency Equifax experienced a data breach that exposed the personal and sensitive information of approximately 147 million consumers. A patch for the vulnerability, known as CVE-2017-5638, was released in March 2017. Equifax failed to deploy it in time, allowing the hackers to exploit the vulnerability beginning in mid-May through its discovery in July.

The incident led to significant public scrutiny, severe reputational damage, and multiple investigations. Ultimately, Equifax  settled with the FTC, the Consumer Financial Protection Bureau, and 50 US states, which included a payment of $425 million to compensate affected consumers.

Uber, the SEC, and the Department of Homeland Security also reported they had been affected by the same vulnerability.

The Red Cross: A vulnerability and vulnerable people

Nothing demonstrates the depravity of threat actors more than when they go after humanitarian agencies like the International Committee of the Red Cross and steal the personal data of over 515,000 vulnerable people. In this attack, hackers exploited an unpatched vulnerability (CVE-2021-40539) in Zoho’s single sign-on tool. Then they gained access to the Red Cross’s contact database using offensive security tools, which made the threat actors appear legitimate.

The sophistication of the attack and the obfuscation techniques used to avoid detection are only known to a handful of Advanced Persistent Threat (APT) groups, leading many in the security community to believe it was a state-sponsored attack. In line with that, the data stolen belongs to missing people, detainees, and others displaced by armed conflicts, migration, or natural disasters. As no ransom was demanded, and no data was deleted, the threat actors appear to have copied and exported the data for their use.

Trying to save on operational costs is a laudable exercise for any organization concerned about its bottom line. However, failing to support your critical infrastructure adequately is a significant risk to that bottom line. A comprehensive software support package is one sure way of mitigating the risk to the business and easing the anxieties of personnel when things inevitably go wrong. There is nothing worse than being an employee with a problem to solve, only to find out that there is no support to help solve the problem. Software support is like having insurance for your critical software investments. What would the department head say if there was a problem with a simple fix, but you decided not to have the support that would’ve prevented or resolved the issue quickly? Would you be seen as a hero or a zero? One has to wonder.