
What is Virtual Patching? Applications and Best-Practices

Mar 13, 2025


What is Virtual Patching?

Virtual patching is a vulnerability-shielding tactic that protects assets by implementing layers of security policies and rules. These layered security measures prevent and intercept an exploit from taking network paths to and from a vulnerability. Virtual patching acts as an effective safety measure against threats that exploit known and unknown vulnerabilities while avoiding the need to apply the actual software patch or update, which may not even be possible.

Effective virtual patching solutions are multilayered, inspecting and blocking malicious activity from business-critical traffic. Virtual patching detects and prevents intrusions and thwarts attacks on web-facing applications, and it can be deployed on physical, virtual, or cloud environments.

Virtual patching is intended to augment existing security technologies and patch management policies. One of its most compelling advantages is the extra time it can buy security teams to assess a specific vulnerability and then test and apply a permanent patch. Virtual patching can help avoid unnecessary downtime, help maintain regulatory compliance, and provide security for legacy systems for which patches are no longer issued or are prohibitively expensive.


Virtual Patching in IT Environments

Virtual patching in IT networks functions just like a real software patch would, but without deploying the actual patch or modifying any existing applications. Operating on the theory that exploits will take identifiable network paths to and from application vulnerabilities, virtual patching implements protective network controls that prevent vulnerable servers from being attacked. In doing so, the vulnerability is ‘virtually patched’ until, if possible, a standard patch can be applied.

Virtual patching can protect IT environments by using security controls that intercept and neutralize threats before they can exploit known vulnerabilities. Automated tools can identify vulnerabilities in software, systems, or applications; as they do, specific rules or policies can be implemented in firewalls, IPS (Intrusion Prevention Systems), web application firewalls, or endpoint security solutions that mitigate the risk by recognizing and blocking inappropriate traffic.

Virtual patching in IT environments can protect against vulnerabilities in web applications, unpatchable legacy systems that are no longer supported, databases with known vulnerabilities, endpoints such as computers or mobile devices, servers, and cloud environments with services that are exposed to the internet.


Virtual Patching in OT Environments

Vulnerability shielding can be especially challenging in OT environments, where continuous operation is prioritized, and system downtime to install a patch is simply not an option in many cases. In OT settings, virtual patching can effectively protect ICS (industrial control systems), SCADA (supervisory control and data acquisition) systems, endpoints, and unsupported legacy devices for which patches are most likely unavailable.

Security assessments, vendor advisories, or threat intelligence feeds (data streams that carry information on potential threats and vulnerabilities) can help security teams identify vulnerabilities in OT environments. Once identified, the team can develop specific rules to incorporate into security devices, such as an IPS or IDS (intrusion detection system), that will filter or block malicious traffic to shield the vulnerability from attack.

Virtual patches are generally deployed at key points in the OT network, such as between different zones in a segmented network or directly in front of at-risk devices, such as PLCs (Programmable Logic Controllers) or HMIs (Human Machine Interface), where personnel access and operate the system. It’s at these and similar points, where traffic is continuously monitored and inspected, that the virtual patch enforces the protective security rules shielding vulnerable systems.


5 Applications of Virtual Patching

1. Rapid Response to Zero-Day Vulnerabilities

A zero-day vulnerability is a vulnerability in a system that is unknown to either the vendor or the developer and is, therefore, unpatched. Since the issue is unknown, a patch doesn’t even exist, and a zero-day vulnerability becomes extremely attractive to attackers. The time between the discovery of the problem and the release of an actual patch is the period of greatest risk. Virtual patching can then provide a reasonably fast and effective defense.

When a zero-day vulnerability is discovered, often through threat intelligence that identifies the characteristics of the exploit, custom rules and policies that target those characteristics can be developed, tested, and deployed quickly. Since OT environments are often a mix of new and legacy systems and specialty hardware, virtual patches would have to be tailored to that specific OT environment. Deployment can be done through an IPS, IDS, firewall, or other tools, and it can be ready long before the vendor has time to develop, test, and distribute the actual patch.


2. Legacy System Protection

Legacy systems — and the security vulnerabilities they are infamous for — are found throughout the OT world. Lacking support from vendors or regular updates, their weaknesses make them extremely attractive targets. A plan for protecting them is basic to any robust OT security regime.

Virtual patches are generally deployed at the network level using security devices such as an IPS, firewall, or specialized OT security gateway. Once the virtual patch is deployed in these devices, they monitor and filter network traffic, using rules that block attacks well before they get as far as the legacy system. By placing the virtual patch in the network path, security teams can shield legacy systems without modifying the software or firmware. Virtual patches can be customized to protect proprietary or outdated protocols that modern security patches probably don’t support.

Virtual patching of legacy systems offers a number of significant advantages. It’s non-intrusive, leaving the software untouched, and since it’s deployed externally, the operational integrity of legacy systems remains intact. If necessary, virtual patches can be deployed within hours and without shutting down operations in the process.


3. Temporary Protection for Critical Systems

When a vendor patch is unavailable for a critical system or production downtime is not possible, virtual patching is an extremely practical approach to providing temporary protection for critical systems.

Virtual patches can be deployed as an intermediate security layer almost immediately after a vulnerability in a critical system is discovered, which is crucial in situations where delays may risk unacceptable consequences. The virtual patch can block known attack vectors or suspicious traffic patterns to keep potential threats far from the critical system being protected.

As with other virtual patching, temporarily protecting critical systems will use firewalls or IPS/IDS appliances to monitor and filter network traffic before it can reach its intended target. Deployment can be achieved without shutting down or rebooting the system, and the virtual patch can be customized to match the specifics of the threat and the environment. Solutions can also be integrated with existing security infrastructure.


4. Protection for Third-Party Software

Third-party software can introduce a range of vulnerabilities to OT environments capable of compromising the security, safety, and reliability of the network. If the third-party software is not regularly updated or patched, it can have unaddressed security flaws for attackers to exploit. This is especially problematic in OT environments, where systems may be difficult to update due to their critical nature and the difficulty of shutting down systems.

Problems common to third-party software include weak or outdated communication encryption protocols, unencrypted data, weak default user names that no one changes during setup, backdoors that provide easy access, and end-of-life software that’s no longer supported.

Legacy Windows systems that cannot be upgraded are an excellent example. In this case, virtual patching can mitigate vulnerabilities by monitoring and blocking malicious activity in real time, effectively patching the vulnerability without modifying the actual system.

Virtual patching can be a viable solution to protect all third-party software from cyber attacks. In fact, if vendors are slow to release patches or no longer support certain software, it may be the only solution. In those cases, it’s an immediate and effective stopgap that provides critical protection.


5. Compliance Requirements

OT environments operate under various regulations requiring robust security practices to protect critical infrastructure, ensure operational continuity, and safeguard sensitive data. Failure to comply can lead to substantial fines, even more so if noncompliance contributes to a breach, data loss, or an impact on critical infrastructure.

The speed at which virtual patches can be deployed is a major advantage. Virtual patches allow for rapid responses that provide immediate protection if a vendor patch is not quickly forthcoming, especially in the case of a zero-day vulnerability. Because regulations often require the identification, assessment, and mitigation of security risks as part of a thorough risk management process, virtual patching can help security teams quickly address any vulnerabilities found during that process. The implementation of those patches can be easily documented, allowing OT managers to demonstrate the use of virtual patching as part of their cybersecurity strategy during regulatory audits.

Virtual patching also helps companies meet industry-specific regulatory requirements in mission-critical industries such as energy, transportation, healthcare, and water treatment. These virtual patches will become part of an audit trail that documents security actions the company has taken.


Best Practices for Virtual Patching

Regular Monitoring and Updates

Regular monitoring and updates are essential in OT environments because they ensure that virtual patches remain effective and relevant as threats evolve. Continuous monitoring systems such as SIEM (security information and event management) tools or IDS and IPS (intrusion detection and prevention systems) can spot attacks or suspicious activities. They can also identify threats for which no virtual patch has been deployed.

Because threats are always evolving, a virtual patch cannot be considered a one-and-done solution. Virtual patching rules need to be updated as new threats arise and changes are introduced in the operational environment they are protecting, such as a new network configuration or an OT system update.

Updating virtual patches should take place according to established protocols. Updates to the OT network should be coordinated with IT to ensure minimal disruption, and detailed records should be kept. With continuous monitoring and regular updates to virtual patches, companies can reduce the risk of downtime, improve their security posture, and remain compliant with security regulations.


Integration with Patch Management Systems

Virtual patching should be integrated into a company’s centralized patch management system so that the organization can maintain a cohesive, well-managed, and coordinated approach to network protection.

By integrating virtual patches into the central system, virtual and standard patches can be managed from one platform with greater visibility. It allows for the tracking of all vulnerabilities, whether they are addressed through standard or virtual patches. Integration supports better synchronization with regular patching cycles, as well as comprehensive tracking and reporting for compliance and auditing readiness.

Integration also allows security teams to automate workflows so that virtual patching and regular patch management can be coordinated. For instance, if the system detects a new vulnerability, it can deploy a virtual patch automatically while simultaneously scheduling the installation of the permanent version. Overall, integration can help streamline operations, improve the organization’s security posture, and reduce the risk of conflict or redundancy with permanent patches.


Testing and Validation Procedures

Before any patch is applied in an OT environment, it must be tested to ensure it works as designed and doesn’t disrupt operations or have other unintended consequences.

If possible, set up a test environment that mimics the production environment. Make sure that all configurations are applied and that the patch addresses the targeted vulnerabilities. Run standard operational scenarios to ensure the patch doesn’t block appropriate traffic or disrupt the system’s functions. Testing should also ensure that the virtual patch successfully shields the vulnerability it’s trying to protect.

The next step in the process is post-deployment validation. Closely monitor the patch after it’s deployed in the live environment to confirm it’s performing as anticipated. Look for any unusual behavior, system performance issues, or security alerts.

Regression testing should be conducted as part of the validation process. Regression testing implies re-running functional and non-functional tests to ensure that any previously developed software is still performing as expected. It should reveal if the patch is causing problems or failing in its protective mission. Virtual patches should be retested periodically to ensure they remain effective. If the patch is updated due to changes in a vulnerability, it should also be revalidated.
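As an added example (not TXOne or EdgeIPS code), the harness below models a hypothetical virtual-patch rule placed in front of a PLC and runs the pre-deployment checks described above over constructed traffic: legitimate HMI and historian flows must pass, unauthorized Modbus writes must be dropped, and an over-strict variant of the rule shows how a false positive would be caught before deployment. The hosts, addresses and rule id are assumptions.

```python
"""Validation harness for a network-level virtual patch rule (added example,
not TXOne or EdgeIPS code). Models a hypothetical IPS rule in front of a PLC:
only the designated HMI may send Modbus/TCP function codes that change PLC
state; other writers are dropped and logged. Hosts and rule id are assumed."""
from dataclasses import dataclass, field

# Modbus function codes that write coils or registers (public Modbus spec).
WRITE_FUNCTION_CODES = {5, 6, 15, 16}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    function_code: int

@dataclass
class VirtualPatchRule:
    """Shield one PLC: writes are allowed only from trusted sources."""
    rule_id: str
    protected_plc: str
    trusted_writers: frozenset
    log: list = field(default_factory=list)

    def verdict(self, flow: Flow) -> str:
        # Scope the rule to Modbus/TCP (port 502) traffic toward the protected device.
        if flow.dst != self.protected_plc or flow.dport != 502:
            return "allow"
        if flow.function_code in WRITE_FUNCTION_CODES and flow.src not in self.trusted_writers:
            self.log.append(f"{self.rule_id} DROP {flow.src}->{flow.dst} fc={flow.function_code}")
            return "drop"
        return "allow"

def validate(rule: VirtualPatchRule, cases):
    """Pre-deployment check: returns (legit flows the rule blocks, unauthorized writes it misses)."""
    false_positives, false_negatives = [], []
    for flow, expected in cases:
        got = rule.verdict(flow)
        if got == "drop" and expected == "allow":
            false_positives.append(flow)
        elif got == "allow" and expected == "drop":
            false_negatives.append(flow)
    return false_positives, false_negatives

# Constructed test traffic standing in for "standard operational scenarios".
HMI, ENG_WS, PLC, HISTORIAN = "10.0.1.10", "10.0.1.20", "10.0.2.5", "10.0.3.7"
CASES = [
    (Flow(HMI, PLC, 502, 16), "allow"),           # operator write: must keep working
    (Flow(HMI, PLC, 502, 3), "allow"),            # operator read
    (Flow(HISTORIAN, PLC, 502, 3), "allow"),      # historian polling reads
    (Flow(ENG_WS, PLC, 502, 6), "drop"),          # untrusted writer: shielded
    (Flow(ENG_WS, PLC, 502, 3), "allow"),         # reads from others still pass
    (Flow(ENG_WS, HISTORIAN, 502, 16), "allow"),  # not the protected device
]

def run_validation():
    """Correctly scoped rule: expect no false positives or negatives."""
    rule = VirtualPatchRule("VP-0001", PLC, frozenset({HMI}))
    fp, fn = validate(rule, CASES)
    return fp, fn, rule.log

def run_overly_strict():
    """Misconfigured rule with no trusted writer: the HMI write shows up as a false positive."""
    fp, _ = validate(VirtualPatchRule("VP-0001-strict", PLC, frozenset()), CASES)
    return fp
```

The same case list can be re-run after every rule or network change as the regression suite the section calls for.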


Granular Access Control

To prevent unauthorized actions, whether accidental or malicious, granular access control ensures that only those individuals who need access to virtual patching processes and related systems have the necessary permissions.

OT engineers, IT or OT security teams, system administrators, and auditors would all need some level of access. Applying the principle of least privilege, permissions are clearly defined and granted according to the specific tasks each role performs. In an OT environment, for example, a system administrator would have a high level of access to apply or modify virtual patches. The OT engineer, however, might only have permission to view patch status and logs.

MFA, or multifactor authentication, provides additional access protection by requiring at least two verification methods. The general nature of OT environments can make them inhospitable to MFA in many situations. Still, it might be more feasible for the roles that actually install, modify, or remove patches, virtual or standard. While granular access may present occasional inconveniences, it will also enhance security, reduce the risk of error, assist with regulatory compliance, and improve accountability by tracking attempts to access the system.


Scalability and Flexibility

OT environments can change over time, expanding, modifying processes, and adding new assets with new vulnerabilities. Patching must be scalable enough to grow with the site and flexible enough to handle updated technologies, threats, and regulatory changes without needing a complete system overhaul.

Scalable architecture, including modular design and capacity planning, will help ensure the patching solutions are prepared for growth and change. With a modular architecture for the virtual patching solution, components can be added, removed, or upgraded independently, allowing the system to accommodate new devices, add new locations, or integrate with other systems. Capacity planning ensures the performance and capacity of virtual patching solutions can scale to handle additional patches, new and complex network configurations, and the growing volume of data to analyze.

Flexible deployment can meet the needs of typically diverse OT systems by ensuring that solutions can be deployed across the wide range of legacy systems, industrial control systems (ICS), and the varying network configurations found in many OT environments. Solutions should also be flexible enough to handle changes in the network’s architecture as new segments or communication protocols are added.


Documentation and Reporting

It’s extremely important that administrators maintain a clear, accurate record of all virtual patching. Documenting all activities serves several priorities, including transparency, auditing, and meeting regulatory requirements. It also provides an all-important reference to guide future patching requirements.

Every virtual patch that’s applied should have a detailed log that includes the date and precise time of deployment, the systems or devices patched, the vulnerabilities the patch is intended to address, and the personnel who handled the deployment. Any changes, such as modifications, updates, or the removal of the patch, should also be fully documented. Include why the change was made, its anticipated impact, and the outcome. Such detailed documentation can help track a patch’s effectiveness and provide a historical understanding that aids in dealing with future issues. It also creates the required audit trail.

If a virtual patch is created in response to a specific security incident, a detailed incident report can assist in post-event analysis and improve future responses. The report should identify the vulnerability and include the rationale for a virtual patch, the testing and validation details, and the outcome.


Continuous Improvement

An effective continuous improvement plan can help organizations assess their current program and enhance and refine it as the threat environment continues to evolve. While a comprehensive program can be a very expansive undertaking, these are some basic steps that organizations can take to improve their virtual patching process.

Start by defining KPIs and baseline metrics that can track the effectiveness of the team’s efforts. These reference points can track KPIs such as the speed at which virtual patches are developed and deployed, the response time if the patch is in reaction to an incident, the patch’s impact on system performance, and its effectiveness, measured as the success rate in preventing security breaches or exploit attempts.

Regular reviews can extract value and understanding from the historical record. They should be conducted quarterly, supplemented by annual in-depth audits. After a security incident occurs and the incident report is filed, it should be reviewed in detail to help prevent the next occurrence.

Ongoing training that keeps teams updated on the latest and greatest threats, responses, defense technologies, and new virtual patching techniques is one of the most important elements of an effective continuous improvement program. Training is also a chance to get OT and IT teams together in the same room and on the same page as they share insights and experiences from their respective domains.

These are just a few elements of a thorough, effective continuous improvement program, and further examination of best practices is strongly encouraged. Perhaps the most important thing to remember is that while the organization develops its program, threat actors have their own continuous improvement programs, and they are constantly refining their techniques.


Virtual Patching Challenges

While virtual patching has many advantages, it also has some challenges and limitations. For one, virtual patches don’t fix the underlying vulnerabilities or software flaws that necessitated the patch in the first place. In the best case, they are a temporary solution. (Although some may become more permanent due to either the lack of a viable solution or an immediate need while other issues compete for attention.)

OT environments often combine legacy and modern systems and are equipped with specialty devices that lack secure design. Securing such a diverse environment can be time-consuming and resource-intensive, yet still leave gaps in the protective layers.

System availability and performance can also be put at risk from virtual patching if not fully tested in a safe environment before deployment. Even then, there are no guarantees that the patch will not impact a critical industrial system sensitive to changes.

Other challenges may include a shortage of skilled personnel, a lack of knowledge of virtual patching techniques and technology solutions, difficulty coordinating between OT and IT teams, and the evolving threat landscape.


Leverage TXOne’s Comprehensive OT Security Solutions for Enhanced Protection

With long expertise in the world of OT cybersecurity, TXOne has developed a suite of OT-native security solutions to meet the very specific needs of industrial customers. TXOne believes in a multi-layered, defense-in-depth strategy, combining physical security to protect the site and its assets from physical attack, access control, network segmentation to limit the impact of an attack, intrusion prevention systems, endpoint solutions, employee training, and more.

TXOne sees virtual patching as an essential part of any comprehensive OT cybersecurity program, and its EdgeIPS (Intrusion Prevention System) appliance can play an important role without any disruption to operations. EdgeIPS slips right into your network without disturbing pre-existing configurations, and deployment can be optimized for capability, complexity, architecture, or budget.

EdgeIPS is one of a number of TXOne OT-centric security solutions. Learn about all of TXOne’s products and solutions at TXOne.com.

TXOne Networks