The Patching Paradox: Security Challenges in Distributed Internet of Things Environments
Patching vulnerabilities is one of the core best practices of modern cybersecurity management. Deploying patches to critical systems closes down potential attack pathways, limiting options for attackers seeking to compromise networks or move laterally to achieve their goals. Patching vulnerabilities has never been easy or simple, however, with IT and security teams needing to balance deploying patches against taking systems the business uses offline.
The rise of Internet of Things (IoT) devices, however, has made patching even more complicated. This is for a host of reasons, not least of which is that IoT device patches are infrequently and irregularly available. The available patches may not be easy to deploy either, with IoT devices often lacking the interfaces that allow teams to access them.
This blog post will cover the challenges that security teams face in patching IoT devices and provide key best practices for how to manage vulnerabilities when patching isn’t an option.
Scheduling IoT Patching Poses Risks
One of the most significant decisions to make when patching IoT devices, particularly for multi-device fleets, is what approach to take. Do you patch them all at once to have fleet consistency? Or do you patch one device first, then wait a few days to see if the patch creates new issues with that device?
Applying software patches is complicated even in traditional IT. With IoT devices, that complexity becomes even greater. Connected equipment often lacks direct user interfaces or an easy way to deploy the patch at scale. In a worst-case scenario, each device must be physically accessed via a local port with the patch deployed from a standard device like a Windows PC. This makes it challenging to efficiently scale cybersecurity best practices in IoT fleets. Organizations face a few barriers beyond the technical, including:
- Downtime – IoT devices have to be taken offline to be updated. They are not typically built with extra processing power or memory to keep functioning during updates. An army of iPhone engineers did not make your IoT patch workflow. Taking devices offline may not always be feasible, depending on the device’s criticality, and can limit the ability of security teams to effectively deploy the patch. Even then, downtime typically has to be scheduled to have the least impact on the business possible.
- Credential Management – Security teams need to ensure that they have the right credentials to apply patches to IoT devices. Credential distribution can become a challenge on its own.
- Vendor Management – Security teams need to track the vendors who built their IoT devices to understand who has deployed patches and when. Part of this is operating a functional inventory solution that identifies vendor and model numbers to simplify keeping track of when patches are released.
- Time commitment – Deploying patches on IoT devices is a major time commitment, especially as the number of devices in the average enterprise continues to rise. As IoT becomes more prominent, it takes more and more time to perform this work.
- Deploying the same patch at scale – IoT devices can be deployed in significant numbers, such as remote environmental sensors or distributed temperature measurement equipment. Deploying the same patch repeatedly in high numbers adds complexity to the process of ensuring that all issues are resolved, and means that there’s a possibility for error.
- Localized patching challenges – Depending on the IoT device, technicians may need to be sent to remote locations to ensure the patch is deployed. This adds time to the process of patching vulnerabilities and creates risks for a device to be missed as part of the site visit.
These are not the only challenges facing security teams as they seek to patch IoT devices, but they are vital to consider as patch management strategies are built.
Best Practices in IoT Patch Management
When creating a patch management strategy for IoT devices, organizations need to follow the patch management policy they’ve already created for traditional IT. Integrating IoT into the existing patching policy and schedule can simplify the workload of security teams and ensure adherence to existing security plans.
Beyond leveraging the existing patching policy, security teams also need to:
- Automate patch deployment to ensure full coverage of IoT devices – For the increasing proportion of IoT devices that can be remotely patched, automation is an option. In fact, it is vital to ensure that all patches are applied quickly and efficiently. This bulk patching capability can make short work of even large numbers of device patches.
- Collaborate with vendors – Tightly collaborating with IoT manufacturers can ensure timely access to patches. This can be vital in terms of securing connected devices, allowing security teams more time to work with patches and test them for any issues.
- Learn about new patches quickly – Monitoring for new patches can ensure that security teams understand the potential risks and how to resolve them quickly. Understanding the vulnerability landscape also ensures that defenders know how to best defend IoT systems. An additional complication is knowing which devices within a fleet need which patches. What if, in a prior patching exercise, only 90% of patches were deployed correctly? Would you know which ones were not? Would you know whether those devices could be safely patched to the latest version without first updating to the prior version?
- Schedule wisely – Every device has a different role. Some might be best patched during business hours when there are more people around to avert potential disasters from a “patch-to-crash” scenario. Other times, the middle of the night is safest when few users would be affected.
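The question of which devices missed a patch, and whether they can jump straight to the latest version, can be answered by reconciling the inventory against the vendor's release chain. The following is an added example, not code from this post or from any vendor; the release chain, device names and the `min_from` prerequisite field are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Release:
    version: str   # firmware version this release installs
    min_from: str  # oldest installed version allowed to jump straight to it

def ver(s):
    """Parse 'major.minor.patch' into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))

# Constructed release chain for a hypothetical sensor model (not real vendor data).
RELEASES = [Release("2.0.0", "1.0.0"), Release("2.4.0", "2.0.0"), Release("3.1.0", "2.4.0")]

# Constructed inventory: device id -> firmware version reported after the last patch run.
INVENTORY = {
    "sensor-01": "3.1.0",
    "sensor-02": "2.4.0",
    "sensor-03": "2.1.0",
    "sensor-04": "1.2.0",
    "sensor-05": None,      # never reported back
    "sensor-06": "0.9.0",   # older than any supported upgrade source
}

def upgrade_path(current, releases):
    """Versions to install, in order, to reach the newest release; None if no path exists."""
    ordered = sorted(releases, key=lambda r: ver(r.version))
    cur, target, path = ver(current), ver(ordered[-1].version), []
    while cur < target:
        # Newest release that is ahead of the device and accepts its current version.
        ok = [r for r in ordered if ver(r.version) > cur and ver(r.min_from) <= cur]
        if not ok:
            return None
        path.append(ok[-1].version)
        cur = ver(ok[-1].version)
    return path

def reconcile(inventory, releases):
    """Sort devices into: current, direct (one hop), stepped (several hops), manual."""
    report = {"current": [], "direct": {}, "stepped": {}, "manual": []}
    for dev, fw in sorted(inventory.items()):
        try:
            path = upgrade_path(fw, releases)
        except (AttributeError, ValueError):   # missing or malformed version string
            path = None
        if path is None:
            report["manual"].append(dev)
        elif not path:
            report["current"].append(dev)
        elif len(path) == 1:
            report["direct"][dev] = path
        else:
            report["stepped"][dev] = path
    return report
```

Devices in the `manual` bucket either never reported a version or sit below every supported upgrade source, so they are the ones to verify on site before the next bulk rollout.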
Patching IoT systems is a complicated effort, fraught with challenges unique to resolving the issues with fixed-function devices like connected equipment. Security teams would do well to acknowledge the reality of patching these systems and apply core best practices to ensure that vulnerabilities are resolved quickly and efficiently.