There have been many talks and debates about the issues of patching, such as whether it is safe to patch or not. There are also many guides on how to patch and when to apply patches. This is a very sensitive topic in OT security. Availability and uptime are very important in OT. Many industrial organizations prohibit patching because it could require rebooting the system, causing downtime that can have a huge financial impact.
This issue exists in MS Windows operating systems in general. Updates for Microsoft (MS) Windows often require a reboot. Many ICS vendors develop products that work only on MS Windows. It would be great if MS implemented new features that solved the reboot issue and allowed hot/live updates without rebooting. Linux, on the other hand, has solved this issue. The Linux kernel has implemented features that enable this “reboot-less patching”; they are:
- Kernel probes (Kprobes)
- Function tracing (Ftrace)
- Livepatching (livepatch)
Some Linux distributions have enabled these features, and there are also technologies built around them. The distributions are:
- Arch Linux (livepatch, kpatch-git tool)
- Debian (unknown, maybe Debian 9?)
- Gentoo (kpatch or ksplice)
- Oracle Linux (ksplice)
- Red Hat Enterprise Linux 7 (kpatch or ksplice)
- SUSE (kGraft)
- Ubuntu 16.04 and higher (livepatch)
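For an OT engineer the practical question is not only “does my distribution support live patching” but “is this kernel built with the features above, and is the patch I applied actually active without a reboot”. The script below is an added example, not part of the original post or of any of the tools listed above. It assumes the upstream Linux kernel livepatch interface (used by kpatch and Canonical Livepatch), which exposes one directory per loaded patch under /sys/kernel/livepatch/<name>/ with an `enabled` file (0/1) and, on kernels from 4.12 on, a `transition` file (1 while the patch is still being applied to running tasks); Ksplice and the original kGraft use their own interfaces and are not covered. The kernel config is read from /boot/config-$(uname -r) by default; both paths can be overridden so the checks can be run against a fixture directory.

```bash
#!/bin/sh
# Added example: inspect a Linux host for the kernel features that make
# reboot-less patching possible and list any livepatches currently loaded.
# Assumed layout (upstream livepatch): /sys/kernel/livepatch/<patch>/enabled
# and /sys/kernel/livepatch/<patch>/transition.

# Return 0 if the kernel config file ($1) has option $2 set to y or m.
kconfig_enabled() {
    grep -q "^$2=[ym]$" "$1" 2>/dev/null
}

# Print one line per loaded livepatch under the sysfs root $1:
#   <name> enabled=<0|1> transition=<0|1>
# Returns 1 if the root is absent (no CONFIG_LIVEPATCH, or sysfs not
# mounted) and 2 if the root exists but no patch is loaded.
list_livepatches() {
    root="$1"
    [ -d "$root" ] || return 1
    found=0
    for p in "$root"/*/; do
        [ -d "$p" ] || continue          # glob did not match anything
        found=1
        name=$(basename "$p")
        enabled=$(cat "$p/enabled" 2>/dev/null || echo "?")
        transition=$(cat "$p/transition" 2>/dev/null || echo "?")
        printf '%s enabled=%s transition=%s\n' "$name" "$enabled" "$transition"
    done
    [ "$found" -eq 1 ] || return 2
    return 0
}

# Print the number of patches that are enabled AND have finished their
# transition, i.e. are fully applied to every running task. A patch whose
# transition file is missing or still reads 1 is not counted.
count_applied_livepatches() {
    n=0
    for p in "$1"/*/; do
        [ -d "$p" ] || continue
        if [ "$(cat "$p/enabled" 2>/dev/null)" = "1" ] &&
           [ "$(cat "$p/transition" 2>/dev/null)" = "0" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Human-readable report. $1 = kernel config file, $2 = livepatch sysfs root.
livepatch_report() {
    config="${1:-/boot/config-$(uname -r)}"
    lp_root="${2:-/sys/kernel/livepatch}"
    echo "kernel config: $config"
    for opt in CONFIG_LIVEPATCH CONFIG_KPROBES CONFIG_FUNCTION_TRACER \
               CONFIG_DYNAMIC_FTRACE_WITH_REGS; do
        if kconfig_enabled "$config" "$opt"; then
            echo "  $opt: yes"
        else
            echo "  $opt: no"
        fi
    done
    echo "loaded livepatches ($lp_root):"
    rc=0
    list_livepatches "$lp_root" || rc=$?
    case $rc in
        1) echo "  (no livepatch sysfs directory: livepatch unavailable on this kernel)" ;;
        2) echo "  (none loaded)" ;;
    esac
    echo "fully applied patches: $(count_applied_livepatches "$lp_root")"
    return 0
}

livepatch_report "$@"
```

Run it with no arguments on the host to be checked; a patch that reports `enabled=1 transition=1` has been loaded but has not yet reached every task, which is the state to watch before declaring a fix in place on a controller that cannot be rebooted.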
So what if ICS vendors supported Linux and developed products that work on Linux? This could help solve, or at least reduce, the current issues. What if they also implemented these Linux features in their ICS hardware (e.g. PLCs)? This could be done by embedding Linux in these products. This is worth considering by the ICS community. There are also many security advantages to switching to Linux. One of them is eliminating the anti-virus rabbit hole. As you know, viruses and malware have been a pain for ICS vendors. I’m not going to discuss the pros and cons here. I think the idea of developing “live patching” that doesn’t affect the availability and functionality of OT devices is important.
Resources: