In May 2016, Microsoft announced a change to how updates for Windows 7 and 8.1 systems would be offered. That change introduced "Monthly Rollups" that allow all previously released non-security updates to be installed from a single update package. This week, Microsoft announced a revision to that plan: the "Monthly Rollups" will now address both security issues and reliability issues in a single update, with each month's update superseding the previous one. This is essentially a cumulative update for security and non-security fixes in a single installation package.
According to this latest announcement, beginning in October 2016 Microsoft will also provide a separate monthly "Security-only Update" that includes only the security patches developed in that month. This will not be a traditional cumulative update; it requires that all previous monthly updates be installed individually, as applicable. Nathan Mercer, a Microsoft TechNet employee responding to a question about the change, confirmed "Individual patches will no longer be available after October 2016."
On the surface this sounds great, as it addresses many issues that enterprise IT support teams have struggled with for a long time - specifically having to identify, download, install and track literally hundreds of patches. The fragmented approach often resulted in similar systems being at different patch levels depending on when they were installed.
Both the "Monthly Rollup" and the monthly "Security-only Update" will be an issue for any enterprise if a component of the cumulative update conflicts with a critical application or causes some other operational issue. However, these changes have the potential to create a huge security and compliance problem for NERC Registered Entities needing to comply with CIP-007-6 R2 Security Patch Management requirements.
Windows 7 is still in wide use throughout the electric industry, so it is easy to imagine the very likely scenario of a particular update including a component that is either not approved by a system vendor or otherwise known to cause operational issues. NERC Registered Entities would be forced to forgo the entire update package, even though it may include other components that are applicable and would otherwise be approved for installation. This will force entities to develop and track mitigation plans for known vulnerabilities that cannot be patched because individual patches are no longer available. The result will be a patchwork (pun intended) of mitigation implementations that may never provide the same level of vulnerability management as installing the actual patch.
I urge NERC Registered Entities with Microsoft Enterprise Agreements to contact their sales and support representatives and strongly request that Microsoft continue to make individual patches available to entities that need the flexibility to pick and choose which patches to install. Hopefully, Microsoft will reconsider its position and appreciate the increased complexity that the new patch approach creates for entities trying to secure the electric grid and maintain compliance with the NERC CIP standards.
Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP. Ted was most recently the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. He has over twenty-five years of experience working in the electric utility, information technology, and manufacturing industries.
Follow Ted on Twitter @Gutierrez_Ted