Anti-malware inspection
The list of security incidents in industry is growing longer all the time: Stuxnet, Industroyer, TRITON and WannaCry are examples of malware/ransomware that attacked SCADA systems, safety controllers etc.
While anti-virus/anti-malware software is common and widespread on IT systems, OT components are often still unprotected. Often, the corresponding tools for OT components are not available, are more complicated to use or, depending on the component, cannot be installed at all.
Components to be protected
All system components for which anti-malware software is available should be protected with a modern (next generation) malware prevention tool. These system components include:
- Plant management systems/server.
- Patch management systems/server.
- Engineering systems (PCs, tablets).
  Malware could modify or destroy controller/PLC applications developed on an engineering PC with an engineering/programming system. If not detected, infected or malfunctioning applications could be written to the controller/PLC. In addition, malware could use debug/remote control functions of the engineering software to take control of connected controllers/PLCs (change the operating mode, stop the controller etc.).
- Parameterization/configuration systems for network/field devices (PCs, tablets).
  Malware could modify or destroy device configurations/parameter sets. If not detected, wrong parameter/configuration data could be written to the network devices.
- Visualization and HMI systems (PCs, tablets).
  Malware could modify or prevent the visualization display. In addition, malware could use HMI control functions to take control of connected controllers/PLCs (change the operating mode, stop the controller etc.).
- Logging and monitoring systems (PCs, tablets).
  Malware could modify or delete log data or prevent external monitoring.
- Data backup systems and media, including cloud storage.
  Malware could modify, delete or encrypt data backups.
Configuration/operation rules for anti-malware tools
- Access to the configuration settings of the anti-malware software should be restricted to specially authorized persons (administrator).
- The configuration settings as well as the results of the scans should be documented and logged.
- Configure the installed anti-malware software to achieve the best possible balance between security and availability of your plant. Especially for time-critical applications, a system scan must not affect the performance of the system.
- After the initial installation and configuration of the anti-malware software, run a full system scan. Make sure that the signature database is up-to-date.
- Configure regular automatic scans. When partial or full scans can be done depends on your application (workload, performance).
- Manual scans (especially complete ones) should only take place outside regular production operation (e.g. during shutdown, maintenance or setup operation) to avoid causing performance problems.
- Any access to data and applications should trigger an automatic scan (in addition to regular automatic scans). Take other appropriate protective measures if such continuous scanning on access is not possible due to performance reasons (refer to the next section).
- If you include network drives in the scanning process, make sure that they are not scanned by multiple instances of the anti-malware software and that no performance problems can occur (e.g. due to network overload).
- Update the anti-malware software regularly, in the shortest possible intervals that your application or production process allows.
- Update your anti-malware systems (e.g., virus signatures databases) automatically and from a central location (e.g., via a local update service in the DMZ). Never download updates directly from the Internet.
- Take into account that an update of the anti-malware software (for example, one with a faulty signature database) may cause problems in the application. Therefore, divide the systems into "update groups", assigning redundant systems to different groups, and update the databases of the groups at sufficiently spaced intervals. This allows you to respond to a problem-causing update without complete system downtime.
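The update-group rule above, as an added example that is not part of the original guideline: redundant systems are placed in different groups, and the signature rollout halts before the next group if any updated host reports problems. Hostnames, redundancy sets and the apply/health callbacks are constructed.

```python
# Added example, not from the guideline: partition plant systems into "update
# groups" so that redundant systems never receive a signature update together,
# then roll the update out group by group and halt before the next group if any
# updated host reports problems. Hostnames and the callbacks are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class System:
    name: str
    redundancy_set: Optional[str] = None  # systems that back each other up share an id

def assign_update_groups(systems: list[System], n_groups: int) -> dict[int, list[str]]:
    """Spread systems over n_groups; members of one redundancy set get distinct groups."""
    groups: dict[int, list[str]] = {g: [] for g in range(n_groups)}
    used_by_set: dict[str, set[int]] = {}
    for s in systems:
        taken = used_by_set.setdefault(s.redundancy_set, set()) if s.redundancy_set else set()
        candidates = [g for g in groups if g not in taken]
        if not candidates:
            raise ValueError(f"redundancy set {s.redundancy_set!r} needs more than {n_groups} groups")
        g = min(candidates, key=lambda k: len(groups[k]))  # least-loaded eligible group
        groups[g].append(s.name)
        taken.add(g)
    return groups

def staged_update(groups: dict[int, list[str]], apply_update: Callable[[str], None],
                  healthy: Callable[[str], bool]) -> dict:
    """Update one group at a time; stop if a host is unhealthy so the other groups
    keep the previous database and the plant stays available."""
    updated, failed = [], []
    for g in sorted(groups):
        for host in groups[g]:
            apply_update(host)
            updated.append(host)
            if not healthy(host):
                failed.append(host)
        if failed:
            return {"status": "halted", "after_group": g, "updated": updated, "failed": failed}
        # In production, wait the agreed interval here before touching the next group.
    return {"status": "complete", "updated": updated, "failed": []}

if __name__ == "__main__":
    plant = [System("hmi-a", "hmi"), System("hmi-b", "hmi"), System("eng-1"),
             System("log-1", "log"), System("log-2", "log")]
    groups = assign_update_groups(plant, 2)
    print(groups)
    print(staged_update(groups, lambda h: None, lambda h: h != "eng-1"))
```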
Alternative measures if no anti-malware tools can be installed
Especially on controllers or smart field devices, anti-malware tools may not be available. Even on computer systems, application-related scenarios are possible in which only limited malware protection is possible (for example, due to performance problems or because regular updates are not possible). The following measures should then be taken as an alternative:
- Separation of the affected component into a separate zone.
- Application whitelisting.
- Regular scanning of the affected component from a connectable device (e.g., laptop with installed anti-malware tool).
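As an added example (not from the guideline), the allowlisting and external-scan measures above combined into one check: the SHA-256 of every file in a component's application directory is recorded at commissioning, and a later scan, for instance from a connected laptop, reports anything unknown, changed or missing. Execution blocking itself needs OS support; this only verifies the allowlist. The directory layout and file contents in demo() are constructed.

```python
# Added example, not from the guideline: a file-hash allowlist for a component
# on which no anti-malware tool can run. Record hashes at commissioning, then
# compare the directory against that record during a later scan.
# The directory layout and file contents in demo() are constructed.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 at commissioning time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_allowlist(root: Path, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current directory contents against the recorded allowlist."""
    current = build_allowlist(root)
    return {
        "unknown": sorted(set(current) - set(allowlist)),   # files never approved
        "modified": sorted(k for k in allowlist if k in current and current[k] != allowlist[k]),
        "missing": sorted(set(allowlist) - set(current)),   # approved files removed
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: commission, then tamper, then verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc_app.bin").write_bytes(b"approved application image")
        (root / "hmi.cfg").write_bytes(b"screen=main\n")
        allowlist = build_allowlist(root)
        (root / "plc_app.bin").write_bytes(b"tampered application image")  # modified
        (root / "dropper.exe").write_bytes(b"not on the allowlist")         # unknown
        (root / "hmi.cfg").unlink()                                         # missing
        return verify_allowlist(root, allowlist)

if __name__ == "__main__":
    print(demo())
```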
Next generation anti-malware software
Next generation anti-malware tools offer improved endpoint protection compared to traditional antivirus programs. They not only detect known file-based malware using a signature database and heuristic methods, but also protect against unknown malware (zero-day attacks, file-less non-malware attacks). They are also able to detect malicious behavior and respond to TTPs (Tactics, Techniques, and Procedures) from unknown attackers.
Thanks to new technologies, next generation malware protection programs are able to respond to previously unknown threats. For this purpose, comprehensive data is collected on attacks that have taken place. This data provides information on how the threat originated, other potential points of attack in your plant, how to potentially recover affected areas, and how to close the vulnerability. Furthermore, next generation anti-malware tools may support machine learning and cloud-based, configurable behavior detection. Ideally, these tools will be able to share information gained in this way with other entities in your company or community.
Especially in networked systems (zones and conduits), it can be crucial that the malware protection program is able to immediately stop network activities for the affected zones or processes, isolate (quarantine) and clean affected systems in the event of an attack.