Application of Antimalware Technologies in OT Environments
Are there non-invasive antimalware solutions that do not degrade the performance of critical systems? The answer is yes.
As we noted in an earlier entry, ENISA (European Union Agency for Network and Information Security) states in its report “ENISA Threat Landscape 2014” that specific malware, or malware that exploits vulnerabilities in CPS (Cyber Physical Systems) to achieve its objectives, ranks first among emerging threats. In this context, it seems advisable to put in place policies, procedures and standards that help mitigate, minimize and, where possible, eliminate this type of threat.
On the other hand, incorporating technologies that support the application of these procedures is good practice. Among these technologies are antimalware solutions: programs installed on hosts, servers or firewalls that detect viruses and malware by comparing the files stored on those machines against a signature database (often updated hourly) in which all known viruses and malware are collected. Besides detecting, these systems remove and/or quarantine infected files.
What happens when we want to use this type of technology in OT environments? We must be aware of the idiosyncrasies of these environments so that the incorporation of these solutions does not affect the availability and optimal functioning of the production process. In particular, it should be considered that in OT environments there are systems or CPS (as indicated in the ENISA report) that:
- Are critical and in many cases cannot be stopped or restarted to perform updates.
- Have become obsolete and no longer have support from the antivirus manufacturer.
- Are isolated and cannot be updated over the network.
For computers that, for security reasons, cannot be connected to the Internet (not even through a server in a demilitarized zone that downloads the updated signatures), where installing anti-malware software is not permitted because the OS is no longer supported (remember that in OT environments the most widespread OS is Windows XP, no longer supported by Microsoft), or because the manufacturer of the system itself (HMI, SCADA, OPC Server, Historian, MES) advises against its installation, the solution is offline protection.
Some manufacturers offer the possibility of scanning different computers with a “portable antimalware”. This antimalware is installed on a USB drive that is connected to the computer; without installing any library or file on it, the computer is scanned for malware and subsequently cleaned.
Another option for this “offline” protection is to install agents that perform what is known as application “whitelisting” or “lockdown”. In this case, the agent maps all executables present on a given computer (.exe, .dll, etc.); these are established as the only programs that may be launched/executed from that computer, and from the moment the block or “lockdown” is applied, any application that attempts to install itself or any malicious executable that attempts to run is prevented from doing so, since it is not an authorized application.
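A minimal model of that mapping-then-lockdown logic, added here as an illustration (not code from the original entry or from any vendor agent): it baselines the executables under a directory by SHA-256, then answers launch requests from the baseline, refusing files that were never mapped and files whose contents changed since the baseline. The directory, file names and extension set are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of "executable" suffixes an agent would map (constructed).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Mapping step: record every executable under root with its hash."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[str(p.resolve())] = sha256_of(p)
    return baseline


def check_launch(baseline: dict, path: Path) -> tuple:
    """Lockdown step: decide a launch request, returning (allowed, reason)."""
    key = str(path.resolve())
    if key not in baseline:
        return False, "not in baseline"      # never mapped: new or dropped file
    if not path.is_file():
        return False, "file missing"
    if sha256_of(path) != baseline[key]:
        return False, "hash mismatch"        # mapped file was modified
    return True, "allowed"


def demo() -> dict:
    """Constructed scenario: baseline one directory, then try three launches."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        hmi = root / "hmi.exe"
        hmi.write_bytes(b"MZ original HMI binary (constructed)")
        (root / "readme.txt").write_text("not an executable, not mapped")
        baseline = build_baseline(root)
        results = {"baseline_size": len(baseline)}
        results["known"] = check_launch(baseline, hmi)       # mapped, unchanged
        unlisted = root / "unlisted.exe"
        unlisted.write_bytes(b"MZ executable added after lockdown (constructed)")
        results["unknown"] = check_launch(baseline, unlisted)
        hmi.write_bytes(b"MZ tampered HMI binary (constructed)")
        results["tampered"] = check_launch(baseline, hmi)    # mapped, modified
        return results


if __name__ == "__main__":
    print(demo())
```

A real agent enforces this at process-creation time rather than on request, but the decision logic (unknown or altered executable is refused) is the same.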
To conclude:
- The security of OT environments can be affected by different types of malware and APTs.
- Solutions that protect against these threats should be incorporated, but taking into account the idiosyncrasies of the industrial and infrastructure sectors (in particular, avoiding any degradation of system performance).