Configuration of Anti-Virus and Anti-Malware Software within an ICS Environment

April 28, 2018 by

John Henshell

Anti-virus/anti-malware (AV) software is a critical component or layer of protection in securing your Industrial Control System (ICS) from external intrusion. Effective policies and training, Windows 10 (or at least a recent version of Windows), hardware and software firewalls, and whitelisting software are the other basic components or layers. You have options for where the AV software fits in your system architecture.

Best AV Software Options

You probably already have AV software installed. If not, or you are considering switching, the first step is to consult with your ICS vendor. Some of those companies have done extensive testing of AV software with their systems and can make reliable recommendations. Some even support a particular program. The most effective solution, albeit the most expensive one, is AV software made specifically for ICS cyber-security. The alternative is off-the-shelf enterprise AV software. Those programs use a combination of definitions (also called signatures) and behavioral analysis called heuristics. Heuristics identify code that resembles malware code and flag it for cleaning or removal.

Learn ICS/SCADA Security

Explore realistic critical infrastructure scenarios and build your security skills with hands-on labs, on-demand courses and live boot camps.

Start Learning

Virus Bulletin and other third-party labs test AV software and publish results. Products from major vendors such as Kaspersky Lab, Symantec, Bitdefender, ESET, and Trend Micro consistently perform well in anti-virus testing. Check Point, Symantec (in partnership with Rockwell Automation), Kaspersky, and other companies make AV software for ICS.

The age of your hardware and operating system are important considerations for choosing security software. Some AV software consumes considerable system resources, causing slowing, and some works sluggishly on older hardware and/or older versions of Windows. AV software made for ICS is usually less demanding.

Where to Install AV Software

Many organizations use an ICS demilitarized zone (DMZ). The DMZ server has an Internet connection, but control network computers do not. The server is connected to the control network and possibly the organization's main server for in-house e-mail and other services. AV programs commonly update hourly, and Windows typically updates weekly. Other software is periodically patched. Isolation from the Internet prevents those updates.

A popular, but convoluted, workaround is called "sneakernet." Sneakernet is literally a manual method of installing updates. An employee copies the virus definition updates or other software updates onto a USB flash drive and manually installs them on each computer in the system. Sneakernet is inefficient, disruptive, and fraught with risks. However, it is better than using no AV software or outdated AV software.

A better, but slightly riskier, alternative is to have the server directly distribute software updates to the control network computers through its LAN. The server can use firewall rules to limit which programs can access the Internet.

The third option is to allow all computers Internet access and protect them with firewall rules and whitelisting software. These layers of security protect against almost all intrusions except malware coming directly and inadvertently from a software company. Given that MacAfee, Microsoft, and Kaspersky have all been hacked, no software company can be considered immune from infiltration. If you get an unintended "update," your AV software or firewall might block it.

Whitelisting software, also called secure application control software, only allows specific programs to access the Internet. The Windows Defender Firewall does this on a rudimentary level, but third=party software firewalls provide better protection. You can use whitelisting software to prevent all web browsers from accessing the Internet. It can block any program that isn't on the whitelist (approved programs) from executing. Malicious code will not be able to execute viruses or other malware. AV and whitelisting programs create logs of their activity, so you can monitor what has been blocked.

You can also add additional layers of protection, such as a network intrusion protection system (NIPS) and data loss prevention software. You can set your system to prevent the use of USB flash drives or other peripherals to protect against disgruntled employees. If control network computers do not need e-mail access, these layers of security should provide excellent protection.

AV Software Settings

Your AV configuration will depend on the age of your operating system and hardware. A combination of old equipment and off-the-shelf AV software may force you to adjust your AV settings so that the program does not interfere with critical system operations. On the other hand, if you are using AV software made for ICS, your hardware vendor or the AV software manufacturer will recommend the most appropriate settings for your specific environment.

One of the issues with off-the-shelf security software is that some programs are incompatible with other security programs. You can only run one AV program (other than Microsoft Windows Defender), but it may conflict with an anti-malware program from another manufacturer or even your proprietary software.

Immediately after installing AV software or a new version of existing AV software:

• Run a system scan
• Check for compatibility. Make sure your other security programs and proprietary industry software still work.
• Measure the performance hit. The Windows task manager will tell you the amount of RAM and percentage of CPU resources used. Free utilities can measure boot time, program opening times, and web page loading.

Settings vary among programs, but most have user-adjustable core settings. Manage these settings:

Learn ICS/SCADA Security

Explore realistic critical infrastructure scenarios and build your security skills with hands-on labs, on-demand courses and live boot camps.

Start Learning

• Schedule automatic scans. They can be daily or weekly. You want to pick a time when your system load is lowest. If your system cannot handle this taxing process, disable automatic scans.
• Choose drives, sectors, and documents to scan or exclude from scans. You always want to scan the boot sector, operating memory, and C drive. Everything else is optional. You may choose to exclude specific files, folders, or types of files (e.g., .docx) if you know they are unshared. Exclude proprietary software unless it can access the Internet.
• Accept automatic updates. Enable or disable them based on the updating process you have chosen.
• Phone home. AV software companies learn of new intrusions by having their programs report back to them. If you lack ample resources, disable this feature.
• Choose your methods of flagged-file handling and notifications. AV software can remove any software it deems malicious, but the risk of false positives is too great. Set the program to notify you and let you decide whether to clean, quarantine, or delete the alleged culprit.
• Enable manual scans. You want the option of scanning anything that is downloaded.
• Enable automatic scans of optical discs (e.g., DVDs), flash drives, external hard drives or SSDs, etc.
• Enable the host intrusion protection system (HIPS) if your program has it.
• Enable phishing protection on computers that can receive e-mail.
• Enable e-mail protection if the computer is set up to receive e-mail.
• Set the level of protection (old systems only). You may need to throttle your AV program to balance CPU resources. Some programs allow limiting of heuristic analysis.
• Decide who can adjust settings: administrator (you) only or any user.
• Do not let the AV program shut down an infected computer.
• Disable any gratuitous functions the program has. Although extra capabilities are more common in consumer programs, some AV software may have features you will not use and do not need.
• Enable saving of logs.

The key to these and other settings is to maximize protection without interfering with industrial processes. The NIST has a useful, but severely dated publication: Using Host-Based Antivirus Software on Industrial Control Systems: Integration Guidance and a Test Methodology for Assessing Performance Impacts.