Antivirus Protection for SCADA Security - A Silver Bullet?
A few weeks ago, I received an email from a user asking about antivirus protection for SCADA systems. Now, I think antivirus is an essential tool for ICS and SCADA systems. However, this is what he wrote:
My security supplier tells me that attacks from Stuxnet (and next-Stuxnet like worms) can be avoided by protecting WinCC computers using an antivirus product. This will make the PLC perfectly safe, they tell me.
Antivirus Protection for PLCs – Not Enough on its Own
If any security expert claims systems can be secured by just using antivirus products on the Windows computers in a control system, they are crazy, irresponsible or both. Antivirus (AV) technology helps protect the plant floor, but it is not enough on its own.
For the most part, AV software only works if you have a signature, which is great for dealing with well-known common malware like Conficker. Unfortunately, there is no signature for a worm using a zero-day vulnerability. Stuxnet proved that – it was in the wild for a year before there were any signatures available. Antivirus software did not spot the worm for that year.
But Stuxnet is far from the only example. Far less sophisticated attacks that completely bypass the AV software appear every week. For example, watch this video on do-it-yourself malware infections in SCADA plants. (The authors ask us to “please excuse the noise on the recording and our Brazilian English”). These attacks are against fully patched systems with current AV signatures. They succeed because of the ENCODING capability in attack tools like Metasploit. These make the payloads look unique to the AV system.
Your Control System Deserves Better
No responsible IT group would think of only using AV technology and not bother with the firewalls in their network. Even a receptionist’s computer has both antivirus AND a personal firewall operating. This is the concept of defence-in-depth – no single solution can provide complete protection.
The typical PLC or DCS is a far more important asset than a receptionist’s computer. It is also a much easier target for attack. 99.99% of the control devices and protocols used today offer no robust authentication, integrity or confidentiality capabilities. They can be completely controlled by any individual or worm that gets a foothold on the network.
Nor can PLCs and DCSs be easily patched or have security features added to them, even when security vulnerabilities are discovered. For example, the Siemens S7-300 PLC vulnerabilities revealed 6 weeks ago by Dillon Beresford at Black Hat 2011 are still not patched. This leaves millions of legacy control systems open to attack from even an inexperienced hacker.
Of course, the ICS and SCADA user is limited in what is currently available to defend systems. For example, at this time PLCs and DCS CPUs can’t have antivirus software installed directly and none have built-in firewalls. But DCS vendors like Honeywell, Emerson and Invensys do supply firewalls to be installed directly in front of critical controllers. In effect, these are acting like personal firewalls for PLCs and DCS devices.
On Windows computers, antivirus technology needs to be supplemented with whitelisting technology and a good patching strategy. Segregating groups of PCs into controlled security zones also really helps.
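To make the contrast between signature-based AV (discussed above under Stuxnet and encoded payloads) and whitelisting concrete, here is an added example that is not part of the original post. The three "executables", the signature marker and the approved hash are all constructed for illustration; the point is that a signature scanner only blocks what it has seen before, while a hash allowlist blocks anything that was not approved at commissioning time, including a re-encoded variant and a tampered copy of the approved program.

```python
import hashlib

# Constructed stand-ins for files an HMI host might be asked to run (not real malware).
SAMPLES = {
    "hmi_runtime.exe": b"MZ\x90\x00 WinCC runtime, approved build 1.0",
    "known_worm.exe": b"MZ\x90\x00 worm payload MARKER-ABC",        # a signature exists
    "unknown_worm.exe": b"MZ\x90\x00 same worm, re-encoded bytes",    # no signature yet
}

# Constructed signature database: the only pattern the AV "knows".
SIGNATURES = [b"MARKER-ABC"]


def signature_av_blocks(data: bytes) -> bool:
    """Classic signature AV: blocks only if a known byte pattern is present."""
    return any(sig in data for sig in SIGNATURES)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist built once at commissioning from the approved binaries only.
APPROVED_HASHES = {sha256(SAMPLES["hmi_runtime.exe"])}


def allowlist_permits(data: bytes) -> bool:
    """Whitelisting: permit only binaries whose hash was approved in advance."""
    return sha256(data) in APPROVED_HASHES


def may_execute(data: bytes) -> bool:
    """Defence-in-depth: both layers must agree before a file runs."""
    return allowlist_permits(data) and not signature_av_blocks(data)


def evaluate_all() -> dict:
    """Return each layer's verdict for every sample, keyed by file name."""
    return {
        name: {
            "signature_av_blocks": signature_av_blocks(data),
            "allowlist_permits": allowlist_permits(data),
            "may_execute": may_execute(data),
        }
        for name, data in SAMPLES.items()
    }


def tampered_copy_permitted() -> bool:
    """Flip one byte of the approved build; the allowlist should reject it."""
    tampered = bytearray(SAMPLES["hmi_runtime.exe"])
    tampered[-1] ^= 0x01
    return allowlist_permits(bytes(tampered))
```
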
The Standards Are Clear
The bottom line is that you need to deploy a variety of technologies and procedures if you want a secure control system. Depend on a silver bullet solution and the only thing likely to be shot is your foot!
Related Content to Download
White Paper - "Effective OPC Security for Control Systems"