Antivirus Protection for SCADA Security - A Silver Bullet?

Submitted by Eric Byres on Thu, 2011-09-15 09:30

A few weeks ago, I received an email from a user asking about antivirus protection for SCADA systems. Now I think antivirus is an essential tool for ICS and SCADA systems. However, this is what he wrote:

My security supplier tells me that attacks from Stuxnet (and next-Stuxnet like worms) can be avoided by protecting WinCC computers using an antivirus product. This will make the PLC perfectly safe, they tell me.

Antivirus Protection for PLCs – Not Enough on its Own

If any security expert claims systems can be secured by just using antivirus products on the Windows computers in a control system, they are crazy, irresponsible or both. Antivirus (AV) technology helps protect the plant floor, but it is not enough on its own.

For the most part, AV software only works if you have a signature, which is great for dealing with well known common malware like Conficker. Unfortunately, there is no signature for a worm using a zero-day vulnerability. Stuxnet proved that – it was in the wild for a year before there were any signatures available. Antivirus software did not spot the worm for that year.

But Stuxnet is far from the only example. Far less sophisticated attacks that completely bypass the AV software appear every week. For example, watch this video on do-it-yourself malware infections in SCADA plants. (The authors ask us to “please excuse the noise on the recording and our Brazilian English”). These attacks are against fully patched systems with current AV signatures. They succeed because of the ENCODING capability in attack tools like metasploit. These make the payloads look unique to the AV system.

Your Control System Deserves Better

No responsible IT group would think of only using AV technology and not bother with the firewalls in their network. Even a receptionist’s computer has both antivirus AND a personal firewall operating. This is the concept of defence-in-depth – no single solution can provide complete protection.

The typical PLC or DCS is a far more important asset than a receptionist’s computer. It is also a much easier target for attack. 99.99% of the control devices and protocols used today offer no robust authentication, integrity or confidentiality capabilities. They can be completely controlled by any individual or worm that gets a foothold on the network.

Nor can PLCs and DCSs be easily patched or have security features added to them, even when security vulnerabilities are discovered. For example, the Siemens S7-300 PLC vulnerabilities revealed 6 weeks ago by Dillon Beresford at Black Hat 2011 are still not patched. This leaves millions of legacy control systems open to attack from even an inexperienced hacker.

Of course, the ICS and SCADA user is limited in what is currently available to defend systems. For example, at this time PLCs and DCS CPUs can’t have antivirus software installed directly and none have built-in firewalls. But DCS vendors like Honeywell, Emerson and Invensys do supply firewalls to be installed directly in front of critical controllers.  In effect, these are acting like personal firewalls for PLCs and DCS devices.

On Windows computers, antivirus technology needs to be supplemented with white listing technology and a good patching strategy. Segregating groups of PCs into controlled security zones also really helps.

The Standards Are Clear

The IEC62443 and ANSI / ISA99 ICS security standards are very clear on this topic. So are the IT standards, like ISO 27001. A defense-in-depth solution is a standards requirement.

The bottom line is that you need to deploy a variety of technologies and procedures if you want a secure control system. Depend on a silver bullet solution and the only thing likely to be shot is your foot!

Related Content to Download

Note: you need to be a member of tofinosecurity.com and logged in to have access to the document below. Register here to become a member.

White Paper - "Effective OPC Security for Control Systems"

 

Even if you do not use OPC, this White Paper has a good discussion of Defense-in-Depth.

This White Paper was written in collaboration with MatrikonOPC.

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Comments

4
Submitted by Andrew Wadsworth (not verified) on Thu, 2011-09-15 13:51

Eric,

Completely agree that defence in depth is essential. I believe there is a better solution than anti-virus software - whitelisting. My company (Amor Group) is a CoreTrace partner and approaching the end of the first wide scale implementation of Bouncer in the UK oil & gas industry on oil & gas production platforms.

Apart from not suffering from the Achilles Heal of anti-virus (not being able to stop anything it doesn't know about), it's key advantage is requiring no maintenance to stay effective and less risk from frequent updates of AV signatures.

Submitted by JGS (not verified) on Fri, 2011-09-16 00:27

Eric, it's true, agree with you. But there is a very very important thing to protect a plant : have a good security policy. Every operator, technician or engineer must agree with this policy. If there is only one person that do not comply with the cibersecurity policy then a combination of defense in depth cannot completely protect a plant.

Sorry my english :-) . Kind regards

Submitted by DJD (not verified) on Sat, 2011-09-17 01:06

Fully agree with both Eric and Andrew indeed, given this weeks latest releases from the italian 'security researcher' I believe it's clear that, if we're going to continue getting 0 day exploits released, then AV can't be assumed to provide much protection at all.

Submitted by Anonymouss (not verified) on Mon, 2011-11-21 09:46

I don't think we are heading the right way, sure, protection and security is vital but putting pressure on it won't improve things. The consumerization of technology is a growing domain, we should make sure we develop at the right rhythm.

Add new comment