
Antivirus issues in industrial environments

Posted on 06/11/2015, by INCIBE

In the industrial world, where the availability and continuity of production take precedence, it is difficult to find deployments of certain security tools, such as antivirus software or firewalls, because these tools can introduce latency, communication cuts or small delays in control system applications.

The deployment of antivirus software in these environments is a challenge that should take into account at least the following aspects:

  • Antivirus software in an ICS should not shut down a computer if doing so risks losing control of the production process, or if a backup cannot restore the system to a safe state, even if the computer is infected with a virus.
  • When antivirus software runs a scan, response times must be taken into account: the screens that guide operators (HMI, Human Machine Interface) display data from field devices, and if that data arrives late the operator's response is delayed as well.
  • It should be possible to disable the option to send automatic reports to vendors when a virus is found, so that the security operator is responsible for sending the report at a time of low system load.
  • Project files, such as databases, that are infected with a virus should not be moved, blocked or deleted automatically if these actions would prevent the relationships between the process data from being correctly established.

- Centralised antivirus diagram -

The difficulties that security tools generate in control systems arise mainly because they are deployed following the guidelines used in corporate systems.
Certain requirements must be met in order to deal with these issues. For antivirus software to operate properly in industrial settings, the following must be applied:

  • Many antivirus programs include security options beyond virus scanning, such as a firewall service, active browsing protection or scanning e-mail for viruses. The installation should allow the user to disable every option that exceeds the functional scope of a conventional antivirus; that is, antivirus installation must be performed with care, and it is advisable to leave only the scanning option active.
  • It should be possible to disable automatic distribution of virus signatures from the central antivirus server to the clients, so that a signature update does not block or interrupt other control processes on the target computer.
  • An architecture with centralised antivirus software should offer options to organise and configure antivirus clients in groups. Critical computers can then be separated from non-critical ones, so that actions such as signature updates can be scheduled at different times according to the use of each computer or its dependence on the stability of the process.
  • It should be possible to start a scan of files and/or of the system manually within defined groups, allowing the security operator to take advantage of stoppages or periods with no impact on the process to launch it.
  • Network drives must be scanned directly by the antivirus software installed on the shared file servers; workstation antivirus software must only scan local files.
  • Client scanning configurations should only cover new files arriving on the computer, on the assumption that all local data has already been analysed at least once.

Security tool update processes are usually associated with downloading content from the Internet, normally from the product vendors or distributors. This method is not valid in control systems, where downloading content from the Internet is usually not permitted; it is always necessary to use middleware PCs in DMZ networks intended for this function.
The antivirus signature update process in control systems also differs from the traditional procedure followed in corporate environments. The process should take the following steps into account:

  • The server hosting the antivirus central node should be responsible for collecting the virus signatures so it can subsequently distribute them to the clients according to the group each belongs to. The central node is thus the only system that connects to the antivirus provider to download signature updates, which avoids every control network computer needing Internet access.
  • The central signature update node should be redundant, so that it can continue operating in the event of a failure and keep downloading and distributing signatures transparently to clients.
  • Signature updates must first be deployed in pre-production environments. If time passes without failures, the antivirus vendor has not reported compatibility issues, and the process has not been affected, the updates can be released to production.
  • If no compatibility issues are detected with the virus signatures within a defined period, the signatures can also be released to the other computer groups.
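The staged rollout just described, as an added example that is not INCIBE's code: the central node holds each release, a pre-production group receives it first, and every later group is promoted only after the previous one has run it for a soak period with no failures and no vendor compatibility notice. The group names, soak periods and version label are assumed values for illustration.

```python
"""Staged antivirus signature rollout across ICS client groups (added example,
not INCIBE code). Group names, soak periods and the version label are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ROLLOUT_ORDER = ["preproduction", "noncritical", "critical"]   # assumed groups
SOAK = {"preproduction": timedelta(hours=48),                  # assumed soak
        "noncritical": timedelta(hours=72)}                    # periods

@dataclass
class SignatureRelease:
    version: str
    vendor_issue: bool = False                    # vendor reported incompatibility
    failures: set = field(default_factory=set)    # groups where the process failed
    deployed: dict = field(default_factory=dict)  # group -> time it received sigs

def next_group(rel, now):
    """Next group allowed to receive the release, or None if it must wait.
    A failure anywhere or a vendor notice freezes the rollout until cleared."""
    if rel.vendor_issue or rel.failures:
        return None
    for i, group in enumerate(ROLLOUT_ORDER):
        if group in rel.deployed:
            continue
        if i == 0:
            return group                           # pre-production is always first
        prev = ROLLOUT_ORDER[i - 1]                # previous group is deployed
        waited = now - rel.deployed[prev]          # how long it has soaked there
        return group if waited >= SOAK[prev] else None
    return None                                    # fully rolled out

def simulate():
    """Walk one constructed release through the schedule; returns the trace."""
    t0 = datetime(2015, 11, 6, 8, 0)
    rel = SignatureRelease("2015.11.06-1")         # constructed version label
    trace = []

    def step(label, hours):
        now = t0 + timedelta(hours=hours)
        group = next_group(rel, now)
        trace.append((label, group))
        if group:
            rel.deployed[group] = now              # central node pushes to group

    for label, hours in (("h0", 0), ("h24", 24), ("h48", 48), ("h100", 100)):
        step(label, hours)
    rel.vendor_issue = True                        # vendor reports a problem
    step("h120-vendor-issue", 120)                 # soak met, still blocked
    rel.vendor_issue = False                       # operator clears the notice
    step("h120-cleared", 120)
    return trace
```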

- Updating of signatures through centralised antivirus software -

Beyond the considerations for installation, configuration and update operations, the way security tools act in control systems should also follow certain considerations. For antivirus systems, the action taken in the control systems on a positive detection should take the following recommendations into account:

  • After a virus detection, it should be possible to generate an alert or notification without forcing an action or treatment of the virus (deleting, blocking or moving the file to another path).
  • It should be possible to save all messages, notifications and alerts generated to a log server.
  • After a virus or threat detection, warnings that could cover or hide important information in the control applications, even for a short time, should not be shown to the operator.

In addition to all of the above, which follows general guidelines, it is necessary to bear in mind the specific characteristics of each piece of software used in the control systems and the specifications each provider offers for installing security solutions alongside their industrial solutions.