
December Monthly SCADA Security Check-Up: Anti-Virus

Malware is one of the most common causes of cyber security incidents in control systems, according to Eric Byres' Incident Database and other sources. Malware is introduced via laptops, administrator remote access, vendor remote access, unauthorized connections, and other sources. Your anti-virus provides important protection - hopefully.

Too often we find that the description of anti-virus protection given in policies and interviews does not match reality.

This month, perform an audit to ensure your control system servers and workstations have anti-virus installed and running. Verify active scanning is turned on and the anti-virus signature files are current.

Ideally, you are leveraging a management system and are quickly verifying this on at least a weekly basis. If you are not, this month may also be a good opportunity to review your anti-virus management.
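As an added illustration (not code from the original post), the script below applies the check-up criteria above to a status export from an anti-virus management console. The CSV layout, host names and the seven-day signature-age threshold are assumptions; the rows are constructed sample data.

```python
"""Audit an anti-virus status export against the monthly check-up criteria."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export (hypothetical hosts), one row per SCADA host in the
# shape a management console might produce. Column names are assumptions.
SAMPLE_EXPORT = """\
host,role,av_installed,service_running,realtime_scanning,signature_date
hmi-01,HMI,yes,yes,yes,2006-12-03
hmi-02,HMI,yes,yes,no,2006-12-03
hist-01,Historian,yes,no,yes,2006-11-01
eng-ws-01,Engineering,no,,,
scada-srv-01,Server,yes,yes,yes,2006-12-04
"""

REFERENCE_DATE = date(2006, 12, 4)            # date of the check-up run
MAX_SIGNATURE_AGE = timedelta(days=7)         # assumption: weekly verification cadence


@dataclass
class Finding:
    host: str
    problems: list


def _flag(value: str) -> bool:
    """Interpret the yes/no style values a console export typically uses."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def audit(export_text: str, today: date) -> list:
    """Return one Finding per host that fails any of the check-up criteria."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        problems = []
        if not _flag(row["av_installed"]):
            problems.append("anti-virus not installed")
        else:
            if not _flag(row["service_running"]):
                problems.append("anti-virus service not running")
            if not _flag(row["realtime_scanning"]):
                problems.append("active (real-time) scanning disabled")
            sig = row["signature_date"].strip()
            if not sig:
                problems.append("no signature date reported")
            elif today - date.fromisoformat(sig) > MAX_SIGNATURE_AGE:
                problems.append(f"signatures stale ({sig})")
        if problems:
            findings.append(Finding(row["host"], problems))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT, REFERENCE_DATE):
        print(f.host, "->", "; ".join(f.problems))
```

Hosts that pass every criterion produce no finding, so an empty result is the goal of the monthly run.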

The SCADA security community has largely moved past the fears of anti-virus and warnings that it cannot be deployed. SCADA vendors commonly certify the leading anti-virus solutions for use on their systems, and some even provide configuration guidance.

If anti-virus is causing a performance problem, take a look at your computer hardware platform. How old is it? Proactive IT organizations typically schedule workstation and server replacement every two to three years. Maybe you can squeeze five years out of a SCADA computer, but make sure your budget includes plans to refresh your computers periodically.

Comments

Comment from Landon Lewis
Time: December 4, 2006, 12:03 am

Another tip relating to antivirus and monthly security checkups.
We often reference http://www.virustotal.com when working with suspicious files that a Windows machine's anti-virus may have trouble detecting. Virustotal offers a free scanning engine incorporating over 25 of the major anti-virus vendors. The scanning process works by simply emailing the suspicious files or uploading the file on the web interface.

However what is very interesting and makes me think more folks should move towards HIDS/HIPS…. is this chart.

http://www.virustotal.com/vt/en/estadisticasx?detection_failures

Read what it says closely…

“Blue: Infected files detected by all antivirus engines.”
“Red: Infected files not detected by at least one antivirus engine.”

Comment from Jake Brodsky
Time: December 4, 2006, 8:27 am

Hmm. To do a virus checkup, we’d need to take the computer offline. Another, less invasive method, is to use tools such as the Process Explorer, Autostart utility, and rootkit detector from SysInternals (recently purchased by Microsoft) to identify any processes or programs that don’t belong.

Ultimately, it’s not the viruses that make me lose sleep. It’s the worms. Thankfully, there are far fewer of the latter than the former.

Comment from Dale Peterson
Time: December 4, 2006, 6:07 pm

Jake - you don’t need to take a computer offline to check the anti-virus signature file and config. In fact, I did it today at a large electric utility.

Although Sysinternals are some great utilities.

Comment from Jake Brodsky
Time: December 4, 2006, 9:02 pm

Dale, we’ve had some problems in the past with certain valid software modules being mistaken by anti-virus software for a real virus. We were very concerned when we first encountered this. We did a stone cold install of all software including the OS from distribution sources. It still came up.

I’m not sure what happened. Perhaps we had a signature collision. Ever since then, we’ve been very cautious about anti-virus software. False alarms can be very costly. We’ve found that effective use of the SysInternals tools has worked just as well for us.
