Editor’s Note: This is an excerpt from Eric Byres’ blog at Tofino Security.
By Eric Byres
A few weeks ago, I received an email from a user asking about antivirus protection for SCADA systems. Antivirus is an essential tool for ICS and SCADA systems. This is what he wrote:
‘My security supplier tells me that attacks from Stuxnet (and next-Stuxnet like worms) can be avoided by protecting WinCC computers using an antivirus product. This will make the PLC perfectly safe, they tell me.’
If any security expert claims systems can be secured by just using antivirus products on the Windows computers in a control system, they are crazy, irresponsible or both. Antivirus (AV) technology helps protect the plant floor, but it is not enough on its own.
For the most part, AV software only works if you have a signature, which is great for dealing with well-known, common malware like Conficker. Unfortunately, there is no signature for a worm exploiting a zero-day vulnerability. Stuxnet proved that – it was in the wild for a year before any signatures were available, and antivirus software did not spot the worm during that year.
But Stuxnet is far from the only example. Far less sophisticated attacks that completely bypass the AV software appear every week.
No responsible IT group would think of only using AV technology and not bother with the firewalls in their network. Even a receptionist’s computer has both antivirus AND a personal firewall operating. This is the concept of defense-in-depth – no single solution can provide complete protection.
The typical PLC or DCS is a far more important asset than a receptionist’s computer. It is also a much easier target for attack. 99.99% of the control devices and protocols used today offer no robust authentication, integrity or confidentiality capabilities. They can be completely controlled by any individual or worm that gets a foothold on the network.
Nor can PLCs and DCSs be easily patched or have security features added to them, even when security vulnerabilities are discovered. For example, the Siemens S7-300 PLC vulnerabilities revealed 6 weeks ago by Dillon Beresford at Black Hat 2011 are still not patched. This leaves millions of legacy control systems open to attack from even an inexperienced hacker.
Of course, the ICS and SCADA user is limited in what is currently available to defend systems. For example, at this time PLCs and DCS CPUs can’t have antivirus software installed directly and none have built-in firewalls. But DCS vendors like Honeywell, Emerson and Invensys do supply firewalls to be installed directly in front of critical controllers. In effect, these are acting like personal firewalls for PLCs and DCS devices.
On Windows computers, antivirus technology needs to be supplemented with white listing technology and a good patching strategy. Segregating groups of PCs into controlled security zones also really helps.
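The difference between the signature model described above and white listing comes down to the default decision: a signature scanner allows anything it has not seen before, while a white list denies anything it has not explicitly approved. The following toy model, added here as an illustration and not code from the original post or from Tofino Security, shows that gap with a hash-based signature database and a hash-based allow list. The executables, their contents and the "worm" samples are all constructed for the demonstration; real products also use heuristics, but the allow-by-default versus deny-by-default contrast is the point.

```python
"""
Signature scanning versus application white listing (added example).

Models two host protections an HMI/engineering workstation might run:
  * av_scan        - blocks only code whose hash is in a signature database
  * allowlist_check - blocks anything whose hash is not on the approved list
All binaries and samples below are constructed byte strings, not real files.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash used as the identity of a 'binary' in this model."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for software approved to run on the workstation.
APPROVED_BINARIES = {
    "WinCC.exe": b"constructed-approved-hmi-binary",
    "Step7.exe": b"constructed-approved-engineering-binary",
}

# Constructed worm samples: one the AV vendor has already seen, one it has not.
KNOWN_WORM_SAMPLE = b"constructed-known-worm-sample"
ZERO_DAY_WORM_SAMPLE = b"constructed-never-before-seen-worm-sample"

# Signature database: only malware the vendor has already analysed.
SIGNATURE_DB = {sha256_hex(KNOWN_WORM_SAMPLE)}

# Allow list: only executables the plant has approved for this host.
ALLOW_LIST = {sha256_hex(blob) for blob in APPROVED_BINARIES.values()}


def av_scan(data: bytes) -> bool:
    """Signature model: True means 'blocked'. Unknown code is allowed by default."""
    return sha256_hex(data) in SIGNATURE_DB


def allowlist_check(data: bytes) -> bool:
    """White-list model: True means 'blocked'. Unknown code is denied by default."""
    return sha256_hex(data) not in ALLOW_LIST


def add_signature(data: bytes) -> None:
    """Simulates the vendor publishing a signature after the sample is discovered."""
    SIGNATURE_DB.add(sha256_hex(data))


def evaluate(data: bytes) -> dict:
    """Report what each layer would do with the given code."""
    return {"av_blocks": av_scan(data), "allowlist_blocks": allowlist_check(data)}


def layered_decision(data: bytes) -> bool:
    """Defense-in-depth: execution is blocked if any layer says so."""
    return av_scan(data) or allowlist_check(data)


if __name__ == "__main__":
    for name, sample in [("approved WinCC.exe", APPROVED_BINARIES["WinCC.exe"]),
                         ("known worm", KNOWN_WORM_SAMPLE),
                         ("zero-day worm", ZERO_DAY_WORM_SAMPLE)]:
        print(f"{name:20s} {evaluate(sample)}  blocked overall: {layered_decision(sample)}")
    # The signature arrives only after the sample has been found and analysed.
    add_signature(ZERO_DAY_WORM_SAMPLE)
    print(f"{'zero-day, later':20s} {evaluate(ZERO_DAY_WORM_SAMPLE)}")
```

The zero-day sample passes the signature scanner until a signature is published, but the allow list blocks it immediately because it was never approved. The trade-off is maintenance: every legitimate update changes a binary's hash, so the allow list has to be kept in step with the patching strategy, which is why the two are recommended together.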
The IEC 62443 and ANSI/ISA99 ICS security standards are very clear on this topic. So are the IT standards, like ISO 27001. A defense-in-depth solution is a standards requirement.
The bottom line is that you need to deploy a variety of technologies and procedures if you want a secure control system.
Eric Byres is chief technology officer at Byres Security.