Malware Protection & Industrial Security
In the third part of our article series on anti-virus & malware defence, Industrial Security Cube Christopher Knöll examines the use of anti-virus solutions for Windows-based production systems in industrial environments.
Part one dealt with AV in the consumer sector and discussed whether anti-virus programs still make sense at all. In part two, Next-Generation Endpoint Protection solutions in the professional segment were thoroughly tested.
What is common practice in today's Office IT for Windows operating systems opens a world of trouble in Operational Technology (OT) and production security: the virus scanner.
OT production systems should be fundamentally separated from the Office IT (network segmentation is key here). This creates some basic problems for a conventional virus scanner, which requires regular signature updates to function properly. Those updates in turn require either a separate update server inside the production network or direct online access. Both are problematic in practice: a direct Internet connection for a control computer is a risk in itself, and an update server still needs a path through the segmentation boundary to fetch the signatures.
In addition, the resource requirements of a virus scanner running on a client are often unpredictable, especially during a detected malware incident, and can (and will) cause problems.
As the test by Markus Reiniger shows, this last point in particular is a real show stopper, in the truest sense of the word: what appears to an office user as an annoying forced tea break can cause major disruption under OT conditions, up to the standstill of production facilities when control applications no longer have sufficient resources to run.
In the worst case the facility can be permanently damaged.
Machines helping machines: Artificial intelligence
Next-generation endpoint protection solutions, which rely on machine learning and artificial intelligence instead of signature-based recognition, show a promising new approach. Their important advantage is that they do not need signatures to detect malicious software; instead they look for the core techniques that malware relies on in order to identify it.
Return Oriented Programming (ROP) and heap spraying are two examples of such core techniques. If such behaviour, or the associated program code, is detected by the next-generation endpoint solution, further execution is blocked immediately, which directly prevents the attack. Even zero-day exploits, for which no signature can exist yet, have little chance of executing effectively as long as they depend on these techniques. One caveat for practitioners: ROP and heap spraying are techniques for exploiting memory-corruption bugs. A plain malicious executable, such as most ransomware arriving by e-mail or on a USB stick, uses neither, and has to be caught by the behavioural and machine-learning components of such a product rather than by its exploit mitigation.
Superior performance required
This approach not only delivers significantly better detection rates, it also drastically reduces the resource consumption of next-generation solutions, which tackles the crucial performance problem.
Important "known good", i.e. trustworthy, applications can additionally be excluded from scanning by whitelisting, which further improves performance.
Another important advantage: production plants are often separated from the company network by segmentation (and they really should be!) and therefore cannot download AV signatures directly from the Internet or from the AV management server. Since modern malware protection solutions get along without signatures, a permanent connection of this kind is no longer necessary (the detection model itself still receives occasional updates, but these can be brought in with the regular maintenance cycle rather than daily).
Maintenance work on control systems often has to be carried out, sometimes by third-party engineers, so malware can reach control computers even without online access, e.g. via infected USB sticks. Next-generation endpoint solutions counter this because the detection intelligence is integrated into the agent on the host itself and therefore works offline.
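How a whitelist decides that an application is "known good" matters: an exclusion that only matches the file path would also skip a trojanised binary dropped into that trusted location, whereas a hash (or, on Windows, an Authenticode publisher signature) only matches the exact file that was baselined. The following is an added example written for this article, not code from the article or from any product; the file names and contents are constructed stand-ins for real binaries.

```python
"""Added example: hash-based allowlist of known-good binaries.

A path-only exclusion would also skip a replaced binary in the trusted path;
the SHA-256 check detects the replacement and sends the file back to scanning.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_allowlist(paths):
    """Record the hashes of binaries that are known good at baseline time."""
    return {os.path.abspath(p): sha256_of(p) for p in paths}


def scan_decision(path, allowlist):
    """Return ('skip', reason) for an unchanged allowlisted file, ('scan', reason)
    otherwise. An allowlisted path whose hash no longer matches is the
    dangerous case: the trusted binary has been modified or replaced."""
    full = os.path.abspath(path)
    expected = allowlist.get(full)
    if expected is None:
        return "scan", "not on allowlist"
    if sha256_of(path) == expected:
        return "skip", "allowlisted, hash matches"
    return "scan", "WARNING: allowlisted path but hash changed"


def demo():
    """Self-contained run with constructed files standing in for binaries."""
    with tempfile.TemporaryDirectory() as d:
        ctrl = os.path.join(d, "ControlApp.exe")   # hypothetical control application
        other = os.path.join(d, "Updater.exe")     # hypothetical unrelated tool
        with open(ctrl, "wb") as f:
            f.write(b"MZ original control application")
        with open(other, "wb") as f:
            f.write(b"MZ unrelated tool")
        allow = build_allowlist([ctrl])
        trusted = scan_decision(ctrl, allow)[0]
        unknown = scan_decision(other, allow)[0]
        # Simulate an attacker replacing the trusted binary in place.
        with open(ctrl, "wb") as f:
            f.write(b"MZ trojanised control application")
        tampered = scan_decision(ctrl, allow)
        return trusted, unknown, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is rebuilt as part of the controlled change process whenever the control software is updated; a hash mismatch outside such a change window should be treated as an incident, not as a reason to quietly refresh the allowlist.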
How can malware protection be integrated?
In order to protect production, two scenarios should be considered: on the one hand the danger of direct, targeted manipulation (hacking), on the other the disruption caused by untargeted mass attacks (such as ransomware). Both are countered by implementing two basic strategies:
Strict segmentation: all incoming and outgoing connections must be strictly limited (e.g. to a few selected users and systems) and monitored. Incoming connections are checked in order to stop malware infections before they reach the host, as far as possible. Outgoing connections are interesting for identifying attacks that somehow got through, e.g. by detecting command-and-control (C2) connections, which malware typically sets up to receive instructions.
The use of jump hosts as the only permitted access points to the control computers themselves: these jump hosts act as "bouncers" and must be especially well shielded against malware and unauthorised logins.
Stay ahead of the attackers with modern technology
To implement these mechanisms, modern tools such as Next Generation Firewalls are required, which, unlike traditional firewalls, not only analyse data packets at network level but also understand concepts such as authenticated users and applications. In this way, both the traffic to the jump host and the connection between it and the actual control unit can be regulated with precision.
Concepts such as threat intelligence also play a role in securing the connections, for example to detect and block connections to known malware-distributing sites on the Internet or to C2 servers. To be effective, however, these mechanisms must already be running across the whole network, with integration into the SIEM (security information and event management) system.
In this setup it is useful to equip the jump host with an up-to-date endpoint defence in order to reduce the risk of an infection spreading to the control computers of the production plant. Although resources are far less of a problem on the jump host, the significantly improved detection rate should be reason enough.
As a last line of defence, the use of a similar protection solution on the control system itself is recommended; of course the goal is to reduce the number of attacks that reach this point in the first place. Equipping both systems with the same malware protection does serve a purpose under these conditions, for example because encrypted SSL/TLS traffic (e.g. for remote connections) can hardly be scanned on the jump host without weakening the end-to-end security of the connection.
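The two monitoring tasks described above, checking that control-network connections obey the segmentation policy (only the jump host reaches the control computers, and the control computers only talk to a few known peers) and matching outbound connections against threat intelligence, come down to simple rules over flow or firewall logs. The block below is an added example, not code from the article or from any firewall or SIEM product; the addresses, ports, the threat-intelligence entry and the flow records are all constructed for illustration. It also adds a beaconing heuristic (connections repeating at a suspiciously regular interval), which is the classic way C2 traffic shows up in outbound flows even when the destination is not yet on any list.

```python
"""Added example: segmentation-policy and threat-intelligence checks over
flow records from a control network, plus a simple beaconing heuristic."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed, hypothetical addressing for the example.
CONTROL_NET = ip_network("10.20.0.0/24")      # control computers
JUMP_HOST = ip_address("10.20.255.10")        # the only permitted entry point
ALLOWED_INBOUND_PORTS = {3389}                # RDP, and only from the jump host
# (network, port) pairs a control computer may initiate connections to.
ALLOWED_OUTBOUND = [
    (ip_network("10.20.0.0/24"), 4840),       # OPC UA between control hosts
    (ip_network("10.20.255.10/32"), 445),     # file exchange with the jump host
]
# Constructed threat-intelligence list (documentation-range address, not real).
KNOWN_C2 = {ip_address("203.0.113.7")}

# Constructed flow records, "timestamp src dst dport" (NOT real log data).
SAMPLE_FLOWS = """\
2024-03-01T08:00:00 10.20.255.10 10.20.0.11 3389
2024-03-01T08:00:05 10.20.0.11 10.20.0.12 4840
2024-03-01T08:01:00 192.168.50.3 10.20.0.11 3389
2024-03-01T08:02:00 10.20.0.12 203.0.113.7 443
2024-03-01T08:03:00 10.20.0.12 203.0.113.7 443
2024-03-01T08:04:00 10.20.0.12 203.0.113.7 443
2024-03-01T08:05:00 10.20.0.12 203.0.113.7 443
2024-03-01T08:06:00 10.20.0.11 198.51.100.20 8080
"""


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src),
                      ip_address(dst), int(port)))
    return flows


def check_flow(src, dst, port):
    """Return a finding for one flow, or None if it complies with the policy."""
    if dst in CONTROL_NET and src not in CONTROL_NET:
        # Inbound to a control computer: only the jump host, only RDP.
        if src != JUMP_HOST or port not in ALLOWED_INBOUND_PORTS:
            return f"inbound policy violation: {src} -> {dst}:{port}"
        return None
    if src in CONTROL_NET:
        if dst in KNOWN_C2:
            return f"threat-intel hit: {src} -> known C2 {dst}:{port}"
        if not any(dst in net and port == p for net, p in ALLOWED_OUTBOUND):
            return f"outbound policy violation: {src} -> {dst}:{port}"
    return None


def find_beacons(flows, min_flows=4, max_jitter=0.1):
    """Flag control-host -> external pairs whose connection intervals are
    nearly constant (relative standard deviation <= max_jitter)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in flows:
        if src in CONTROL_NET and dst not in CONTROL_NET:
            by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append(f"beaconing: {src} -> {dst} every ~{avg:.0f}s "
                           f"({len(times)} flows)")
    return beacons


def analyse(text):
    """Run all checks over a log excerpt and return the list of findings."""
    flows = parse_flows(text)
    findings = [f for f in (check_flow(*fl[1:]) for fl in flows) if f]
    findings.extend(find_beacons(flows))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        print(finding)
```

On the constructed data this reports the office workstation that bypassed the jump host, the four connections to the listed C2 address (which also trigger the beaconing rule at a 60-second interval), and one outbound connection to an address that is on no list at all but simply is not permitted by the segmentation policy. That last finding is the point of strict outbound rules: in a well-segmented production network, "not on the allowlist" is already a strong signal, and it does not depend on the threat-intelligence feed being up to date.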
Conclusion: production loss would be much more expensive
The resource consumption of Next Generation Endpoint Protection solutions is minimal, since there is far less active scanning that would consume valuable processor time at the expense of I/O performance. Nevertheless, a high level of protection against malware is provided, so important processes can continue undisturbed. As a result, these solutions are well suited to segmented or completely encapsulated production networks. When strict segmentation is additionally enforced, a very high degree of security can be reached.