I hate to pile on against security tools in general because in my opinion, people need to do more, not less. However, I am VERY outspoken about using the right tool for the job.
I have, on more than one occasion, pointed out that buying a specific tool for its unintended, and less than thorough, side effect is at least short-sighted if not entirely foolish. So I don't want to jump on the 'AV is dead' bandwagon but I must share some very real experience from some utility companies that we at Verve Industrial know quite well.
In essence, we have seen utilities get attacked by various forms of malware, or 'malicious software' as defined by NERC CIP 007-R3. What we usually see are clients trying mightily to keep up to date on AV signatures. This is a losing approach for a number of reasons, but the two most obvious are the maintenance headaches and the limited effectiveness.
With respect to maintenance, especially in a regulated environment, the volume and frequency of updates required on AV-protected systems is not trivial. The change management and testing of the signatures, and the time and effort required to collect, test, document and deploy them, are significant. And in an environment that is generally quite static ('set and forget': that is OT!), why introduce a solution with significant churn?
The second, and most powerful, argument for switching from blacklisting to whitelisting is the effectiveness of the solution. The most dangerous malware in the wild makes use of 'zero day' exploits: flaws that not even the software or OS vendors are aware of yet. This means that the work of building and distributing a protection (an AV signature) has not even begun, even though the threat is already in the wild and infecting systems.
My favourite 'field guy' described it to me as follows: "The malware they had was a zero-day that their [corporate] AV had no signature file for, and that is part of the reason it spread so wildly. I'm still getting alerts from [utility companies'] IT department about password changes, and this all started about 2 weeks ago. If they had had a product like bit9, that would have saved them at least 2 weeks of man time and system downtime. If you couple that with the carbon black package that integrates with bit9, they could have seen exactly where the malware came from (i.e. usb, website, phishing email, malicious host, etc.)."
In other words, profile your static (OT) systems, lock them down to only what they require to run, and when something new, weird and threatening comes along it won't be able to impact your system, because the asset is locked down. Worried about installing and configuring whitelisting tools on OT systems? Very wise and prudent of you.
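To make the profile-then-lock-down idea concrete, here is an added Python sketch (not Verve's, Bit9's or any vendor's code) that builds a hash baseline of a constructed "OT" directory and then applies a default-deny decision to each file; the file names and contents are constructed for the example, and a real product hooks execution in the kernel rather than checking files after the fact.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(root: Path) -> Dict[str, str]:
    """Profile step: record path -> hash for every file on the (static) system."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def check_execution(allowlist: Dict[str, str], root: Path, rel_path: str) -> Tuple[bool, str]:
    """Lock-down step: allow only files whose path AND content match the baseline.
    Nothing here needs a signature for the bad file; unknown simply means denied."""
    expected = allowlist.get(rel_path)
    if expected is None:
        return False, "deny: not in baseline (unknown file)"
    if sha256_file(root / rel_path) != expected:
        return False, "deny: content changed since baseline (tampered or unapproved update)"
    return True, "allow: matches baseline"

def demo() -> Dict[str, bool]:
    """Build a baseline, then introduce the two cases whitelisting is meant to stop."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hmi.exe").write_bytes(b"constructed HMI binary")          # constructed
        (root / "historian.exe").write_bytes(b"constructed historian binary")  # constructed
        allowlist = build_allowlist(root)
        # Case 1: a never-before-seen file appears (the 'zero day' drop in the post).
        (root / "dropper.exe").write_bytes(b"constructed unknown payload")   # constructed
        # Case 2: an approved binary is modified in place outside change management.
        (root / "historian.exe").write_bytes(b"constructed historian binary, patched")
        return {name: check_execution(allowlist, root, name)[0]
                for name in ("hmi.exe", "historian.exe", "dropper.exe")}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The second case is the one that trips up path-only allowlists: the baseline must pin content, not just names, or an in-place overwrite of an approved binary walks straight through.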
That is why we offer our professional services to those companies that are considering this type of technology. We have done the installation and configuration of this technology for years on thousands of assets representing hundreds of OEM systems. We know what you can, and cannot, do to safely, consistently and securely deploy these into OT environments. So what are you waiting for? My 'favourite field guy' would love to share what he knows!