I hate to pile on against security tools in general because in my opinion, people need to do more, not less. However, I am very outspoken about using the right cyber security tool for the job.
On more than one occasion, I have pointed out that buying a specific tool for its unintended, and less than thorough, side effect is at least short-sighted if not entirely foolish. I don't want to jump on the 'AV is dead' bandwagon but I must share some very real experience from some utility companies that we at Verve Industrial know quite well.
In essence, we have seen utilities get attacked by various forms of malware, or 'malicious software' as defined by NERC CIP 007-R3. Clients try to keep up to date on AV signatures. This is a fallacy for a number of reasons but the two most obvious are the maintenance headaches and the effectiveness.
Maintenance of Antivirus Signatures
With respect to maintenance, especially in a regulated environment, the volume and frequency of updates required on AV protected systems is not trivial. The change management and testing of the signatures and the time, as well as effort required to collect, test, document and deploy those signatures is significant. In an environment that is generally quite static ('set and forget - OT!') why introduce a solution with significant churn?
Effectiveness of Antivirus Signatures
The second and most powerful argument in favor of switching to whitelisting from blacklisting is the effectiveness of the solution. The most dangerous versions of malware in the wild make use of zero day exploits. These are risks the software or OS companies are not even aware of yet. The time and effort to build and distribute a protection (AV signature) has not even begun even though the risk is in the wild and infecting systems.
My favorite 'field guy' described it to me as follows: "The malware they had was a zero-day that their [corporate] AV had no signature file for and part of the reason it spread so wildly. I'm still getting alerts from [utility companies'] IT department about password changes and this all started about 2 weeks ago. If they would have had a product like bit9, that would have saved them at least 2 weeks of man time and system downtime. If you couple that with the carbon black package that integrates with bit9, they could have seen exactly where the malware came from (ie. usb, website, phishing email, malicious host, etc.)."
In other words, profile your static OT systems, lock them down so they require to run and when something new, weird, and threatening comes along, it wont be able to impact your system because the asset is locked down. Worried about installing or configuring whitelisting tools on OT systems? Very wise and prudent of you.
That is why we offer our professional services to companies considering this type of technology. We have successfully deployed, installed and configured this technology for years on thousands of assets representing hundreds of OEM systems. We know what you can, and can not, do to safely, consistently and securely deploy these into OT environments. So what are you waiting for, ask us what we know.