Module 2: Energy-Specific Controls

Malware Protection for OT


Malware protection in operational technology environments requires different approaches than traditional IT antivirus. ISO 27019 provides guidance for protecting process control systems from malicious software while maintaining operational reliability.

OT Malware Challenges

Why Traditional Antivirus Doesn't Work

Performance Impact

  • Signature scans consume CPU resources needed for real-time control
  • Scheduled scans can cause system slowdowns during critical operations
  • Memory usage impacts deterministic timing requirements
  • Network traffic from signature updates can saturate OT networks

Compatibility Issues

  • Legacy Windows versions (XP, 2000, embedded) no longer supported by AV vendors
  • Custom OT software may be flagged as malicious
  • AV software can interfere with control system communications
  • Updates and reboots disruptive to 24/7 operations

False Positive Risks

  • AV quarantining critical control files
  • Legitimate OT protocols flagged as suspicious
  • Vendor software updates blocked
  • System instability from AV conflicts

ISO 27019 Malware Protection Approach

Application Whitelisting (Primary Defense)

Allow only authorized applications to run:

How It Works:

  • Inventory of all legitimate applications
  • Whitelist based on file path, hash, or digital signature
  • Block execution of any non-whitelisted application
  • No signature updates required
  • Minimal performance impact

Implementation:

  • Windows AppLocker or third-party solutions
  • Start in audit mode to identify all legitimate applications
  • Build comprehensive whitelist
  • Switch to enforcement mode
  • Maintain whitelist through change control

Advantages for OT:

  • Prevents zero-day malware
  • No signature updates needed
  • Minimal resource consumption
  • Deterministic behavior
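The audit-then-enforce workflow above, as an added example that is not part of the original lesson and is not AppLocker itself: a small Python model of an allowlist with hash rules and directory rules, where audit mode records what it would have blocked and enforce mode blocks it. The hosts, file names and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large vendor binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class Allowlist:
    """Hash rules (strongest) plus directory rules (for vendor install trees).
    In audit mode a non-matching executable is logged instead of blocked."""
    def __init__(self, mode="audit"):
        self.mode, self.hashes, self.dirs, self.audit_log = mode, set(), [], []

    def learn(self, path):              # audit-phase inventory: trust what runs today
        self.hashes.add(sha256_of(path))

    def evaluate(self, path):
        p = Path(path).resolve()
        digest = sha256_of(p)
        if digest in self.hashes:
            return True, "hash"
        if any(d in p.parents for d in self.dirs):
            return True, "directory"
        if self.mode == "audit":        # log only; operations are not disturbed
            self.audit_log.append((str(p), digest))
            return True, "audit-would-block"
        return False, "blocked"

def demo():
    """Constructed scenario: HMI binary learned in audit, one vendor directory
    rule, then an unknown binary and a tampered HMI binary under enforcement."""
    root = Path(tempfile.mkdtemp()).resolve()
    hmi, tool, unknown = root / "hmi.exe", root / "vendor" / "tool.exe", root / "dropper.exe"
    tool.parent.mkdir()
    for f, data in ((hmi, b"HMI v1"), (tool, b"vendor tool"), (unknown, b"unknown")):
        f.write_bytes(data)
    wl = Allowlist("audit")
    wl.learn(hmi)
    wl.dirs.append(tool.parent)
    audit = {f.name: wl.evaluate(f) for f in (hmi, tool, unknown)}
    wl.mode = "enforce"                 # switch only after reviewing wl.audit_log
    hmi.write_bytes(b"HMI v1 + modified")   # constructed tamper: hash rule no longer matches
    enforce = {f.name: wl.evaluate(f) for f in (hmi, tool, unknown)}
    return {"audit": audit, "enforce": enforce, "audit_log": wl.audit_log}

if __name__ == "__main__":
    print(demo())
```

Note that the tampered HMI binary is blocked under enforcement because it sits outside any directory rule: a hash rule catches modification, a directory rule does not, which is why the lesson ranks hash and signature rules above path rules.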

Antivirus (Secondary Defense)

When antivirus is used, adapt for OT:

Configuration for OT:

  • Disable real-time scanning during critical operations
  • Schedule scans only during maintenance windows
  • Exclude control system directories from scanning
  • Use centrally managed signatures (no internet updates from OT systems)
  • Test extensively before deployment

Vendor Coordination:

  • Verify AV compatibility with control systems
  • Get vendor approval before deploying AV
  • Document exclusions and scan exceptions
  • Include AV in system testing

Defense-in-Depth Strategy

Layer 1: Prevention

Network Segmentation

  • Isolate OT from IT networks
  • Limit malware spread between zones
  • Unidirectional gateways where possible

Removable Media Controls

  • Disable USB ports where not needed
  • USB whitelisting (authorized devices only)
  • Scan all removable media on isolated system before use
  • Vendor laptop quarantine and scanning

Email and Web Filtering

  • Control systems should not have internet access
  • Engineering workstations with restricted web access
  • Email attachments stripped or scanned in DMZ
  • Block executable attachments

Layer 2: Detection

Network Monitoring

  • ICS-specific intrusion detection
  • Baseline normal traffic patterns
  • Alert on unexpected protocols or connections
  • Detect known malware signatures in network traffic

System Integrity Monitoring

  • File integrity monitoring for critical files
  • Alert on unauthorized changes
  • Configuration baseline monitoring
  • Registry monitoring (Windows systems)

Behavioral Analysis

  • Monitor for unusual process execution
  • Detect lateral movement attempts
  • Alert on unexpected network connections
  • Track user behavior anomalies

Layer 3: Response

Incident Response for Malware

  • Procedures for isolating infected systems
  • Playbooks for OT malware incidents
  • Decision tree for operational continuity vs. containment
  • Recovery procedures maintaining safety

System Restoration

  • Known-good backups of control system configurations
  • Documented rebuild procedures
  • Validated restore processes
  • Testing before returning to service

Specific OT Malware Threats

Historical OT Malware

Stuxnet (2010)

  • Targeted Siemens PLCs in Iranian nuclear program
  • First publicized OT-specific malware
  • Spread via USB, modified PLC logic
  • Lesson: Air gaps alone insufficient

Industroyer/CrashOverride (2016)

  • Designed to control power grid equipment
  • Spoke native ICS protocols
  • Targeted circuit breakers
  • Lesson: Attackers developing OT-specific tools

TRITON/TRISIS (2017)

  • Targeted safety systems (SIS)
  • Attempted to modify safety logic
  • Goal was catastrophic failure
  • Lesson: Safety systems are targets

Modern Ransomware Risks

  • Colonial Pipeline forced to shut down despite IT-only infection
  • Ransomware spreading from IT to OT
  • Encrypted engineering workstations cripple operations
  • Recovery complicated by backup limitations

Implementation Guidance

Phased Deployment Approach

Phase 1: Assessment

  1. Inventory all OT systems and software
  2. Identify critical vs. non-critical systems
  3. Test malware protection solutions in lab
  4. Engage vendors for compatibility guidance

Phase 2: Pilot

  1. Deploy on non-critical systems first
  2. Monitor for operational impact
  3. Refine whitelist and configuration
  4. Document lessons learned

Phase 3: Production

  1. Deploy to critical systems during maintenance windows
  2. Maintain fallback/rollback capability
  3. Monitor closely after deployment
  4. Adjust as needed based on operations feedback

Compensating Controls

When malware protection cannot be deployed:

Enhanced Network Security

  • Stricter network segmentation
  • More aggressive network monitoring
  • Reduced connectivity to other systems
  • Increased physical security

Operational Controls

  • More frequent integrity checks
  • Stricter change control
  • Enhanced vendor management
  • Regular system reviews

Maintenance and Operations

Whitelist Management

  • Change control for whitelist updates
  • Test all changes before production
  • Document all authorized applications
  • Regular reviews of whitelist accuracy

Signature Updates (If Using AV)

  • Centrally managed signatures
  • Test updates in non-production environment
  • Scheduled deployment during maintenance
  • Rollback plan for problematic updates

Monitoring and Tuning

  • Review alerts for false positives
  • Tune detection to reduce noise
  • Investigate all malware detections
  • Update response procedures based on lessons learned

Vendor and Supply Chain Considerations

Vendor Software

  • Only install software from trusted vendors
  • Verify digital signatures
  • Use checksums to verify downloads
  • Maintain software inventory

Vendor Access Controls

  • Scan vendor laptops before connection
  • Dedicated vendor network segments
  • Monitor vendor activities for anomalies
  • Require vendor security attestations
