Yesterday the DHS ICS-CERT published the latest version of the ICS-CERT Monitor. Long time readers of this blog will no doubt understand that I have become less than enamored with this periodical in recent years. It has become more of a corporate selfie than a real communications tool, but occasionally there is an information gem that is worthy of note.
Selfie Components
The Monitor starts with a Trumpian, “look how great I am”, article on a recent training program conducted by ICS-CERT in Japan. It then goes on to announce the publication of a 2-page, color glossy ‘fact sheet’ looking back at last year’s “Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies” update.
There is one page dedicated to ICSJWG news, including an announcement of the Spring meeting dates: April 10–12 in Albuquerque, NM. Unfortunately the ICSJWG web site still does not include an agenda for the fall 2017 meeting, nor is there any mention of the rumored announcement that was made about the reorganization/abolishment/fusion of ICS-CERT.
Finally, we have the standard elements that we have come to know and ignore:
• ICS-CERT Assessment Activity;
• Recent Product Releases;
• Coordinated Vulnerability Disclosure; and
• Upcoming Events
The Gem
Okay, this may be more of a sparkler than a true precious stone, but there is an interesting and worthwhile full-page article on updating of antivirus software in ICS systems. The core assumption in this article is found in the second paragraph:
“The recommended secure network architecture for ICS (Figure 1) places the antivirus, Windows Server Update Services (WSUS), and patch server(s) in the control center LAN DMZ. In this architecture, each level should only send or receive traffic to any directly adjacent level, which precludes the antivirus/WSUS/patch server from communicating directly with either the vendor antivirus servers or the organizational antivirus servers.”
This, of course, leads to the need for downloading the daily AV signature update onto removable media, checking that media for malware, checking the hash, running the update in a test environment, and finally, updating the AV on the appropriate ICS systems. All very neat and tidy, and security compliant; I wonder how many folks actually do this. Or is this really the reason that so many folks are starting to talk about how outdated/useless AV is?
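The “checking the hash” step above is the one that most often gets skipped when the procedure is done by hand, so here is what an automated gate for it can look like. This is an added example, not code from the Monitor article or from ICS-CERT; the manifest format (`filename sha256 <hex>`), the function names, and the sample package bytes are all constructed for the illustration. It hashes the package in chunks (large signature bundles should not be read into memory whole), parses a vendor-style hash manifest, refuses files the manifest does not list, and compares digests in constant time before anything is released to the test environment.

```python
import hashlib
import hmac
import io
import re

# A SHA-256 digest rendered as hex is exactly 64 lowercase hex characters.
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def parse_manifest(text):
    """Parse a 'filename sha256 <hex>' manifest (constructed format) into {filename: hex}.

    Blank lines and '#' comments are skipped. A malformed line raises ValueError
    rather than being ignored, so an operator never proceeds on a partial manifest.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1].lower() != "sha256":
            raise ValueError(f"manifest line {lineno}: unexpected format: {line!r}")
        digest = parts[2].lower()
        if not HEX_SHA256.match(digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        entries[parts[0]] = digest
    return entries


def sha256_stream(fileobj, chunk_size=1024 * 1024):
    """Hash a file object in chunks so a multi-hundred-MB package is never loaded at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_bytes(data):
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return sha256_stream(io.BytesIO(data))


def verify_package(fileobj, filename, manifest):
    """Return True only if the package's SHA-256 matches its manifest entry.

    A filename the manifest does not list is rejected, not skipped: an update the
    vendor did not publish a hash for should never reach the test environment.
    """
    expected = manifest.get(filename)
    if expected is None:
        return False
    actual = sha256_stream(fileobj)
    # Constant-time comparison; both values are ASCII hex strings.
    return hmac.compare_digest(actual, expected)


def gate_for_test_environment(package_bytes, filename, manifest_text):
    """The 'check the hash' step of the procedure. Returns (ok, reason)."""
    try:
        manifest = parse_manifest(manifest_text)
    except ValueError as exc:
        return False, f"manifest rejected: {exc}"
    if verify_package(io.BytesIO(package_bytes), filename, manifest):
        return True, "hash matches manifest; release to test environment"
    return False, "hash mismatch or unlisted file; do not release"


if __name__ == "__main__":
    # Constructed sample package. In practice the manifest comes from the vendor
    # over a separate channel; here it is built from the known-good bytes to show
    # the pass and fail paths.
    good = b"constructed AV signature blob " * 1000
    manifest = f"# constructed vendor manifest\nsigs.bin sha256 {sha256_bytes(good)}\n"
    print(gate_for_test_environment(good, "sigs.bin", manifest))
    print(gate_for_test_environment(good + b"\x00", "sigs.bin", manifest))
    print(gate_for_test_environment(good, "unlisted.bin", manifest))
```

The manifest should travel with the media but be obtained from the vendor's published hashes, not computed from the downloaded file itself, otherwise the check only proves the copy survived the transfer and says nothing about whether the download was tampered with.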
Of course, the same process would be required for updates for all Windows OS, control systems, and device software. Again, does this explain the apparently widespread practice of overlooking/ignoring system updates?