Thursday, November 30, 2017

ICS-CERT Publishes Latest Monitor – Sep-Oct 2017

Yesterday the DHS ICS-CERT published the latest issue of the ICS-CERT Monitor. Long-time readers of this blog will no doubt understand that I have become less than enamored with this periodical in recent years. It has become more of a corporate selfie than a real communications tool, but occasionally there is an information gem that is worthy of note.

Selfie Components

The Monitor starts with a Trumpian "look how great I am" article on a recent training program conducted by ICS-CERT in Japan. It then goes on to announce the publication of a 2-page, color glossy 'fact sheet' looking back at last year's update of the "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies".

There is one page dedicated to ICSJWG news, including an announcement of the Spring meeting dates; April 10–12 in Albuquerque, NM. Unfortunately the ICSJWG web site still does not include an agenda for the fall 2017 meeting, nor is there any mention of the rumored announcement that was made about the reorganization/abolishment/fusion of ICS-CERT.

Finally, we have the standard elements that we have come to know and ignore:

• ICS-CERT Assessment Activity;
• Recent Product Releases;
• Coordinated Vulnerability Disclosure; and
• Upcoming Events

The Gem

Okay, this may be more of a sparkler than a true precious stone, but there is an interesting and worthwhile full-page article on updating antivirus software in ICS environments. The core assumption in this article is found in the second paragraph:

“The recommended secure network architecture for ICS (Figure 1) places the antivirus, Windows Server Update Services (WSUS), and patch server(s) in the control center LAN DMZ. In this architecture, each level should only send or receive traffic to any directly adjacent level, which precludes the antivirus/WSUS/patch server from communicating directly with either the vendor antivirus servers or the organizational antivirus servers.”

This, of course, means that the daily AV signature update has to be downloaded onto removable media, the media scanned for malware, the hash of the update file verified (against a value obtained separately from the media itself, or the check proves nothing), the update run in a test environment, and only then applied to the AV installations on the appropriate ICS systems. All very neat and tidy, and compliant with the recommended architecture; I wonder how many folks actually do this. Or is this really the reason that so many folks are starting to talk about how outdated/useless AV is?

Of course, the same process would be required for updates to all Windows OS, control system, and device software. Again, does this explain the apparently widespread practice of overlooking/ignoring system updates?
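As an added illustration of the "check the hash" step in the sneakernet procedure described in the two paragraphs above (this is my own example code, not anything published by ICS-CERT or taken from the Monitor), here is a small Python script that verifies a batch of files staged on removable media against a manifest. The file names, the manifest format (sha256sum-style lines), and the sample contents are all hypothetical; the manifest is assumed to have been obtained through a different channel than the media, since a hash that rides along with the files it describes can be replaced along with them. The same check applies unchanged to AV signatures, WSUS bundles, or vendor firmware, which is why one example serves both paragraphs.

```python
"""
Hypothetical offline-update staging check (added example, not from ICS-CERT).

Models the "check the hash" step for updates carried across an air gap on
removable media: every file on the media must be listed in a manifest that
was obtained separately from the files, and its SHA-256 must match. Anything
unlisted or mismatched is rejected before it reaches the DMZ update server.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large patch bundles don't load into RAM


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex digest>  <relative filename>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip()] = digest.lower()
    return expected


def verify_media(media_dir: Path, manifest_text: str) -> dict:
    """
    Return {filename: status} where status is 'ok', 'mismatch', 'missing'
    (listed in the manifest but absent from the media) or 'unlisted'
    (present on the media but not in the manifest).
    """
    expected = parse_manifest(manifest_text)
    present = {p.name: p for p in media_dir.iterdir() if p.is_file()}
    results = {}
    for name, digest in expected.items():
        if name not in present:
            results[name] = "missing"
        elif sha256_file(present[name]) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for name in present:
        if name not in expected:
            results[name] = "unlisted"
    return results


def media_is_clean(results: dict) -> bool:
    """Deployment may proceed only if there is at least one file and all are 'ok'."""
    return bool(results) and all(s == "ok" for s in results.values())


def demo() -> tuple:
    """Constructed sample media: one good file, one tampered file, one file
    that was never in the manifest, and one manifest entry with no file."""
    with tempfile.TemporaryDirectory() as d:
        media = Path(d)
        good = b"AV-signature-blob-2017-11-28"  # constructed sample content
        (media / "sigs.dat").write_bytes(good)
        (media / "patch.msu").write_bytes(b"bytes that differ from what was listed")
        (media / "autorun.inf").write_bytes(b"[autorun]\nopen=evil.exe\n")
        manifest = (
            "# hypothetical manifest, received separately from the media\n"
            f"{hashlib.sha256(good).hexdigest()}  sigs.dat\n"
            f"{hashlib.sha256(b'the bytes the vendor actually published').hexdigest()}  patch.msu\n"
            f"{'0' * 64}  readme.txt\n"
        )
        results = verify_media(media, manifest)
        return results, media_is_clean(results)


if __name__ == "__main__":
    res, clean = demo()
    for name, status in sorted(res.items()):
        print(f"{status:9s} {name}")
    print("DEPLOY" if clean else "REJECT media")
```

Running it rejects the sample media: sigs.dat passes, patch.msu is flagged as a mismatch, readme.txt is missing, and autorun.inf is reported as unlisted. The point of the last status is that a hash check which only looks at the files named in the manifest would happily ignore whatever else rode in on the stick; a pass/fail decision on the whole media is what the procedure in the Monitor article actually needs.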
