Friday, August 3, 2018

ICS-CERT Publishes Antivirus Update Advice

Yesterday the DHS ICS-CERT published a new ‘Recommended Practice’ covering the process of updating antivirus software in industrial control systems. ICS-CERT originally addressed this issue in their ICS-CERT Monitor in 2017 and published a short-lived version of this document in January of this year.

The latest version of this recommended practice is very similar to both of the previous ICS-CERT iterations. This version has been at least partially re-written, and the graphics have been updated. For example, the new network architecture diagram now includes a separate ‘Remote SCADA, DCS, or Hybrid System #2’ in the Cell/Area Zone.

Most of the changes in the new version are minor editorial changes. One significant change is the addition of an entirely new paragraph in the ‘Considerations’ section of the document. That new paragraph reads:

“The recommended secure network architecture diagram (Figure 1) depicts the AV/WSUS/ patch server as a single server hosting three separate applications. This increases the risk of a compromise of either the server’s operating system or the applications. If possible, these applications (AV/WSUS/patch) should reside on their own hosts, either physical or virtual, and the hosts hardened and traffic restricted.”

The other significant change is the complete re-wording of the standard disclaimer at the beginning of the document. Most of the wording change will only be of interest to lawyers, but the new document does specify that it is being shared as “TLP/White”, the least restrictive of the Traffic Light Protocol sharing limits. Interestingly, the TLP system is not included in the government's controlled unclassified information regulations, so the legal status of the TLP restrictions is iffy at best, though that is certainly not an issue with TLP/White.
