Yesterday the DHS ICS-CERT published a new ‘Recommended Practice’ covering the process of updating antivirus software in industrial control systems. ICS-CERT originally addressed this issue in their ICS-CERT Monitor in 2017 and published a short-lived version of this document in January of this year.
The latest version of this recommended practice is very
similar to both of the previous ICS-CERT iterations. This version has been at
least partially re-written, and the graphics have been updated. For example,
the new network architecture diagram now includes a separate ‘Remote SCADA,
DCS, or Hybrid System #2’ in the Cell/Area Zone.
Most of the changes in the new version are minor editorial
changes. One significant change is the addition of an entirely new paragraph in
the ‘Considerations’ section of the document. That new paragraph reads:
“The recommended secure network architecture diagram (Figure 1) depicts the AV/WSUS/patch server as a single server hosting three separate applications. This increases the risk of a compromise of either the server’s operating system or the applications. If possible, these applications (AV/WSUS/patch) should reside on their own hosts, either physical or virtual, and the hosts hardened and traffic restricted.”
The other significant change is the complete re-wording of
the standard disclaimer at the beginning of the document. Most of the wording
change will only be of interest to lawyers, but the new document does specify
that the document is being shared as “TLP/White”, the least restrictive of the Traffic Light Protocol sharing limits.
Interestingly, the TLP system is not included in the government’s controlled unclassified information regulations, so the legal status of the TLP restrictions is iffy at best, though that is certainly not an issue with TLP/White.