
Friday, August 3, 2018

ICS-CERT Publishes Antivirus Update Advice


Yesterday the DHS ICS-CERT published a new ‘Recommended Practice’ covering the process of updating antivirus software in industrial control systems. ICS-CERT originally addressed this issue in their ICS-CERT Monitor in 2017 and published a short-lived version of this document in January of this year.

The latest version of this recommended practice is very similar to both of the previous ICS-CERT iterations. This version has been at least partially re-written, and the graphics have been updated. For example, the new network architecture diagram now includes a separate ‘Remote SCADA, DCS, or Hybrid System #2’ in the Cell/Area Zone.

Most of the changes in the new version are minor editorial changes. One significant change is the addition of an entirely new paragraph in the ‘Considerations’ section of the document. That new paragraph reads:

“The recommended secure network architecture diagram (Figure 1) depicts the AV/WSUS/ patch server as a single server hosting three separate applications. This increases the risk of a compromise of either the server’s operating system or the applications. If possible, these applications (AV/WSUS/patch) should reside on their own hosts, either physical or virtual, and the hosts hardened and traffic restricted.”

The other significant change is the complete re-wording of the standard disclaimer at the beginning of the document. Most of the wording change will only be of interest to lawyers, but the new document does specify that the document is being shared as “TLP/White”, the least restrictive of the Traffic Light Protocol sharing limits. Interestingly, the TLP system is not included in the government’s controlled unclassified information regulations, so the legal status of the TLP restrictions is iffy at best, though that is certainly not an issue with TLP/White.

Tuesday, January 16, 2018

HR 4773 Introduced – AV for Federal Breaches

Last week Rep. Cartwright (D,PA) introduced HR 4773, the A Necessary and Targeted Impediment to (ANTI) Viruses Act. The bill would require the General Services Administration to acquire a license to an antivirus computer product to give to people whose personally identifiable information was lost in a breach of a Federal computer system. Funding for the AV product would be provided by the agency whose computer system was breached, “derived from amounts made available to the agency for operating expenses” {§2(d)}.

Moving Forward


Both Cartwright and his sole cosponsor {Rep. Norton (D,DC)} are members of the House Oversight and Government Reform Committee to which this bill was assigned for consideration. This means that it is possible that this bill could receive consideration in that Committee.

There is nothing in this bill that would engender significant opposition (beyond an obvious point that I will raise in the Commentary section below). Even the funding for the measure is unlikely to raise any serious discussion. Thus, it is possible that this bill could receive bipartisan support in Committee and on the floor of the House.

Commentary


Okay, the bar has been officially and substantially raised for when it becomes necessary to determine the silliest piece of legislation offered in the 115th Congress. With almost a full year to go, I am pretty confident (and really very hopeful) that this bill will be the hands down winner.

There is nothing in the bill (no ‘findings’ section, for example) that would explain why Cartwright and Norton believe that providing an individual with computer antivirus protection will provide any sort of significant relief when their personally identifiable information has been lost in the breach of a computer network. Even if we assume that network log-in information is among the data lost, and further assume that the individuals use the same log-in credentials on their home computer, an antivirus package is not going to stop someone from using those credentials to access that home computer.

The only thing that could have made this more ludicrous would have been for the bill to include a provision prohibiting the GSA from allowing Kaspersky Labs to submit or be awarded a bid to provide the AV product. {Disclosure Note: I have been using the Kaspersky AV suite for quite some time now and do not see any reason to stop}.

One can only hope that Cartwright and Norton (and the Norton AV people cringe every time I mention her name in this post) are pandering to a specific segment of the technical ignorati in offering this bill for consideration. The only other thing that would explain this cyber-silliness is that neither of these two congresscritters (nor their staff) has any idea what an antivirus program does or how personally identifiable information is misused.

I wrote above that there was nothing in this bill that would engender any specific (‘active’ probably would have been a better word) opposition. What I meant is that there is no political, ideological or financial reason for this bill to draw opposition. The fact that losing PII does not lead to the victim’s computer being hacked (the reverse sequence certainly happens), so that there is no need to provide people with AV protection, is not sufficient to draw opposition to the bill.


Okay, I just thought of something. Maybe there is a useful purpose in this bill. Since the agency whose computer system was breached is responsible for paying for the AV product out of their operating budget, this bill would effectively be a fine on that agency for their lack of cybersecurity competency. This could end up being a sizeable financial incentive to have adequate cybersecurity in place. Of course, it could end up bankrupting an agency (Wouldn’t you just love to be the Bankruptcy Judge sitting on that case????) and in many cases that could be a good thing. But if that is the ‘purpose’ of this bill, please spend the money on something else; give the folks a tank of gas, or something else worthwhile, not an antivirus program.

Sunday, August 11, 2013

Medical Malware – Detection Techniques

There is an interesting article over at TechnologyReview.com about cybersecurity and medical devices. A lot of it is a rehash of things we’ve been hearing out of the black hat community for a couple of years now and is reflected in the recent FDA draft guidance on cybersecurity. There are two interesting new items that I hadn’t seen discussed before: a new method of detecting medical malware and a discussion about the use of anti-virus software on medical devices.

Power Detection of Malware

The article contains a link to a journal article (in the Proceedings of the USENIX Workshop on Health Information Technologies, 2013) about a power monitoring system (WattsUpDoc) that can be used to detect the unusual power consumption associated with a malware attack on a medical device. The authors noted that if one has an accurate history of a device’s normal power consumption patterns, then changes in those patterns can be used to detect when a device has been compromised by a cyber-attack. Their paper also claims to have validated the technique on an industrial scale SCADA system.
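To make the baseline-then-deviation idea concrete, here is an added toy example (my own code for this post, not the WattsUpDoc implementation, which is considerably more sophisticated than this). The device profile, the sample rate and the wattage figures are all constructed for illustration; the only thing it shows is the mechanics of learning a normal power profile from a known-good trace and flagging later windows whose statistics drift from it.

```python
"""Baseline-and-deviation detector over a device's power draw.

Added example, not the WattsUpDoc code: it keeps only the core idea from
the paragraph above (learn what normal consumption looks like, then flag
traces whose statistics drift from it). All traces below are constructed.
"""
from statistics import mean, pstdev

WINDOW = 12  # samples per analysis window: one full duty cycle of the toy device


def synth_trace(cycles, idle_w=3.0, active_w=7.5, extra_w=0.0):
    """Constructed 1 Hz wattage trace for a hypothetical pump-like device:
    8 samples idle, 4 samples with the motor running, repeated `cycles` times.
    `extra_w` models a constant parasitic load (e.g. an unexpected process
    keeping the CPU busy) riding on top of the normal profile."""
    trace = []
    for c in range(cycles):
        ripple = 0.05 * ((c % 3) - 1)  # small deterministic drift per cycle
        trace += [idle_w + ripple + extra_w] * 8
        trace += [active_w + ripple + extra_w] * 4
    return trace


def windows(trace, size=WINDOW):
    """Non-overlapping windows; a trailing partial window is dropped."""
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, size)]


def window_features(samples):
    """Summarise one window as (mean watts, std dev, fraction above mean)."""
    m = mean(samples)
    duty = sum(1 for x in samples if x > m) / len(samples)
    return (m, pstdev(samples), duty)


def learn_baseline(trace, rel_floor=0.05):
    """Per-feature (mean, spread) over every window of a known-good trace."""
    feats = [window_features(w) for w in windows(trace)]
    baseline = []
    for col in zip(*feats):
        mu, sd = mean(col), pstdev(col)
        # Floor the spread: a feature that is nearly constant in training
        # would otherwise turn rounding noise into a huge z-score.
        sd = max(sd, rel_floor * abs(mu), 1e-6)
        baseline.append((mu, sd))
    return baseline


def score_windows(trace, baseline, threshold=4.0):
    """Return (worst z-score, indices of windows exceeding `threshold`)."""
    worst, flagged = 0.0, []
    for i, w in enumerate(windows(trace)):
        z = max(abs(f - mu) / sd
                for f, (mu, sd) in zip(window_features(w), baseline))
        worst = max(worst, z)
        if z > threshold:
            flagged.append(i)
    return worst, flagged


if __name__ == "__main__":
    base = learn_baseline(synth_trace(30))
    for label, extra in (("clean", 0.0), ("+1.5 W parasitic load", 1.5)):
        worst, hits = score_windows(synth_trace(10, extra_w=extra), base)
        print(f"{label}: worst z = {worst:.2f}, flagged windows = {hits}")
```

The clean trace scores well under the threshold while the trace carrying an extra constant 1.5 W load is flagged in every window. The obvious caveat, and the reason the real work is harder than this sketch, is that the same detector will also fire on legitimate changes (a new operating mode, a firmware update, aging hardware), so the baseline has to cover every normal state of the device or the alarms become noise.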

I’ll leave the technical evaluation of the technique to people with the appropriate expertise, but it would seem to me that this technique might be particularly valuable in safety systems because of the very constrained outputs of those systems.

Medical Anti-Virus Problems

Sorry, I couldn’t resist that heading. 

The article explains that many medical devices cannot use commercial anti-virus software because they are running on proprietary operating systems. The ones that are using variations of a Microsoft OS might be able to use off-the-shelf AV software, but device manufacturers do not allow (or support) the use of third party software (or I suspect even the update of the MS-OS) because of the very real potential for unexpected conflicts with the device software.


This is not an unknown problem for many control systems, but a software lockup on one’s pacemaker could be even more troublesome than the shutting down of a production line. But with the rise of hackers actively looking at medical device control systems, it seems to me that there is a significant need to come up with a workable solution to the AV problem.
 