Antivirus is one of those things that is a standard recommendation on almost any assessment you’ll find, but maybe this is something we need to start rethinking.  We all know that for the most part the current AV model is an arms race that isn’t very functional, and I think it may be even more broken for control systems than it is for other computer systems.

Let’s look at what AV is really good at doing: scanning inputs for known virus signatures.  Some products have fuzzy analysis features built in to detect unknown viruses, but we’ve seen in things like Defcon’s Race to Zero and other research that these are relatively easy to defeat.  The problem I see in relation to control systems is that the things AV is really good at are mostly responses to actions by the user: receiving an email, browsing to a website, loading up a file from a thumbdrive… things which I think most of us can agree don’t really have a place on the control systems/SCADA network.

So the “active” protection portion of AV, while it isn’t useless, probably doesn’t have a lot to offer a properly segregated/firewalled/etc. control system.  The only other part really left is the system scan to find nasty bits that are hiding on the system.  The question here is whether the signature sets and heuristic algorithms are going to be updated often enough on an isolated network to provide meaningful results.  I’ll go out on a limb and say probably not.

Lastly, let’s think about the increased risk that AV software might bring to the control system.  A properly locked down SCADA system should be running the minimum number of services required to get the job done, and given the things we’ve already touched on, adding AV might increase the attack surface and risk profile much more than it reduces them.  Vulnerabilities in AV products are relatively common: they parse everything, and they get it wrong on occasion, and that may be just the foothold someone would need to get into the control system network.  Software has vulnerabilities, and adding more software to a system increases the risk to that system.  That’s why using the “install everything” option on a new Linux system is probably a bad idea.

Vulnerabilities in security products can be especially dangerous since exploits are commonly written for them, and this might allow a much less skilled attacker to cause some mischief.  Speaking of attacker skill, it’s important to remember that AV, for the most part, only works against known threats.  Any significantly targeted attack is going to be invisible to it, and that’s probably the type of attack we should be most concerned with in control systems.

This isn’t to say that AV is completely useless or that it doesn’t have a place in SCADA systems.  Of course these systems need to be checked on a regular basis to ensure that integrity has been maintained and that some aggressive botnet infection isn’t going to start randomly deleting files after it can’t reach its master for X number of days, but maybe we should look at other solutions besides AV installed on the host itself.  Perhaps more effort should be put into antivirus at the perimeter and at logical connection points between network segments, and possibly Nessus-type credentialed AV scans of the systems?  It’s an interesting situation, and one that has a lot of variables depending on the way the control system is set up and managed, with little hope of a one-size-fits-all solution.  How do you approach the larger problem of deciding whether or not the increased functionality of a piece of software is worth the increased risk?
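One concrete shape the “check integrity on a regular basis without putting AV on the host” idea can take is a hash baseline: record a SHA-256 of every file under the directories that matter on a known-good host, keep that baseline off the box, and periodically compare the live filesystem against it (from a scheduled job, or driven by the same credentialed access a Nessus-style scan would use). The following is an added example written for this post, not code from the original author or from any product; the directory layout and file names (`hmi.cfg`, `bin/historian.exe`, `bin/dropper.dll`) are constructed purely for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative, POSIX-style path) to its hash."""
    root = Path(root)
    baseline: Dict[str, str] = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = hash_file(entry)
    return baseline


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    """Persist the baseline as JSON. Store this OFF the monitored host, otherwise
    whoever alters the files can simply rewrite the record to match."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(Path(src).read_text())


def verify_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree to the baseline and report what changed.

    Nothing here needs a signature database: any file that appeared, vanished,
    or changed since the known-good snapshot is flagged, which is exactly the
    class of change a targeted, never-before-seen payload would produce."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name, digest in baseline.items()
        if name in current and current[name] != digest
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: snapshot a fake HMI install, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "known good" host contents (placeholder data, not real binaries).
        (root / "hmi.cfg").write_text("poll_interval=500\n")
        (root / "bin").mkdir()
        (root / "bin" / "historian.exe").write_bytes(b"MZ constructed placeholder binary")

        baseline_path = root / "baseline.json"   # in practice: a separate, protected host
        save_baseline(build_baseline(root), baseline_path)
        baseline = load_baseline(baseline_path)
        baseline_path.unlink()                   # so the baseline file itself is not "added"

        # Simulated changes of the kind a periodic check should surface.
        (root / "hmi.cfg").write_text("poll_interval=500\nallow_remote=1\n")   # modified
        (root / "bin" / "dropper.dll").write_bytes(b"MZ unexpected file")      # added
        (root / "bin" / "historian.exe").unlink()                              # removed

        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check has no heuristics to tune and no signature feed to keep current on an isolated network; its weak points are the ones the post already hints at, namely that the baseline has to be refreshed deliberately after every legitimate patch, and that it must live somewhere the monitored host cannot write to.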