Updating antimalware solutions in industrial control systems

How can we keep antimalware solutions up to date without compromising the ICS environment?

As we all know, to fight the latest cyberthreats, an antimalware solution needs to be up to date. Usually no questions arise about updating office endpoints — they have direct Internet connections, and the updating process is automated. However, in industrial automation infrastructure, common air-gapped conditions or limited connectivity complicate updates. How can we keep those systems up to date without compromising ICS environments?


One of the most popular strategies is using what is known as the “sneakernet” method. That is, someone downloads updates from the antimalware vendor servers to a dedicated host, writes them to removable media, and walks that media around to update each node in the ICS network. This method obviates direct communication between vendor update servers and the nodes inside the industrial facility.

The sneakernet method’s main drawback is that it requires on-site administrators to implement it correctly — and regularly. It is both labor intensive and time-consuming, which is why many ICS networks rely on outdated antimalware signature databases. Sadly, we regularly find this is the case when carrying out ICS security assessments.

The method requires discipline to work, as well as an endpoint solution with the ability to get updates on removable media. Implementing it means repeatedly fetching manual updates for all operating systems, control systems, and device software. And that requires a yet-unseen collaboration of ICS suppliers and vendors.

True Cybersecurity

What you really need is a technically advanced endpoint solution that can receive updates from a centralized, on-premise update server; it’s much simpler and faster to deliver updates to a single point. That’s why we recommend a security solution that supports updates from a single, trusted source, such as a local management server installed inside an industrial network segment.

An AV engine on its own is unlikely to protect ICS network endpoints from malware and other threats adequately. Rather, a multilayered approach is needed, with all endpoints receiving comprehensive protection to avoid infection from new malware. Instead of relying solely on database updates, it must include non-signature-based means of protection, such as specialized anti-encryption technology that can handle new ransomware attacks; lists of allowed application; and device usage control (to restrict the use of memory sticks and dongle modems). Those will significantly harden your defenses and can function without updates for a long time

At the same time, ICS endpoint protection must be lightweight and specifically adapted for applications in ICS environments: tested with ICS software, having support for legacy OSes and low resource consumption, with optional monitoring (nonblocking) modes of protection, and able to be updated locally. A final ICS-environment consideration, endpoint protection should be able to operate for a long time without rebooting.

For protecting industrial network that use PLCs and IEDs, other methods are a need, not an option; it is not possible to install endpoint protection software on them. Rather, we recommend tools that allow network security monitoring and configuration or logic integrity monitoring.

It’s important to understand that endpoint solutions are still not enough to detect advanced industrial attacks. Only the collaborative work of an industrial network anomaly detection solution and specialized endpoint protection can ensure security against generic cyberthreats and detection of advanced attacks and fraudulent actions.

Recently, our colleagues over at NCCIC/ICS-CERT published a document called “Recommended Practice: Updating Antivirus in an Industrial Control System” that contains comprehensive guidelines for antivirus update strategies, which can help ICS companies manage their security updates.