Protecting industrial PCs: Early discovery and containment with CIFS monitoring
A large number of legacy industrial PCs (IPCs) are still deployed in active control and monitoring roles. Most of these IPCs are running older, out-of-support operating systems such as Windows 2000 or XP. Microsoft Windows 2000 support expired July 2010, and Windows XP support ends April 2014.
Although many vulnerabilities and flaws remain open, Microsoft is no longer providing patches or service packs for old and non-supported operating system versions. Microsoft has already admitted that there will be many “permanent 0-days” left in Windows XP once support ends. This leaves these PCs susceptible to worms, viruses and other malware. While a portion of these IPCs have some anti-virus installed, their level of protection is still low, as evidenced by the Stuxnet worm spreading through many industrial networks.
Traditional anti-virus (AV) operates on a “signature-based” model: the AV engine compares files and activities to a database of known virus signatures, and if it finds a match it deletes or quarantines the offending file and pops up a warning. This model has two flaws, especially as it relates to the industrial network world: first, each IPC must update its AV database frequently to detect and protect against new viruses and worms; second, new “zero-day” malware is not detected at all by the AV, because it does not yet have a “signature” in the database.
The first flaw makes updating inconvenient and often impractical: IPCs aren’t typically connected to the Internet, which makes signature updates difficult, and each update must also be tested to ensure it doesn’t hamper the availability of the control network. The second flaw is the reason that Stuxnet existed for a year in the wild, undetected and infecting Siemens-based control systems and Windows-based IPCs.
CIFS monitoring, based on the Common Internet File System protocol, is an alternative to traditional anti-virus and is a superior choice for monitoring and protecting industrial PCs for a number of reasons. CIFS monitoring works by first taking a baseline snapshot of some or all of your Windows or Linux filesystem. An industrial security device can do this remotely over the network, by “mounting” built-in default Windows network shares or user-defined network shares and communicating via the CIFS protocol. After scanning the files and building the baseline, it stores hash information on the monitored files either locally on the device or remotely on a central server. Finally, the security device can be scheduled to scan periodically, or run a scan on user demand. If any of the monitored files have been modified or deleted, or if new files have been added to the monitored directory, an alert is generated in the form of an email, SNMP trap and/or log warning. At this point, corrective action can be taken by the engineering, maintenance, or IT staff.
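The baseline-and-rescan cycle described above is small enough to show end to end. The following Python is an added illustration, not code from the original article or from any monitoring product it describes: it hashes every regular file under a directory (standing in for a CIFS share mounted on the appliance, e.g. at a path like `/mnt/ipc-07`, which is an assumed mount point), stores the digests as the baseline, rescans, and classifies the differences into the three alert classes the article names: modified, added and deleted. The hostname, directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Read files in fixed-size chunks so large binaries on a mounted share
# are never pulled into memory in one piece.
CHUNK = 1 << 16


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of one file's contents."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root, algorithm="sha256"):
    """Walk `root` (a locally mounted share in practice) and return
    {relative_posix_path: hexdigest} for every regular file.
    Symlinks are skipped so a link cannot redirect the scan."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algorithm)
    return baseline


def compare(baseline, current):
    """Classify differences between two scans into the three change
    classes an integrity monitor alerts on. A renamed file shows up as
    one 'deleted' plus one 'added' entry."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def format_alerts(host, changes):
    """Render changes as syslog-style warning lines (constructed format;
    a real appliance might also send email or an SNMP trap here)."""
    lines = []
    for kind in ("modified", "added", "deleted"):
        for rel in changes[kind]:
            lines.append(f"WARNING cifs-monitor host={host} event=file_{kind} path={rel}")
    return lines


def demo():
    """Build a constructed tree, baseline it, apply one change of each
    class, rescan and return (changes, alert_lines)."""
    with tempfile.TemporaryDirectory() as share:
        root = Path(share)
        (root / "bin").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"MZ original HMI binary")
        (root / "config.ini").write_text("setpoint=42\n")
        (root / "readme.txt").write_text("operator notes\n")
        baseline = take_baseline(root)

        # What the next scheduled scan would see after the filesystem changed.
        (root / "bin" / "hmi.exe").write_bytes(b"MZ replaced HMI binary")  # modified
        (root / "bin" / "unknown.dll").write_bytes(b"file not in baseline")  # added
        (root / "readme.txt").unlink()  # deleted

        changes = compare(baseline, take_baseline(root))
        # Hostname is constructed for the example.
        return changes, format_alerts("ipc-07.plant.example", changes)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Two points the sketch makes concrete: the IPC only serves file reads, so all hashing cost lands on the scanner, and the baseline dictionary is the trust anchor, so it belongs on the appliance or a central server rather than on the monitored PC, where the same change that altered the files could alter the baseline.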
CIFS monitoring offers a number of advantages to the security-minded plant manager:
· Because CIFS monitoring works without needing a malware database or signature file provided by a third party, there is no need for update files, nor do the PCs being monitored need to have Internet connectivity for any reason.
· Since an alert is generated on any files that are modified, added, or deleted, and not those that “match a signature,” CIFS monitoring can detect unknown malware that traditional anti-virus would miss. Additionally, it can be utilized for change-control in a validated or audited system.
· CIFS monitoring can be used to monitor and protect any Windows or Unix system, regardless of the revision of the OS, its patch level and whether or not it is still vendor-supported. Anti-virus, on the other hand, is no longer being sold for old OS versions like Windows 2000, despite the still-widespread usage of these systems in critical infrastructure.
· CIFS monitoring can be done by a central appliance; there is only a single license needed to scan and protect multiple devices, not one per device (as in traditional security software), representing an economic benefit.
· The bulk of the “heavy lifting” in terms of CPU and memory utilization is done by the central security appliance, not the IPCs. Because the scans are done by mounting the monitored filesystem, the resource utilization on the IPC is mostly limited to disk I/O, which is generally not as critical to operations and real-time control as the CPU.
That is not to say there are no drawbacks to CIFS monitoring versus other methods. The main disadvantage is that CIFS monitoring is reactive rather than proactive protection. That is, CIFS monitoring will not prevent malware or unintended changes from being made to an IPC that it is protecting; rather, it will alert the operations staff after detecting the changes at the next scan. It is incumbent upon the staff to act accordingly upon receiving the alert and to investigate how and why the filesystem was modified.
To summarize, there are a large number of PCs in industrial applications that are currently running older and unsupported operating systems; that number will jump significantly in April 2014 when Windows XP becomes officially unsupported. CIFS monitoring offers a number of technical and process-related advantages for monitoring and protecting these critical devices. It is particularly useful in protecting those devices that would otherwise be defenseless due to their OS level, and those devices unable to run, or keep updated, traditional anti-virus or other security software.