In-brief: news from incumbent endpoint protection firms Symantec and Kaspersky Lab that they are ramping up efforts to sell their wares into industrial control systems environments suggests that the death of anti virus may have been greatly exaggerated.
The conventional wisdom for much of the last decade has been that security for the Internet of Things will be very different than security for the Internet of (Microsoft Windows) PCs. In other words: “You’re not going to have anti virus running on your toaster!” In fact, I believe I have said that very thing on numerous occasions.
A couple of announcements in the last week, however, make me wonder if rumors about the coming death of anti malware technologies might have been “greatly exaggerated,” as the saying goes. Specifically: news from incumbent endpoint protection firms Symantec and Kaspersky Lab that they are ramping up efforts to sell their wares into industrial control systems environments.
On Wednesday, for example, Symantec announced that it was partnering with Rockwell Automation to secure industrial control systems (ICS) environments from malicious attacks. As part of the deal, Rockwell has qualified Symantec’s Embedded Security for Critical Systems Protection (SES:CSP) for use with Rockwell Automation software products in ICS environments.
The SES:CSP product is an endpoint protection agent that uses a combination of features, including application whitelisting, sandboxing and file integrity monitoring, to prevent installation and execution of unwanted or malicious software.
The news followed reports from the Russian firm Kaspersky Lab that it was launching a new Industrial CyberSecurity product to secure industrial control system assets including HMI (human machine interface) panels, engineering workstations, PLCs (programmable logic controllers) and other devices.
Kaspersky has long been interested in the space, publishing original research on industrial systems and even promising a new, secure operating system for industrial devices.
Awareness of the security issues facing industrial control systems is growing both within industry and the government, Marty Edwards, the Director of the Industrial Control System Computer Emergency Response Team (CERT) at DHS, said at the S4 Conference in January. “There’s a general awareness that these systems that operate critical infrastructures (have) weaknesses and vulnerabilities, but that’s about all,” Edwards said. DHS experts on industrial control system security often need to explain the notion that malware infections on support systems like HMI panels shouldn’t lead to the catastrophic shutdown of infrastructure.
Edwards said that private industry has taken the lead in exploring information security issues in industrial systems, but that too often that research picks low-hanging fruit, and is of little utility. “They might buy a device on eBay,” he said. “It’s much harder to get a control system that’s of significant value and used in half the refineries in the US.”
Software-based threats to industrial control systems have been growing in recent years. The Department of Homeland Security has observed an uptick in attacks on industrial firms, while ICS-CERT has warned that HMI (human-machine interface) products from vendors including GE, Advantech/Broadwin and Siemens may have been infected with variants of the BlackEnergy malware.