The challenges of upgrades in industrial environments

Posted date 24/08/2023
Author
INCIBE (INCIBE)

For years, the cyber world has been plagued by constant threats from malicious programs, such as malware. To counter these threats and try to minimize the impact on end-users' systems, a type of software called antimalware started to be developed. 

The main task of anti-malware programs is to prevent any infection. This can be done in different ways, but the main methods of detection and prevention are:

  • Scan before downloading a file or executable. In case it is malicious, the download is blocked.
  • Scan all or some of the files on the computer for malware. If a malicious file is detected, it is quarantined for later deletion.
  • Block malicious actions on a computer. Given today's knowledge about malicious executions by some malware families, it is considered necessary to use all types of current technologies to prevent such executions.

Different anti-malware products can combine several forms of detection and prevention, including methods not in the list above, to detect this type of cyber-attack with increasing accuracy.  
As both computer attacks and the malware developed by attackers are becoming increasingly sophisticated, new vulnerabilities are being found every day. This makes it necessary for anti-malware software to be updated with the latest possible information in order to be able to detect all threats.

Antimalware software in ICS environments

Just as malicious software or malware exists for home and office computing environments, it also exists for industrial environments. There it is highly critical for the computing devices that control industrial machinery, because a failure could cause anything from multi-million losses for the company to putting at risk elements that are essential for humans.

However, industrial environments have presented a peculiarity that has posed a challenge for antivirus programs. These environments, for the most part, used to be isolated from the corporate network and had no connection to the Internet, so updating their intelligence was a complex task.

Updates and patches in ICS environments

Antimalware software vendors are aware of the problems in industrial environments and have been working for years to find a solution. Nowadays, there are different anti-malware products focused on this type of environment, which handle updates in different ways. We are going to analyse the two approaches that are most common and established in the market: portable solutions and the one known as "Sneakernet".

Portable solutions

One solution to this problem is to use portable antimalware software, i.e., software that does not need to be installed on the computer. The antimalware software sits on a removable drive and starts working as soon as the drive is connected to a device, without anything being installed on the computer. In this way, every time a software update is required, the only thing that needs to be done is to replace the connected USB drives with others that carry the updated software.

Sneakernet

To solve the challenge of installing updates to anti-malware solutions within industrial environments, an approach has been implemented that consists of downloading the update patches to a host specifically designated for this purpose. These patches are transferred to a removable drive, which is then used by an operator with physical access to the industrial environment who will apply the updates to the appropriate devices. This method avoids direct communication between the vendor's update servers and the nodes in the industrial facility, thus providing an additional layer of security.  
But this method also has its drawbacks since it requires on-site administrators to perform this update process correctly and with some regularity. Due to the high cost in time and dedication this requires, there are many companies that do not apply patches regularly enough, so they have outdated or obsolete malware databases, making them vulnerable to the latest malware. Unfortunately, this is the case for many companies, since in order to correctly perform this method, a robust update policy must be developed and applied, following procedures in an optimized manner.
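The two weak points of the Sneakernet procedure described above are the removable drive itself and how regularly it is refreshed. The following added example (not part of the original article or of any vendor's product) sketches a check for both: the staging host records a SHA-256 hash per package, and the operator verifies the drive before applying it. The manifest file name, the package names and the 7-day policy are assumptions made for illustration.

```python
import hashlib, json, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical manifest name (assumption)

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def payload(drive):
    """Relative names of every file on the drive except the manifest."""
    return sorted(p.relative_to(drive).as_posix() for p in drive.rglob("*")
                  if p.is_file() and p.name != MANIFEST)

def stage(drive, now):
    """Staging host: record a hash for every package copied to the drive."""
    files = {name: sha256_file(drive / name) for name in payload(drive)}
    doc = {"created": now.isoformat(), "files": files}
    (drive / MANIFEST).write_text(json.dumps(doc))

def check(drive, now, max_age_days=7):
    """ICS side: reasons not to apply the drive's contents (empty list = OK)."""
    doc = json.loads((drive / MANIFEST).read_text())
    problems = []
    age = now - datetime.fromisoformat(doc["created"])
    if age > timedelta(days=max_age_days):  # update policy threshold (assumed)
        problems.append(f"stale: staged {age.days} days ago")
    on_drive = set(payload(drive))
    for name, digest in doc["files"].items():
        if name not in on_drive:
            problems.append(f"missing: {name}")
        elif sha256_file(drive / name) != digest:
            problems.append(f"modified: {name}")
    problems += [f"unexpected: {n}" for n in sorted(on_drive - set(doc["files"]))]
    return problems

def demo(tamper=True, days_later=10):
    """Constructed sample: stage two packages, optionally alter the drive."""
    with tempfile.TemporaryDirectory() as d:
        drive = Path(d)
        (drive / "defs_2023-08-24.pkg").write_bytes(b"constructed signature data")
        (drive / "engine_patch.pkg").write_bytes(b"constructed engine patch")
        staged_at = datetime(2023, 8, 24, tzinfo=timezone.utc)
        stage(drive, staged_at)
        if tamper:  # simulate changes picked up between staging and plant floor
            (drive / "engine_patch.pkg").write_bytes(b"altered in transit")
            (drive / "autorun.inf").write_text("[autorun]")
        return check(drive, staged_at + timedelta(days=days_later))

if __name__ == "__main__":
    print("\n".join(demo()) or "drive OK")
```

A manifest stored on the same drive only catches accidental or unsophisticated changes; for stronger assurance it should be signed on the staging host or carried to the operator by a separate channel.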

Conclusion

Every day we become more and more aware of the number of people with malicious intentions that can be found on the Internet. These people are skilled and knowledgeable enough to be able to develop malicious software and have no qualms about spreading it on the Internet. In order to combat this, there is no doubt that software dedicated to preventing, detecting and eliminating a malware-type cyberattack is a basic and essential tool for any company. But it is not enough to have it installed; it is also necessary for the program to be constantly updated if we want it to work properly.

It is true that in IT environments it is much easier to update this software, because in many cases it is even updated automatically, but the industrial environment must not be neglected, even if it is more costly. If the infection of a device in an IT environment with malware can set off all the alarms in a company because of the consequences it can have, a malware infection in a device in an industrial environment can have much more serious consequences because it could affect critical infrastructures.