Is anti-virus protection for you?

Dennis Brandl, BR&L Consulting -- Control Engineering, 11/1/2006

If the question is, “Should it run anti-virus software?” the answer is usually an easy “yes” when the applications are commercial databases, historian systems, or other non real-time control applications. However, if the applications involve real-time control or guaranteed response times, such as HMIs, DCS systems, or PC-based control systems, then the answer is not so easy.

There is a valid concern in control applications that anti-virus software may seriously impact performance, disrupt production, and void control system vendor support contracts. NIST (National Institute of Standards and Technology), Sandia National Laboratories, manufacturing companies, and control system vendors recently conducted a study on the impact of anti-virus software on industrial control systems. The study confirmed some fears but also points to a path forward for the additional protection offered by anti-virus software.

First the bad news: manual scans and scheduled full system scans will take up all available CPU cycles, pushing utilization to 100% for extended periods of time. This can seriously impact application performance. Reducing the priority of the scan reduces, but does not eliminate, the performance impact and increases the period of instability. Signature updates, where new virus signatures and sometimes new scan engines are downloaded, can also take up all of the available CPU cycles, but usually for less time than a full system scan. Even worse, signature updates may also require reboots.

The good news is that active scanning, which is the scanning of executables and libraries prior to execution, has minimal impact on industrial control systems.

Anti-virus software should be only one layer in a multi-layered defense. It is usually the last line of defense before your system is compromised. Anti-virus software supplements other layers, such as firewalls between business and control networks, separate user authentication controls for control networks, separate network access controls for control networks, network based intrusion detection systems, and strict control of installed applications.

Anti-virus software can be applied to industrial control applications but several rules should be followed. First, validate that the anti-virus software works with the system applications by testing in a separate system, and validate that the software will not void your vendor support agreement. System owners may have to test several anti-virus solutions and may need separate subscriptions for control system applications.

Second, disable scheduled full system scans. This will prevent an inadvertent scan at an inconvenient time, such as in the middle of the night during a rush order job. Initiate all full system scans manually on a regular basis at known down times, or when the impact of the scan will not affect safety or quality.

Third, use a local virus definition server and do not directly allow virus signature updates from the anti-virus vendor's systems. This allows system administrators to plan and schedule the updates at safe times; it removes a direct link from the control system to the internet; and it allows the system owner to test the impact of the new signature or scan engine prior to distribution.

Fourth, keep the application servers clean. This means uninstalling unnecessary applications, especially those that may come preinstalled on commercial servers. This reduces the number of files that must be scanned, removes hidden direct links between the application server and the Internet, and reduces the number of applications that can be infected.

Anti-virus software is often the last line of defense in secure systems and applying these rules allows anti-virus software to be run on control systems with minimal performance impact. However, support and diligence are needed to perform full system scans and signature updates under manual control.