The cybersecurity landscape is continuously evolving, especially within OT (operational technology) environments, where the stakes are exceptionally high. Asset owners often must provide network access to third-party vendor laptops for daily operations.
Relying on traditional antivirus live scanning as a fundamental security measure is no longer sufficient for protecting critical OT infrastructure against sophisticated cyberthreats. This observation does not suggest that live antivirus scanning should be discontinued, but rather highlights the security gaps that need to be addressed with advanced solutions to secure your critical infrastructure.
Why Traditional Live Antivirus Scanning Isn’t Enough
- Detection Rate Limitation: A single antivirus engine has a detection rate of only about 45.6%, according to OPSWAT research. Enhance coverage and reduce risk by adopting multiscanning technology.
- Scan Area Coverage Limitation: Live antivirus scanning provides limited detection capabilities, focusing primarily on specific areas of the target device, such as user space, while leaving critical areas unscanned, such as the kernel/OS, UEFI/BIOS, and device hardware.
- Inability to Scan Encrypted Disks/Files: Traditional live antivirus scanning cannot scan encrypted disks or file systems as it relies on the running OS to decrypt them.
- Impact on System Performance: Live antivirus scanning, especially when performed in real time, can significantly hinder the operation of critical infrastructure. According to NIST SP 1058, antivirus software may negatively impact the time-critical control processes of an ICS.
- Risk of Network Propagation: Since live antivirus scanning is performed while the device is still running, malware could potentially spread inside the OT air-gapped network before it is detected and mitigated.
- Defenseless Against Unknown Threats/Sophisticated Malware: Live antivirus technology scans while the operating system is running, making it vulnerable to advanced threats like GRUB BootHole, Petya/NotPetya, TDSS/TDL-4, and various rootkits that can evade traditional antivirus detection.
Scanning Transient and Stationary Devices in OT Cybersecurity with OPSWAT’s MetaDefender Drive
To fortify a defense-in-depth strategy, organizations should address the known gaps of live antivirus scanning. OT environments have unique characteristics and require specialized anti-malware solutions to protect critical networks from threats posed by transient cyber assets and stationary devices. OPSWAT’s MetaDefender Drive sits between those threats and an organization’s critical infrastructure.
Secure Boot Bare Metal Scan
Scan target devices without installing any software, detect malicious content that traditional antivirus cannot see, and scan for malware in hidden areas such as the Master Boot Record (MBR) and Partition Boot Sector (PBS) at the hardware level. Protect against boot sector viruses like Michelangelo, Petya/NotPetya, and TDSS/TDL-4 and against rootkits, and use Secure Boot to defend against GRUB BootHole, as advised by the NSA in its July 30 advisory.
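The hidden-area check described above, as an added illustration that is not part of this page or of MetaDefender Drive: a Python routine that parses a raw 512-byte MBR read offline (not through the running OS), hashes its boot-code region against a known-good baseline and flags malformed partition entries or a missing boot signature. The sample sectors, baseline hash and boot-code byte values are constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"   # MBR boot signature at offset 510
ENTRY_FMT = "<B3xB3xII"  # status, CHS skipped, type, CHS skipped, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),  # bytes 0-439
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIG,
    }

def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Compare an MBR read offline against a known-good baseline and return findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    if sum(p["status"] == 0x80 for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid partition status byte 0x{p['status']:02x}")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one active NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(ENTRY_FMT, sector, 446, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

# Constructed inputs: a baseline captured from a trusted image and a tampered copy.
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # placeholder bytes
BASELINE_HASH = parse_mbr(BASELINE_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)            # boot code replaced
```

In practice the baseline hash would be recorded from a trusted image of the device, and the sector read with the target powered down via a bootable scanner rather than from the live OS.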
Multiscanning Technology
Improve detection rates with multiple, leading anti-malware engines.
Inoperable OS Recovery
Recover inoperable operating systems by booting from MetaDefender Drive’s built-in OS.
Minimal Impact on OT Operations
Reduce OT device performance issues while ensuring that critical operations are not impacted.
Reduced Risk of Propagation
Offline scanning, performed before a device connects to the network, minimizes the risk of detected threats propagating to other parts of the OT system.
Compliance with Regulatory Mandates
Offline scanning helps support compliance with regulatory mandates such as NIST SP 800-53, NIST SP 800-82, ISO/IEC 27001, U.S. Executive Order 14028, NIST FIPS 140-2, CIP-003-7, CIP-010-4, and ANSSI by ensuring that transient and stationary devices are safe to use before connecting to the OT network.
For more in-depth insights on effectively securing your OT environment, download our whitepaper, which debunks common misconceptions about live antivirus scanning and highlights the security risks under current protocols. Explore the benefits of adopting a comprehensive security approach to secure transient and stationary devices now.