12 Operations security
12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
12.2.1 Controls against malware
Control
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Implementation guidance
Protection against malware should be based on malware detection and repair software, information security awareness and appropriate system access and change management controls. The following guidance should be considered:
a) establishing a formal policy prohibiting the use of unauthorized software (see 12.6.2 and 14.2);
b) implementing controls that prevent or detect the use of unauthorized software (e.g. application whitelisting);
c) implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting);
d) establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks or on any other medium, indicating what protective measures should be taken;
e) reducing vulnerabilities that could be exploited by malware, e.g. through technical vulnerability management (see 12.6);
f) conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
g) installation and regular update of malware detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the scan carried out should include:
1) scanning any files received over networks or via any form of storage medium for malware before use;
2) scanning electronic mail attachments and downloads for malware before use; this scan should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
3) scanning web pages for malware;
h) defining procedures and responsibilities to deal with malware protection on systems, training in their use, and reporting and recovering from malware attacks;
i) preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup and recovery arrangements (see 12.3);
j) implementing procedures to regularly collect information, such as subscribing to mailing lists or verifying web sites giving information about new malware;
k) implementing procedures to verify information relating to malware, and ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malware, are used to differentiate between hoaxes and real malware; all users should be made aware of the problem of hoaxes and what to do on receipt of them;
l) isolating environments where catastrophic impacts may result;
m) the organization also considers the receipt of false positives during malicious code detection and eradication and the resulting potential effect on the availability of the IACS. Updates are scheduled to occur during planned IACS outages. The organization considers IACS vendor recommendations for malicious code protection.
This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
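Item f) calls for regular reviews of the software and data content of critical systems, with any unapproved file or unauthorized amendment formally investigated. The Python script below is an added example, not text or code from the standard, of one way to automate that review: a manifest of approved files and their SHA-256 digests is recorded from a freshly commissioned system, and each later review compares the live file tree against it, reporting files that appeared, changed or vanished. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Baseline integrity review for an IACS host (added example; all names constructed)."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents (files in this example are small enough to read whole)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest.
    Taken once from an approved, freshly commissioned system, this is the baseline."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def review(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the approved baseline.

    unapproved: present now but not in the baseline (e.g. a dropped DLL)
    modified:   in both, but the content digest differs (unauthorized amendment)
    missing:    in the baseline but gone now (tampering or a failed maintenance step)
    Each finding is a lead for formal investigation, not a verdict on its own.
    """
    current = build_manifest(root)
    return {
        "unapproved": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def run_demo() -> dict:
    """Constructed scenario: baseline an approved HMI install, then simulate the
    three kinds of deviation the review is meant to surface."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "hmi_app"  # hypothetical application directory
        (root / "bin").mkdir(parents=True)
        (root / "config").mkdir()
        (root / "bin" / "hmi_runtime.exe").write_bytes(b"approved runtime build 7")
        (root / "bin" / "comms.dll").write_bytes(b"approved driver build 7")
        (root / "config" / "tags.xml").write_text("<tags><tag name='PT101'/></tags>")
        baseline = build_manifest(root)

        # Deviations introduced after the baseline was taken (constructed):
        (root / "config" / "tags.xml").write_text("<tags><tag name='PT101' scale='10'/></tags>")  # amended
        (root / "bin" / "update_helper.dll").write_bytes(b"not in the approved build")  # unapproved
        (root / "bin" / "comms.dll").unlink()  # missing

        return review(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The review only reads the tree, so it is safe to schedule on production hosts during normal operation. The baseline manifest should be stored off the host (and ideally signed), since a baseline kept on the system it describes can be rewritten by whatever altered the files.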
Other information
The use of two or more software products protecting against malware across the information processing environment from different vendors and technology can improve the effectiveness of malware protection. The use of one malware product on a set of devices in the IACS environment and a different malware product from a different vendor on a different set of devices can improve effectiveness.
Care should be taken to protect against the introduction of malware during maintenance and emergency procedures, which may bypass normal malware protection controls.
Under certain conditions, malware protection might cause disturbance within operations.
Use of malware detection and repair software alone as a malware control is not usually adequate and commonly needs to be accompanied by operating procedures that prevent introduction of malware.
IACS devices should not be directly connected to the Internet to obtain updated malicious code definition files. For smaller systems, manual distribution and installation of updated malicious code definition files may be used. For larger systems, a centralized, dedicated distribution server for IACS devices is recommended. Malicious code definition updates shall first be deployed on a test system or single computer to ensure compatibility prior to full deployment.
If the software that protects against malicious code cannot be deployed for technical reasons (e.g. as a result of a lack of vendor support or vendor approval or the impossibility of installing timely updates), the resulting risks should be identified and other types of countermeasures should be implemented that provide at least an equal degree of protection.
Supplementary controls against malicious code include, among others:
n) securing of all physical and logical data interfaces;
o) network isolation and implementation of segmented network security zones that limit the impact of a malware incident;
p) comprehensive system hardening measures to minimize the risk of malware incidents;
q) the use of vendor-qualified whitelisting solutions, which restrict the execution of non-approved software and code;
r) the use of a Host Intrusion Prevention System (HIPS) in monitoring mode (protection mode is not recommended); HIPS helps identify network-based malware and supports early alerting about threats;
s) the use of a Network Anomaly Detection System (NADS) to identify anomalies in the network traffic, especially when a workstation is compromised and tries to spread the infection to others. NADS can be configured to block traffic that is not allowed between the systems themselves when integrated with the host antimalware agent.
In particular, the possible effects of malware incidents on equipment used for real-time process control and associated communications (e.g., through overload and disruption) should be taken into consideration and mitigated by implementing the appropriate controls.
12.3 Backup
Objective: To protect against loss of data.
12.3.1 Information backup
Control
Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy.
The organization shall identify an alternate storage site and initiate necessary agreements to permit the storage of IACS backup information.
(1) The organization identifies an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards.
(2) The organization configures the alternate storage site to facilitate timely and effective recovery operations.
(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
The frequency of IACS backups and the transfer rate of backup information to alternate storage sites (if so designated) shall be consistent with the organization's recovery time objectives and recovery point objectives.
(1) The organization selectively uses backup information in the restoration of IACS functions as part of contingency plan testing.
(2) The organization stores backup copies of the operating system and other critical IACS software in a separate facility or in a fire-rated container that is not collocated with the operational software.
Implementation guidance
A backup policy should be established to define the organization's requirements for backup of information, software and systems.
The backup policy should define the retention and protection requirements.
Adequate backup facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure.
When designing a backup plan, the following items should be taken into consideration:
a) accurate and complete records of the backup copies and documented restoration procedures should be produced;
b) the extent (e.g. full or differential backup) and frequency of backups should reflect the business requirements of the organization, the security requirements of the information involved and the criticality of the information to the continued operation of the organization;
c) the backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
d) backup information should be given an appropriate level of physical and environmental protection (see 11) consistent with the standards applied at the main site;
e) backup media should be regularly tested to ensure that they can be relied upon for emergency use when necessary; this should be combined with a test of the restoration procedures and checked against the restoration time required. Testing the ability to restore backed-up data should be performed onto dedicated test media, not by overwriting the original media, in case the backup or restoration process fails and causes irreparable data damage or loss;
f) in situations where confidentiality is of importance, backups should be protected by means of encryption.
Operational procedures should monitor the execution of backups and address failures of scheduled backups to ensure completeness of backups according to the backup policy.
Backup arrangements for individual systems and services should be regularly tested to ensure that they meet the requirements of business continuity plans. In the case of critical systems and services, backup arrangements should cover all systems information, applications and data necessary to recover the complete system in the event of a disaster.
The retention period for essential business information should be determined, taking into account any requirement for archive copies to be permanently retained.
The frequency of IACS backups and the transfer rate of backup information to the alternate storage site (if so designated) are consistent with the organization's recovery time objectives and recovery point objectives.
Availability of up-to-date backups is essential for recovery from IACS failure and mis-configuration. Automating this function ensures that all required files are captured, reducing operator overhead.
An organizational assessment of risk guides the use of encryption for backup information. While integrity and availability are the primary concerns for system backup information, protecting backup information from unauthorized disclosure is also an important consideration depending on the type of information residing on the backup media and the system target level.
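Item e) of the guidance (restore tests onto dedicated test media, checked against the required restoration time), the monitoring of failed scheduled backups, and the requirement that backup frequency match the organization's recovery point and recovery time objectives are all checks that can be automated. The Python below is an added example, not text or code from the standard: it restores a backup into a separate test directory (never over the originals), compares each restored file's SHA-256 against the manifest recorded when the backup was taken, times the restore against an RTO, and checks the age of the last successful run against an RPO, ignoring failed runs. The PLC project files, the backup catalogue entries, the RPO/RTO values and the corrupt file in the backup copy are all constructed for the demonstration.

```python
"""Backup restore verification and RPO/RTO check (added example; all values constructed)."""
import hashlib
import shutil
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def rpo_met(runs: list, now: datetime, rpo: timedelta) -> bool:
    """runs: (finished_at, status) pairs from the backup catalogue.
    Only successful runs count: a failed nightly job leaves the previous success
    as the most recent restorable state, so the window of data at risk grows."""
    successes = [t for t, status in runs if status == "success"]
    return bool(successes) and (now - max(successes)) <= rpo


def restore_test(backup_dir: Path, test_dir: Path, expected: dict, rto: timedelta) -> dict:
    """Restore into dedicated test media and verify against the recorded manifest."""
    started = time.monotonic()
    shutil.copytree(backup_dir, test_dir)  # hypothetical stand-in for the real restore tool
    elapsed = timedelta(seconds=time.monotonic() - started)
    restored = build_manifest(test_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    return {"problems": problems, "within_rto": elapsed <= rto}


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        # Constructed "production" data set, e.g. a PLC project directory.
        src = work / "plc_project"
        src.mkdir()
        (src / "program.acd").write_bytes(b"ladder logic build 7")
        (src / "recipes.csv").write_text("batch,setpoint\nA,42\nB,37\n")
        expected = build_manifest(src)  # recorded alongside the backup when it was taken

        backup = work / "backup_2024-01-01"
        shutil.copytree(src, backup)
        # Constructed fault: the backup copy of one file is truncated (bad media).
        (backup / "recipes.csv").write_text("batch,setpoint\nA,4")

        result = restore_test(backup, work / "restore_test", expected, rto=timedelta(hours=4))
        # Constructed catalogue: the latest run failed; the last success is 28 h old.
        runs = [(datetime(2024, 1, 1, 2, 0), "success"), (datetime(2024, 1, 2, 2, 0), "failed")]
        result["rpo_met"] = rpo_met(runs, now=datetime(2024, 1, 2, 6, 0), rpo=timedelta(hours=24))
        # The originals must be untouched by the test restore.
        result["source_untouched"] = build_manifest(src) == expected
        return result


if __name__ == "__main__":
    print(run_demo())
```

Running the script reports the truncated recipe file as a hash mismatch, flags the RPO as unmet because the failed run does not reset the clock, and confirms the production directory was not written to. Keeping the manifest with the backup (and a copy at the alternate storage site) is what makes the restore test meaningful: a restore that completes without error says nothing about whether the data is the data that was backed up.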
12.4 Logging and monitoring