• No results found

VIRUS PROTECTION

In document Network and Security Planning Guide (Page 43-49)

6.1 Supported antivirus software

Refer to the Experion LX Software Change Notice on how to get more information on antivirus software supported for Experion LX.

6.2 Installing antivirus software on process control nodes

Install antivirus software on every node in the process control network must include:

In a Experion LX system:

Experion LX Stations

Experion LX Server, eServers;

Other nodes:

Process History Database (PHD) servers;

Advanced control nodes;

Honeywell and third party application nodes;

Non-Windows nodes;

Subsystem interface nodes (for example, tank gauging).

Honeywell recommends that you set up special servers for the controlled distribution of

antivirus signature files to the process control network (PCN) as outlined in "Distributing

Microsoft updates and virus definition files."

6. Virus Protection

6.3. Configuring active antivirus scanning

6.3 Configuring active antivirus scanning

Honeywell recommends that you adopt an active virus scanning strategy.

The recommended strategies include ensuring that:

Virus scan reports are regularly reviewed;

Antivirus software is configured to:

Scan the boot sectors of all floppy disks;

6. Virus Protection 6.4. Tuning the virus scanning for system performance

Move infected files to a quarantine directory and notify the user that an infected file was found. The user must be allowed to clean up the infection.

6.4 Tuning the virus scanning for system performance

In formulating your virus scanning strategy you may also need to take into account the potential impact on critical system resources.

For example, if your Experion LX is experiencing problems due to low system resources, you may need to:

Ensure that antivirus software (and other third party applications) is run only when system resources on the node are adequate to meet system needs.

Consider limiting the system resources that are used by antivirus software during scanning. Honeywell has tested anti-viral software successfully on extremely large systems by limiting the CPU utilization of anti-viral software to as low as 10%.

To find the proper balance between server performance and virus protection you may need to make configuration choices such as disabling scanning on reading of files and changing the default process-based scanning to per-process scanning.

For more information about virus scanning and system performance, refer to "About virus scanning and system performance.”

ATTENTION

Do not automatically schedule full system scans on any Experion LX node as this can result in severe degradation of performance, and could therefore:

• Impact the ability of operators to respond to a situation

6. Virus Protection

6.5. Ensuring frequent updates to antivirus signature files

Directories that can be excluded from scanning

Experion LX creates many files during normal operations and the system resource overhead of scanning each of these files for viruses is extremely high. Honeywell tests anti-viral software with the following directories excluded from scanning:

\ProgramData\Honeywell\

\Program Files\Honeywell\<ProductLegacy>\Engineering Tools\system\er

About virus scanning and system performance

The Experion LX system requires a certain amount of system resources (including CPU, memory, disk access), in order to perform reliably. Shortages of these resources may lead to decreased system performance.

When tuning antivirus software, consider balancing performance against risk. On some systems, the high performance of the server node is balanced against the performance of the scanning engine. Some antivirus scanners allow you to set maximum CPU usage. The default installation of antivirus software will generally meet the demands of most

customers. However, for systems with extremely high CPU usage and input/output demands, the default installation of antivirus software may impose system limitations.

Refer to your antivirus software documentation for specific procedures on how to limit CPU utilization.

If your system is experiencing continued resource-related performance problems, there are further steps that you can take to limit the resources consumed by antivirus software.

6.5 Ensuring frequent updates to antivirus signature files

Non-directed virus and worm attacks are common attacks on a control system. A virus that is deemed low risk for corporate systems may pose a high risk to a control system if it causes a denial of service. It is therefore essential to update antivirus signature files frequently by:

Subscribing to the updates of your antivirus software vendor(s);

Leveraging enterprise antivirus policies and practices.

Where it is not practical to do this daily, it is worth monitoring those websites which publish information about new virus attacks so that the system can be isolated if a specific threat appears.

For recommendations on distributing antivirus updates, refer to "Distributing Microsoft

updates and virus definition files.”

6. Virus Protection 6.6. Testing the deployment of antivirus signature files

6.6 Testing the deployment of antivirus signature files

It is important to test antivirus signature files offline before deploying them. This helps to ensure that the signature file does not break the antivirus software or cause problems on the computer. For example, you could first test the signature files on:

A staged test system

One or two nodes

In line with the best practice of minimizing communication between the business network and the process control network, Honeywell recommends that updates to antivirus signature files be distributed from a server located in a DMZ as outlined in

"Distributing Microsoft updates and virus definition files.”

When implementing the automatic deployment of signature files, it is also important to:

Stagger automatic deployment to eliminate the potential for common cause failure.

For example, deploy to no more than three or four nodes per hour;

Follow the recommendations of your antivirus software vendor for distribution server/services;

Stage the distribution on a test system.

6. Virus Protection

6.7. Prohibiting email clients on the process control network

6.7 Prohibiting email clients on the process control network

Do not install email clients on any node connected to the process control network.

Honeywell does not support email clients on the process control network.

Viruses and email

Many viruses and similar malware propagate via email. Not only do these viruses cause damage to the computer, often rendering them inoperable, they also cause significant network traffic by mass mailing to other addresses, which may prevent the timely delivery of controls and alarms.

Instant messaging

An emerging trend is the use of instant messaging (IM) as a transport mechanism for malware. Targeting MSN clients in particular, the malware sends messages to all contacts on an infected machine, thereby increasing network traffic uncontrollably. This message itself, apparently from a trusted source, usually tells the recipient to browse to a malicious website, which will then download more serious malware, opening back doors or otherwise allowing takeover of the machine. It is possible that IM will replace email as the prime carrier of malware in the near future.

Honeywell strongly advises against supporting instant messaging on nodes within the process control network (PCN).

6.8 Handling common threats posed by Spyware

An increasingly common threat is that posed by spyware, also known as "bots." These are typically small modules that do not in themselves cause damage, but record keystrokes and other user actions, and then transmit this information to a remote host, where passwords, account, and other information can be extracted.

Conventional antivirus checkers do not look for spyware. Like viruses and other

malware, spyware can be propagated via email or inadvertently downloaded in the course of Internet access.

Note that Honeywell does not support internet and email access from the PCN.

In document Network and Security Planning Guide (Page 43-49)