Blue Coat ICS PROTECTION Scanner Station Version USB Malware Defense for Industrial Computers User Guide, version 5.3.1
Contents

1. ABOUT
  1.1. About this Guide
  1.2. System Requirements
  1.3. Help and Support
2. INTRODUCTION
  2.1. Blue Coat Shark ICS Protection
    2.1.1. What is ICS Protection?
    2.1.2. What is the Scanner Station Version?
    2.1.3. What is the ICS Protection Workflow?
    2.1.4. Blue Coat SandBox Technology
    2.1.5. Internet Update
    2.1.6. Decompression Supported File Formats
3. USING ICS PROTECTION SCANNER STATION
  3.1. Functional Overview
  3.2. Scan Removable USB Device for Malware
    3.2.1. Case 1 USB Validated
    3.2.2. Case 2 USB Infected
    3.2.3. Case 3 USB Partially Validated
  3.3. Create Portable Malware Cleaner
  3.4. Create ICS Protection Driver Package

www.bluecoat.com
1. About

1.1. About this Guide

This manual is intended for users and service providers of Industrial Control Systems who utilize portable USB devices to access ICS devices such as Windows-based HMI computers and engineering workstations. This manual assumes no technical knowledge on the part of the reader.

1.2. System Requirements

The Blue Coat ICS Protection Scanner Station contains all of the necessary hardware, software, and connectivity needed to protect industrial control system computers against malicious files from portable USB devices.

1.3. Help and Support

The Blue Coat ICS Protection Scanner Station is an intuitive, easy-to-use anti-malware solution designed to perform a limited number of functions repeatedly across a wide range of industrial environments. Please see the companion manual, Blue Coat ICS Protection Scanner Station Administrator Guide, for instructions on how to install and configure the appliance and how to upgrade licensed software.

Support Resources: http://www.bluecoat.com/support/

Figure 1: ICS Protection Scanner Station protects Windows-based HMI computers and engineering workstations from USB-borne malware
2. Introduction

2.1. Blue Coat ICS Protection

2.1.1. What is Blue Coat ICS Protection?

Blue Coat ICS Protection stops malware from entering ICS environments and comes in two versions:

  ICS Protection - Network version
  ICS Protection - Scanner Station version

Combining both versions provides comprehensive protection of your ICS environment. This document covers only the usage of the ICS Protection Scanner Station version.

2.1.2. What is the Scanner Station Version?

The Scanner Station version of ICS Protection is a new technology from Blue Coat providing protection for ICS infrastructure. ICS Protection scans USB devices for malware and cleans them, and provides the option to technologically enforce security policies for USB device usage.

2.1.3. What is the ICS Protection Workflow?

ICS Protection works as a scanner station for all USB-based removable media. It can scan USB media for malware and clean the malware from the USB media before it is used in any HMI computer, Engineer PC or any other Windows-based computer. By installing a small agent on the system you want to protect, ICS Protection can enforce iron-clad USB security policies across the entire ICS infrastructure, meaning that no USB device can be used on these Windows computers if it has not been scanned by ICS Protection.

ICS Protection is a two-part solution:

  1) The physical scanner station. This is where you scan and clean your USB devices.
  2) The non-interruptible kernel driver. This is the driver that will stop non-scanned USB devices from being used.

The typical workflow is to scan your USB devices before they are used in any Windows-based ICS computers.

Figure 2: Validated USB device permitted to access ICSP protected computer
Any attempt to use a USB device in an ICSP protected computer without first scanning it with the ICS Protection Scanner Station will be denied.

Figure 3: Malware infected USB device is denied access to ICSP protected computers

2.1.4. Blue Coat SandBox Technology

Blue Coat SandBox technology enables ICS Protection to detect new malware before a detection signature has been released by analyzing code behavior in a virtual environment before it runs on a real machine.

2.1.5. Internet Update

InternetUpdate can be set to automatically update the virus scanning engine and signature files at hourly intervals. See the companion manual Blue Coat ICS Protection Scanner Station Administrator Guide.

2.1.6. Decompression Supported File Formats

ICSP can decompress packets representing files compressed in a number of different formats before scanning the content.

ACE ACE Apple Single ARJ BZip2 CAB CAB CHM/ITSF GZ InnoSetup Installer LZH Mail / MIME MSI
self extractors (compression / decompression) (compression / decompression) self extractors (compression / decompression) with Base 64, QP, or UUE encoding (compression / decompression)
Nullsoft Installer RAR RAR RAR TAR Wise SFX ZIP ZIP 7Zip
Version 2 Version 3 (store / decompression) Version 3 (self-extractors) (compression / decompression) (compression / decompression / append new objects) self extractors
3. Using ICS Protection Scanner Station

The ICS Protection Scanner Station scans USB devices for malware so they can be safely used within the ICS environment. Connect portable USB devices using the included mini-USB-to-USB cable in the front of the Scanner Station, or use the built-in USB ports located on the underside of the Scanner Station.

Figure 4: Mini-USB-to-USB cable
Figure 5: Built-in USB ports

Note: Using the removable and replaceable mini-USB cable will reduce wear-and-tear on the built-in USB ports and may extend the usable lifespan of the ICS Protection Scanner Station.

3.1. Functional Overview

Blue Coat ICS Protection Scanner Station provides three (3) primary functions:

  Scan Removable Device: Quickly scans USB devices for malware so they can be safely used on target ICS devices, such as Windows-based HMI computers and engineering workstations.

  Create Malware Cleaner: Scans Windows computers for malware from a USB device and cleans infected systems, regardless of the source of the infection.

  Create Driver Package: Copies the driver package to the mounted USB storage device. This executable package can then be used to install the kernel driver on the target computer that is to be protected.
3.2. Scan Removable USB Device for Malware

Insert a USB device into the Scanner Station. The three icons will be enabled.

1. Click Scan removable device.

   Figure 6: ICS Protection Home screen

2. (Encrypted USB devices only) If you are scanning an encrypted USB device, the Enter password for USB memory stick screen displays alongside a password entry field. Otherwise, skip to step 3. Enter the USB device password using the attached keyboard and click continue.

   - If the password is accepted, click continue again to finish unlocking the encrypted USB device. When the USB device is unlocked, it automatically proceeds to the scanning stage.
   - If the password is incorrectly entered, the Wrong password! screen appears with the remaining number of attempts allowed before content on the encrypted USB device is wiped.

3. The Scanning removable device screen appears as all files on the USB device are scanned for malware.

   Figure 7: Scanning Removable Device screen
3.2.1. Case 1: USB Validated

If no malware is detected, the Validated screen appears. Remove and use the USB device.

Figure 8: USB device has been validated for use on protected ICS computers
3.2.2. Case 2: USB Infected

If malware has been detected, the Infected screen appears. The user must choose either to keep the file, in which case the USB device cannot be used, or to delete the malicious file, after which the device can be used.

Note: Cleaning or deleting malicious files is optional, and the option must be set by the administrator at the Web Admin console. See the Blue Coat ICS Protection Administrator Guide for additional details.

Figure 9: USB device is infected and user must choose to delete or keep the file

If the user keeps the infected file, a message informs the user that the USB device will not be usable on ICSP enabled computers. The Details button displays more information about the malicious file that was detected.

Figure 10: Infected USB device will be blocked from use on protected ICS computers
ICS Protection displays details about the malicious file. Please follow your company policies concerning the proper resolution of the identified condition.

Figure 11: Details of malicious file detected on USB device

If the user agreed to delete the malicious file, the following screen confirms that one or more malicious files were found and either cleaned or deleted. The USB device may now be used on ICSP enabled computers.

Figure 12: Infected files have been removed and the USB device may now be used
3.2.3. Case 3: USB Partially Validated

Note: The Partially Validated screen may appear in other cases, such as when ICS Protection cannot scan a file due to the presence of either password-protected archives or encrypted files. In these cases, the unknown file(s) will not be usable but the rest of the files on the USB device will continue to be available.

Figure 13: Partially validated USB device will be allowed access to ICSP computers

Pressing Details displays additional information about the file that was found to be malicious and deleted.

Figure 14: Details of a password-protected file that could not be scanned
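Case 3 depends on recognising content that cannot be inspected. The sketch below is an added example, not Blue Coat's code: it flags ZIP archives that contain encrypted members and maps the findings to the guide's three result screens. The function names, the constructed sample files and the `infected` input (standing in for a scan engine's findings) are assumptions.

```python
import io
import zipfile

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: member is encrypted


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: one-member ZIP, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("recipe.txt", (2014, 1, 1, 0, 0, 0))
        zf.writestr(info, b"constructed data")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED                              # local file header flag
        data[data.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flag
    return bytes(data)


def find_unscannable(files: dict) -> list:
    """Return names of ZIP files holding at least one encrypted member."""
    blocked = []
    for name, blob in files.items():
        stream = io.BytesIO(blob)
        if not zipfile.is_zipfile(stream):
            continue  # not a ZIP; left to the content scanner (not modelled here)
        with zipfile.ZipFile(stream) as zf:
            if any(m.flag_bits & ENCRYPTED for m in zf.infolist()):
                blocked.append(name)
    return blocked


def verdict(infected: list, unscannable: list) -> str:
    """Map findings to the three result screens named in the guide."""
    if infected:  # assumption: an infection outranks an unscannable file
        return "Infected"
    return "Partially Validated" if unscannable else "Validated"


# Constructed USB contents (assumption: file name -> file bytes).
SAMPLE = {
    "notes.txt": b"plain text",
    "open.zip": make_sample_zip(False),
    "locked.zip": make_sample_zip(True),
}

if __name__ == "__main__":
    blocked = find_unscannable(SAMPLE)
    print(blocked, verdict([], blocked))
```

The check reads only the archive's central directory, so it never needs the password and never extracts member data.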
3.3. Create Portable Malware Cleaner

The portable malware cleaner can be used in situations where you suspect that a Windows computer may have been infected by malware. The malware cleaner is a tool that is always updated and can scan and clean Windows computers from a USB device.

Figure 15: ICS Protection Home screen

Insert the USB device and click Create Malware Cleaner. ICS Protection first scans the USB device to make sure that it is not already infected with malware before allowing it for use on ICSP enabled computers.

Figure 16: Malware cleaner files successfully copied to the USB device

3.4. Create ICS Protection Driver Package

A USB-based driver package installs the ICS Protection driver on Windows-based HMI computers and engineering workstations to prevent access by USB devices that have not been scanned by ICS Protection. Insert a USB device and click the Create Driver Package icon.
Figure 17: ICS Protection Home screen

A confirmation displays when the driver package has been created on the USB device. The USB device is then scanned to make sure it is not already infected with malware before allowing access to ICSP enabled computers.

Figure 18: Driver installation files successfully copied to the USB device
© 2014 Blue Coat Systems, Inc. All rights reserved.