Performance Impact from Implementing Security

dwalker

Has anybody gained any experience with the performance of a control system where they have implemented security features? Do the anti-virus and firewalls have any impact?

marcinantkiewicz

I am not aware of any response time issues.

Please note that AV will cause performance degradation if allowed to search through files (which most want to do on a schedule). Application whitelisting, when mature, would be a much better approach (bit9.com).

A decent firewall should not cause noticeable degradation, but I would stay away as far as possible from any of the Unified (ACL+AV+proxy+somethingelse) solutions.

We did, however, see problems with some AV packages not working well with the software packages required for the machine's function. Another vendor's product was installed.

In another case, a vendor-supplied security solution (NERC CIP) conflicted with the operations of the control software. Another security solution was acquired on the open market.

In quite a few cases, network scans caused instability. One application still crashes when scans are performed with relaxed settings, where the sockets were only opened and closed, with no data passed to the application.

Many security solutions that work well in the IT land should not be used on critical systems, because they were never designed with such use in mind. Take IPS for example - most vendors would argue to make such systems a requirement, but the asset owners would be installing a component that kills connections based on a specific bit pattern. In theory the signatures would be specific enough not to kill random connections, but in practice the opposite happens. While file attachments can be sent and resent, there is no workaround for lost messages on the process side.

Marcin Antkiewicz
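
A service that falls over when a scanner opens and closes sockets without sending data often has a handler that assumes the first read returns a full message. The following is an added example, not code from this thread or from any product mentioned in it: a handler that treats a zero-byte read as a normal close, exercised on loopback. The 2-byte length framing, the function names and the probe count are assumptions made for illustration.

```python
import socket
import struct
import threading

HEADER = struct.Struct("!H")  # hypothetical framing: 2-byte length prefix

def recv_exact(conn, n):
    """Read exactly n bytes; return None if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:  # zero-byte read: peer closed (e.g. a scanner probe)
            return None
        buf += chunk
    return buf

def handle(conn, stats):
    """Serve one connection; a probe that sends nothing must not raise."""
    try:
        with conn:
            conn.settimeout(2.0)  # a silent peer cannot hold the handler forever
            header = recv_exact(conn, HEADER.size)
            payload = header and recv_exact(conn, HEADER.unpack(header)[0])
            if payload is None:
                stats["closed_early"] += 1
                return
            conn.sendall(header + payload)  # echo the framed message back
            stats["served"] += 1
    except OSError:  # reset or timeout: count it, keep the service up
        stats["errors"] += 1

def run_demo(probes=20):
    """Connect-and-close a loopback listener, then send one real message."""
    stats = {"closed_early": 0, "served": 0, "errors": 0}
    srv = socket.create_server(("127.0.0.1", 0))  # ephemeral loopback port
    addr = srv.getsockname()
    def serve():
        for _ in range(probes + 1):
            handle(srv.accept()[0], stats)
    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    for _ in range(probes):
        socket.create_connection(addr).close()  # opened and closed, no data
    with socket.create_connection(addr) as client:
        client.sendall(HEADER.pack(5) + b"hello")  # constructed test message
        reply = recv_exact(client, HEADER.size + 5)
    worker.join(5)
    srv.close()
    return stats, reply
```

Calling `run_demo()` returns the counters and the echoed frame, so the same check can be pointed at a test instance of a real listener before a scan is scheduled against production.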