Part of the PROTECT Playbook

Anti-Malware for OT: EDR vs. AV

Regulatory Context: IACS UR E27 (Section 4.3.2) mandates protection against malicious code. This module explores the selection of security tools that provide robust protection without compromising the real-time availability of shipboard control systems.

In the machinery space, the “Cure” can be more dangerous than the “Disease.” Standard Antivirus software often consumes high CPU resources or mistakenly quarantines critical OEM drivers, causing a system freeze. To comply with E27, we must implement anti-malware solutions that are “OT-Aware.”

The Conflict: Stability vs. Security

The fundamental challenge of anti-malware on a vessel is the Availability Priority. In an office, an AV-induced reboot is a nuisance; on a bridge during docking, it is a catastrophic failure. Maritime OT requires security that “fails open” or operates with such a low footprint that the HMI never loses its connection to the PLC. Traditional software often lacks this nuance, treating a critical propulsion control service the same way it treats a web browser, leading to high-risk false positives that can take a vessel offline.

The VSAT Update Trap

Traditional AV requires daily signature updates. On a ship with limited bandwidth, an AV that cannot “call home” becomes useless against new threats within 48 hours.

False Positives in OT

Proprietary OEM software often behaves like “malware” in the eyes of standard AV because it accesses low-level hardware ports. A false positive here can stop the Main Engine.

Technical Comparison: Choosing the Right Tool

Modern maritime strategies are moving toward Endpoint Detection and Response (EDR) to provide proactive detection without the heavy resource drain of traditional scanning.

| Feature | Legacy Antivirus (AV) | Modern EDR |
|---|---|---|
| Detection Method | Known File Signatures | Behavioral AI (Anomalies) |
| Offline Capability | Poor (Needs cloud sync) | High (Logic resides locally) |
| Resource Impact | High (Disk-heavy scanning) | Low (Passive Monitoring) |
| OT Recommendation | Avoid for Core Assets | Primary for E27 Compliance |

ETO Anti-Malware Strategy

Application Whitelisting

Instead of looking for “bad” files, configure the system to ONLY allow “known good” OEM applications to run. Everything else is blocked by default.

File Integrity Monitoring (FIM)

For legacy Windows XP/7 systems, use FIM to alert the ETO if any critical system files are modified or added.

Centralized Logging

Ensure that anti-malware alerts are sent to a central Syslog server (Pillar A) so the ETO can see threats across the whole fleet from one screen.
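
As an added illustration of the FIM and centralized-logging steps above (example code, not the playbook's or any OEM's tooling): the script hashes every file under an HMI runtime folder at commissioning, re-scans later, and turns each modified, added or removed file into a syslog alert line for the central collector. The hostname `hmi-01`, the path `C:/HMI` and the use of syslog facility local0 are assumptions, and the sample folder is constructed in a temporary directory.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

def hash_file(path):
    """SHA-256 of one file, read in chunks so large OEM binaries are not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Relative path -> SHA-256 for every file under root. Take this once, at commissioning."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return baseline

def diff_baseline(baseline, current):
    """Files added, removed or modified between the commissioning baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def syslog_lines(changes, hostname, root):
    """One RFC 3164-style line per change; PRI 129 = facility local0 (16*8) + severity alert (1)."""
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return [f"<129>{stamp} {hostname} fim: {kind.upper()} {root}/{p}"
            for kind in ("modified", "added", "removed") for p in changes[kind]]

def _write(root, rel, data):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def simulate_tamper():
    """Constructed sample: a fake HMI runtime folder is baselined, then tampered with."""
    root = tempfile.mkdtemp()
    for rel, data in {"bin/hmi.exe": b"OEM runtime", "bin/plc.dll": b"OEM driver",
                      "cfg/hmi.ini": b"port=502"}.items():
        _write(root, rel, data)
    baseline = build_baseline(root)
    _write(root, "bin/plc.dll", b"patched by unknown party")   # existing driver modified
    _write(root, "bin/update.exe", b"dropped from a USB stick")  # new executable appears
    os.remove(os.path.join(root, "cfg", "hmi.ini"))              # config file removed
    return diff_baseline(baseline, build_baseline(root))
```

Forwarding the lines over UDP/514 is left to the host's syslog agent; on a legacy HMI, schedule the re-scan from a read-only monitoring host rather than installing new software on the control station.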

Legacy Tip: On very old HMIs that cannot support modern EDR agents, the best “Anti-Malware” is **Physical Hardening (USB Blocking)** and **Network Segmentation**. If you can’t protect the host, you must protect the environment around it.

ETO Quick-Fix: AV Exclusions

If you are forced to use standard Antivirus on an HMI, you must exclude these paths to prevent a system hang:

  • Database Folders: Exclude *.mdf and *.ldf (prevents SCADA history corruption).
  • OEM Drivers: Exclude C:\Windows\System32\Drivers\ (prevents propulsion lag).
  • Runtime Folders: Exclude the specific folder where the HMI software is installed (e.g., C:\Program Files\Kongsberg\...).

Warning: Always consult the OEM (e.g., Wärtsilä, ABB) before applying exclusions to ensure you remain within their support warranty.
