
Anti-Malware for OT: EDR vs. AV

Regulatory Context: IACS UR E27 (Section 4.3.2) mandates protection against malicious code. This module explores the selection of security tools that provide robust protection without compromising the real-time availability of shipboard control systems.

In the machinery space, the “Cure” can be more dangerous than the “Disease.” A standard antivirus product can starve an HMI of CPU and disk I/O during a full scan, or quarantine a critical OEM driver on a false positive and freeze the station. To comply with E27 without creating that risk, the anti-malware solution must be “OT-Aware”: tested against the OEM image, tunable per asset, and safe to run with no shore connection.

The Conflict: Stability vs. Security

The fundamental challenge of anti-malware on a vessel is the Availability Priority. In an office, an AV-induced reboot is a nuisance; on a bridge during docking, it is a catastrophic failure. Maritime OT requires security controls that “fail open” (a failure of the control must never stop the process it protects) or that run with such a low footprint that the HMI never loses its connection to the PLC. Traditional AV makes no such distinction: it treats a propulsion control service exactly the way it treats a web browser, so a single high-confidence false positive can take a vessel out of service.

The VSAT Update Trap

Signature-based AV depends on daily (often hourly) definition updates. Over a metered VSAT link those downloads are deferred or fail outright. An AV that cannot “call home” still detects what it already knew, but it is blind to anything released after its last successful update, which in practice means it is out of date within 48 hours of the link degrading.

False Positives in OT

Proprietary OEM software often looks like malware to a standard AV heuristic: it is unsigned or signed by an unknown publisher, it accesses low-level hardware ports, and it is installed outside the usual program directories. Quarantining such a driver, or the HMI runtime itself, can stop the Main Engine control system just as surely as the malware the scanner was meant to catch.

Technical Comparison: Choosing the Right Tool

Modern maritime strategies are moving toward Endpoint Detection and Response (EDR), which watches process behaviour on the host rather than repeatedly scanning the disk, to provide proactive detection without the resource drain of traditional scanning.

| Feature            | Legacy Antivirus (AV)         | Modern EDR                      |
|--------------------|-------------------------------|---------------------------------|
| Detection Method   | Known file signatures         | Behavioural analysis (anomalies) |
| Offline Capability | Poor (needs cloud sync)       | High (logic resides locally)     |
| Resource Impact    | High (disk-heavy scanning)    | Low (passive monitoring)         |
| OT Recommendation  | Avoid for core assets         | Primary control for E27 compliance |

Treat the “Offline Capability” and “Resource Impact” rows as requirements to verify, not as given: some EDR agents only evaluate telemetry in the vendor cloud, and some still run scheduled scans. Before deploying to a core asset, confirm with the vendor that detection and response actions work with no connectivity, that the agent has an audit-only (learn) mode, and that the OEM has approved it for the HMI image.

ETO Anti-Malware Strategy
Application Whitelisting

Instead of looking for “bad” files, configure the system to ONLY allow “known good” OEM applications to run. Everything else is blocked by default. Build the allowlist from the commissioned OEM image (publisher certificate or file hash), run it in audit-only mode through sea trials so that a false deny shows up in the logs rather than on the bridge, then switch to enforce. Re-baseline after every OEM update, because a patched executable has a new hash.

File Integrity Monitoring (FIM)

For legacy Windows XP/7 systems, which no longer receive vendor patches and usually cannot run a current agent, use FIM to alert the ETO if any critical system or OEM files are modified, added, or removed. A hash baseline of the OS and OEM directories, re-checked on a schedule, is often the only host-level detection these machines can support.

Centralized Logging

Ensure that anti-malware, allowlist, and FIM alerts are sent to a central Syslog server (Pillar A) rather than left in a local console nobody checks, so the ETO can see threats across the whole fleet from one screen. Forward the logs one way out of the OT network (data diode or a collector that only receives) so the logging path does not become an inbound channel.
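The three controls above share one building block: a hash baseline of the “known good” OEM files. The following is an added example, not code from this playbook or from any vendor, that ties them together in one small tool: the baseline drives a default-deny allowlist check with an audit-only commissioning mode, the same baseline is re-hashed to detect added, modified, or removed files (FIM), and every finding is formatted as an RFC 5424 syslog line ready for the central collector. The hostname `ecr-hmi-01`, the app name `otfim`, the OEM directory layout, and the file contents are all constructed for the demo; `send_syslog` is included but not called, since there is no collector in the demo.

```python
"""Added example (not from the playbook or any vendor): one "known-good" baseline
serving allowlisting, FIM and syslog forwarding. Hostname, app name, paths and
sample file contents are constructed for the demo."""
from __future__ import annotations

import hashlib
import shutil
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

HOSTNAME = "ecr-hmi-01"   # assumed engine-control-room HMI name
FACILITY = 16             # local0; RFC 5424 PRI = facility * 8 + severity


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def exec_decision(root: Path, exe: Path, baseline: dict[str, str],
                  audit_only: bool = True) -> tuple[str, str]:
    """Allowlist check: (verdict, reason) with verdict allow/deny/audit.
    audit_only=True reports what *would* be denied without blocking it; run
    this way through sea trials until no OEM binary produces a false deny."""
    try:
        rel = exe.relative_to(root).as_posix()
    except ValueError:                      # outside the OEM tree: never in the list
        rel, expected = str(exe), None
    else:
        expected = baseline.get(rel)
    if not exe.is_file():
        return "deny", f"{rel}: no such file"
    actual = sha256_file(exe)
    if expected == actual:
        return "allow", f"{rel}: hash matches baseline"
    reason = (f"{rel}: not in allowlist" if expected is None
              else f"{rel}: hash mismatch ({expected[:12]} != {actual[:12]})")
    return ("audit", reason + " [audit mode, not blocked]") if audit_only else ("deny", reason)


def fim_diff(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def syslog_line(severity: int, msgid: str, msg: str, ts: str | None = None) -> str:
    """RFC 5424 layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{FACILITY * 8 + severity}>1 {ts} {HOSTNAME} otfim - {msgid} - {msg}"


def send_syslog(line: str, server: str, port: int = 514) -> None:
    """Ship one line over UDP to the central collector (not called in the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server, port))


def demo() -> dict:
    """Constructed OEM tree: take a baseline, then simulate a USB-borne dropper
    and a trojanised driver, and produce the alerts the ETO would see."""
    root = Path(tempfile.mkdtemp(prefix="oem_"))
    try:
        for d in ("bin", "drivers"):
            (root / d).mkdir()
        (root / "bin" / "hmi_runtime.exe").write_bytes(b"OEM HMI runtime 3.2")
        (root / "drivers" / "plc_io.sys").write_bytes(b"OEM PLC I/O driver")
        baseline = build_baseline(root)            # taken at commissioning

        (root / "bin" / "update.exe").write_bytes(b"MZ dropper from USB stick")
        (root / "drivers" / "plc_io.sys").write_bytes(b"OEM PLC I/O driver + implant")

        out = {
            "oem_runtime": exec_decision(root, root / "bin" / "hmi_runtime.exe", baseline, audit_only=False),
            "dropper_audit": exec_decision(root, root / "bin" / "update.exe", baseline, audit_only=True),
            "dropper_enforce": exec_decision(root, root / "bin" / "update.exe", baseline, audit_only=False),
            "driver_enforce": exec_decision(root, root / "drivers" / "plc_io.sys", baseline, audit_only=False),
            "fim": fim_diff(baseline, build_baseline(root)),
        }
        lines = [syslog_line(2, "EXEC", reason)              # severity 2 = critical
                 for _, reason in (out["dropper_enforce"], out["driver_enforce"])]
        lines += [syslog_line(2, "FIM", f"{kind}: {p}")
                  for kind, paths in out["fim"].items() for p in paths]
        out["syslog"] = lines
        return out
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in demo()["syslog"]:
        print(line)   # or send_syslog(line, "<collector-ip>") to forward it
```

Run as-is it prints four `<130>` (local0, critical) lines: two EXEC denies for the dropper and the tampered driver, and two FIM findings (`added: bin/update.exe`, `modified: drivers/plc_io.sys`). The audit-only verdict for the dropper is what the allowlist should produce during commissioning; only after sea trials show no false denies on OEM binaries should `audit_only` be switched off.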

Legacy Tip: On very old HMIs that cannot support modern EDR agents, the best “Anti-Malware” is **Physical Hardening (USB Blocking)** and **Network Segmentation**. If you can’t protect the host, you must protect the environment around it.
