Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. [1]

ID: M0949
Security Controls: IEC 62443-3-3:2013 - SR 3.2, IEC 62443-4-2:2019 - CR 3.2, NIST SP 800-53 Rev. 4 - SI-3, NIST SP 800-53 Rev. 5 - SI-3
Version: 1.0
Created: 11 June 2019
Last Modified: 19 September 2023

Techniques Addressed by Mitigation

Domain ID Name Use
ICS T0865 Spearphishing Attachment

Deploy anti-virus on all systems that support external email.

ICS T0864 Transient Cyber Asset

Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.

ICS T0863 User Execution

Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).