Posted by Tony Berning / December 15, 2017
This year my colleagues and I were onsite for the first Nuclear Regulatory Commission cyber security program Milestone 8 inspections at the South Texas Project and Monticello nuclear power plants. We took away some key observations from the inspections specifically related to deployments of Metadefender Kiosk in a nuclear environment.
I presented these observations in a webinar Wednesday morning, as well as OPSWAT's recommendations for how to optimize Metadefender Kiosk deployments, both for regulatory compliance and for enhanced security.
If you weren't able to attend the webinar, OPSWAT's main recommendations are:
- Upgrade Metadefender Kiosk and Core to the latest versions
- Understand certain key aspects of Metadefender functionality
- Take additional hardening steps for Metadefender Kiosk
1. Upgrade Metadefender Kiosk and Core
As of this writing, the current versions of Metadefender Kiosk and Core are 4.1.1 and 4.9.0, respectively. (Metadefender Core 4.9.0 was released this week.) These latest versions offer device whitelisting, user alerts for detected input devices, and hash-based whitelisting.
We recommend upgrading since utilizing these features can significantly enhance the security of a Metadefender Kiosk deployment.
The switch from Metadefender Kiosk v3 to v4 is a complex one, and for those sites that are still running v3 and do not have time for a full upgrade to v4, I recommend at the very least upgrading to Metadefender Kiosk 3.4.6.
We also believe that it is best to run Metadefender Kiosk systems on the most recent version of Windows, such as Windows 10, although Windows 7-8.1 are also supported.
2. Key Aspects of Metadefender
In preparation for NRC or other inspections, it helps to be familiar with a few key aspects of Metadefender Kiosk and Core.
Device ID logging: The ID of each device is logged with the Metadefender Kiosk scan session and included on the Metadefender Kiosk scan receipt.
Transfer station: Metadefender Kiosk uses Windows API calls when copying either allowed or blocked files to a designated location. If hash validation is enabled, then Metadefender will also verify the hash value of the file after it has been copied to ensure the integrity of the file.
Watchdog functionality: Metadefender Kiosk contains a watchdog that monitors the application for any abnormal termination. If an abnormal termination is detected, the Metadefender Kiosk watchdog takes one of three actions according to how Metadefender Kiosk is configured: 1. restarting the Kiosk UI, 2. logging out of Windows, or 3. restarting the entire system (OPSWAT's recommendation). No matter which option is selected, the Kiosk UI runs in an isolated environment so that an end user is never able to access the Metadefender Kiosk Windows desktop.
Plugging in multiple devices: Metadefender Kiosk does not scan devices until the user is prompted to plug in a device. If multiple devices are inserted, Metadefender Kiosk always scans the device inserted first and ignores the other devices.
3. Additional Hardening Steps
OPSWAT advises the use of an application whitelisting product to protect the Metadefender Kiosk system itself. OPSWAT does not provide such a solution, but there are many solutions available on the market that provide this functionality.
Additionally, all unused hardware components of a system – whether that's an unused port or any device with Wi-Fi capabilities – should be removed or disabled from the Metadefender Kiosk system.
OPSWAT Online User Guide
We have updated the Metadefender Kiosk Online Help user guide with additional information to help with preparing for the NRC Milestone 8 inspections. You can view the user guide here.
During the webinar, my colleague Dan Lanir, our VP of Customer Success, explained the services we are offering to our nuclear Metadefender Kiosk clients to help prepare for the Milestone 8 inspections. OPSWAT can send a technical resource to be onsite for up to 3 days as the point person for all Metadefender-related questions. Please contact us if you are interested in leveraging this service.
Any Further Questions?
If you have any more questions about preparing for the NRC Milestone 8 inspections, please contact your OPSWAT account manager.
You can also watch the webinar.