
Safe Lock

Security for Industrial Control Systems (ICS) in an industry 4.0 environment without installing Antimalware


Industry 4.0 revolves around the idea of smart factories. This means allowing control systems to communicate with each other and with higher-level systems, which makes them a potential target for malware such as Zeus. Installing security solutions on these systems is usually not allowed, because such solutions require frequent changes and updates. Safe Lock was designed to address the need for security in Industry 4.0 environments by specifically securing Industrial Control Systems (ICS) with a unique set of protection technologies, without the need for frequent updates or changes.


By restricting the system to a specific purpose (lockdown*), Safe Lock prevents the intrusion and execution of malware. With a limited impact on system performance and no need to update pattern files, Safe Lock protects industrial control systems and embedded devices for which high availability is required, as well as fixed-function devices in closed environments. In addition, thanks to its easy-to-use user interface and its cooperation with Trend Micro Portable Security 2**, Safe Lock can be deployed quickly and provides high operability.

*) Lockdown: restricting the system to a specific purpose by limiting system functions and by controlling system resources and access.
**) Trend Micro Portable Security 2: malware scanning and cleanup tool for standalone PCs or closed systems.



Safe Lock is designed to solve the following issues:

Issue 1: Security measures using pattern files impact system availability

Solution: Application whitelisting

Because only applications that have been registered on the approved list in advance are allowed to run, malware is prevented from running with less impact on system performance than security software that relies on pattern files. In addition, Safe Lock does not affect the performance of the system's important communications, and does not require the system to be restarted during operation.

 

Issue 2: Constant updates of pattern files are not available in a closed environment

Solution: No Internet connection required

Since routine updates of pattern files are not necessary, Safe Lock can protect terminals in environments that are not connected to the Internet.

 

Issue 3: Malware infections via external storage devices or networks

Solution: Exploit protection

Through its intrusion and execution prevention functions, Safe Lock prevents exploit attacks via networks or external storage devices, such as USB memory, and prevents exploit attacks against running processes, thereby lowering the risk of malware infection or unauthorized execution.


Issue 4: Maintenance for security solution is complicated and requires huge administration effort

Solution: Easy operation

Safe Lock’s clear, easy-to-use GUI and its cooperation with Portable Security allow efficient maintenance. In addition, with predefined trusted updaters, Safe Lock can be operated without sacrificing maintainability.


Application whitelisting

When an application is started, Safe Lock checks it against the approved list* to decide whether it is allowed to run. Safe Lock has two execution modes: "Block" and "Detect only". Controlled files include exe, DLL, driver, and script files.

* The approved list stores the file paths and hash values of the controlled files.
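
The check described above, sketched as an added example (this is not Trend Micro's code or the Safe Lock implementation): an approved list of file paths and hashes is collected once, and each launch is then evaluated in "Block" or "Detect only" mode. SHA-256, the extension set, the function names, and the sample files are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed extension set standing in for "exe, DLL, driver, and script files".
CONTROLLED = {".exe", ".dll", ".sys", ".bat", ".vbs", ".js"}

def file_hash(path):
    # SHA-256 is an assumption; the page does not name the hash algorithm.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def key(path):
    # Normalize so the same file is not listed under two spellings.
    return os.path.normcase(os.path.abspath(path))

def build_approved_list(root):
    """Initial setup: record path and hash of every controlled file under root."""
    approved = {}
    for folder, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in CONTROLLED:
                full = os.path.join(folder, name)
                approved[key(full)] = file_hash(full)
    return approved

def check_launch(path, approved, mode="block"):
    """Return (allowed, verdict); mode is 'block' or 'detect'."""
    expected = approved.get(key(path))
    if expected is None:
        verdict = "not_listed"
    elif file_hash(path) != expected:
        verdict = "hash_mismatch"  # e.g. file updated but not re-registered
    else:
        return True, "approved"
    # Detect only: report but allow. Anything else fails closed (block).
    return mode == "detect", verdict

def demo():
    with tempfile.TemporaryDirectory() as root:
        hmi = os.path.join(root, "hmi.exe")           # constructed sample file
        Path(hmi).write_bytes(b"constructed build 1")
        approved = build_approved_list(root)
        results = [check_launch(hmi, approved)]
        Path(hmi).write_bytes(b"constructed build 2")  # update without re-registering
        results.append(check_launch(hmi, approved, "block"))
        results.append(check_launch(hmi, approved, "detect"))
        return results

if __name__ == "__main__":
    print(demo())
```

The hash mismatch case is why updated OS or application files have to be registered on the approved list again before they will run under lockdown.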


 

Approved list management

Safe Lock offers various functions to achieve quick and easy implementation, high visibility, and good operability, such as: easy initial setup that performs automatic collection of the system’s controlled files, manual editing of the list, predefined trusted updaters, export/import of the list, and hash checking.


 

Exploit protection

To reduce the risk of malware infection or unauthorized execution, Safe Lock offers various functions, such as: USB malware protection, network virus protection, DLL injection prevention, API hooking prevention, and memory randomization.

Role based administration

Safe Lock provides both administrator and restricted user accounts. It is possible to limit the Safe Lock functions available to restricted users.

Log

Safe Lock writes a series of operation logs to the Windows Event Log. In order to avoid affecting system availability, notification screens are not displayed during operation.

Cooperation with Trend Micro Portable Security

On a terminal on which Safe Lock is installed, Portable Security—our malware scanning & cleanup tool for standalone PC/closed system—can be used without having to add the Portable Security executable file to the approved list.

Interface

Safe Lock provides not only a command line interface, but also a clear and easy-to-use GUI.

* For more information regarding individual functions, refer to the Safe Lock Administrator’s Guide (PDF).


Operating systems

Safe Lock for client
  • Windows 2000 Professional SP4 32bit
  • Windows XP Professional SP1, SP2, SP3 32bit
  • Windows Vista Business / Enterprise / Ultimate NoSP, SP1, SP2 32bit
  • Windows 7 Professional / Enterprise / Ultimate NoSP, SP1 32/64bit
  • Windows XP Embedded Standard SP1, SP2 32bit
  • Windows Embedded Standard 2009 NoSP 32bit
  • Windows Embedded Standard 7 NoSP, SP1 32/64bit
  • Windows Embedded Enterprise XP SP1, SP2, SP3 32bit
  • Windows Embedded Enterprise Vista NoSP, SP1, SP2 32bit
  • Windows Embedded Enterprise 7 NoSP, SP1 32/64bit

Safe Lock for server
  • Windows 2000 Server SP4 32bit
  • Windows 2003 Standard / Enterprise / Storage SP1, SP2 32bit
  • Windows 2003 R2 Standard / Enterprise / Storage NoSP, SP2 32bit
  • Windows 2008 Standard / Enterprise / Storage SP1, SP2 32/64bit
  • Windows 2008 R2 Standard / Enterprise / Storage NoSP, SP1 64bit
  • Windows Embedded Server 2003 SP1, SP2 32bit
  • Windows Embedded Server 2003 R2 NoSP, SP2 32bit
  • Windows Embedded Server 2008 SP1, SP2 32/64bit
  • Windows Embedded Server 2008 R2 NoSP, SP1 64bit

CPU: In accordance with OS minimum system requirements
Memory: In accordance with OS minimum system requirements
Free disk space: 300MB or above (installer checks this)
Display: VGA (640x480) resolution or higher, 16 colors or more

 

Limitations

  • Memory Randomization, API Hooking Prevention and DLL Injection Prevention are not supported on 64-bit platforms.
  • In the case of systems that use Windows Embedded, our product support may not extend to environments in which customized OS components are causing problems only in the environment concerned, i.e. are resulting in problems that cannot be reproduced in a standard Windows environment.
  • If OS functions or third party products are used to implement encrypted folders or virtualized applications, Safe Lock will not support the applications running in the corresponding folders.

Warnings

  • Safe Lock cannot be installed in an environment with other Trend Micro products.
  • Safe Lock cannot determine whether a blocked file is malware or not. Please consult the relevant developer to confirm the legitimacy of files. To scan and remove malware, please purchase Portable Security, our malware scanning & cleanup tool for standalone PC/closed system. (For supported operating systems, refer to the Portable Security system requirements.)
  • If the lockdown is enabled without registering on the approved list those applications that are necessary for normal operation of the OS, and the system is then restarted, the OS may not work correctly or users may not be able to log in to the OS. Please note that if this occurs, it becomes impossible to perform Safe Lock operations—such as releasing the lockdown—and the OS must therefore be reinstalled. When the OS or applications are updated, the updated files must be registered on the approved list.
  • Forgetting the administrator password after engaging the lockdown makes it impossible for users to change the settings of or uninstall Safe Lock. Please note that in such a case, the OS must be reinstalled.

Note: The system requirements stated above, such as OS, memory, and free disk space, are subject to change without prior notice, due to termination of OS support, or improvements to our products, etc.

