As cyber threats evolve, so do some great tools to combat viruses and malware in the industrial control environment. One such tool available today is a technology called application whitelisting.
Essentially, application whitelisting for industrial control systems (ICS) allows only approved or “safe” software to operate while blocking other, potentially unsafe and unauthorised applications from running.
The basic concept behind whitelisting is to permit only known-good files to execute, rather than attempting to block malicious code and activity. When properly implemented, whitelisting should enforce a list of approved applications, include an administration tool that allows the whitelist to be adjusted, and monitor and report attempts to violate the policy.
Let’s take a look at an example. A common mode of attack is to replace one of your system files with a version that has malware embedded in it. When you run that utility, you also run the malware, which damages your system.
For instance, the notepad.exe file could be replaced on your system, and when you run notepad you are actually running the malware. With application whitelisting, this kind of attack would be prevented because your system would not allow a different version of notepad to run. Attack averted.
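To make the mechanism concrete, here is a small added example (not from the original article or from any vendor product) that models a hash-based whitelist: each approved executable is identified by the SHA-256 of its contents, so a replacement notepad.exe at the same path but with different bytes is denied, and the attempt is recorded for the monitoring and reporting the article mentions. The file paths and byte contents are constructed stand-ins, not real binaries.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Whitelist:
    """Approved executables keyed by path -> SHA-256 of the known-good contents."""
    approved: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)   # (path, reason, observed hash)

    def approve(self, path: str, content: bytes) -> None:
        # Administration step: record the hash of the known-good binary.
        self.approved[path] = hashlib.sha256(content).hexdigest()

    def check(self, path: str, content: bytes) -> bool:
        """Return True if execution is permitted; otherwise log the violation and deny."""
        digest = hashlib.sha256(content).hexdigest()
        expected = self.approved.get(path)
        if expected is None:
            self.violations.append((path, "not on whitelist", digest))
            return False
        if digest != expected:
            # Same path, different bytes: the file was replaced or modified.
            self.violations.append((path, "hash mismatch", digest))
            return False
        return True


# Constructed stand-ins for file contents (hypothetical, not real executables).
GOOD_NOTEPAD = b"MZ\x90\x00 constructed stand-in for the genuine notepad.exe"
TAMPERED_NOTEPAD = b"MZ\x90\x00 constructed stand-in for a notepad.exe with embedded malware"
NOTEPAD_PATH = r"C:\Windows\notepad.exe"     # hypothetical path
UNKNOWN_PATH = r"C:\Temp\unapproved.exe"     # hypothetical path


def demo() -> dict:
    """Approve the genuine file, then check a genuine, a replaced and an unknown executable."""
    wl = Whitelist()
    wl.approve(NOTEPAD_PATH, GOOD_NOTEPAD)
    return {
        "genuine": wl.check(NOTEPAD_PATH, GOOD_NOTEPAD),        # True
        "replaced": wl.check(NOTEPAD_PATH, TAMPERED_NOTEPAD),   # False
        "unknown": wl.check(UNKNOWN_PATH, TAMPERED_NOTEPAD),    # False
        "violations": [(path, reason) for path, reason, _ in wl.violations],
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the approved hashes would be stored and signed out of band, and the violation log would feed the site's monitoring; the hash comparison is the part that stops the swapped binary.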
So why haven’t process manufacturers totally embraced application whitelisting?
One reason might be the concern that improper configuration could introduce additional risk and adversely impact system operation. Choosing a solution from a vendor with both cyber and process control expertise provides the proper planning and implementation that minimises or eliminates this risk.
Another challenge might be the concern of how to manage frequent changes to the list of allowable applications. With business networks, there is a constant, changing list and that means lots of updates and management are required.
But in a more static systems environment such as industrial control, the set of applications running on those systems changes less frequently. You can plan for patches and updates and manage them with the administration utility included in the whitelisting tool, making the process manageable while adding a further layer of security.
Antivirus has traditionally been the primary malware prevention tool for ICS. Often referred to as blacklisting, antivirus will prevent malware from running on the automation system by comparing files to a library of known malware signatures.
While this can be a powerful tool for threat prevention, it is not a silver bullet. With new versions of malware being introduced daily, antivirus alone just can’t keep up. New variants pop up that can evade antivirus detection, and antivirus signature files must be updated around the clock.
So what offers a solid one-two punch? Consider implementing both antivirus and application whitelisting. Together, they offer solid layers of protection – keeping out known threats while shielding from unknown threats, making the ICS much more difficult to exploit.
With the evolving threat landscape, it’s time for all ICS end-users to work with their vendor to decide whether to implement application whitelisting on their systems. While there is a cost to adding whitelisting to your industrial control system, the rewards can far outweigh the risk and consequences of exploitation.
[Mike Baldi is chief cyber security architect, Honeywell Process Solutions.]