ICSJWG: Whitelisting Project

Wednesday, October 17, 2012 @ 09:10 AM gHale

By Gregory Hale
For those in the manufacturing automation sector, application whitelisting should not be a new idea, but seeing how it works in practice gives more proof that it is a viable part of a defense in depth program.

That is where the LOGIIC program comes into play. LOGIIC, which stands for Linking Oil and Gas Industry to Improve Cybersecurity, began a host protection strategies project to evaluate technologies to use in industrial control systems (ICS). The focus of this one project was application whitelisting (AWL).


“We wanted to see how AWL interacts with antivirus,” said Zachery Tudor, program director at SRI International, during his session Tuesday at the Industrial Control Systems Joint Working Group (ICSJWG) meeting in Denver, CO. “We wanted to make sure we didn’t break the existing environment. We wanted to increase security without impacting system reliability or performance.”

The LOGIIC program involves major oil companies such as Shell, Total and BP. The program is a non-competitive environment for learning and sharing cyber security best practices for the industry.

One of the issues that started the study was patching. Companies needed a way to maintain security on a system that needs patches but cannot be shut down to apply them.

They wanted to know “how do I maintain security when I can’t patch as often as the patches come out,” Tudor said.

The goal of application whitelisting for an industrial control system is to prevent unauthorized applications from running, enforce a list of approved applications, include an administration tool that allows for adjustment to the whitelist, and monitor and report attempts to violate the policy.

Whitelisting is all about creating a list of applications that are allowed to run. The technology tries to stop an undesirable action before it happens: it is a deny-all approach. That contrasts with blacklisting, which is an allow-all strategy that tries to fight off malware once it is already on the system. Whitelisting only lets in what the user wants in.
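As an added illustration of the four goals listed above (deny by default, an approved list, an administration tool, and reporting of violation attempts), and not code from the LOGIIC project or any vendor's product, here is a minimal hash-based whitelist policy in Python. The binary contents and paths are constructed sample values, not real ICS software.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class AppWhitelist:
    """Default-deny execution policy keyed on the SHA-256 of the binary's contents."""
    approved: dict[str, str] = field(default_factory=dict)  # digest -> description
    violations: list[dict] = field(default_factory=list)    # audit trail of denied attempts

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    # Administration: the only way a program gets onto the allow list.
    def approve(self, content: bytes, description: str) -> str:
        d = self.digest(content)
        self.approved[d] = description
        return d

    def revoke(self, digest: str) -> None:
        self.approved.pop(digest, None)

    # Enforcement: anything not explicitly approved is denied and recorded.
    def check(self, path: str, content: bytes) -> bool:
        d = self.digest(content)
        if d in self.approved:
            return True
        self.violations.append({"path": path, "sha256": d})
        return False


def demo() -> dict:
    """Run the policy through the cases the article describes (constructed sample binaries)."""
    hmi = b"\x7fELF...hmi-historian-v3"   # constructed stand-in for an approved HMI binary
    dropper = b"MZ...unknown-program"      # constructed stand-in for an unapproved program
    wl = AppWhitelist()
    wl.approve(hmi, "HMI historian 3.0")
    results = {
        "approved_runs": wl.check("/opt/hmi/historian", hmi),
        "unknown_denied": not wl.check("/tmp/update.exe", dropper),
        # Same path, altered bytes: hashing the contents catches a replaced binary,
        # which a path-only list would miss.
        "tampered_denied": not wl.check("/opt/hmi/historian", hmi + b"\x90"),
    }
    results["violations_logged"] = len(wl.violations)
    return results
```

Each denial lands in `violations`, which is the data a monitoring tool would forward to operators; revoking a digest removes that version from the list without touching the rest.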

Tudor discussed the four phases of the project: understanding the technology landscape, testing the architecture and facility, evaluation, and project close.

In short, the project results showed whitelisting to be a solid performer, but not the “silver bullet” to solve all security issues.

“AWL addressed threats not addressed by antivirus or patching,” Tudor said. “It was effective for most systems, but not for all. It does not protect against all attacks.”

In most cases, however, whitelisting would have prevented viruses like Stuxnet and Conficker.

Some of the things to consider, Tudor said, are whether your system can handle any new application, how much effort it will take to integrate AWL with antivirus, and how much whitelisting will cost now and in the future.

Overall, whitelisting is a solid tool in the cyber security tool box.

“There is a lot of benefit,” Tudor said. But, he added a caveat: “AWL requires careful implementation and AWL policies and it may conflict with antivirus and make the system unresponsive.”
