Whitelisting Boosts Security

Tuesday, August 28, 2012 @ 12:08 PM gHale

Vital New Approach to a Defense in Depth Security Program

By Gregory Hale
It wasn’t that long ago deep within eastern Tennessee’s Anderson and Roane counties, the Department of Energy’s Oak Ridge National Laboratory (ORNL) fell victim to a hack attack where several megabytes of data ended up stolen.

That 2011 attack started when multiple Lab employees clicked on a link in a phishing email disguised to look like benefits information from the human resources department. Hackers were aware of a Zero Day vulnerability in the Lab’s Internet Explorer browser software and they knew just how to take advantage of it.

Lab workers became aware of the intrusion on April 11 and that started them on a frenetic hunt to find a way to stop the attack. By April 15, Lab management came to the ultimate decision: Unplug the Internet. No connection in or out. The attack stopped; so did any hope of using the Internet for the next two weeks.

Work continued at the lab — home to nuclear, chemical and biotechnology research centers — but any kind of communication or interaction or connection to outside sources was gone. Productivity was lost for a two-week period.

To win and gain an advantage today, manufacturing and process businesses must adapt quickly to change. Time to make decisions and take action is more compact. That makes timely distribution of reliable information vital. In today’s business climate, data needs to go out to operations, engineering and management in the proper context. That all means manufacturers must increase accessibility to the system and, while exchanging business and process information is necessary, it does open the door to intrusions.

That is why a solid defense in depth security program is essential for manufacturers, including antivirus, blacklisting, firewalls and whitelisting to name a few. Security ends up being a process of working with and creating continuously-evolving strategies to fend off attackers, who always find new ways to steal information, data, money or whatever they can get their digital hands on.

Whitelisting to Rescue
One of the newer ways to fend off would-be attackers is to create an application whitelisting program.

The goal of application whitelisting for an industrial control system is to prevent unauthorized applications from running, enforce a list of approved applications, include an administration tool that allows for adjustment to the whitelist, and monitor and report attempts to violate the policy.

“If you look at the basic premise of application whitelisting, it is turning patching upside down,” said Rick Kaun, global business manager Industrial IT Solutions at Honeywell Process Solutions. “I use the analogy of being in a night club. As long as you don’t cause trouble, you are allowed in. That means the bad guys can get in and you don’t find out about it until they are causing trouble. Once I know about you, I put a picture of you at the front door and the bouncer does not let you in next time. That is what antivirus is. Whitelisting is the other. Three couples come to your house for dinner. It is a very expected list. You know what to do.”

“If you look at the basic premise of application whitelisting, it is turning patching upside down.”

— Rick Kaun, Honeywell Process Solutions

Antivirus used to be a great tool that could stop an attack cold. Antivirus’, or blacklisting’s stated goal is to keep all the bad players out of the system by defining a list of file formats the antivirus mechanism does not allow. Plug in the software and watch it do its magic. Antivirus these days is a staple for a security solution, but it cannot work alone any more. With new versions of malware hitting the cyber street every day, antivirus just can’t keep up. New variants pop up that can totally evade any detection.

Just in the first quarter this year alone, malware had its biggest increase in more than four years, according to a report from security software provider, McAfee. The number of samples taken was at 83 million, according to McAfee’s quarterly security report. Fake antivirus programs declined in popularity, but software with faked security signatures, rootkits and password-stealing Trojans rose. McAfee counted 200,000 new examples of password-stealing Trojan horses. That is in just one quarter.

Tandem Effort
As a part of a defense in depth posture, manufacturers need whitelisting to play off antivirus.

“They have to work together,” said Mike Baldi, chief cyber security architect for Honeywell Process Solutions. “Our recommendation for industrial control systems is for them to work together. The technologies are not designed to know about each other so they need to be configured to work together otherwise they can conflict. We have seen that scenario. We do feel it is the best protection for a system to have antivirus and whitelisting installed.”

“I don’t think anyone can just stand up with just one,” Kaun said. “A lot of people are standing up with just blacklisting today because whitelisting is such a challenge, but you really shouldn’t put all your eggs in one basket.”

The two technologies need to work together to act as a back up or there could be a problem.

“I can give an example of how they couldn’t work together,” Baldi said. “Both technologies intercept system operations when you open a file. If you have two applications trying to open the same file at the same time, you can get into system contention problems and they could actually cause one or the other applications to fail. For example, whitelisting runs at the kernel mode so it could block antivirus from doing its job. Antivirus could encounter errors because whitelisting was using a file as it was being opened. So, the two applications have to be aware of each other. There is also some scanning that is done by antivirus that needs to be accounted for and whitelisting needs to allow that.”

Thinking whitelisting was complex has always been one of the issues behind why manufacturers shied away from implementing a program.

“When it comes to process control, I think whitelisting is very well-suited and incredibly challenging,” Kaun said. “The reason why it is incredibly challenging is we are talking legacy control systems. Putting tools in there and locking things down, especially when there are people that don’t understand what their equipment does, if you are using dynamic port ranges for example, how do we actually capture that? That is the challenge.”

Static Bonus
One benefit, though, is the process control environment is relatively static when it comes to software programs. Software is not constantly changing.

“I think the wonderfully beneficial advantage is the environment does not change a lot, so when we get it right, the need to continually tweak that allowed list is a lot less than it would be in a dynamic corporate environment,” Kaun said. “I think on the one hand it is very well-suited because we don’t change a lot, but it is challenging because we have some interesting legacy stuff out there.”

“I can give you a good example of how whitelisting would or would not protect a system,” Baldi said. “A common mode of attack is to replace one of your system files with a version that has malware embedded in it and when you run that utility you also enable the malware which does damage to your system. For instance they could replace the notepad system and when you run notepad you are actually enabling the malware. That kind of attack will be prevented in whitelisting because with your system whitelisted it will not allow a different version of notepad to run.”

The catch Baldi said is if the allowed software has a vulnerability embedded in it.

“If there is a Zero Day vulnerability in the existing version that you have whitelisted of notepad on your system, whitelisting will allow that version to run and the attackers can take advantage of that vulnerability,” he said. “Only the version you have whitelisted will run, but if you whitelisted a Zero Day vulnerability, whitelisting will not protect you against that.”

“That is why you need hand-in-hand antivirus and whitelisting, said Shawn Gold, global solutions leader, industrial IT solutions at Honeywell Process Solutions. “The antivirus should pick up that version of notepad that has a virus in it.”

System Speed
With the traditional security software on a system, end users often fret over adding any more software, fearing it will slow down the process.

But that often ends up not being a problem.

“That is always one the biggest concerns we have,” Gold said. “From anything we add to a process control system, where some IT folks may not be as concerned about the loading on a system, we are paranoid. We have very strict rules on how much load a system can have.”

“From a technical side we are extremely concerned about any changes in the load to our systems because it can impact performance in an upset condition when we need the most horsepower,” Baldi said. “Because of that, we have done some exhaustive testing on our largest systems and we have found some scenarios where whitelisting had a significant impact on operations because of the way the operations worked with the files system. We were able to very quickly — once we have tested them and discovered them — tune the whitelisting so it didn’t impact those areas.”

“If properly tuned and managed for your systems, it can have a negligible impact,” Gold said. “But you have to take that due care and attention.”

System Residence
For an industrial control system, whitelisting does not run at the network level, but rather on every individual node you install it on. So every PC running either a Windows or Linux operating system can have whitelisting running on it. The installation on that node protects only that node.

That means for users to get the most benefit out of whitelisting, they need to understand their system and know what is running on it.

“You should be reviewing your cyber security vulnerability and attack vectors on your system on a somewhat regular basis,” Gold said. “When it comes to whitelisting, if you install an update to your system, you will have to update your whitelist as a part of the ongoing maintenance. It depends on how frequently you upgrade your systems. If you are going to install software upgrades once a year, you should be updating your whitelisting as well.

“The conclusion is whitelisting has to be tightly integrated into your process control solutions,” Baldi said. “If it is tightly integrated it is not an issue, it is not something a casual user will go and pull a whitelist solution off the shelf put it on the system and expect it to work seamlessly, there is a definite tight integration needed there.”

That integration will enable the manufacturer to do what they do best: Make product. As a part of an integrated security package, it will also help keep systems running, which increases productivity and profitability. But whitelisting is not the Lone Ranger; it will need to work in conjunction with other programs and solutions and that will increase a defense in depth posture so attackers can’t get in and steal important information.

“White listing should never be considered a silver bullet,” Gold said. “It’s not a replacement for a customer that has other things like blacklisting/antivirus or what other tools they may have. It is something they should be considering in addition to what they currently have. It does buy them some additional benefits in addition to the added security it does provide.”

Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (ISSSource.com).

Leave a Reply

You must be logged in to post a comment.