The whitelist: Finding the light in cyber darkness

Attacks on critical infrastructure and energy organizations are becoming more frequent and a threat from a safety and financial standpoint. Application whitelisting can be an effective strategy in limiting what programs can run on a computer, which can limit the potential for a cyber security attack.


The average annual cost of cyber crime for energy and utility companies in 2015 was $12.8 million. Courtesy: GE Oil and GasAttacks on critical infrastructure and energy organizations are becoming more frequent and costly from financial and shareholder perspectives. These attacks are calculated, sophisticated, and persistent to achieve the end goal—whether they access data or damage the operational technology (OT) environment. This has spurred energy organizations to be aware of existing cyber vulnerabilities and seek solutions to improve their security posture, maintain best practices, and prevent the next major disruption to operations.

Because these attacks are most often aimed at the industrial control system network, they have the potential to cause catastrophic damage in comparison to information technology (IT)-specific incidents.

These attacks pose risks to human safety, physical equipment, and are very expensive. In 2015, the average annual cost of cyber crime for energy and utility companies was $12.8 million, which led all industries in highest cost aside from the financial sector. It's not exactly a competition anyone wants to win, but a reality faced in industrial environments.

The rising costs are associated with the rising number of threats. Attacks on critical infrastructure have increased dramatically in the last few years, up 20.4% in 2015 compared to 2014 according to an ICS-CERT report, but they have not been as widely reported as IT breaches because they aren't as pervasive and remain contained within the organization.

In some cases they may not even be recognized as a cyber attack until months later. According to the 2015 SANS industrial control system (ICS) security report, 34% of industrial organizations surveyed believe their systems have been breached more than twice in the past year, and 44% were unable to identify the source of the infiltration.

The uncertainty and lack of transparency surrounding cyber attacks in industrial sectors have made them difficult to not only prevent and mitigate, but also to understand. When hackers hijacked the systems of two power distribution companies in Ukraine, 80,000 customers lost power. The illusive critical infrastructure cyber attack became a reality for everyone.

To help guide organizations, the U.S. Department of Homeland Security (DHS) recently issued its "Seven Steps to Effectively Defend Industrial Control Systems," which identified the implementation of application whitelisting as the most effective strategy to mitigate potential cyber threats. Application whitelisting has traditionally been challenging to configure in ICS networks, but recent innovations and shifting business strategies toward a managed security service model have enabled much easier and cost-effective adoption. 

What is application whitelisting?

In the IT environment, application whitelisting is an administrative process designed to limit what applications can run on a computer. Similarly in an OT, industrial environment, application whitelisting runs on human-machine interface (HMI) computers and designates the specific applications that are allowed to run on the ICS network.

This strong layer of protection for a network that is overlaid on physical assets helps detect and prevent cyber attacks in the form of malware that could directly impact the operation of those assets. By ensuring that only genuine firmware code is capable of running on the secured controller platforms, application whitelisting protects servers from malware and zero-day attacks.

One downside to application whitelisting has been the complexity and cost surrounding implementation and maintenance within organizations. More vendors, however, are offering implementation as part of the investment in the ICS software and accompanying cyber security solutions. The technique's effectiveness provides value for the vendor and industrial customer by protecting the ICS layer of the network. DHS recommends that ICS operators collaborate with their vendors to baseline and calibrate application whitelist deployments to guarantee secure set-up and proven protection.

To ensure the success of a strong application whitelisting practice, training and education must be implemented throughout the organization. To maintain the application whitelisting mechanism, operators must have an understanding of cyber vulnerabilities and what applications are safe to run on the network. As a large portion of the energy workforce is nearing retirement, operators with a background in engineering and cyber security are a scarce commodity and continue to be highly sought after.

Industrial organizations will need to become more aggressive about providing training programs and opportunities for continued education to develop the workforce it requires and help nontechnical staff understand how their actions impact security. To supplement the need many vendors offer to maintain the application whitelisting as a service. This helps alleviate the talent gap by providing the technology and expertise to support cyber security requirements and needs, which is particularly beneficial when an organization is not set up to manage this undertaking internally. 

Blacklisting's role in cyber security

Traditional firewalls and antivirus software are not enough to prevent against advanced attacks. A more predominant method in the energy space, blacklisting, has been a standard practice in virus protection and intrusion detection/prevention systems but has failed to meet the constantly evolving threats that are being manipulated and adapted to penetrate unique industrial environments.

Blacklists rely on signatures for known threats that are part of a threat-centric model in which known threats are blocked from running while all other unlisted programs are allowed to run. The downside is there is no inherent protection against zero-day threats that are not yet known to be potentially damaging, and it's impossible to keep up with the growing volume of malware today.

One of the more known malwares, BlackEnergy, has been active in the energy industry since 2007. Like the flu virus, BlackEnergy has evolved in several variants to become more effective in propagation. BlackEnergy 3 was found in the recent Ukraine hack and may have been introduced through spear phishing. The variant in this case was the inclusion of a KillDisk component. It is believed hackers gained access to the networks, and once on the networks, took over the operator stations to control the breakers and shut down power. Blacklisting would not have recognized the "BlackEnergy 3" variant to prevent the initial access to the network. 

Blacklisting also tends to require more server updates to keep pace with the proliferation of malware. When aging digital assets, such as gas turbines and compressor controls, have a life span of a decade or longer and require continuous operation, they are more vulnerable than other machines that receive regular updates and patching during frequent maintenance shutdowns.

These assets are safest when they are either completely shut down or fully operational. For this reason, frequent updates pose a greater risk of introducing cyber threats. Rather than protect against the known threats, operators must rely on the trusted applications and block everything else through whitelisting. As additional applications are identified as safe, operators can modify the whitelist to include or remove applications when needed without taking the asset offline.

Light: Policy-based control

A strong cyber security strategy for an ICS today includes a granular, policy-based control of the application layer to enable industrial operators to eliminate the system's attack surface size by only opening doors to trusted software and applications. Many vendors have developed whitelisting mechanisms to determine the validity of software processes running in an embedded control system and ensure that only the genuine released software is allowed to run.

This comprehensive approach to safeguarding against attacks prevents the execution of malicious programs, malware, or other software processes deemed to be security risks. All of this is critical to safeguarding a critical infrastructure or energy organization—and its customers—and is particularly important when these risks are more prevalent and destructive.

Dana Pasquali, product management leader, GE Oil & Gas. Edited by Chris Vavra, production editor, Control Engineering,


Key Concepts

Cyber security attacks pose risks to human safety and physical equipment and are very expensive for companies.

Application whitelisting is an administrative process designed to limit what applications can run on a computer.

Many vendors have developed whitelisting mechanisms to determine the validity of software processes running in a control system. 

Consider this

What other protocols and methods can companies use to lower the risk of a cyber security attack? 

ONLINE extra

See additional stories about industrial control systems (ICSs) linked below.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me