The whitelist: Finding the light in cyber darkness
Attacks on critical infrastructure and energy organizations are becoming more frequent and costly from financial and shareholder perspectives. These attacks are calculated, sophisticated, and persistent to achieve the end goal—whether they access data or damage the operational technology (OT) environment. This has spurred energy organizations to be aware of existing cyber vulnerabilities and seek solutions to improve their security posture, maintain best practices, and prevent the next major disruption to operations.
Because these attacks are most often aimed at the industrial control system network, they have the potential to cause catastrophic damage in comparison to information technology (IT)-specific incidents.
These attacks pose risks to human safety and physical equipment, and they are very expensive. In 2015, the average annual cost of cyber crime for energy and utility companies was $12.8 million, the highest of any industry apart from the financial sector. It’s not exactly a competition anyone wants to win, but it is the reality faced in industrial environments.
The rising costs are associated with the rising number of threats. Attacks on critical infrastructure have increased dramatically in the last few years, up 20.4% in 2015 compared to 2014 according to an ICS-CERT report, but they have not been as widely reported as IT breaches because they aren’t as pervasive and remain contained within the organization.
In some cases they may not even be recognized as a cyber attack until months later. According to the 2015 SANS industrial control system (ICS) security report, 34% of industrial organizations surveyed believe their systems have been breached more than twice in the past year, and 44% were unable to identify the source of the infiltration.
The uncertainty and lack of transparency surrounding cyber attacks in industrial sectors have made them difficult not only to prevent and mitigate, but also to understand. When hackers hijacked the systems of two power distribution companies in Ukraine, 80,000 customers lost power. The elusive critical infrastructure cyber attack became a reality for everyone.
To help guide organizations, the U.S. Department of Homeland Security (DHS) recently issued its "Seven Steps to Effectively Defend Industrial Control Systems," which identified the implementation of application whitelisting as the most effective strategy to mitigate potential cyber threats. Application whitelisting has traditionally been challenging to configure in ICS networks, but recent innovations and shifting business strategies toward a managed security service model have enabled much easier and cost-effective adoption.
What is application whitelisting?
In the IT environment, application whitelisting is an administrative process designed to limit what applications can run on a computer. Similarly in an OT, industrial environment, application whitelisting runs on human-machine interface (HMI) computers and designates the specific applications that are allowed to run on the ICS network.
This strong layer of protection for a network that is overlaid on physical assets helps detect and prevent cyber attacks in the form of malware that could directly impact the operation of those assets. By ensuring that only genuine firmware code is capable of running on the secured controller platforms, application whitelisting protects servers from malware and zero-day attacks.
One downside to application whitelisting has been the complexity and cost surrounding implementation and maintenance within organizations. More vendors, however, are offering implementation as part of the investment in the ICS software and accompanying cyber security solutions. The technique’s effectiveness provides value for the vendor and industrial customer by protecting the ICS layer of the network. DHS recommends that ICS operators collaborate with their vendors to baseline and calibrate application whitelist deployments to guarantee secure set-up and proven protection.
To ensure the success of a strong application whitelisting practice, training and education must be implemented throughout the organization. To maintain the application whitelisting mechanism, operators must have an understanding of cyber vulnerabilities and what applications are safe to run on the network. As a large portion of the energy workforce is nearing retirement, operators with a background in engineering and cyber security are a scarce commodity and continue to be highly sought after.
Industrial organizations will need to become more aggressive about providing training programs and opportunities for continued education to develop the workforce they require and to help nontechnical staff understand how their actions impact security. To supplement this need, many vendors offer to maintain application whitelisting as a service. This helps alleviate the talent gap by providing the technology and expertise to support cyber security requirements, which is particularly beneficial when an organization is not set up to manage this undertaking internally.
Blacklisting’s role in cyber security
Traditional firewalls and antivirus software are not enough to protect against advanced attacks. The more predominant method in the energy space, blacklisting, has been a standard practice in virus protection and intrusion detection/prevention systems, but it has failed to keep up with constantly evolving threats that are manipulated and adapted to penetrate unique industrial environments.
Blacklists rely on signatures for known threats that are part of a threat-centric model in which known threats are blocked from running while all other unlisted programs are allowed to run. The downside is there is no inherent protection against zero-day threats that are not yet known to be potentially damaging, and it’s impossible to keep up with the growing volume of malware today.
One of the better-known malware families, BlackEnergy, has been active in the energy industry since 2007. Like the flu virus, BlackEnergy has evolved through several variants to become more effective at propagation. BlackEnergy 3 was found in the recent Ukraine hack and may have been introduced through spear phishing. What distinguished the variant in this case was the inclusion of a KillDisk component. It is believed the hackers gained access to the networks and, once inside, took over the operator stations to control the breakers and shut down power. Blacklisting would not have recognized the BlackEnergy 3 variant and so could not have prevented the initial access to the network.
Blacklisting also tends to require more server updates to keep pace with the proliferation of malware. When aging digital assets, such as gas turbines and compressor controls, have a life span of a decade or longer and require continuous operation, they are more vulnerable than other machines that receive regular updates and patching during frequent maintenance shutdowns.
These assets are safest when they are either completely shut down or fully operational. For this reason, frequent updates pose a greater risk of introducing cyber threats. Rather than protecting against only the known threats, operators must rely on the trusted applications and block everything else through whitelisting. As additional applications are identified as safe, operators can modify the whitelist to include or remove applications when needed without taking the asset offline.
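The contrast drawn above between the threat-centric blacklist (deny known-bad, allow the rest) and the trust-centric whitelist (allow approved, deny the rest) can be shown in a few lines. The example below is added here and is not code from the article or from any vendor product; the three "executables" are constructed byte strings standing in for a genuine HMI binary, a known malware sample and a new variant that no signature feed has seen yet, and hashes are used as the identity of an image.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample "executables" (not real binaries): the vendor's genuine
# HMI software, a known malware sample, and a new variant of that malware.
GENUINE_HMI   = b"MZ\x90\x00genuine-hmi-v4.2"
KNOWN_MALWARE = b"MZ\x90\x00malware-sample-v2"
NEW_VARIANT   = b"MZ\x90\x00malware-sample-v3"  # not yet in any signature set

@dataclass
class Blocklist:
    """Threat-centric model: deny only known-bad hashes, allow everything else."""
    bad_hashes: set = field(default_factory=set)

    def permits(self, image: bytes) -> bool:
        return sha256(image) not in self.bad_hashes

@dataclass
class Allowlist:
    """Trust-centric model: allow only approved hashes, deny everything else."""
    good_hashes: set = field(default_factory=set)

    def permits(self, image: bytes) -> bool:
        return sha256(image) in self.good_hashes

    def approve(self, image: bytes) -> None:
        # Adding an entry is a policy change on the enforcement point,
        # not a software update that requires the protected asset to stop.
        self.good_hashes.add(sha256(image))

    def revoke(self, image: bytes) -> None:
        self.good_hashes.discard(sha256(image))

def compare_models() -> dict:
    """Return, per model, which of the three images would be allowed to run."""
    blocklist = Blocklist({sha256(KNOWN_MALWARE)})
    allowlist = Allowlist({sha256(GENUINE_HMI)})
    images = {"genuine": GENUINE_HMI, "known": KNOWN_MALWARE, "variant": NEW_VARIANT}
    return {
        "blocklist": {name: blocklist.permits(img) for name, img in images.items()},
        "allowlist": {name: allowlist.permits(img) for name, img in images.items()},
    }

if __name__ == "__main__":
    for model, verdicts in compare_models().items():
        print(model, verdicts)
```

The blocklist lets the unseen variant run because nothing matched, which is exactly the zero-day gap described above; the allowlist denies it because it was never approved, and approving or revoking an image changes only the policy, not the running asset.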
Light: Policy-based control
A strong cyber security strategy for an ICS today includes granular, policy-based control of the application layer, enabling industrial operators to reduce the size of the system’s attack surface by opening doors only to trusted software and applications. Many vendors have developed whitelisting mechanisms to determine the validity of software processes running in an embedded control system and ensure that only the genuine released software is allowed to run.
This comprehensive approach to safeguarding against attacks prevents the execution of malicious programs, malware, or other software processes deemed to be security risks. All of this is critical to safeguarding a critical infrastructure or energy organization—and its customers—and is particularly important when these risks are more prevalent and destructive.
Dana Pasquali, product management leader, GE Oil & Gas. Edited by Chris Vavra, production editor, Control Engineering, firstname.lastname@example.org.
Cyber security attacks pose risks to human safety and physical equipment and are very expensive for companies.
Application whitelisting is an administrative process designed to limit what applications can run on a computer.
Many vendors have developed whitelisting mechanisms to determine the validity of software processes running in a control system.
What other protocols and methods can companies use to lower the risk of a cyber security attack?