The whitelist: Finding the light in cyber darkness

Attacks on critical infrastructure and energy organizations are becoming more frequent and a threat from a safety and financial standpoint. Application whitelisting can be an effective strategy in limiting what programs can run on a computer, which can limit the potential for a cyber security attack.

04/08/2016


The average annual cost of cyber crime for energy and utility companies in 2015 was $12.8 million. Courtesy: GE Oil and Gas

Attacks on critical infrastructure and energy organizations are becoming more frequent and costly from financial and shareholder perspectives. These attacks are calculated, sophisticated, and persistent to achieve the end goal—whether they access data or damage the operational technology (OT) environment. This has spurred energy organizations to be aware of existing cyber vulnerabilities and seek solutions to improve their security posture, maintain best practices, and prevent the next major disruption to operations.

Because these attacks are most often aimed at the industrial control system network, they have the potential to cause catastrophic damage in comparison to information technology (IT)-specific incidents.

These attacks pose risks to human safety and physical equipment, and they are very expensive. In 2015, the average annual cost of cyber crime for energy and utility companies was $12.8 million, the highest of any industry apart from the financial sector. It's not exactly a competition anyone wants to win, but a reality faced in industrial environments.

The rising costs are associated with the rising number of threats. Attacks on critical infrastructure have increased dramatically in the last few years, up 20.4% in 2015 compared to 2014 according to an ICS-CERT report, but they have not been as widely reported as IT breaches because they aren't as pervasive and remain contained within the organization.

In some cases they may not even be recognized as a cyber attack until months later. According to the 2015 SANS industrial control system (ICS) security report, 34% of industrial organizations surveyed believe their systems have been breached more than twice in the past year, and 44% were unable to identify the source of the infiltration.

The uncertainty and lack of transparency surrounding cyber attacks in industrial sectors have made them difficult not only to prevent and mitigate, but also to understand. When hackers hijacked the systems of two power distribution companies in Ukraine, 80,000 customers lost power. The elusive critical infrastructure cyber attack became a reality for everyone.

To help guide organizations, the U.S. Department of Homeland Security (DHS) recently issued its "Seven Steps to Effectively Defend Industrial Control Systems," which identified the implementation of application whitelisting as the most effective strategy to mitigate potential cyber threats. Application whitelisting has traditionally been challenging to configure in ICS networks, but recent innovations and shifting business strategies toward a managed security service model have enabled much easier and cost-effective adoption. 

What is application whitelisting?

In the IT environment, application whitelisting is an administrative process designed to limit what applications can run on a computer. Similarly, in an industrial OT environment, application whitelisting runs on human-machine interface (HMI) computers and designates the specific applications that are allowed to run on the ICS network.

This strong layer of protection, applied to the network that sits over the physical assets, helps detect and prevent cyber attacks in the form of malware that could directly impact the operation of those assets. By ensuring that only genuine firmware code is capable of running on the secured controller platforms, application whitelisting protects servers from malware and zero-day attacks.

One downside to application whitelisting has been the complexity and cost surrounding implementation and maintenance within organizations. More vendors, however, are offering implementation as part of the investment in the ICS software and accompanying cyber security solutions. The technique's effectiveness provides value for the vendor and industrial customer by protecting the ICS layer of the network. DHS recommends that ICS operators collaborate with their vendors to baseline and calibrate application whitelist deployments to guarantee secure set-up and proven protection.

To ensure the success of a strong application whitelisting practice, training and education must be implemented throughout the organization. To maintain the application whitelisting mechanism, operators must have an understanding of cyber vulnerabilities and what applications are safe to run on the network. As a large portion of the energy workforce is nearing retirement, operators with a background in engineering and cyber security are a scarce commodity and continue to be highly sought after.

Industrial organizations will need to become more aggressive about providing training programs and opportunities for continued education to develop the workforce they require and to help nontechnical staff understand how their actions impact security. To fill this gap, many vendors offer to maintain application whitelisting as a service. This helps alleviate the talent shortage by providing the technology and expertise to support cyber security requirements, which is particularly beneficial when an organization is not set up to manage this undertaking internally.

Blacklisting's role in cyber security

Traditional firewalls and antivirus software are not enough to protect against advanced attacks. The more predominant method in the energy space, blacklisting, has been standard practice in virus protection and intrusion detection/prevention systems, but it has failed to keep up with constantly evolving threats that are manipulated and adapted to penetrate unique industrial environments.

Blacklists rely on signatures for known threats that are part of a threat-centric model in which known threats are blocked from running while all other unlisted programs are allowed to run. The downside is there is no inherent protection against zero-day threats that are not yet known to be potentially damaging, and it's impossible to keep up with the growing volume of malware today.

One of the better-known malware families, BlackEnergy, has been active in the energy industry since 2007. Like the flu virus, BlackEnergy has evolved through several variants to become more effective at propagating. BlackEnergy 3 was found in the recent Ukraine hack and may have been introduced through spear phishing. What distinguished the variant in this case was the inclusion of a KillDisk component. It is believed the hackers gained access to the networks and, once inside, took over the operator stations to control the breakers and shut down power. Blacklisting would not have recognized the "BlackEnergy 3" variant and so could not have prevented the initial access to the network.

Blacklisting also tends to require more server updates to keep pace with the proliferation of malware. When aging digital assets, such as gas turbines and compressor controls, have a life span of a decade or longer and require continuous operation, they are more vulnerable than other machines that receive regular updates and patching during frequent maintenance shutdowns.

These assets are safest when they are either completely shut down or fully operational. For this reason, frequent updates pose a greater risk of introducing cyber threats. Rather than protect against the known threats, operators must rely on the trusted applications and block everything else through whitelisting. As additional applications are identified as safe, operators can modify the whitelist to include or remove applications when needed without taking the asset offline.

Light: Policy-based control

A strong cyber security strategy for an ICS today includes granular, policy-based control of the application layer, enabling industrial operators to minimize the system's attack surface by only opening doors to trusted software and applications. Many vendors have developed whitelisting mechanisms to determine the validity of software processes running in an embedded control system and ensure that only the genuine released software is allowed to run.
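To make the difference between the two models concrete (the threat-centric blacklist described under "Blacklisting's role in cyber security", and the trust-centric, hash-based whitelist of genuine released software described above), here is an added illustration that is not part of the original article or any vendor's product. The sample executables, paths and hashes are constructed; a real deployment would hash binaries read from disk and take its baseline on a known-clean system.

```python
"""Blacklist vs. whitelist execution policy, with constructed sample binaries."""
import hashlib
from typing import Dict, Iterable


def sha256(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


class Blacklist:
    """Threat-centric model: block known-bad hashes, allow everything else."""

    def __init__(self, known_bad: Iterable[bytes]) -> None:
        self.signatures = {sha256(sample) for sample in known_bad}

    def allows(self, path: str, data: bytes) -> bool:
        return sha256(data) not in self.signatures


class Whitelist:
    """Trust-centric model: allow only baselined (path, hash) pairs, deny the rest."""

    def __init__(self, baseline: Dict[str, bytes]) -> None:
        # The baseline must be captured on a known-clean system (the
        # vendor calibration step DHS recommends), or it whitelists malware.
        self.allowed = {path: sha256(data) for path, data in baseline.items()}

    def add(self, path: str, data: bytes) -> None:
        """Approve a newly vetted application without taking the asset offline."""
        self.allowed[path] = sha256(data)

    def remove(self, path: str) -> None:
        self.allowed.pop(path, None)

    def allows(self, path: str, data: bytes) -> bool:
        # A changed binary at an approved path (tampering or an unvetted
        # update) is denied too: identity is path AND content hash.
        return self.allowed.get(path) == sha256(data)


# Constructed sample executables (hypothetical names and contents).
HMI = b"HMI-RELEASE-4.2"
HISTORIAN = b"HISTORIAN-RELEASE-1.9"
KNOWN_VARIANT = b"MALWARE-VARIANT-A"       # signature already in the blacklist
NEW_VARIANT = b"MALWARE-VARIANT-B"         # never seen before: a zero-day to the blacklist
TAMPERED_HMI = b"HMI-RELEASE-4.2+IMPLANT"  # approved path, modified content
DIAG_TOOL = b"VENDOR-DIAG-2.0"             # legitimate tool vetted after the baseline


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """Evaluate the same execution requests under both models; True means allowed."""
    blacklist = Blacklist([KNOWN_VARIANT])
    whitelist = Whitelist({"C:/hmi/hmi.exe": HMI, "C:/hmi/historian.exe": HISTORIAN})
    requests = {
        "hmi": ("C:/hmi/hmi.exe", HMI),
        "known_variant": ("C:/temp/update.exe", KNOWN_VARIANT),
        "new_variant": ("C:/temp/update.exe", NEW_VARIANT),
        "tampered_hmi": ("C:/hmi/hmi.exe", TAMPERED_HMI),
        "diag_tool": ("C:/tools/diag.exe", DIAG_TOOL),
    }
    verdicts = {name: {"blacklist": blacklist.allows(p, d), "whitelist": whitelist.allows(p, d)}
                for name, (p, d) in requests.items()}
    # Operator vets the diagnostic tool and extends the whitelist online.
    whitelist.add("C:/tools/diag.exe", DIAG_TOOL)
    verdicts["diag_tool_after_approval"] = {
        "blacklist": blacklist.allows("C:/tools/diag.exe", DIAG_TOOL),
        "whitelist": whitelist.allows("C:/tools/diag.exe", DIAG_TOOL),
    }
    return verdicts


if __name__ == "__main__":
    for name, v in run_scenario().items():
        print(f"{name:24s} blacklist={'allow' if v['blacklist'] else 'deny':5s} "
              f"whitelist={'allow' if v['whitelist'] else 'deny'}")
```

The unseen variant and the tampered HMI binary both pass the blacklist but fail the whitelist, while the vetted diagnostic tool runs only after the operator approves it.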

This comprehensive approach to safeguarding against attacks prevents the execution of malicious programs, malware, or other software processes deemed to be security risks. All of this is critical to safeguarding a critical infrastructure or energy organization—and its customers—and is particularly important when these risks are more prevalent and destructive.

Dana Pasquali, product management leader, GE Oil & Gas. Edited by Chris Vavra, production editor, Control Engineering, cvavra@cfemedia.com.

MORE ADVICE

Key Concepts

Cyber security attacks pose risks to human safety and physical equipment and are very expensive for companies.

Application whitelisting is an administrative process designed to limit what applications can run on a computer.

Many vendors have developed whitelisting mechanisms to determine the validity of software processes running in a control system. 

Consider this

What other protocols and methods can companies use to lower the risk of a cyber security attack? 

