NERC CYBER - Implementing Application Whitelisting - Tatera

This document summarizes a presentation on implementing application whitelisting on industrial control systems. It provides an overview of PG&E and why application whitelisting is important for protecting industrial control systems. Application whitelisting allows only approved applications to run and is effective for industrial control systems where the set of applications is static. However, it does not protect against exploitation of vulnerabilities in approved applications. The document outlines best practices for planning, testing, and managing an application whitelisting solution.


Implementing Application Whitelisting on Computers used for Protection and Control

GridSecCon - Thursday, October 19, 2017


Bernard Tatera P.E, GICSP
Pacific Gas & Electric
System Automation & SCADA
San Ramon, CA

PUBLIC
Overview of PG&E

Investor Owned Utility, Gas & Electric Service, incorporated in 1905

Based in San Francisco, PG&E delivers some of the nation's cleanest energy to nearly 16 million people in Northern and Central California.

70,000 Square Miles

Approximately 24,000 employees

GridSecCon 2017 2 • PUBLIC


Some things are scary the first time you try them



Why use Application Whitelisting (AWL)?

• Only those on the list will be accepted, approved or recognized (i.e., permitted). Whitelisting is the reverse of blacklisting, the practice of identifying those that are denied, unrecognized, or ostracized (i.e., prohibited).

• Application Whitelisting is the most effective Cyber Control to defend ICSs.

• The set of applications that run in ICS is essentially static, making whitelisting practical.

• AWL must be partnered with patch management.

Source: https://ics-cert.us-cert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf



Limitations of Application Whitelisting

AWL does have limitations and should be considered as one layer in a defense-in-depth cybersecurity strategy rather than a sole solution.

Probably the most notable limitation is that AWL does not protect systems from exploitation attacks that target vulnerabilities in trusted applications. These applications are on the AWL approved list and are allowed to execute.

Examples of exploitation attacks include SQL injection, cross-site scripting (XSS), and memory corruption attacks such as buffer overflows.

Adversaries target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure.

Source: https://ics-cert.us-cert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf



Application Whitelisting Planning and Implementation

1. Initiate the Solution. The first phase involves identifying current and future needs for application whitelisting; specifying requirements
for performance, functionality, and security; and developing necessary policies.

2. Design the Solution. The second phase involves all facets of designing the application whitelisting solution. Examples include
architectural considerations, whitelist management, cryptography policy, and security aspects of the solution itself.

3. Implement and Test a Prototype. The next phase involves implementing and testing a prototype of the designed solution in a lab or test
environment. The primary goals of the testing are to evaluate the functionality, management, performance, and security of the solution.

4. Deploy the Solution. Once the testing is completed and all issues are resolved, the next phase includes the gradual deployment of the
application whitelisting technology throughout the enterprise.

5. Manage the Solution. After the solution has been deployed, it is managed throughout its lifecycle. Management includes solution
maintenance and support for operational issues. The lifecycle process is repeated when enhancements or significant changes need to be
incorporated into the solution.

Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf

Preparing for AWL Installation

1. Set up the system architecture in accordance with the recommendations of the Security Control policies, in order to keep malware risk to the lowest possible level prior to and during integration of AWL.
2. Install and configure the operating system.
3. Install all necessary programs and components.
4. Install all security updates that are available for the operating system and programs.
5. Install a virus scanner and update it with the latest virus signature files.
6. Disconnect the device from external / third-party networks (e.g. at the frontend firewall).
7. Run a complete virus scan on the device.
8. Install AWL locally, or by means of ePO.
9. "Solidify" all local hard disks and partitions, i.e. the computer system is scanned for executable programs; only the programs found can be executed in the future.
10. Activate Application Control and restart the device.



How to Test AWL

Fortunately, the majority of PC-architecture based ICS systems are simpler and thus easier places to implement AWL. Leveraging the "learning modes" supported by most AWL solutions can be critical to getting a solution working.

It is critical to test each AWL solution in an appropriate test bed before implementing it on an operational ICS. Such testing should specifically include operating the ICS in situations where any infrequently used modules get executed, thus ensuring all relevant programs are included in the whitelist.

Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
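The two slides above describe the "solidify" step (scan the disk, and from then on only the executables found may run) and the test-bed practice of running the ICS in learning/audit mode so that infrequently used modules are caught before enforcement. The following Python script is an added example, not code from the presentation, PG&E, or any AWL product: it builds a hash-based baseline from a constructed sample directory, decides allow/deny for execution attempts, and runs an audit pass that collects would-be denials instead of blocking. Identifying executables by file extension, the temporary directory layout, and the file names (scada.exe, io_driver.dll, monthly_report.exe) are all assumptions made for the demonstration; a real product hooks the OS loader rather than checking paths after the fact.

```python
"""Added example: a minimal hash-based application whitelist modelled on the
"solidify" step and a learning/audit mode for test-bed runs. Not from the
presentation or any vendor; paths, names and extension list are assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Assumption for the demo: what counts as "executable" when scanning a tree.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat"}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def solidify(root):
    """Scan a tree for executables and record path -> SHA-256: the baseline.
    Anything added or changed after this point will not match."""
    whitelist = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            whitelist[str(p.resolve())] = sha256_of(p)
    return whitelist


def check_execution(whitelist, path):
    """Decide allow/deny for one execution attempt; returns (decision, reason).
    Note the page's caveat: an approved binary with its own vulnerability still
    gets 'allow', so patch management has to accompany the whitelist."""
    path = Path(path)
    if not path.is_file():
        return "deny", "file-missing"
    key = str(path.resolve())
    if key not in whitelist:
        return "deny", "not-in-whitelist"
    if sha256_of(path) != whitelist[key]:
        return "deny", "hash-mismatch"  # approved path, but content changed
    return "allow", "hash-match"


def audit_mode(whitelist, execution_events):
    """Learning/audit mode: never block, just collect would-be denials so a
    test-bed run that exercises rarely used modules reveals whitelist gaps."""
    findings = []
    for path in execution_events:
        decision, reason = check_execution(whitelist, path)
        if decision == "deny":
            findings.append((str(path), reason))
    return findings


def demo():
    """Build a constructed sample tree and run the workflow end to end."""
    root = Path(tempfile.mkdtemp(prefix="awl_demo_"))
    hmi = root / "hmi"
    hmi.mkdir()
    (hmi / "scada.exe").write_bytes(b"MZ-constructed-scada-binary")
    (hmi / "io_driver.dll").write_bytes(b"MZ-constructed-driver")
    (hmi / "readme.txt").write_bytes(b"not an executable, not baselined")
    wl = solidify(root)                       # step 9: "solidify"

    approved = check_execution(wl, hmi / "scada.exe")      # baselined program

    (hmi / "dropper.exe").write_bytes(b"MZ-added-after-solidify")
    dropped = check_execution(wl, hmi / "dropper.exe")     # unknown binary

    (hmi / "io_driver.dll").write_bytes(b"MZ-constructed-driver-modified")
    modified = check_execution(wl, hmi / "io_driver.dll")  # tampered file

    # Test-bed run: a rarely used report module that was absent at baseline
    # time shows up as a finding to review before enforcement is switched on.
    (hmi / "monthly_report.exe").write_bytes(b"MZ-rarely-used-module")
    findings = audit_mode(wl, [hmi / "scada.exe", hmi / "monthly_report.exe"])

    return {
        "baseline_count": len(wl),
        "approved": approved,
        "dropped": dropped,
        "modified": modified,
        "audit_findings": [reason for _, reason in findings],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit findings are the list a test team would review: each entry is either a legitimate module to add to the baseline before enforcement, or something that should not be on the machine at all. Hash matching (rather than path-only matching) is what makes the in-place modification of io_driver.dll a denial, which is the behaviour to verify against the specific I/O device drivers mentioned in the takeaways.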



Key Takeaways

• Work with the vendor to plan installation of whitelisting software

• Put the whitelisting requirement in specifications for new projects / upgrades

• Include whitelisting in factory acceptance testing. Verify performance

• Verify that specific I/O device drivers work properly with the selected whitelisting software

• Develop procedures / guidelines for disabling whitelisting when security upgrades and new software installation are required



AWL References

Seven Steps to Effectively Defend Industrial Control Systems
https://ics-cert.us-cert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf

ICS-CERT recommends deploying application whitelisting on ICS
http://ics-cert.uscert.gov/tips/ICS-TIP-12-146-01B

Application Whitelisting (AWL): Strategic Planning Guide
https://www.us-cert.gov/sites/default/files/cdm_files/FNR_NIS_OTH_AWL_Strategic_Planning_Guide.pdf

DHS article "Application Whitelisting in an ICS Environment," DHS ICS-CERT Monitor, July/August/September 2013.
https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jul-Sep2013.pdf

NIST Special Publication 800-167, "Guide to Application Whitelisting."
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf

NSA Publication, "Application Whitelisting Using Microsoft AppLocker," August 2014.
https://www.iad.gov/iad/.../application-whitelisting-using-microsoft-applocker.cfm

NSA/IAD Publication MIT-006FS-2013, "Application Whitelisting."
https://ics-cert.us-cert.gov/sites/default/files/documents/Guidelines%20for%20Application%20Whitelisting%20in%20Industrial%20Control%20Systems_S508C.pdf



Thank you
Presenter
[email protected]
