By Dan Teal
Going Beyond NERC CIP Requirements
As the American utilities industry scrambles to implement the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) requirements in their energy management systems (EMS), two macro requirements have emerged. First, utilities need security solutions that are operationally consistent with the realities of “always-on” and high-performance EMS solutions. Secondly, companies need solutions that truly increase security rather than simply help them meet compliance “check boxes”.
Since traditional security measures (e.g., blacklist-based antivirus, emergency security patches) cannot meet either macro requirement, many utilities are adopting application whitelisting technology as a viable solution. Application whitelisting is an evolving and maturing antivirus technology that provides a heightened level of security on all systems without interfering with day-to-day operations. Without any additional effort, application whitelisting also automatically goes beyond security to guarantee that only approved applications are executing in the EMS environment (CIP-003).
Any discussion about the security and control of EMS solutions must begin with an understanding of the realities of EMS implementations. Compared to corporate IT environments, EMS solutions have some truly unique operational realities that traditional security solutions simply cannot handle. While the list is long, there are four major challenges that deserve mention. Because many EMS implementations are isolated and not always connected to the Internet, the systems are unable to download the latest antivirus signatures or vulnerability patches, leaving them vulnerable to known attacks. Secondly, most EMS systems cannot be rebooted or can only be rebooted at specific times, making unplanned installation of operating system or application patches infeasible. Also, systems have limited memory and hardware resources available making them unable to handle the performance impacts of resource-hungry security applications, including blacklist-based antivirus. And finally, many security systems today are running on older operating systems that are no longer supported and for which patches are no longer created.
Even in the face of this daunting list of operational inconsistencies, utilities would still implement traditional security solutions if they were highly effective at securing EMS systems or if they were the only option to meet the NERC CIPs. The reality is that they are neither. Security professionals (and even the antivirus vendors themselves) agree that blacklisting is no longer sufficient to defeat today’s threats. Blacklisting cannot address whole classes of malware threats and attacks (e.g., zero-day exploits, targeted attacks, buffer overflows, rootkits, etc.) and independent tests show blacklisting solutions’ detection rates continue to drop. And there is another option: application whitelisting.
Application whitelisting takes the traditional antivirus approach and turns it 180 degrees. Rather than maintaining an exponentially enlarging blacklist of known malicious software, this new and powerful technology enforces a relatively small whitelist of the authorized applications for each computer. By ensuring that only approved applications can execute, application whitelisting automatically eliminates all unauthorized applications–including malware and unapproved applications installed by employees or contractors.
Leading application whitelisting solutions are built on two fundamental principles. First and foremost, the solutions are designed to enforce a list of known and approved applications rather than chase the unknown ones like malware. They are also designed to easily handle the addition of new applications or updates without increasing management overhead or requiring any changes to the company’s existing operational approaches.
For application whitelisting to enforce a list of known and approved applications, each of the following must occur. The solution must have a way of building or acquiring the whitelist of applications for any given computer. Also, the solution must securely and efficiently enforce the whitelist on the computer. And finally, the solution must have the ability to report any attempts to violate the security policies it is enforcing. These three capabilities together provide the security required to protect the computer, while at the same time reporting on system status.
There are many different approaches to producing the actual whitelist, but experience has shown that no two computers are exactly alike, meaning that whitelists across platforms rarely match. Therefore, the whitelist must be assembled for each computer individually. This task can be performed automatically by some solutions via scanning the computer and building the whitelist.
Of extreme importance, the whitelist enforcement mechanism is usually deployed in the form of a tamper-proof client installed on each computer or endpoint. It is crucial that local users or malicious programs cannot circumvent the enforcement provided by this engine, so the client must function in the operating system itself. Through tight integration with the operating system, the solution is able to protect the system and have the greatest efficiency–it essentially functions as part of the operating system rather than an add-on security feature. From within the operating system, the client reads in the whitelist or policy, and ensures that only those applications on the whitelist are allowed to run. This process begins during boot time when the operating system is starting, and then checks all executables that load to ensure they are authorized. The client only performs checks when a new application or process attempts to start, so the ongoing performance impact is imperceptibly low compared to blacklist antivirus scans.
Application whitelisting solutions also monitor activity. For example, a solution can log attempts to overwrite protected applications on the computer or attempts to run unauthorized applications. The solution can also periodically remove all unauthorized applications that may have been copied to the system, ensuring the pristine condition of the system is maintained. Compliance reports can show the system configuration has been maintained and any unauthorized executables that have been removed.
Addressing another one of application whitelisting’s fundamental principles, an application whitelisting solution must be able to automatically–without requiring IT involvement–update the whitelist whenever new applications are added or existing ones are upgraded. With the exception of some point-of-sale and other fixed purpose machines, computers are in constant need of updating. Even in a controlled environment like energy systems, the systems must eventually be updated with newer applications or patches. Some of these requirements are driven by compliance and company policies, while others are required to implement new functionality.
Innovative whitelisting solutions allow authorized change while still maintaining security on the system. The term being applied to this process is “Trusted Change.” All trusted change is built on this simple concept: IT establishes multiple “sources of trust” from which users and systems can install applications or upgrades. As long as the users and systems receive the applications or upgrades from these trusted sources, the applications or upgrades can be automatically added to the whitelist without any additional IT involvement. The additions are transparent and friction-free.
In addition to superior protection against even zero-day attacks, application whitelisting is gaining a following because it addresses the operational realities associated with EMS implementations that blacklist-based solutions cannot. First, application whitelisting continues to provide protection without requiring signature or patch updates, so it can function in systems that are not connected to the Internet. Second, whitelist-protected EMS systems remain online until regularly scheduled maintenance windows, instead of requiring downtime for emergency vulnerability patches. Third, application whitelisting solutions do not impact EMS system performance–a huge advantage over resource-hungry security applications like blacklist-based antivirus. And finally, leading application whitelisting solutions provide protection for EMS systems that are built on older, unsupported operating systems for which no patches are created. For all of these reasons, application whitelisting is a solid option for utilities trying to secure EMS solutions and meet NERC compliance.
About the Author:
Dan Teal has been innovating in the computer security field for over 20 years. As a founder and chief scientist of WheelGroup Corporation (acquired by Cisco Systems in March 1998), he designed the first commercially available intrusion detection system, NetRanger. Prior to WheelGroup, Dan worked as an information warfare officer at the Air Force Information Warfare Center (AFIWC).