Application Whitelisting can Toughen Up Weakest Link
By Gregory Hale
IT folks were happy at one major U.S. manufacturer a few years ago as they were installing state-of-the-art security technology. “This is the best move for the organization to keep free and clear from any miscreant bug or viruses launched into the network,” they were saying at the time. Just as they neared the end, the crew worked over the weekend to iron out all the kinks so they could have it ready first thing Monday morning.
When Monday came, the long-time process control engineering team came in and promptly turned off all the new security measures because it was too different and not the way they always did things.
In another incident, a hacker element left a bunch of malware-riddled USB sticks in the parking lot at Dutch chemical giant DSM. Instead of plugging one of the discarded drives into a workstation, which would have infected the machine, a DSM worker who found a device handed it in to the IT department.
The IT workers did a quick check and found an unspecified password-stealing keylogger.
Technologies like antivirus, firewalls and whitelisting are vital to securing any manufacturing automation system, but the human factor decides whether those controls stay in place and the process keeps running, which is what protects productivity and profitability. The catch is that everyone needs to be on the same security page.
“The gray beards are saying ‘unplug it, we don’t need it, who cares. I have been running this plant for 30 years,’ ” said Rick Kaun, global business manager Industrial IT Solutions at Honeywell Process Solutions. “That just isn’t realistic given the business needs for data.”
Arms Around Information Flow
Information, and information flow, is more valuable than ever to organizations. Despite its importance, companies don’t really understand how to effectively manage this valuable resource. An estimated 49 percent of the worth of organizations derives from the information they own, according to the “State of Information Survey” from Symantec Corp.
When asked what would happen if their organization’s information were irrevocably lost with no chance of recovery, survey respondents said they would lose customers (49 percent), damage the brand (47 percent), decrease revenue (41 percent), increase expenses (39 percent) and suffer a tumbling stock price (20 percent).
Protecting against stolen data, information, intellectual property, business market plans, and even money is becoming more complicated and sophisticated. That is why a solid defense-in-depth strategy for manufacturers, including application whitelisting, is more important than ever.
Complexity, or perceived complexity, of technology is an automatic turn-off for users. That has been the problem with whitelisting in the past, but the technology is much too valuable to dismiss on a mere perception. Unlike other security programs, whitelisting on a control system that rarely changes can genuinely be put on the system and left alone, provided the list is maintained whenever the system itself changes (a patch or an upgrade) and reviewed at each security assessment.
The goal of application whitelisting for an industrial control system is to prevent unauthorized applications from running, enforce a list of approved applications, include an administration tool that allows for adjustment to the whitelist, and monitor and report attempts to violate the policy.
“I think whitelisting further enhances the value of a skill set that has the knowledge of process control and IT,” Kaun said.
The initial pushback against whitelisting always seems to fall along the lines of complexity and restrictiveness. But in reality, a manufacturer can make the program as restrictive as it wants and building it can be as easy as following directions.
“You have to build a list,” said Shawn Gold, global solutions leader, industrial IT solutions at Honeywell Process Solutions. “There are tools that come with the whitelisting that have some installation scripts, but you have to build a list of things that are allowed.”
“Basic whitelisting provides protection by creating a list of known good executables that can run on your systems,” said Mike Baldi, chief cyber security architect for Honeywell Process Solutions. “All the application whitelisting systems available provide that functionality, but there are additional features. For example you can choose to protect areas of your registry if you want. You can choose to lock down your USB devices. You can enter rules for the whitelisting to protect against certain memory type attacks. These are above and beyond the basic whitelisting protection. Everything you configure in the system has a risk that you may lock down some normal operation that is needed to run the system. So you have basic whitelisting that can be restrictive to a certain point or you can continue to lock down the system extremely tight with whitelisting, but you have to be very careful to understand the consequences of locking it down.”
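The four goals listed above (block unauthorized code, enforce an approved list, provide an administration hook, and report violations) can be shown in a few dozen lines. The following is an added example written for this page, not code from Honeywell or any whitelisting product; the class and function names are hypothetical, and the sample "executables" are constructed inline in a temporary directory. It keys the allow-list on the SHA-256 of file contents rather than on file names, which is why the tampered copy that reuses an approved name is refused, and it records every unknown binary whether the mode is enforce or audit, so a rollout in audit mode still produces the violation report Baldi describes.

```python
import hashlib
import json
import logging
import tempfile
from pathlib import Path

# Illustrative allow-list enforcer with constructed sample files. The class and
# function names are hypothetical, not any vendor's product API.


def sha256_file(path):
    """Hash file contents in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_dirs):
    """Inventory every file under the approved directories, keyed by content hash.
    Keying on the hash rather than the path means a binary with the same name but
    different contents (a trojanised copy, or a patched build) is not trusted."""
    allow = {}
    for d in approved_dirs:
        for p in sorted(Path(d).rglob("*")):
            if p.is_file():
                allow[sha256_file(p)] = str(p)
    return allow


class Whitelist:
    """Enforce (or, during rollout, only audit) an allow-list of executables."""

    def __init__(self, allowlist, mode="enforce"):
        self.allow = dict(allowlist)
        self.mode = mode     # "enforce" blocks unknown code; "audit" only logs it
        self.events = []     # what the monitor/report side of the tool would ship

    def check(self, path):
        """Return True if the binary may run. Every unknown binary is recorded,
        whether or not it is blocked, so policy violations stay visible."""
        digest = sha256_file(path)
        if digest in self.allow:
            return True
        event = {"action": "block" if self.mode == "enforce" else "audit",
                 "path": str(path), "sha256": digest}
        self.events.append(event)
        logging.warning("whitelist violation %s", json.dumps(event))
        return self.mode != "enforce"

    def approve(self, path, approver, ticket):
        """Administration hook: extend the list only with a named approver and a
        change ticket, so every addition is traceable."""
        if not approver or not ticket:
            raise ValueError("an approval needs both an approver and a change ticket")
        digest = sha256_file(path)
        self.allow[digest] = str(path)
        self.events.append({"action": "approve", "path": str(path), "sha256": digest,
                            "approver": approver, "ticket": ticket})
        return digest


def demo():
    """Constructed sample: two approved executables, one unknown binary, and a
    tampered copy that reuses an approved file name."""
    root = Path(tempfile.mkdtemp())
    approved = root / "approved"
    approved.mkdir()
    (approved / "hmi.exe").write_bytes(b"MZ approved HMI build 1.0")
    (approved / "historian.exe").write_bytes(b"MZ approved historian build 2.3")
    temp = root / "temp"
    temp.mkdir()
    (temp / "update.exe").write_bytes(b"MZ unknown binary copied from a USB stick")
    (temp / "hmi.exe").write_bytes(b"MZ approved HMI build 1.0 with one byte changed")

    wl = Whitelist(build_allowlist([approved]))
    results = {
        "approved_hmi": wl.check(approved / "hmi.exe"),    # hash is on the list
        "unknown_binary": wl.check(temp / "update.exe"),   # blocked and logged
        "tampered_copy": wl.check(temp / "hmi.exe"),       # same name, different hash
    }
    # Controlled change: an administrator approves the update under a ticket.
    wl.approve(temp / "update.exe", approver="ot-admin", ticket="CHG-1234")
    results["after_approval"] = wl.check(temp / "update.exe")
    return results, wl.events


if __name__ == "__main__":
    res, events = demo()
    print(json.dumps(res, indent=2))
    for e in events:
        print(e)
```

Running `demo()` allows the approved HMI, blocks both the unknown binary and the renamed tamper copy, and allows the update only after `approve()` has recorded who authorized it and under which ticket. The extra lock-downs Baldi mentions (registry, USB, memory protections) are separate controls layered on top of this core check and are not modelled here.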
With the economy recovering only slowly, manufacturers are under pressure to produce more at a lower cost, so any unplanned downtime can be devastating to the bottom line. That is why companies need to avoid downtime by working with multiple layers of defense and constant user education.
The problem is end users tend to be the most common and hard-to-remediate weak point, and even security researchers struggle to address the problem. “You can’t patch users,” said Greg Conti, associate professor of computer science at West Point, quoted in the Georgia Tech Information Security Center and Georgia Tech Research Institute “Georgia Tech Emerging Cyber Threats Report for 2012.” “And there’s always a human being somewhere behind the security technology.”
One source in that study agreed with Conti, “People are always the most vulnerable part of the IT infrastructure,” he said. “We have so many security layers and defenses, from separating physical control systems from the standard business network, to DMZs, to limiting network protocols that communicate with physical systems, and securing all the primary UIs to the Internet. At the end of the day, there’s a person on the end of all that security that can make decisions that will have an impact.”
Installing application whitelisting presents an upfront learning curve for users, but it is one that can be worth the time and effort.
“Our customers are learning really quickly,” Gold said. “I think the majority expect whitelisting to be more all encompassing and reduce the level of management significantly. It will help, but you have to really be careful about it. The maturity of our customers is increasing, but I do think there are a lot of misconceptions still.”
“The hype about whitelisting is high,” Baldi said. “There has been a lot of publicity. The understanding at the technical level of how involved it is and how tightly it has to be interlaced with your system isn’t there. They hear words that this wonderful technology is available and it is going to increase your security protection, but there hasn’t been a lot of activity so far in applying whitelisting so there is not a lot of practical knowledge with that.”
Fear of complexity is one issue, but there is another Kaun feels has a strong human factor involved.
“It is apathy,” Kaun said. “I think the big vendors last year came up with 4,000 viruses or threats, but internally we came up with about 15,000 threats out there. Your least informed employees are your single biggest threat, so you can have all the technologies in the world, but if someone is holding the door open or handing out passwords then you have a problem.”
“I read one study that said 50 or 60 percent of people on the street said they would give over their favorite password for a free chocolate bar. It’s not whether we have application whitelisting or not; whether we have intrusion detection or not; whether we have a full robust program; whether we have point solutions, it is apathy.”
Users need a solid technology base and a good plan that everyone knows, Kaun said.
“The source of the threat is not as important as when it gets here, and some day it will in some shape or form. How equipped are we to weather that storm, that is the real risk. If you see it as you want to spend how many dollars to make sure al-Qaeda doesn’t hack us, your problem there isn’t budget, it is education and awareness.”
Who takes responsibility and what should a user do often becomes an issue at a plant. Should it be IT, or should the process engineering team take control? At the end of the day, it often becomes an all hands on deck effort.
“Manufacturers are using every tool available to them,” Gold said. “Every combination exists; from the IT group being responsible, to the IT group embedding a person within the process control group, to the process control group being totally responsible and not having anything to do with the IT group.”
“The worst situation is where no one does anything, which is more common than one would expect. Then there is the thinking that we don’t have to do much because we are locking things down with an air gap. Even when air gaps are used in combination with locking down USB ports and not allowing vendors with their laptops to connect to their system, they are missing the critical point on how to mitigate or manage a virus when a path in is eventually compromised. There are various levels of preparedness.”
Patch management is another area where whitelisting changes the picture, both for the better and in ways that need managing.
“Whitelisting can reduce the need to patch, but it will not eliminate the need to patch. It is protecting you from certain vulnerabilities until the opportunity comes to apply the patches,” Baldi said. “It is a tremendous potential benefit as long as the limits of that benefit are realized. There are combinations of technologies and benefits that we call defense in depth that together can significantly reduce the need to patch. What I mean by that is they can allow you to run with known vulnerabilities in your system longer until you can schedule maintenance time to do your patches. That would be your antivirus software, your whitelisting software and a third technology called virtual patching, which is basically intrusion protection from the network out. Those three technologies together can significantly reduce your need to patch and allow you to better manage your patch cycles.”
“A lot of people in the plant environment think along the lines of you set it and forget it,” Kaun said. “Part of the value of whitelisting is it works on that premise. The flip side is when you go to change something, how do we manage that so we don’t turn the whitelisting off? The problem is if anything changes it becomes completely useless. That is the challenge when we apply patches we have to make sure the scrutiny has to be much greater so we don’t break our application whitelisting. So, a very detailed technical analysis and a more thorough change management needs to take place.”
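Kaun's point that a patch silently breaks the whitelist is a hash-drift problem: every binary the patch rewrites gets a new hash the list does not know, so the updated application is blocked until someone approves it, and every stray file the patch drops would be approved blindly if the answer were simply to re-baseline the whole machine. The following is an added example written for this page, not code from Honeywell or any product; function names are hypothetical and the "install directory" and "vendor patch" are constructed inline. It snapshots the install directory before and after the patch, classifies what changed, and folds only the changes named in the change review into the allow-list, returning the rest as pending so they stay blocked.

```python
import hashlib
import tempfile
from pathlib import Path

# Illustrative drift check for a whitelisted system going through a patch cycle.
# Function names are hypothetical; the sample files are constructed inline.


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def snapshot(directory):
    """Map each file's path (relative to the install root) to its content hash."""
    directory = Path(directory)
    return {str(p.relative_to(directory)): sha256_file(p)
            for p in sorted(directory.rglob("*")) if p.is_file()}


def drift(baseline, current):
    """Classify what the patch touched. Every 'changed' or 'added' file has a hash
    the deployed allow-list does not know, so the whitelist will block it until it
    is approved; 'removed' files leave stale hashes on the list to be retired."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def apply_approved(allowlist, baseline, current, report, approvals):
    """Fold only the reviewed changes into the allow-list (hash -> relative path).
    Anything not in `approvals` stays blocked and is returned as pending, so an
    unreviewed file that arrived with the patch cannot slip onto the list."""
    updated = dict(allowlist)
    pending = []
    for rel in report["changed"] + report["added"]:
        if rel in approvals:
            updated[current[rel]] = rel
            if rel in baseline:
                updated.pop(baseline[rel], None)   # retire the pre-patch hash
        else:
            pending.append(rel)
    for rel in report["removed"]:
        updated.pop(baseline[rel], None)
    return updated, sorted(pending)


def demo():
    root = Path(tempfile.mkdtemp())
    app = root / "app"
    app.mkdir()
    (app / "hmi.exe").write_bytes(b"hmi build 1.0")
    (app / "historian.exe").write_bytes(b"historian build 2.3")
    (app / "legacy_tool.exe").write_bytes(b"legacy diagnostic tool")
    baseline = snapshot(app)
    allowlist = {h: rel for rel, h in baseline.items()}   # the whitelist as deployed

    # Simulated vendor patch: one binary updated, one new DLL dropped, one tool removed.
    (app / "hmi.exe").write_bytes(b"hmi build 1.1 (patched)")
    (app / "newdriver.dll").write_bytes(b"new driver shipped alongside the patch")
    (app / "legacy_tool.exe").unlink()
    current = snapshot(app)

    report = drift(baseline, current)
    # Change review approved the HMI update only; the new DLL was not in the patch notes.
    updated, pending = apply_approved(allowlist, baseline, current, report,
                                      approvals={"hmi.exe"})
    return report, updated, pending, baseline, current


if __name__ == "__main__":
    report, updated, pending, _, _ = demo()
    print("drift:", report)
    print("still blocked pending review:", pending)
```

The drift report is the input to the "much more thorough change management" Kaun asks for: it is reviewed against the vendor's patch notes before anything is added, the old HMI hash is retired so the pre-patch binary cannot be reintroduced, and the unexpected DLL stays blocked until someone explains where it came from.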
Application whitelisting comes down to limiting what a human error can do, so manufacturers can keep their systems up and running at a time when sophisticated attacks are on the rise.
“It is about safe reliable expected operation,” Kaun said. “Am I concerned? I am concerned because there is more risk and the clients we serve are increasingly under pressure and hitting downtime.”
“We need to not worry about the noise and just get down to work.”
Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (ISSSource.com).