This afternoon the DHS ICS-CERT (in coordination with the National Security Administration) published a new document on their website, designed to serve as an appendix to their “Seven Steps to Defend Industrial Control Systems” paper published last December. The six-page document is titled “Guidelines for Application Whitelisting in Industrial Control Systems”.
Alert readers will recall that “Implement application whitelisting” was the first of the seven steps described briefly in the original paper. Where the December paper covered the concept of application whitelisting (AWL) in just two paragraphs, this document provides a much more detailed description of how whitelisting is used. This guideline document describes:
• AWL benefits;
• How AWL differs from and complements anti-virus;
• How AWL operates;
• Creating whitelists;
• AWL as a change control process verification tool;
• AWL limitations;
• Choosing a compatible AWL solution;
• Challenge of running AWL in some specialized environments;
• Protect administrator access;
• Managing an AWL system.
While this certainly is not a whitelisting textbook (and at six pages, it was not intended to be), it does provide a detailed enough description of the whitelisting process to be valuable for process control engineers (and, maybe more importantly, IT specialists). At the same time, it is written at a general enough level that facility managers and C-suite personnel in organizations with critical control systems should be expected to read the document.
While this guideline does make the point that whitelisting is only one part of a defense-in-depth security program, the authors missed an important point by not referring back to Figure 1 in the Seven Steps document. That figure shows ICS-CERT’s estimate that application whitelisting would have mitigated 38% of the control system incidents reported to ICS-CERT in 2014 and 2015.
An important addendum to this document is the list of references found on page 6. I particularly appreciate the links to the three NSA whitelisting documents. My only personal complaint is that ICS-CERT continues to use footnotes in their PDF documents. I would prefer to see links put into the document where the document is referenced. That’s my personal preference, but at least they do have the links available.
I hope that this is just the first of seven appendix documents that ICS-CERT and NSA produce to support the Seven Steps publication.