This afternoon the DHS ICS-CERT (in coordination with the National Security Agency) published a new document on their web site that is designed to serve as an appendix to their “Seven Steps to Defend Industrial Control Systems” that was published last December. The six-page document is titled: “Guidelines for Application Whitelisting in Industrial Control Systems”.
Alert readers will recall that “Implement application whitelisting” was the first of the seven steps described briefly in the original paper. Where the concept of whitelisting was covered in just two paragraphs in the December paper, this document provides a much more detailed description of how whitelisting is used. This guideline document describes:
• AWL benefits;
• How AWL differs from and complements anti-virus;
• How AWL operates;
• Creating whitelists;
• AWL as a change control process verification tool;
• AWL limitations;
• Choosing a compatible AWL solution;
• Challenges of running AWL in some specialized environments;
• Protecting administrator access;
• Managing an AWL system.
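To make the “creating whitelists” and “change control verification” items concrete, here is an added example (mine, not code from the ICS-CERT/NSA guideline or from any AWL product) of the simplest form the idea takes: a baseline of SHA-256 hashes for the executable files under a directory, and a later check that reports anything added, removed or modified since the baseline was taken. The directory layout, file names and file contents are constructed for the demonstration, and the set of “executable” suffixes is an assumption; a real AWL solution enforces the list at execution time in the kernel rather than auditing files after the fact, but the baseline-and-compare logic is the same one a change control reviewer applies.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of file types that count as "applications" for the baseline.
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".py")


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(root, suffixes=EXEC_SUFFIXES):
    """Baseline step: map each executable's path (relative to root) to its hash.

    Only files with a whitelisted suffix are included; data files are ignored.
    """
    root = Path(root)
    whitelist = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            whitelist[p.relative_to(root).as_posix()] = sha256_of(p)
    return whitelist


def verify(root, whitelist, suffixes=EXEC_SUFFIXES):
    """Change control check: compare the current tree against the baseline.

    Returns the paths that appeared, disappeared, or changed hash since the
    baseline, plus a 'clean' flag that is True only when nothing differs.
    """
    current = build_whitelist(root, suffixes)
    added = sorted(set(current) - set(whitelist))
    removed = sorted(set(whitelist) - set(current))
    modified = sorted(
        p for p in current if p in whitelist and current[p] != whitelist[p]
    )
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "clean": not (added or removed or modified),
    }


def demo():
    """Build a constructed HMI install, baseline it, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hmi").mkdir()
        # Constructed sample files; the bytes are placeholders, not real binaries.
        (root / "hmi" / "hmi.exe").write_bytes(b"MZ constructed HMI binary")
        (root / "hmi" / "plcdrv.dll").write_bytes(b"MZ constructed PLC driver")
        (root / "notes.txt").write_bytes(b"not executable, ignored by the baseline")

        baseline = build_whitelist(root)
        clean_result = verify(root, baseline)

        # Simulate an unapproved change: the driver is patched in place and a
        # new, unlisted executable is dropped next to it.
        (root / "hmi" / "plcdrv.dll").write_bytes(b"MZ constructed PLC driver, patched")
        (root / "hmi" / "update.exe").write_bytes(b"MZ constructed unlisted binary")
        dirty_result = verify(root, baseline)

        return clean_result, dirty_result


if __name__ == "__main__":
    before, after = demo()
    print("baseline check clean:", before["clean"])
    print("after tampering:", after)
```

The point of the second `verify` call is the one the guideline makes about change control: once a whitelist exists, any executable that is not on it (or whose hash no longer matches) is evidence that something changed outside the approved process, whether that something is malware or an engineer's undocumented patch.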
While this certainly is not a whitelisting textbook (and at six pages, it was not intended to be), it does provide a detailed enough description of the whitelisting process to be valuable for process control engineers (and maybe more importantly IT specialists). At the same time, it is written at a general enough level that facility managers and C-Suite personnel in organizations with critical control systems should be expected to read the document.
While this guideline does make the point that whitelisting is only one part of a defense in depth security program, the authors did miss making an important point by not referring back to Figure 1 in the Seven Steps document. That figure notes that ICS-CERT estimates application whitelisting would have mitigated 38% of the control system incidents reported to ICS-CERT in 2014 and 2015.
An important addendum to this document is the list of references found on page 6. I particularly appreciate the links to the three NSA whitelisting documents. My only personal complaint is that ICS-CERT continues to use footnotes in their .PDF documents. I would prefer to see links put into the document where the document is referenced. That’s my personal preference, but at least they do have the links available.
I hope that this is just the first of seven appendix documents that ICS-CERT and NSA produce to support the Seven Steps publication.