By Toney Jennings
Utilities attempting to meet the North American Electric Reliability Corporation “Critical Infrastructure Protection” (NERC CIP) requirements have encountered an unexpected, but serious conundrum in the cyber-security realm: should they strive to meet the spirit or letter of the regulations? “Checking the box” and simply meeting the letter of the NERC CIPs should not be the goal. All solutions must focus on meeting the true intention of the NERC CIPs—the same goal that has driven investments since the dawn of the electric infrastructure: protecting the reliability and availability of electricity delivery.
The importance of the electric infrastructure is not news. The grid has been architected to prevent cascading power failures and to continue functioning whenever one generator or transmission line fails (“N-1” failure protection), often the result of a natural disaster.
But, what happens when there are multiple, simultaneous failures rather than just one? The grid is not well-equipped to handle “N-x” failure situations. Nature is not the biggest concern when it comes to potential N-x situations; cyber-attacks are. Cyber-attacks against the electric infrastructure can easily wreak serious havoc. Realizing this fact, the industry has created standards and implemented technologies to thwart these attempts, hence the NERC CIPs.
The CIPs outline the assets that need protecting from cyber-attacks, the “Critical Cyber Assets”. While there are nine major CIPs, this article focuses on the anti-malware requirements that are directly related to securing the critical process control systems at the core of the infrastructure (NERC CIP-007).
Utilities could “check the box” and meet the letter of the regulations by implementing traditional security solutions (e.g., blacklist-based antivirus, emergency security patches). However, security teams have discovered that these solutions may not only fail to protect reliability and availability, they may negatively impact the goals themselves.
Control systems have some operational realities that traditional security solutions simply cannot handle. While the list is long, there are four major challenges that deserve mention.
First, many control systems are not always connected to the Internet and therefore cannot consistently download the latest antivirus signatures or patches, leaving them vulnerable even to known attacks.
Second, most control systems cannot be rebooted or can only be rebooted at specific times in very tight maintenance windows, making unplanned installations of operating system or application patches infeasible.
Third, most systems have limited memory and hardware resources available, making them unable to handle the performance impacts of resource-hungry security applications.
Fourth, many systems are running on older operating systems that are no longer supported and for which patches are no longer created.
Even in the face of this daunting list, utilities would implement traditional solutions if they were highly effective at securing systems or if they were the only option to meet the NERC CIPs. The reality is that they are neither. Security professionals (and even the antivirus vendors themselves) agree that blacklisting is no longer sufficient to defeat today’s threats. Blacklisting cannot address whole classes of malware threats and attacks (e.g., zero-day exploits, targeted attacks, memory exploits, rootkits, etc.) and independent tests show detection rates plummeting. And there is another option: application whitelisting.
Application whitelisting takes the traditional antivirus approach and turns it 180 degrees. Rather than reactively maintaining a huge blacklist of known malware, application whitelisting solutions enforce a small whitelist of the authorized applications for each computer. By ensuring that only approved applications can execute, application whitelisting automatically eliminates all unauthorized applications and malware. This approach meets the actual intention of the NERC CIPs: preventing all unauthorized applications from executing on critical cyber assets.
Without explaining all of the technical intricacies, leading solutions are built on three principles. First, the solutions are designed to create and then enforce a relatively small list of known and approved applications for each computer. Second, they should be able to easily handle the addition of new applications or updates without increasing management overhead or requiring any changes to the company’s existing operational approaches. Third, the solution must have the ability to report any attempts to violate the security policies it is enforcing.
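The three principles above, worked through as a small hash-based allowlist: baseline the approved binaries on a host, enforce by content hash, admit updates only through a recorded change, and keep a record of every blocked attempt. This is an added illustration written for this article, not CoreTrace's product code; the paths, binaries and change ticket are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "executables" for an offline demonstration. On a real
# control-system host these would be files on disk; here they are byte strings.
SAMPLE_BINARIES = {
    "C:/hmi/hmi_server.exe": b"HMI server build 4.2",
    "C:/hmi/historian.exe": b"historian build 1.9",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Whitelist:
    """Per-host allowlist: path -> SHA-256 of the approved binary contents."""
    approved: dict = field(default_factory=dict)
    changes: list = field(default_factory=list)     # principle 2: authorized additions/updates
    violations: list = field(default_factory=list)  # principle 3: report blocked attempts

    @classmethod
    def baseline(cls, binaries: dict) -> "Whitelist":
        # Principle 1: build the small list of known, approved applications on this host.
        return cls(approved={path: sha256_hex(data) for path, data in binaries.items()})

    def check_execution(self, path: str, content: bytes) -> bool:
        """Principle 1, enforcement: run only if the path is listed AND the bytes are unchanged.
        Hashing the contents (not just the path) means a tampered or replaced binary is blocked
        even though its name is approved, without needing any malware signature."""
        digest = sha256_hex(content)
        if self.approved.get(path) == digest:
            return True
        reason = "modified binary" if path in self.approved else "unknown application"
        self.violations.append({"path": path, "sha256": digest, "reason": reason})
        return False

    def approve_update(self, path: str, new_content: bytes, change_ticket: str) -> str:
        """Principle 2: new versions enter the list only via a recorded change (e.g. during a
        planned maintenance window), so day-to-day operations need no signature feed."""
        digest = sha256_hex(new_content)
        self.changes.append({"path": path, "sha256": digest, "ticket": change_ticket})
        self.approved[path] = digest
        return digest
```

Because enforcement is a local hash comparison, the host needs no Internet access and the blocked-attempt records are what an operator would forward to a monitoring system.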
Application whitelisting is gaining a following because it addresses the operational realities that blacklist-based solutions cannot. First, application whitelisting provides protection without requiring signature or patch updates, so it can function in systems that are not connected to the Internet.
Second, whitelist-protected control systems remain online until regularly scheduled maintenance windows, instead of requiring downtime for emergency vulnerability patches.
Third, application whitelisting solutions do not impact control system performance—a huge advantage over resource-hungry security applications like blacklist-based antivirus.
Fourth, the resource requirements for managing application whitelisting on control system hosts are minimal compared to blacklisting because of the relatively static application environment in power plant control systems.
And finally, leading application whitelisting solutions provide protection for control systems that are built on older, unsupported operating systems for which no patches are created.
For all of these reasons, application whitelisting is the preferred approach for utilities trying to secure control systems, to meet NERC CIPs, and to protect the overall reliability of electricity delivery in North America.
Author: Toney is president and CEO of CoreTrace. He has been leading teams in the information protection and information technology fields for over 18 years. He was previously president and CEO of Mirage Networks where under his leadership Mirage became a recognized leader in network access control with hundreds of customers and thousands of units sold. Prior to Mirage, Toney was a founder, CEO, and Chairman of WheelGroup Corporation, the creators of the first commercially available intrusion detection system, through its successful sale to Cisco Systems.