SlideShare ist ein Scribd-Unternehmen logo

Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance

CoreTrace Corporation
CoreTrace Corporation

Whitepaper by Encari's co-founder and the Mid-West ISO's chairman. Matthew Luallen, co-founder of Encari, and Paul Feldman, chairman of the Mid-West ISO, have written a whitepaper that explains how utilities attempting to meet the North American Electric Reliability Corporation "Critical Infrastructure Protection" (NERC CIP) requirements can meet both the spirit and the letter of the regulations. The whitepaper provides insights and recommendations around the following topics: Utilities should go beyond "checking the box" to meeting the true intention of the NERC CIP requirements: protecting the reliability and availability of the Bulk Electric System (BES). Traditional security solutions (e.g., blacklist-based antivirus, emergency security patches) not only fail to protect reliability and availability, they may negatively impact the goals themselves. In addition to superior protection against even zero-day attacks, application whitelisting is gaining a following because it addresses the operational realities associated with control system implementations that blacklist-based solutions cannot. Application whitelisting simultaneously helps address NERC CIP-007, R3 (security patching); CIP-007, R4 (anti-malware); and even NERC CIP-003, R6 (change control and configuration management).

TechnologieBusiness
1 von 8
Downloaden Sie, um offline zu lesen
Malicious Software Prevention for NERC CIP-007 Compliance: Protective Controls for Operating Systems and Supporting Applications Matthew E. Luallen, Co-Founder, Encari Paul J. Feldman, Chairman of the Midwest ISO, Independent Director of Western Electricity Reliability Council (WECC) Executive Summary Utilities attempting to meet the North American Electric Reliability Corporation “Critical Infrastructure Pro- tection” (NERC CIP) requirements have encountered an unexpected, but very serious conundrum in the cyber-security realm: should they strive to meet the spirit or letter of the regulations? The potential penalties are compelling, up to $1,000,000 per day of non-compliance per a requirement; however, “checking the box” and simply meeting the letter of the NERC CIP requirements should not be the primary goal. Increasing security for security’s sake should not be the goal either. All solutions must focus on meeting the true intention of the NERC CIP requirements — the same goal that has driven investments since the dawn of the electric infrastructure: protecting the reliability and availability of the Bulk Electric System (BES). Utilities could “check the box” and meet the letter of the regulations by implementing and maintaining tra- ditional security solutions (e.g., blacklist-based antivirus, emergency security patches). However, security teams have discovered that these solutions may not only fail to protect reliability and availability, they may negatively impact the goals themselves. For example, on critical Process Control Systems (PCS) at the core of the electric infrastructure, blacklist-based applications may impose unacceptable performance bur- dens, while vulnerability patches may jeopardize stability, be delayed by the PCS vendor, or affect system availability during application and / or system reloading. Fortunately, there is another way to truly meet the spirit of the NERC CIP requirements: application white- listing. Application whitelisting modifies the traditional antivirus and host security approach and turns it 180 degrees. Rather than maintaining an exponentially enlarging blacklist of detected malicious software, this newer and more powerful technology enforces a relatively small whitelist of the authorized applications for each system. Application whitelisting automatically eliminates all unauthorized applications by ensuring that only approved applications can execute, including the prevention of even unknown malware. This paper will explain why application whitelisting may serve as a compensating control for NERC CIP- 007, R3 (security patching) and solution for CIP-007, R4 (anti-malware). Application whitelisting also stops all unknown applications from executing; therefore, depending upon installation options, the same appli- cation whitelisting implementation may simultaneously aid utilities in meeting NERC CIP-003, R6 (change control and configuration management). Cyber-security of the Electric Infrastructure Almost every aspect of American life depends on the reliable delivery of electricity — from producing goods to saving lives, from defending the country to conducting electronic banking and commerce. Quite simply, the electric infrastructure is one of the United States’ most critical resources and needs to be protected as such. 1
The importance of the electric infrastructure is not news to utilities and regulators. Over the years, tech- nologies and regulations have been implemented with the singular goal of ensuring the reliability and availability of electric power through the high voltage electrical infrastructure (the Bulk Electric System or BES). The BES grid has been architected to prevent cascading power failures and to continue function- ing whenever one generator or transmission line fails (“N-1” failure protection). The industry has done a remarkable job lately in dealing with these N-1 situations that are often the result of natural disasters or some other rare event. But what happens when there are multiple, simultaneous failures or system manipulations rather than just one? The grid is not currently equipped to handle this situation, referred to by many as the “N-x” failure situation. The cost of building a redundant, balanced ability to respond to this situation is prohibitive at best, and potentially even mathematically impossible. Fortunately, the odds of a natural event or a physical attack creating this situation have been so low that the investments weren’t warranted. Today, nature is not the biggest concern when it comes to potential N-x situations. That distinction belongs to cyber-attacks. Whether for extortion or terrorism, cyber-attacks against the electric infrastructure are particularly ominous because they can easily be designed to create an N-x attack situation. Realizing this fact, the industry and regulators have been working to create standards and implement technologies to thwart these attempts. The North American Electric Reliability Corporation (NERC), a self-regulatory organization that is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada, is a primary player in this effort. NERC’s mission is to ensure the reliability of the bulk power sys- tem in North America. Specific to cyber-attacks and their ability to create N-x situations, NERC has worked with the electric industry to create a set of requirements known as the NERC CIP (“Critical Infrastructure Protection”) Cyber Security Standards to protect the grid’s most critical assets. Utilities throughout North America are focused on the NERC CIP standards and reliability of the Bulk Electric System — but under a new and evolving regime of mandatory compliance and possible fines. Philosophies of “carrot” versus “stick” have not been fully worked out to establish a system whose focus is clearly reliability, and the dan- ger of a compliance focus (at the possible expense of reliability) is real. Every company needs to examine its own goals and motivations in this regard to ensure a continued focus on reliability with compliance as a byproduct rather than THE product. While reliability and compliance can go hand in hand, the industry still has work to do to ensure that is truly the case. In the meantime each company needs to ask the question — “Do our budget processes, organizational structures, reward systems, and senior management actions support a culture of reliability, or is reliability secondary to compliance. Companies must understand that the answers to this question will drive different actions throughout the organization with ultimately different consequences. Security of Critical Cyber Assets: Introduction to NERC CIP-007 “Checking the box” and simply meeting the letter of the NERC CIP requirements should not be the goal. Increasing security for security’s sake should not be the goal either. All solutions must focus on meeting the true intention of the NERC CIP requirements and balance appropriately the delicate security model — the same goal that has driven investments since the dawn of the electric infrastructure: protecting the reliability and availability of electricity delivery. All stakeholders — the asset owners, customers and the government, must contemplate a thorough understanding of the risks. The owners and the shareholders need and deserve a fair return on their investments, the customers want to safely procure a valuable com- modity with high reliability and low cost, while the government needs to manage risk across all 18 Critical Infrastructures / Key Resources (CI/KR). 2
The NERC CIP standards provide a convenient roadmap for the assets that need controlling/protecting from cyber-attacks, “Critical Cyber Assets” (CCA) and Non-Critical Cyber Assets (NCCA) located within an Electronic Security Perimeter (ESP). While there are nine NERC CIP requirements, this paper focuses on the requirements that are directly related to securing the critical process control systems at the core of the electric infrastructure: Energy Management Systems (EMS), Distributed or Digital Control Systems (DCS), and Plant Control Systems (PCS). The primary anti-malware requirement is located within NERC CIP-007, and the most relevant sections associated with application whitelisting are as follows: • CIP-007-R3: Security Patch Management: The Responsible Entity, either separately or as a compo- nent of the documented configuration management process specified in CIP-003 Requirement R6, shall establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). R3.1: The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. R3.2: The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk. • CIP-007-R4: Malicious Software Prevention: The Responsible Entity shall use Antivirus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s). R4.1: The Responsible Entity shall document and implement Antivirus and malware prevention tools. In the case where Antivirus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk. R4.2: The Responsible Entity shall document and implement a process for the update of Anti- virus and malware prevention “signatures.” The process must address testing and installing the signatures. The rest of this paper will outline how utilities can best meet these requirements — and simultaneously improve the infrastructure’s overall security, reliability and availability — in a manner that is consistent with the operational reality of control systems. Unique Operational Realities of Critical Control Systems Any discussion about the security of control systems must begin with an understanding of the realities of these critical implementations — realities that traditional security solutions simply cannot handle. While the list is long, there are four major challenges that deserve mention: 1. Many control systems are iso¬lated and not always connected to the Internet; therefore, the systems are unable to consistently download the latest antivirus signatures or patches, leaving them vulner- able even to known attacks. 3
2. Most control systems cannot be rebooted or can only be rebooted at specific times in very tight maintenance windows, making unplanned installations of operating system or application patches infeasible. 3. Control systems generally have limited memory and hardware resources available making them un- able to handle the performance impacts of resource-hungry security applications, including black- list-based antivirus. 4. Many security systems today are running on older operating systems that are no longer supported and for which patches are no longer created. As a real world example, a global energy company headquartered in the northeast USA, was concerned about the use of blacklist-based antivirus solutions on the execution of real-time applications for its power generating plant control systems’ operations. The company’s Critical Cyber Assets include operator inter- faces (a.k.a. Human Machine Interfaces or HMI) in the DCS/PCS environment that are critical to reliable and safe operation of their assets and data historians. While a typical energy management (a.k.a. Super- visory Control and Data Acquisition or SCADA) system used by utilities for control of electricity production and delivery over large geographic areas can tolerate two second status and ten second analog updates, acceptable HMI operations in a generating plant environment are based on a one second maximum re- sponse time and refresh rate. Operational testing on a plant data historian demonstrated that blacklist- based applications imposed an unacceptable burden on response time and refresh rates through higher processor loading and additional network traffic between the control system cyber assets. Additionally, the generating company’s stringent uptime standards made unplanned patches — especially those that required rebooting — unfeasible. The company was also concerned that automatic delivery of blacklist sig- nature updates over the Internet or Intranet poses risk to application reliability and requires opening ports in firewalls that pose a threat to the security of the generating plant cyber assets; management of these risks requires additional resources. In the end, traditional solutions can be implemented to simply meet the “check boxes” of the requirements, but utilities are forced to choose between various suboptimal outcomes when they do. These outcomes may include increased management costs, impacted performance and availability, and a false sense of security. Specifically: • CIP-007, R3 Compliance: Patch management systems can meet the requirement if managed and implemented correctly on a consistent on-going basis using defined and approved procedures. • CIP-007, R4 Compliance: Antivirus solutions can meet the requirement if managed and implement- ed correctly on a consistent on-going basis using defined and approved procedures. • Performance Impacts: Blacklist scans impose an unacceptable performance burden on these criti- cal systems — this is especially the case on older systems with limited resources. • System Availability: Control systems’ high availability is jeopardized by patches that require the rebooting of systems during normal operating hours. • Complexity Risk: Even if patch management and traditional antivirus solutions are perfectly imple- mented, the fact that they introduce an element of continued implementation complexity versus al- ternatives is an added risk. • False Sense of Security: Blacklisting solutions are ineffective against unknown, zero day and tar- geted malware, rootkits and most memory attacks. Systems without consistent connectivity may be exposed to even known threats if signatures are not updated or patches have not been applied. Out- 4
of-support legacy systems (for which patches will never be available) will remain unprotected against even known vulnerabilities. Even in the face of this daunting list of operational inconsistencies, utilities would still implement traditional security solutions if they were highly effective at securing systems or if they were the only option to meet the NERC CIP requirements. The reality is that they are neither. Security professionals (and even the antivi- rus vendors themselves) agree that blacklisting is no longer sufficient to defeat today’s threats. Blacklisting cannot address whole classes of malware threats and attacks (e.g., zero-day exploits, targeted attacks, memory exploits, rootkits, etc.) and independent tests show blacklisting solutions’ detection rates con- tinue to drop. An alternative approach exists – Cyber Asset Application Whitelisting. Why Cyber Asset Application Whitelisting is a Viable Solution Application whitelisting takes the traditional antivirus approach and turns it 180 degrees. Rather than main- taining an exponentially enlarging blacklist of known malicious software, this new and powerful technology enforces a relatively small whitelist of the authorized applications for each computer. By ensuring that only approved applications can execute, application whitelisting automatically eliminates all unauthorized ap- plications — including even unknown malware. This approach meets the actual intention of the NERC CIP requirements: preventing all unauthorized applications from executing on Critical Cyber Assets. While this paper is not intended to explain all of the technical intricacies of how application whitelisting solutions work, leading solutions are built on two fundamental principles. First and foremost, the solutions are designed to enforce a relatively small list of known and approved applications rather than chase a huge and exponentially growing list of detected malware. For instance, to protect your home would you rather issue house keys to all family members and friends that are allowed access (whitelist) or define restric- tions for each individual in the world that is not allowed access (blacklist)? This paradigm shift occurred in the mid 1990’s for firewall technology as entities began implementing “deny by default” firewall rules implemented for the past five years leveraging the whitelisting model. The solution must also be designed to easily handle the addition of new applications or updates without increasing management overhead or requiring any changes to the company’s existing operational approaches. For application whitelisting to enforce a list of known and approved applications, each of the following must occur. The solution must have a way of building or acquiring the whitelist of applications for any given computer — preferably from the computer itself since no two computers are alike. Also, the solution must securely and efficiently enforce the whitelist on the computer. And finally, the solution must have the abil- ity to report any attempts to violate the security policies it is enforcing. These three capabilities together provide the security required to protect the computer, while at the same time reporting on system status. The whitelist enforcement mechanism is best deployed in the form of a tamper-proof client installed on each computer or endpoint. It is crucial that local users or malicious programs cannot circumvent the en- forcement provided by this engine, so the client must function in the operating system itself. Through tight integration with the operating system, the solution is able to protect the system and have the greatest ef- ficiency — it essentially functions as part of the operating system rather than an add-on security feature. From within the operating system, the client reads in the whitelist, and ensures that only those applications on the whitelist are allowed to run. This process begins during boot time when the operating system is starting, and then checks all executables that load to ensure they are authorized. The client only performs checks when a new application or process attempts to start, so the ongoing performance impact is im- perceptibly low compared to blacklist antivirus scans. It is paramount that asset owners work with control system vendors to include this type of capability directly in to the control system software and/or hardware. 5
Control system vendors of IEDS, RTUs, Relays, Synchrophasors and other hardware and software need to ensure that their future systems are protected by default — application whitelisting is an excellent step in the correct direction. Application whitelisting solutions also monitor activity to aid in NERC CIP-007, R6 compliance. For ex- ample, a solution can log attempts to overwrite protected applications on the computer or attempts to run unauthorized applications. The solution can also periodically remove all unauthorized applications that may have been copied to the Cyber Asset, ensuring the pristine condition of the Cyber Asset is main- tained. Compliance reports can show the system configuration has been maintained and any unauthorized executables that have been removed thereby providing supporting evidence that is necessary for NERC CIP-003, R6. Addressing another one of application whitelisting’s fundamental principles, an application whitelisting solution must be able to automatically — without requiring real-time IT involvement — update the whitelist whenever new applications are added or existing ones are upgraded. Even in a controlled environment like energy systems, the Cyber Assets must eventually be updated with newer applications or patches. Some of these requirements are driven by compliance and company policies, while others are required to imple- ment new functionality. Innovative whitelisting solutions allow authorized change while still maintaining security on the Cyber As- set. The term being applied to this process is “Trusted Change”. All trusted change is built on this simple concept: IT establishes multiple “sources of trust” from which users and Cyber Assets can install applica- tions or upgrades. As long as the users and Cyber Assets receive the applications or upgrades from these trusted sources, the applications or upgrades can be automatically added to the whitelist without any addi- tional IT involvement. The additions are transparent and friction-free. Examples of trusted sources include trusted applications, trusted digital signatures, trusted updaters, and even trusted users. By preventing all unauthorized applications and malware from executing, application whitelisting simulta- neously serves as a compensating control for NERC CIP-007, R3 and a solution for CIP-007, R4 in a way that also increases security and protects the availability / reliability of electricity delivery. Specifically: • CIP-007, R3 Compliance: By preventing the execution of malware — including those that are de- posited via vulnerabilities that haven’t been patched or via memory-based attacks like DLL injections — application whitelisting is a compensating control until the PCS vendor approved security patches are installed during regular maintenance windows. • CIP-007, R4 Compliance: Application whitelisting may currently meet CIP-007, R4 (since it is clearly an anti-malware solution) or it may be considered a compensating control (since it eliminates all un- authorized applications from executing). • Security: Application whitelisting, or deny by default, is far more effective than blacklisting because it prevents all malware, whether known or unknown. Leading versions stop rootkits and prevent memory attacks like DLL injections and attempts to write to kernel memory as well. Additionally, ap- plication whitelisting provides protection for out-of-support legacy Cyber Assets for which patches will never be available. • Performance Impacts: Since the whitelists are relatively small and only run when an application at- tempts to execute, the performance impact is imperceptible. • System Availability: Control systems’ high availability is protected because the Cyber Assets are not required to be rebooted during normal operating hours. 6
Application Whitelisting Aids in Complying with NERC CIP-003, R6 and CIP-007, R6 While the bulk of this paper has been focused on meeting the true intention of NERC CIP-007 R3 and R4, preventing the execution of any malware, the reality is that application whitelisting prevents the execution of all unauthorized applications — not just malicious ones. Unauthorized applications are a focus of NERC CIP-003, R6: • CIP-003, R6: Change Control and Configuration Management: The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configu- ration management activities to identify, control and document all entity or vendor related changes to hardware and software components of Critical Cyber Assets pursuant to the change control pro- cess. Application whitelisting may aid in stopping a non-compliant, unapproved activity pursuant to CIP-003, R6 by providing attempted change detection and actual execution restriction of unauthorized applications. Application whitelisting solutions also typically include baselining and reporting to aid in the generation of evidence pursuant to CIP-007, R6 Security Status Monitoring: • CIP-007, R6: Security Status Monitoring: The Responsible Entity shall ensure that Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or orga- nizational process controls to monitor system events that are related to cyber security. Any identified security event may be a result of poorly defined procedures and executed practices of change control and configuration management or actual attempted Cyber Asset manipulation that should be man- aged and escalated according to an entities CIP-008 Cyber Security Incident Response Plan (CSIRP). Other benefits of application whitelisting in lieu of blacklisting for control system host computers include: • Eliminate the need to test and update blacklist signatures per CIP-007, R4.2. • Control system hosts need not be continuously connected to an external network to maintain a high degree of protection against malware. • The application environment for control system hosts is relatively static after initial Cyber Asset com- missioning. The use of application whitelisting requires minimal management resources compared to blacklisting. Conclusion In addition to superior protection against even zero-day attacks, application whitelisting is gaining a fol- lowing because it addresses the operational realities associated with control system implementations that blacklist-based solutions cannot. First, application whitelisting continues to provide protection without requiring signature or patch updates, so it can function in Cyber Assets that are not connected to the Internet. Second, whitelist-protected control systems remain online until regularly scheduled maintenance windows, instead of requiring downtime for emergency vulnerability patches. Third, application whitelisting solutions typically do not impact control system performance — a significant advantage over resource- hungry security applications like blacklist-based antivirus. Fourth, resource requirements for management of application whitelisting for control system hosts is minimal compared to blacklisting because of the 7
relatively static application environment in power plant control systems. And finally, leading application whitelisting solutions provide protection for control systems that are built on older, unsupported operating systems for which no patches are available. For all of these reasons, application whitelisting is a solid option for utilities trying to secure control sys- tems, to meet NERC CIP requirements, and to protect the overall availability and reliability of the BES in North America. Information Note: The views expressed in this paper are the authors’ own and not necessarily associated with any organization that the authors serve in Board, Client, or Advisory Board roles. 8

Empfohlen

An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...EnergySec
 
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019Utility Networks Agile Response Capabilities - New Context at EnergySec 2019
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019Andrew Storms
 
Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...David Sweigert
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Dave Darnell
 
Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007Chris Hammond-Thrasher
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsSergey Gordeychik
 

Empfohlen

An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...An Approach to Closing the Gaps between Physical, Process Control, and Cybers...
An Approach to Closing the Gaps between Physical, Process Control, and Cybers...EnergySec
 
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019Utility Networks Agile Response Capabilities - New Context at EnergySec 2019
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019Andrew Storms
 
Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...David Sweigert
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Dave Darnell
 
Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007Chris Hammond-Thrasher
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsSergey Gordeychik
 
Key Cyber Security Issues for Government Contractors
Key Cyber Security Issues for Government ContractorsKey Cyber Security Issues for Government Contractors
Key Cyber Security Issues for Government ContractorsGovernment Technology and Services Coalition
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropePositive Hack Days
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistMatthew Rosenquist
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
CIP Version 5 Immersion Workshop
CIP Version 5 Immersion WorkshopCIP Version 5 Immersion Workshop
CIP Version 5 Immersion WorkshopEnergySec
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsFrederic Roy-Gobeil, CPA, CGA, M.Tax.
 
Infrastructure security
Infrastructure security Infrastructure security
Infrastructure security Adhar kashyap
 
PMCD Fall 2015 Newsletter
PMCD Fall 2015 NewsletterPMCD Fall 2015 Newsletter
PMCD Fall 2015 NewsletterSandeep Raju
 
Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118Erik Ginalick
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NetLockSmith
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspectsCAS
 
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...Government Technology and Services Coalition
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Enterprise Management Associates
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk ManagementTudor Damian
 
Gpc case study_eng_0221
Gpc case study_eng_0221Gpc case study_eng_0221
Gpc case study_eng_0221SALIH AHMED ISLAM
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_finalTerry Young
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of ThingsThe Security of Things Forum
 
Designing a security policy to protect your automation solution
Designing a security policy to protect your automation solutionDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solutionSchneider Electric India
 
Career exploration trip presentation for cdpi (1)
Career exploration trip presentation for cdpi (1)Career exploration trip presentation for cdpi (1)
Career exploration trip presentation for cdpi (1)cdpindiana
 
Ewrt 2 class 7
Ewrt 2 class 7Ewrt 2 class 7
Ewrt 2 class 7jordanlachance
 
Jb 2183 Ch 1
Jb 2183 Ch 1Jb 2183 Ch 1
Jb 2183 Ch 1Bill Handy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropePositive Hack Days
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistMatthew Rosenquist
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
CIP Version 5 Immersion Workshop
CIP Version 5 Immersion WorkshopCIP Version 5 Immersion Workshop
CIP Version 5 Immersion WorkshopEnergySec
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsFrederic Roy-Gobeil, CPA, CGA, M.Tax.
 
Infrastructure security
Infrastructure security Infrastructure security
Infrastructure security Adhar kashyap
 
PMCD Fall 2015 Newsletter
PMCD Fall 2015 NewsletterPMCD Fall 2015 Newsletter
PMCD Fall 2015 NewsletterSandeep Raju
 
Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118Erik Ginalick
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NetLockSmith
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspectsCAS
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Enterprise Management Associates
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk ManagementTudor Damian
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_finalTerry Young
 
Designing a security policy to protect your automation solution
Designing a security policy to protect your automation solutionDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solutionSchneider Electric India
 

Was ist angesagt? (19)

Key Cyber Security Issues for Government Contractors
Key Cyber Security Issues for Government ContractorsKey Cyber Security Issues for Government Contractors
Key Cyber Security Issues for Government Contractors
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in EuropeIndustrial Cybersecurity and Critical Infrastructure Protection in Europe
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
 
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew RosenquistTop 10 cybersecurity predictions for 2016 by Matthew Rosenquist
Top 10 cybersecurity predictions for 2016 by Matthew Rosenquist
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
CIP Version 5 Immersion Workshop
CIP Version 5 Immersion WorkshopCIP Version 5 Immersion Workshop
CIP Version 5 Immersion Workshop
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of Things
 
Infrastructure security
Infrastructure security Infrastructure security
Infrastructure security
 
PMCD Fall 2015 Newsletter
PMCD Fall 2015 NewsletterPMCD Fall 2015 Newsletter
PMCD Fall 2015 Newsletter
 
Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118Healthcare It Security Necessity Wp101118
Healthcare It Security Necessity Wp101118
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspects
 
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Gpc case study_eng_0221
Gpc case study_eng_0221Gpc case study_eng_0221
Gpc case study_eng_0221
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
Designing a security policy to protect your automation solution
Designing a security policy to protect your automation solutionDesigning a security policy to protect your automation solution
Designing a security policy to protect your automation solution
 

Andere mochten auch

Career exploration trip presentation for cdpi (1)
Career exploration trip presentation for cdpi (1)Career exploration trip presentation for cdpi (1)
Career exploration trip presentation for cdpi (1)cdpindiana
 
Final Presentation
Final PresentationFinal Presentation
Final PresentationCharlie93b
 

Andere mochten auch (6)

Career exploration trip presentation for cdpi (1)
Career exploration trip presentation for cdpi (1)Career exploration trip presentation for cdpi (1)
Career exploration trip presentation for cdpi (1)
 
Ewrt 2 class 7
Ewrt 2 class 7Ewrt 2 class 7
Ewrt 2 class 7
 
Jb 2183 Ch 1
Jb 2183 Ch 1Jb 2183 Ch 1
Jb 2183 Ch 1
 
The Leadership Gift
The Leadership GiftThe Leadership Gift
The Leadership Gift
 
Final Presentation
Final PresentationFinal Presentation
Final Presentation
 
Using PR To Promote Your Dealership - OFDA Conference 2008
Using PR To Promote Your Dealership - OFDA Conference 2008Using PR To Promote Your Dealership - OFDA Conference 2008
Using PR To Promote Your Dealership - OFDA Conference 2008
 

Ähnlich wie Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance

Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilitiesNirmal Thaliyil
 
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...David Sweigert
 
Dr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati
 
NIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesNIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesDr Dev Kambhampati
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)Ivan Carmona
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorKaspersky
 
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdfWHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdfFas (Feisal) Mosleh
 
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...Schneider Electric
 
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesNetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesCoreTrace Corporation
 
Advanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionAdvanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionEntrust Datacard
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_finalTerry Young
 
InTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdfInTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdfglan Glandeva
 
Cyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control SystemsCyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control SystemsIJEACS
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage...
Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage...Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage...
Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage...Flexera
 
Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich TopCyberNewsMAGAZINE
 
The Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity RequirementsThe Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity RequirementsEnergySec
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Vincenzo De Florio
 
Defending against industrial malware
Defending against industrial malwareDefending against industrial malware
Defending against industrial malwareAyed Al Qartah
 

Ähnlich wie Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance (20)

Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
Integrating disaster recovery metrics into the NIST EO 13636 Cybersecurity Fr...
 
Dr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational AwarenessDr Dev Kambhampati | Electric Utilities Situational Awareness
Dr Dev Kambhampati | Electric Utilities Situational Awareness
 
NIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric UtilitiesNIST Guide- Situational Awareness for Electric Utilities
NIST Guide- Situational Awareness for Electric Utilities
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdfWHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
WHITE PAPER - The Importance of CIP in the Energy Sector v2.0.pdf
 
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
 
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesNetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
 
Advanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure ProtectionAdvanced Solutions for Critical Infrastructure Protection
Advanced Solutions for Critical Infrastructure Protection
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final
 
InTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdfInTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdf
 
Cyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control SystemsCyber-Defensive Architecture for Networked Industrial Control Systems
Cyber-Defensive Architecture for Networked Industrial Control Systems
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
 
Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage...
Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage...Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage...
Tucson Electric Power Commissions Secunia's Vulnerability Intelligence Manage...
 
Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich
 
The Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity RequirementsThe Expanding Web of Cybersecurity Requirements
The Expanding Web of Cybersecurity Requirements
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013
 
Power station monitoring and cyber security
Power station monitoring and cyber securityPower station monitoring and cyber security
Power station monitoring and cyber security
 
Defending against industrial malware
Defending against industrial malwareDefending against industrial malware
Defending against industrial malware
 

Mehr von CoreTrace Corporation

Moskowitz Whitepaper Microsoft App Locker And Beyond
Moskowitz Whitepaper Microsoft App Locker And BeyondMoskowitz Whitepaper Microsoft App Locker And Beyond
Moskowitz Whitepaper Microsoft App Locker And BeyondCoreTrace Corporation
 
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control SystemsCoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control SystemsCoreTrace Corporation
 
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy SystemsCoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy SystemsCoreTrace Corporation
 
CoreTrace Whitepaper: Protecting PCI Systems And Data
CoreTrace Whitepaper: Protecting PCI Systems And DataCoreTrace Whitepaper: Protecting PCI Systems And Data
CoreTrace Whitepaper: Protecting PCI Systems And DataCoreTrace Corporation
 
CoreTrace Whitepaper: BOUNCER by CoreTrace ROI Analysis
CoreTrace Whitepaper: BOUNCER by CoreTrace ROI AnalysisCoreTrace Whitepaper: BOUNCER by CoreTrace ROI Analysis
CoreTrace Whitepaper: BOUNCER by CoreTrace ROI AnalysisCoreTrace Corporation
 
CoreTrace Whitepaper: Combating Buffer Overflows And Rootkits
CoreTrace Whitepaper: Combating Buffer Overflows And RootkitsCoreTrace Whitepaper: Combating Buffer Overflows And Rootkits
CoreTrace Whitepaper: Combating Buffer Overflows And RootkitsCoreTrace Corporation
 
CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
CoreTrace Whitepaper: Application Whitelisting -- A New Security ParadigmCoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
CoreTrace Whitepaper: Application Whitelisting -- A New Security ParadigmCoreTrace Corporation
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:CoreTrace Corporation
 

Mehr von CoreTrace Corporation (9)

Moskowitz Whitepaper Microsoft App Locker And Beyond
Moskowitz Whitepaper Microsoft App Locker And BeyondMoskowitz Whitepaper Microsoft App Locker And Beyond
Moskowitz Whitepaper Microsoft App Locker And Beyond
 
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control SystemsCoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Whitepaper: Whitelisting And Control Systems
 
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy SystemsCoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
 
CoreTrace Whitepaper: Protecting PCI Systems And Data
CoreTrace Whitepaper: Protecting PCI Systems And DataCoreTrace Whitepaper: Protecting PCI Systems And Data
CoreTrace Whitepaper: Protecting PCI Systems And Data
 
CoreTrace Whitepaper: BOUNCER by CoreTrace ROI Analysis
CoreTrace Whitepaper: BOUNCER by CoreTrace ROI AnalysisCoreTrace Whitepaper: BOUNCER by CoreTrace ROI Analysis
CoreTrace Whitepaper: BOUNCER by CoreTrace ROI Analysis
 
CoreTrace Whitepaper: Combating Buffer Overflows And Rootkits
CoreTrace Whitepaper: Combating Buffer Overflows And RootkitsCoreTrace Whitepaper: Combating Buffer Overflows And Rootkits
CoreTrace Whitepaper: Combating Buffer Overflows And Rootkits
 
CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
CoreTrace Whitepaper: Application Whitelisting -- A New Security ParadigmCoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm
 
Core Trace PCI DSS Compliance
Core Trace PCI DSS ComplianceCore Trace PCI DSS Compliance
Core Trace PCI DSS Compliance
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:
 

Kürzlich hochgeladen

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Kürzlich hochgeladen (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance

  • 1. Malicious Software Prevention for NERC CIP-007 Compliance: Protective Controls for Operating Systems and Supporting Applications Matthew E. Luallen, Co-Founder, Encari Paul J. Feldman, Chairman of the Midwest ISO, Independent Director of Western Electricity Reliability Council (WECC) Executive Summary Utilities attempting to meet the North American Electric Reliability Corporation “Critical Infrastructure Pro- tection” (NERC CIP) requirements have encountered an unexpected, but very serious conundrum in the cyber-security realm: should they strive to meet the spirit or letter of the regulations? The potential penalties are compelling, up to $1,000,000 per day of non-compliance per a requirement; however, “checking the box” and simply meeting the letter of the NERC CIP requirements should not be the primary goal. Increasing security for security’s sake should not be the goal either. All solutions must focus on meeting the true intention of the NERC CIP requirements — the same goal that has driven investments since the dawn of the electric infrastructure: protecting the reliability and availability of the Bulk Electric System (BES). Utilities could “check the box” and meet the letter of the regulations by implementing and maintaining tra- ditional security solutions (e.g., blacklist-based antivirus, emergency security patches). However, security teams have discovered that these solutions may not only fail to protect reliability and availability, they may negatively impact the goals themselves. For example, on critical Process Control Systems (PCS) at the core of the electric infrastructure, blacklist-based applications may impose unacceptable performance bur- dens, while vulnerability patches may jeopardize stability, be delayed by the PCS vendor, or affect system availability during application and / or system reloading. Fortunately, there is another way to truly meet the spirit of the NERC CIP requirements: application white- listing. Application whitelisting modifies the traditional antivirus and host security approach and turns it 180 degrees. Rather than maintaining an exponentially enlarging blacklist of detected malicious software, this newer and more powerful technology enforces a relatively small whitelist of the authorized applications for each system. Application whitelisting automatically eliminates all unauthorized applications by ensuring that only approved applications can execute, including the prevention of even unknown malware. This paper will explain why application whitelisting may serve as a compensating control for NERC CIP- 007, R3 (security patching) and solution for CIP-007, R4 (anti-malware). Application whitelisting also stops all unknown applications from executing; therefore, depending upon installation options, the same appli- cation whitelisting implementation may simultaneously aid utilities in meeting NERC CIP-003, R6 (change control and configuration management). Cyber-security of the Electric Infrastructure Almost every aspect of American life depends on the reliable delivery of electricity — from producing goods to saving lives, from defending the country to conducting electronic banking and commerce. Quite simply, the electric infrastructure is one of the United States’ most critical resources and needs to be protected as such. 1
  • 2. The importance of the electric infrastructure is not news to utilities and regulators. Over the years, tech- nologies and regulations have been implemented with the singular goal of ensuring the reliability and availability of electric power through the high voltage electrical infrastructure (the Bulk Electric System or BES). The BES grid has been architected to prevent cascading power failures and to continue function- ing whenever one generator or transmission line fails (“N-1” failure protection). The industry has done a remarkable job lately in dealing with these N-1 situations that are often the result of natural disasters or some other rare event. But what happens when there are multiple, simultaneous failures or system manipulations rather than just one? The grid is not currently equipped to handle this situation, referred to by many as the “N-x” failure situation. The cost of building a redundant, balanced ability to respond to this situation is prohibitive at best, and potentially even mathematically impossible. Fortunately, the odds of a natural event or a physical attack creating this situation have been so low that the investments weren’t warranted. Today, nature is not the biggest concern when it comes to potential N-x situations. That distinction belongs to cyber-attacks. Whether for extortion or terrorism, cyber-attacks against the electric infrastructure are particularly ominous because they can easily be designed to create an N-x attack situation. Realizing this fact, the industry and regulators have been working to create standards and implement technologies to thwart these attempts. The North American Electric Reliability Corporation (NERC), a self-regulatory organization that is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada, is a primary player in this effort. NERC’s mission is to ensure the reliability of the bulk power sys- tem in North America. Specific to cyber-attacks and their ability to create N-x situations, NERC has worked with the electric industry to create a set of requirements known as the NERC CIP (“Critical Infrastructure Protection”) Cyber Security Standards to protect the grid’s most critical assets. Utilities throughout North America are focused on the NERC CIP standards and reliability of the Bulk Electric System — but under a new and evolving regime of mandatory compliance and possible fines. Philosophies of “carrot” versus “stick” have not been fully worked out to establish a system whose focus is clearly reliability, and the dan- ger of a compliance focus (at the possible expense of reliability) is real. Every company needs to examine its own goals and motivations in this regard to ensure a continued focus on reliability with compliance as a byproduct rather than THE product. While reliability and compliance can go hand in hand, the industry still has work to do to ensure that is truly the case. In the meantime each company needs to ask the question — “Do our budget processes, organizational structures, reward systems, and senior management actions support a culture of reliability, or is reliability secondary to compliance. Companies must understand that the answers to this question will drive different actions throughout the organization with ultimately different consequences. Security of Critical Cyber Assets: Introduction to NERC CIP-007 “Checking the box” and simply meeting the letter of the NERC CIP requirements should not be the goal. Increasing security for security’s sake should not be the goal either. All solutions must focus on meeting the true intention of the NERC CIP requirements and balance appropriately the delicate security model — the same goal that has driven investments since the dawn of the electric infrastructure: protecting the reliability and availability of electricity delivery. All stakeholders — the asset owners, customers and the government, must contemplate a thorough understanding of the risks. The owners and the shareholders need and deserve a fair return on their investments, the customers want to safely procure a valuable com- modity with high reliability and low cost, while the government needs to manage risk across all 18 Critical Infrastructures / Key Resources (CI/KR). 2
  • 3. The NERC CIP standards provide a convenient roadmap for the assets that need controlling/protecting from cyber-attacks, “Critical Cyber Assets” (CCA) and Non-Critical Cyber Assets (NCCA) located within an Electronic Security Perimeter (ESP). While there are nine NERC CIP requirements, this paper focuses on the requirements that are directly related to securing the critical process control systems at the core of the electric infrastructure: Energy Management Systems (EMS), Distributed or Digital Control Systems (DCS), and Plant Control Systems (PCS). The primary anti-malware requirement is located within NERC CIP-007, and the most relevant sections associated with application whitelisting are as follows: • CIP-007-R3: Security Patch Management: The Responsible Entity, either separately or as a compo- nent of the documented configuration management process specified in CIP-003 Requirement R6, shall establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). R3.1: The Responsible Entity shall document the assessment of security patches and security upgrades for applicability within thirty calendar days of availability of the patches or upgrades. R3.2: The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk. • CIP-007-R4: Malicious Software Prevention: The Responsible Entity shall use Antivirus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s). R4.1: The Responsible Entity shall document and implement Antivirus and malware prevention tools. In the case where Antivirus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk. R4.2: The Responsible Entity shall document and implement a process for the update of Anti- virus and malware prevention “signatures.” The process must address testing and installing the signatures. The rest of this paper will outline how utilities can best meet these requirements — and simultaneously improve the infrastructure’s overall security, reliability and availability — in a manner that is consistent with the operational reality of control systems. Unique Operational Realities of Critical Control Systems Any discussion about the security of control systems must begin with an understanding of the realities of these critical implementations — realities that traditional security solutions simply cannot handle. While the list is long, there are four major challenges that deserve mention: 1. Many control systems are iso¬lated and not always connected to the Internet; therefore, the systems are unable to consistently download the latest antivirus signatures or patches, leaving them vulner- able even to known attacks. 3
  • 4. 2. Most control systems cannot be rebooted or can only be rebooted at specific times in very tight maintenance windows, making unplanned installations of operating system or application patches infeasible. 3. Control systems generally have limited memory and hardware resources available making them un- able to handle the performance impacts of resource-hungry security applications, including black- list-based antivirus. 4. Many security systems today are running on older operating systems that are no longer supported and for which patches are no longer created. As a real world example, a global energy company headquartered in the northeast USA, was concerned about the use of blacklist-based antivirus solutions on the execution of real-time applications for its power generating plant control systems’ operations. The company’s Critical Cyber Assets include operator inter- faces (a.k.a. Human Machine Interfaces or HMI) in the DCS/PCS environment that are critical to reliable and safe operation of their assets and data historians. While a typical energy management (a.k.a. Super- visory Control and Data Acquisition or SCADA) system used by utilities for control of electricity production and delivery over large geographic areas can tolerate two second status and ten second analog updates, acceptable HMI operations in a generating plant environment are based on a one second maximum re- sponse time and refresh rate. Operational testing on a plant data historian demonstrated that blacklist- based applications imposed an unacceptable burden on response time and refresh rates through higher processor loading and additional network traffic between the control system cyber assets. Additionally, the generating company’s stringent uptime standards made unplanned patches — especially those that required rebooting — unfeasible. The company was also concerned that automatic delivery of blacklist sig- nature updates over the Internet or Intranet poses risk to application reliability and requires opening ports in firewalls that pose a threat to the security of the generating plant cyber assets; management of these risks requires additional resources. In the end, traditional solutions can be implemented to simply meet the “check boxes” of the requirements, but utilities are forced to choose between various suboptimal outcomes when they do. These outcomes may include increased management costs, impacted performance and availability, and a false sense of security. Specifically: • CIP-007, R3 Compliance: Patch management systems can meet the requirement if managed and implemented correctly on a consistent on-going basis using defined and approved procedures. • CIP-007, R4 Compliance: Antivirus solutions can meet the requirement if managed and implement- ed correctly on a consistent on-going basis using defined and approved procedures. • Performance Impacts: Blacklist scans impose an unacceptable performance burden on these criti- cal systems — this is especially the case on older systems with limited resources. • System Availability: Control systems’ high availability is jeopardized by patches that require the rebooting of systems during normal operating hours. • Complexity Risk: Even if patch management and traditional antivirus solutions are perfectly imple- mented, the fact that they introduce an element of continued implementation complexity versus al- ternatives is an added risk. • False Sense of Security: Blacklisting solutions are ineffective against unknown, zero day and tar- geted malware, rootkits and most memory attacks. Systems without consistent connectivity may be exposed to even known threats if signatures are not updated or patches have not been applied. Out- 4
  • 5. of-support legacy systems (for which patches will never be available) will remain unprotected against even known vulnerabilities. Even in the face of this daunting list of operational inconsistencies, utilities would still implement traditional security solutions if they were highly effective at securing systems or if they were the only option to meet the NERC CIP requirements. The reality is that they are neither. Security professionals (and even the antivi- rus vendors themselves) agree that blacklisting is no longer sufficient to defeat today’s threats. Blacklisting cannot address whole classes of malware threats and attacks (e.g., zero-day exploits, targeted attacks, memory exploits, rootkits, etc.) and independent tests show blacklisting solutions’ detection rates con- tinue to drop. An alternative approach exists – Cyber Asset Application Whitelisting. Why Cyber Asset Application Whitelisting is a Viable Solution Application whitelisting takes the traditional antivirus approach and turns it 180 degrees. Rather than main- taining an exponentially enlarging blacklist of known malicious software, this new and powerful technology enforces a relatively small whitelist of the authorized applications for each computer. By ensuring that only approved applications can execute, application whitelisting automatically eliminates all unauthorized ap- plications — including even unknown malware. This approach meets the actual intention of the NERC CIP requirements: preventing all unauthorized applications from executing on Critical Cyber Assets. While this paper is not intended to explain all of the technical intricacies of how application whitelisting solutions work, leading solutions are built on two fundamental principles. First and foremost, the solutions are designed to enforce a relatively small list of known and approved applications rather than chase a huge and exponentially growing list of detected malware. For instance, to protect your home would you rather issue house keys to all family members and friends that are allowed access (whitelist) or define restric- tions for each individual in the world that is not allowed access (blacklist)? This paradigm shift occurred in the mid 1990’s for firewall technology as entities began implementing “deny by default” firewall rules implemented for the past five years leveraging the whitelisting model. The solution must also be designed to easily handle the addition of new applications or updates without increasing management overhead or requiring any changes to the company’s existing operational approaches. For application whitelisting to enforce a list of known and approved applications, each of the following must occur. The solution must have a way of building or acquiring the whitelist of applications for any given computer — preferably from the computer itself since no two computers are alike. Also, the solution must securely and efficiently enforce the whitelist on the computer. And finally, the solution must have the abil- ity to report any attempts to violate the security policies it is enforcing. These three capabilities together provide the security required to protect the computer, while at the same time reporting on system status. The whitelist enforcement mechanism is best deployed in the form of a tamper-proof client installed on each computer or endpoint. It is crucial that local users or malicious programs cannot circumvent the en- forcement provided by this engine, so the client must function in the operating system itself. Through tight integration with the operating system, the solution is able to protect the system and have the greatest ef- ficiency — it essentially functions as part of the operating system rather than an add-on security feature. From within the operating system, the client reads in the whitelist, and ensures that only those applications on the whitelist are allowed to run. This process begins during boot time when the operating system is starting, and then checks all executables that load to ensure they are authorized. The client only performs checks when a new application or process attempts to start, so the ongoing performance impact is im- perceptibly low compared to blacklist antivirus scans. It is paramount that asset owners work with control system vendors to include this type of capability directly in to the control system software and/or hardware. 5
  • 6. Control system vendors of IEDS, RTUs, Relays, Synchrophasors and other hardware and software need to ensure that their future systems are protected by default — application whitelisting is an excellent step in the correct direction. Application whitelisting solutions also monitor activity to aid in NERC CIP-007, R6 compliance. For ex- ample, a solution can log attempts to overwrite protected applications on the computer or attempts to run unauthorized applications. The solution can also periodically remove all unauthorized applications that may have been copied to the Cyber Asset, ensuring the pristine condition of the Cyber Asset is main- tained. Compliance reports can show the system configuration has been maintained and any unauthorized executables that have been removed thereby providing supporting evidence that is necessary for NERC CIP-003, R6. Addressing another one of application whitelisting’s fundamental principles, an application whitelisting solution must be able to automatically — without requiring real-time IT involvement — update the whitelist whenever new applications are added or existing ones are upgraded. Even in a controlled environment like energy systems, the Cyber Assets must eventually be updated with newer applications or patches. Some of these requirements are driven by compliance and company policies, while others are required to imple- ment new functionality. Innovative whitelisting solutions allow authorized change while still maintaining security on the Cyber As- set. The term being applied to this process is “Trusted Change”. All trusted change is built on this simple concept: IT establishes multiple “sources of trust” from which users and Cyber Assets can install applica- tions or upgrades. As long as the users and Cyber Assets receive the applications or upgrades from these trusted sources, the applications or upgrades can be automatically added to the whitelist without any addi- tional IT involvement. The additions are transparent and friction-free. Examples of trusted sources include trusted applications, trusted digital signatures, trusted updaters, and even trusted users. By preventing all unauthorized applications and malware from executing, application whitelisting simulta- neously serves as a compensating control for NERC CIP-007, R3 and a solution for CIP-007, R4 in a way that also increases security and protects the availability / reliability of electricity delivery. Specifically: • CIP-007, R3 Compliance: By preventing the execution of malware — including those that are de- posited via vulnerabilities that haven’t been patched or via memory-based attacks like DLL injections — application whitelisting is a compensating control until the PCS vendor approved security patches are installed during regular maintenance windows. • CIP-007, R4 Compliance: Application whitelisting may currently meet CIP-007, R4 (since it is clearly an anti-malware solution) or it may be considered a compensating control (since it eliminates all un- authorized applications from executing). • Security: Application whitelisting, or deny by default, is far more effective than blacklisting because it prevents all malware, whether known or unknown. Leading versions stop rootkits and prevent memory attacks like DLL injections and attempts to write to kernel memory as well. Additionally, ap- plication whitelisting provides protection for out-of-support legacy Cyber Assets for which patches will never be available. • Performance Impacts: Since the whitelists are relatively small and only run when an application at- tempts to execute, the performance impact is imperceptible. • System Availability: Control systems’ high availability is protected because the Cyber Assets are not required to be rebooted during normal operating hours. 6
  • 7. Application Whitelisting Aids in Complying with NERC CIP-003, R6 and CIP-007, R6 While the bulk of this paper has been focused on meeting the true intention of NERC CIP-007 R3 and R4, preventing the execution of any malware, the reality is that application whitelisting prevents the execution of all unauthorized applications — not just malicious ones. Unauthorized applications are a focus of NERC CIP-003, R6: • CIP-003, R6: Change Control and Configuration Management: The Responsible Entity shall establish and document a process of change control and configuration management for adding, modifying, replacing, or removing Critical Cyber Asset hardware or software, and implement supporting configu- ration management activities to identify, control and document all entity or vendor related changes to hardware and software components of Critical Cyber Assets pursuant to the change control pro- cess. Application whitelisting may aid in stopping a non-compliant, unapproved activity pursuant to CIP-003, R6 by providing attempted change detection and actual execution restriction of unauthorized applications. Application whitelisting solutions also typically include baselining and reporting to aid in the generation of evidence pursuant to CIP-007, R6 Security Status Monitoring: • CIP-007, R6: Security Status Monitoring: The Responsible Entity shall ensure that Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or orga- nizational process controls to monitor system events that are related to cyber security. Any identified security event may be a result of poorly defined procedures and executed practices of change control and configuration management or actual attempted Cyber Asset manipulation that should be man- aged and escalated according to an entities CIP-008 Cyber Security Incident Response Plan (CSIRP). Other benefits of application whitelisting in lieu of blacklisting for control system host computers include: • Eliminate the need to test and update blacklist signatures per CIP-007, R4.2. • Control system hosts need not be continuously connected to an external network to maintain a high degree of protection against malware. • The application environment for control system hosts is relatively static after initial Cyber Asset com- missioning. The use of application whitelisting requires minimal management resources compared to blacklisting. Conclusion In addition to superior protection against even zero-day attacks, application whitelisting is gaining a fol- lowing because it addresses the operational realities associated with control system implementations that blacklist-based solutions cannot. First, application whitelisting continues to provide protection without requiring signature or patch updates, so it can function in Cyber Assets that are not connected to the Internet. Second, whitelist-protected control systems remain online until regularly scheduled maintenance windows, instead of requiring downtime for emergency vulnerability patches. Third, application whitelisting solutions typically do not impact control system performance — a significant advantage over resource- hungry security applications like blacklist-based antivirus. Fourth, resource requirements for management of application whitelisting for control system hosts is minimal compared to blacklisting because of the 7
  • 8. relatively static application environment in power plant control systems. And finally, leading application whitelisting solutions provide protection for control systems that are built on older, unsupported operating systems for which no patches are available. For all of these reasons, application whitelisting is a solid option for utilities trying to secure control sys- tems, to meet NERC CIP requirements, and to protect the overall availability and reliability of the BES in North America. Information Note: The views expressed in this paper are the authors’ own and not necessarily associated with any organization that the authors serve in Board, Client, or Advisory Board roles. 8