Should You Be Using Application Whitelisting?

There is one thing that can be universally said for cybersecurity solutions: most of them are inconvenient for the user.  But who said that cybersecurity was ever convenient?  And so it goes for two key cybersecurity solutions, antivirus (aka blacklisting) and application whitelisting. Antivirus protection has been around forever and has been a staple of any “defense-in-depth” cybersecurity solution set.  Antivirus solutions scan your devices for the presence of malware based on a list of known bad threats and, upon finding any, can quarantine and remove it.  But the key drawback of blacklisting is the requirement that a piece of malware has been “previously discovered” and that a “signature” file has been developed and then (regularly) updated on the device before the software can identify that malware during a scan.  Typically, updating the signature files required time-consuming resources and was often relegated to “when we have time”… which often meant never.  Today, new signature files are released daily, and unless these updates to your control system are automated, the installs generally fall further and further behind as the months wear on.

Application whitelisting is a much newer technology and works in exactly the opposite way to blacklisting.  Starting from a list of known acceptable executables for each station, it blocks everything (aka default deny) that is not on that acceptable “whitelist”; this principle was initially thought to be a “silver bullet”.  The good news here is that “zero-day” malware executables introduced to the DCS through portable media devices (e.g. USB sticks, etc.) would not be found on the “whitelist” and therefore would not be allowed to execute.  For customers who are having trouble enforcing policies and procedures for the safe use of USBs at their sites, this can be an excellent solution.  Of course, the problem is that if malware was already lying dormant on the system component, whitelisting had no way to scan for it, and in fact would whitelist it if it was not found and cleaned before the whitelisting process was started.   Another knock on whitelisting was the ongoing file management maintenance overhead that this solution required: if you did not have the time to update signature files, updating a whitelist required even more maintenance time.

Process control lends itself nicely to the application of whitelisting, as changes to the control system don’t come very often, and when they do, they come from known suppliers.   The advent of digitally signed software has allowed application whitelisting solutions to “auto-accept” digitally signed updates if the associated digital certificates are included in the whitelisting policies.  This allows for strengthened security and lower ownership costs using dynamic whitelisting that automatically accepts new software added through your trusted channels.
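The default-deny decision described in the two paragraphs above, as an added Python example (not Emerson’s or McAfee’s code): a static hash whitelist captured at baseline time, plus a dynamic rule that accepts software from trusted signers. The file contents, signer labels and policy structure are all constructed for illustration, and signature verification is reduced to a plain label where a real product would verify the digital certificate; the example also shows the caveat that a dormant file present at baseline time ends up whitelisted.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "executables": file name -> (content bytes, signer label or None).
# A real whitelisting product verifies the digital signature on the binary; here the
# signer is just a label so the policy logic can be exercised offline.
SAMPLE_FILES = {
    "deltav_ctl.exe":    (b"constructed-control-binary-v1", "DeltaV Publisher"),
    "deltav_ctl_v2.exe": (b"constructed-control-binary-v2", "DeltaV Publisher"),
    "usb_dropper.exe":   (b"constructed-unknown-binary", None),
    "dormant.exe":       (b"constructed-dormant-binary", None),
}

# Files assumed to be on the station when the whitelist is first built.
INSTALLED = {k: SAMPLE_FILES[k] for k in ("deltav_ctl.exe", "dormant.exe")}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class WhitelistPolicy:
    hashes: set = field(default_factory=set)           # static allowlist (baseline)
    trusted_signers: set = field(default_factory=set)  # dynamic rule for signed updates


def baseline(files: dict) -> WhitelistPolicy:
    """Solidify everything currently present on the station.
    Caveat from the post: anything already on disk, including dormant malware,
    is trusted from now on, so scan and clean before taking the baseline."""
    return WhitelistPolicy(hashes={sha256(content) for content, _ in files.values()})


def decide(policy: WhitelistPolicy, content: bytes, signer) -> str:
    """Return the verdict for one executable: allow by hash, allow by signer, or deny."""
    if sha256(content) in policy.hashes:
        return "allow:hash"
    if signer is not None and signer in policy.trusted_signers:
        return "allow:signer"
    return "deny"  # default deny: not on the list, not from a trusted channel


def evaluate(policy: WhitelistPolicy, files: dict) -> dict:
    """Apply the policy to every file and return {name: verdict}."""
    return {name: decide(policy, content, signer) for name, (content, signer) in files.items()}
```

With the static baseline alone, the signed v2 update is denied until the publisher is added to `trusted_signers`, while the unsigned USB file is denied under both policies.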

But neither solution is a silver bullet by itself!  Antivirus must be updated periodically (as frequently as possible), and application whitelisting requires appropriate measures to keep its “whitelist” up to date so that nobody is tempted to bypass it (misuse of whitelisting can impact the cybersecurity posture of your system). Emerson therefore recommends using both solutions for an effective “one-two” punch against malware infection.  Using application whitelisting to protect from “zero-day” attacks together with antivirus blacklisting to scan for malware yields the best result.

Emerson supports this scenario using two product solutions: Endpoint Security for DeltaV Systems and Application Whitelisting for DeltaV systems.  Both are McAfee-based solutions that are centrally managed by the McAfee® ePolicy Orchestrator® (McAfee ePO™) software.  And while antivirus has been with us for some time, McAfee’s recent rework and release of the ENS10 antivirus software has made it smaller, lighter and faster than ever.  Combining Application Whitelisting, with its advanced memory protection (a topic that will be covered in a subsequent post), with Endpoint Security can reduce those time-consuming patching cycles.

Rick Gorskie

Global Sales Manager - Cybersecurity

Emerson Automation Solutions