The report from McAfee and PNNL, Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems, suggests that traditional security will inevitably leave industrial control systems (ICS) exposed. “What’s actually going on onboard the ICS computing platform remains a mystery to the operator, and even some of the most skilled IT professionals,” it concludes.
The problem is that the nature of threat has, since Stuxnet and Duqu, changed. “Today, we have this new threat which isn’t really the brawler a botnet is, or the bully that malware can be. This new threat seems to have the disposition of a cyber-sniper... The Stuxnet malware attacked Windows systems using an unprecedented four zero-day attacks.”
Zero-days cannot be stopped by traditional blacklisting security – and it is for this reason that the report promotes increased use of whitelist technologies. In particular, it suggest five solutions: dynamic whitelisting, memory protection, file integrity protection, write protection, and read protection. In short, the report promotes a switch from preventing what is bad to only allowing what is known to be good.
Although the report was only published this week, it was actually compiled back in March. As such it makes no mention of the third cyberweapon, Flame, discovered last month. Flame doesn’t change the threat to ICS so much as reinforce it – and empirical support for the conclusions of the report comes from a third party, Bit9. Bit9 is clearly promoting its own products, but the point to bear in mind is that they are whitelisting technologies.
“Flame remained undetected for 2–5 years under antivirus’ watch. It remained undetected under the watch of firewalls, IDS/IPS, and behavioral HIPS solutions,” writes Bit9 in a new blog. But it did not defeat whitelists. “Right now, Bit9 is the only security company to report that they stopped Flame. The only one. Not once, not twice, but over an extended period of time – eight months to be exact. Bit9 protected one of its customers before anyone, including Bit9, knew what it was.”