The report from McAfee and PNNL, Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems, suggests that traditional security will inevitably leave industrial control systems (ICS) exposed. “What’s actually going on onboard the ICS computing platform remains a mystery to the operator, and even some of the most skilled IT professionals,” it concludes.
The problem is that the nature of the threat has, since Stuxnet and Duqu, changed. “Today, we have this new threat which isn’t really the brawler a botnet is, or the bully that malware can be. This new threat seems to have the disposition of a cyber-sniper... The Stuxnet malware attacked Windows systems using an unprecedented four zero-day attacks.”
Zero-days cannot be stopped by traditional blacklisting security – and it is for this reason that the report promotes increased use of whitelist technologies. In particular, it suggests five solutions: dynamic whitelisting, memory protection, file integrity protection, write protection, and read protection. In short, the report promotes a switch from preventing what is bad to only allowing what is known to be good.
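As an added illustration (not code from the McAfee/PNNL report or from Bit9), the following Python sketch shows the default-deny logic behind two of those five measures, dynamic whitelisting and file integrity protection: a baseline of known-good file hashes is the allowlist, and anything not in it, or whose hash has changed, is flagged rather than having to match a known-bad signature. The file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record relative path -> SHA-256 for every regular file under root.
    This mapping is the allowlist: only these files, with these hashes, are known good."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_against_baseline(root, baseline):
    """Default-deny check: report files that are unknown, modified or missing relative
    to the baseline. A whitelisting agent would refuse to execute the first two kinds;
    a file-integrity monitor would alert on all three. No signature of 'bad' is needed."""
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("unknown", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    findings.extend(("missing", rel) for rel in baseline if rel not in current)
    return sorted(findings)

def demo():
    """Constructed sample: baseline a small tree, then simulate the two changes a
    previously unseen threat causes (an existing binary is overwritten, a new one appears)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"trusted HMI binary v1")    # constructed
        (root / "bin" / "plc_driver.dll").write_bytes(b"trusted driver")   # constructed
        baseline = build_baseline(root)
        assert check_against_baseline(root, baseline) == []  # clean system: nothing flagged
        (root / "bin" / "hmi.exe").write_bytes(b"trusted HMI binary v1 + injected code")
        (root / "bin" / "update.exe").write_bytes(b"binary not in the allowlist")
        return check_against_baseline(root, baseline)

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:9s} {rel}")
```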
Although the report was only published this week, it was actually compiled back in March. As such it makes no mention of the third cyberweapon, Flame, discovered last month. Flame doesn’t change the threat to ICS so much as reinforce it – and empirical support for the conclusions of the report comes from a third party, Bit9. Bit9 is clearly promoting its own products, but the point to bear in mind is that they are whitelisting technologies.
“Flame remained undetected for 2–5 years under antivirus’ watch. It remained undetected under the watch of firewalls, IDS/IPS, and behavioral HIPS solutions,” writes Bit9 in a new blog post. But it did not defeat whitelists. “Right now, Bit9 is the only security company to report that they stopped Flame. The only one. Not once, not twice, but over an extended period of time – eight months to be exact. Bit9 protected one of its customers before anyone, including Bit9, knew what it was.”
Comments
lancop1 says:
25 June 2012
Whitelisting and file system change monitoring solutions like Bit9 Parity are essential tools for ALL sizes of computer networks, including small SOHO and SMB networks. Unfortunately, Bit9 isn't interested in customers with less than 100 users, so huge swathes of the IT community can't get their hands on this essential technology. What is needed is an inexpensive microsecurity appliance that implements a Bit9 type technology that can be dropped into smaller networks and provide effective whitelisting & file system change monitoring features. With our medical records, credit card data, and other personal information residing on small business networks, effective endpoint protection is no longer just for the big guys. Please make it happen Bit9.