Let’s get this out of the way: application whitelisting does not equal perfect security. But neither does any of the other host-based security products competing to get onto your control system servers and workstations. The bloated AV programs that do signature-based scanning, heuristics, packet filtering, and intrusion prevention can’t solve all your problems either, and they often create new ones for you. For example, how do I get signature updates into my isolated network, and how much time do I have to spend testing those updates to make sure they don’t break my control applications?
Host-based security technologies (HIDS, AV, local firewall, etc.) each address specific issues and have their own place, but let’s look at this from the perspective of an executive or even a control engineer. They want the biggest security bang for their buck, which includes not only the hard cost but also the ongoing maintenance expense. Of course they should consider using the Bandolier security audit files to help harden and audit the application and OS. But assuming that and the other policy, network, life-cycle, and perimeter issues are addressed, where do you go from there for host-based security? Specifically — if you had to decide on a single host-based, bolt-on security application for your control system servers and workstations, which technology would you add first?
The right answer depends on many factors but I’m convinced that application whitelisting is at least on the list for consideration — something I would not have said six months ago.