McAfee ICS Security

Pacific Northwest National Lab (PNNL) released a report “Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems: McAfee Application Control, Change Control and Integrity Control”. The date says March 2012, but I just saw a copy thanks to an @reversemode tweet.

It’s a 72-page document with the first four sections reprising the security issues in the electric sector. A nice overview for those new to the topic.

Sections 5 and 6 discuss how McAfee products could be used in electric sector control systems. After describing the McAfee security solutions, they map the product capabilities to requirements in NERC CIP and NISTIR 7628.

I was interested to see the digitally signed update feature being discussed for RTUs and PLCs. It is unclear if this is a capability or if the McAfee feature has actually been integrated into a PLC. As we have mentioned before, this is a potential benefit to the McAfee purchase of Wind River.

Appendix A is worth reading for attack scenarios on ICCP servers and PLCs. This draws on past PNNL projects in this area.

I buried this negative comment, but the love letter tone of this document is completely inappropriate for a supposedly objective assessment. I almost didn’t make it through the Preface. I’m all for praise where deserved in an assessment, but text such as:

“Through the engagement with the McAfee® management and technical teams we fully recognize that McAfee® is committed to provide significant improvements for cyber security capabilities that will enable energy sector owners and operators to provide highly defensible security postures for their control system environments.”

“The McAfee® solution also contains digital signature features needed to support integrity requirements. This feature applied at the level designed into an ICS environment provides the highest available path to determine absolute integrity control throughout the platform.”

reads like a McAfee brochure. And there was a lot of this type of full-throated praise without analysis. Even the Gartner Group or similar wouldn’t go this far.

The cover page indicates this assessment was done with Dept of Energy funding, but the body never makes it clear if McAfee contributed to the funding of this report. It’s a shame because it calls the objectivity of the rest of the document into question.