As Jason Holcomb noted on this blog a few weeks back, there is a growing interest in apply the practice of whitelisting to control systems. In whitelisting a set of known “good” applications is created and maintained, and only applications from that list are allowed on systems in the environment. This in theory removes the need for anti-virus and other malware monitoring products.
My concerns with whitelisting are threefold:
First, in regards to the creation process of the whitelist. How is software deemed permissible? What is the process for determining what needs to be included on the list? Could permissible software actually become an attack vector?
As many newer control system products become web based, a web browser that would of necessity be on the whitelist could become a vector for malicious attacks. Also unknown flaws in whitelisted software could potentially allow for attack vectors. Case in point the recent Adobe Acrobat vulnerability.
Which brings me to my next concern; the vetting process of the whitelisted software. Who performs the vetting? How effective is the vetting process?
Poor vetting for vulnerabilities of software on the whitelist, could be hazardous. As AV and malware monitoring software may not be present on a whitelist controlled environment the potential for an unknown bug wreaking havoc could be large.
And finally once an application is white listed it [the application/vendor] then could become a target. Attackers could turn their attention to corrupting the software base of the vendors. This could be from both cyber vectors, trying to infiltrate and corrupt the vendor code base from the outside, or from social engineering. How hard would it be to get on the cleaning crew of a vendor’s sub-contracted janitorial service? This would allow almost un-fettered physical access to systems, in the wee hours of the night when the cleaning occurs.
I think whitelisting a good idea as part of a defense in depth strategy, but not to the exclusion of other methodologies i.e. and as a primarily policy based measure, effectiveness would also be greatly dependent on enforcement. Personally, I would still have AV systems, malware monitoring programs, IDSs, HIDs, etc in place. While whitelisting could reduce the attack surface of a system by limiting the number and types of software to only trusted application, it could also introduce single points of failure common across the environment. I think it best when used in conjunction with existing security practices as part of a defense in depth approach.