Digital Energy Journal- Keeping out viruses with whitelisting

Join | Existing Member Login

You are Home » News » View Article

Keeping out viruses with whitelisting

Thursday, January 31, 2013

'Application whitelisting', or making it impossible to install unauthorised software, can be a more effective way to keep offshore PCs and servers used to run the production operations clean than antivirus, reckons Amor Group

'Application whitelisting', or restricting the installation of unauthorised software on offshore PCs and servers, can be a more effective way to keep them clean of viruses than anti-virus software, says Andrew Wadsworth, Head of Process Control Security at Amor Group, a UK business technology company specialising in energy, transport and public services industries.

The idea of restricting installation of unauthorised software is a familiar one to anyone who has ever used Microsoft Windows XP, Vista or 7, which must be virtually every reader.

But the usual Microsoft Windows software installation restrictions do not work, and we all have a fair idea why.

When asked if we are sure we want to install some software, often we click 'yes' without thinking.

Virus writers have got many tricks to fool us into installing their software.

Systems which 'lock down' PCs, so that people cannot install whatever they want on them, are not very popular with offshore engineers, in case they need to install an urgent software patch.

People feel that the security controls cause more problems than benefits and try to disable them.

Amor Group tries to solve all of these problems with a more sophisticated approach.

It installs a special application whitelisting software product, called Bouncer, made by a company called CoreTrace, based in Austin, Texas.

The company determines an authorised list of software for each PC, based on the task that PC is doing. Any patches for the authorised software can be installed with less interruption.

The whitelist software is fully tested to make sure it can work reliably together with the software products (see below), so there shouldn't be any demands from staff to remove it.

A big challenge for successful whitelisting is enabling controlled changes. Bouncer has a number of ways of addressing this. For example, it can enforce that any software updates must be signed by a digital certificate confirming the update is supplied from an approved company, and/or the security level of the system must be temporarily reduced to allow patches from approved companies to be installed.

A temporary reduction to the security level, or changes to the white list, can be made offshore, by trained site personnel with special authority.

North Sea installation

Amor was contracted by an oil company with platforms in the North Sea, to install its 'whitelisting' software application on all of its offshore oil platforms, each with between 10 and 20 PCs onboard.

The oil company determined that its needs would be better met by using whitelisting software than using antivirus.

The oil company had a range of different control systems, including an early warning radar system to detect vessels coming around the platform, monitoring systems for sand and vibration, turbine and compressor controls. 'Bouncer is installed on the whole range of control and monitoring systems which are used,' he said.

Installation procedure

When it comes to persuading offshore personnel to install the software, the asset managers and IT departments typically can see the benefits of the application whitelisting, Mr Wadsworth said.

But the people who are harder to persuade are the instrument technicians, who are concerned they might end up with reduced levels of control over their computer systems.

'The people working on the platform - they are the ones who have got to deal with it at the time.
They get complaints that they haven't met their production targets because of an unscheduled shut down.'

'We're used to going offshore and working with these guys, we can usually win them around,' he says.

The process starts with getting a comprehensive hardware and software inventory of all the systems. 'Few organisations have a complete, accurate inventory but it's vital to plan the testing and installation work' he says.

The next stage is to set up a test computer for each system with all of the offshore operations software and the whitelisting software both installed on it, to try to check that the whitelist software does not interfere with the operations software at all.

Amor Group runs extensive testing when its software system is installed to make sure all the necessary software applications are in fact whitelisted and run fine with the software.

Then the application whitelisting software is installed offshore. 'When it comes to actually installing on the live system, that's when people start getting nervous,' he says.

Amor staff will go offshore and check everything is working correctly. 'In general we'll have a vendor field engineer on site with us.'

'We have a checklist that we go through on every single installation - we don't miss a step in there.'

The computer is thoroughly scanned for viruses before installing the white listing software, because otherwise the viruses would become whitelisted.

'We've found on a number of occasions there were viruses offshore that the companies didn't know about on their control systems,' he said.

When installing the software, 'recover' software is used so you can quickly get the system back to where it was. A complete image of the hard drive at the outset is recorded.

'So far we've not had any unplanned shutdowns or outages as a result of this installation process,' he says.

'There is a huge difference between implementing this stuff on a control systems environment, rather than a corporate IT environment. We're acutely aware of the potential impact that we can have.'

'A corporate IT environment could schedule this as an update to hundreds and thousands of PCs, if people can't get to their email for a bit, so what, it is inconvenient but no-one's going to get hurt.'

'We do the same thing on a control system environment there could be a production or a safety impact. We're very conscious of that.'

'It is essentially grunt work - going through all of that testing procedure but critical for our success.'

Amor also gives offshore staff training into how to fix problems with the system.

'They know what you do If they need to install an emergency patch,' he said. 'But to be honest it's never happened yet.'

'It makes them feel more comfortable.'

Stopping Stuxnet

To illustrate how the system works, CoreTrace did a test to see if the powerful Stuxnet virus could have got through its defences.

It found that Stuxnet would have been blocked twice.

Stuxnet found its way onto PCs by exploiting vulnerability in Windows shortcut. Bouncer can prevent that vulnerability being exploited. A patch has been issued for this vulnerability, but many computer systems don't get patched.

Stuxnet's next step was to rename a DLL (dynamic link library) file. The application whitelisting software would not have allowed this, because the DLL file would have been whitelisted, so cannot be changed.

Stuxnet's next step is to install a new DLL file with the same name as the previous one. The whitelisting software would not have allowed this file to run, because it was not whitelisted. It would have detected that the file content had changed (even though the filename was the same) by comparing the file size with the previous file size, and looking at the 'SHA1 hash', a special piece of code which is generated using the code in the file, which changes every time the code in the file changes.

'It goes beyond the protections that Windows provides,' he says.

Antivirus software works by trying to spot viruses but letting everything else run, so it would only notice that Stuxnet was trying to install itself on the computer and block it if the antivirus software company knows about it and, crucially, the computer's antivirus software has been updated.

The whitelisting software can stop you running applications both on the hard disk and the computer's memory.

Better than antivirus

The default for whitelisting is 'don't allow things to run, and only allow things that it knows about to run,' he says. 'So if something new comes along, it says that's not on my list, I'll block it.'

In contrast, the default for antivirus software is to allow everything to run unless it is identified as a virus.

Antivirus software on control system computers is updated woefully infrequently. The US Department of Homeland Security has found that antivirus systems on industrial control systems are on average 15 months out of date.

There is a big reluctance to change virus software on control systems in case the update causes a problem. Many of us have had experiences of virus updates causing our computers to crash.

Many control system computers only have the trial antivirus software which was installed on the machine when it was new.

The computers are normally put through extensive 'factory acceptance testing' before they are installed, and there is a reluctance to change anything after the computer has passed the test.

In contrast, whitelist software doesn't need updating at all.

'The automation manufacturers, pretty much all the major automation vendors - are waking up to whitelisting - and are in the process of looking at approving whitelisting products for their systems,' he said. He concluded, 'Whitelisting is being widely recognised as a key component of a comprehensive defence strategy against malware and malicious attacks on control systems'.

Many companies which use application whitelisting remove their antivirus completely, because the whitelisting provides better protection, and there is hassle and risk involved in maintaining antivirus software.

Although the antivirus software is still used to check that the machine is clean at the beginning, and checking that any software updates are free of viruses before they are installed, he says.

Associated Companies
» Amor Group

CREATE A FREE MEMBERSHIP

To attend our free events, receive our newsletter, and receive the free colour Digital Energy Journal.