Application Whitelisting Momentum – Meeting NERC CIP-007 Requirements

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog


Last week I blogged about the general momentum around application whitelisting citing our meetings with Neil MacDonald from Gartner and a recent post from George Kurtz of McAfee.

This week, I want to speak more specifically about using application whitelisting to meet both the letter and the spirit of the NERC CIP-007 compliance requirements. This is an area where application whitelisting is gaining significant momentum as a supplement or alternative to traditional blacklist antivirus. There are several reasons why the energy industry is ahead of the general curve in adopting whitelisting technologies.

  • The government has mandated protection of critical infrastructure against malware and other cyber attacks
  • The outcome from a failure of these critical systems could be catastrophic
  • It is recognized that not only does traditional antivirus fail to stop the threat, but its performance impact is significant enough to cause other problems
  • Continual updating and patching of security systems is unfeasible for many control systems that are connected to the Internet

Our many customers in the energy industry recognize the ability of application whitelisting to not only address the deficiencies of antivirus, but also to provide security to their critical infrastructure significantly beyond checkbox NERC CIP compliance requirements.

Contributing to industry awareness are recent papers released by industry thought leaders. Paul J. Feldman, Chairman of the Midwest ISO and Independent Director of the Western Electricity Reliability Council (WECC), followed a recent paper titled “5 Questions the Board Should Ask About NERC CIP Plans” with a new whitepaper he co-authored with Matthew E. Luallen, Co-Founder of Encari: “Malicious Software Prevention for Complying with NERC CIP-007 Requirements”.

The first paper addresses the key considerations for companies moving to comply with NERC requirements, explains how they can meet the intent of the regulation, and calls out the purpose behind it.

Presidential (US) directive PDD-63 of May 1998 set up a national program of Critical Infrastructure Protection (CIP). The Bulk Electric System is part of the critical national infrastructure. The NERC CIP Standards relate to the national effort, and the traditional efforts of energy companies to protect assets from cascading large scale failures.

The second deals specifically with how application whitelisting meets the CIP-007-R3 (Security Patch Management) and CIP-007-R4 (Malicious Software Prevention) compliance requirements, and how it assists in meeting CIP-003-R6 and CIP-007-R6. The conclusions are compelling.

Application whitelisting takes the traditional antivirus approach and turns it 180 degrees. Rather than maintaining an exponentially enlarging blacklist of known malicious software, this new and powerful technology enforces a relatively small whitelist of the authorized applications for each computer. By ensuring that only approved applications can execute, application whitelisting automatically eliminates all unauthorized applications – including even unknown malware. This approach meets the actual intention of the NERC CIP requirements: preventing all unauthorized applications from executing on Critical Cyber Assets.
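To make the default-deny mechanism described above concrete, here is an added example, written for this post and not code from CoreTrace's product or from the whitepapers cited. It assumes a manifest that pins each approved executable by path and SHA-256 hash (a simplification of what a real enforcement agent does in the kernel); the file names and contents are constructed for the demonstration. Note that pinning the hash, not just the path, means a modified copy of an approved program is treated as a new, unauthorized binary, which is why the approach needs no signature update to stop unknown malware.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(approved: list[Path]) -> dict[str, str]:
    """Snapshot the approved set: map absolute path -> SHA-256 of its contents.

    The manifest is the whitelist: small, built once from a known-good host,
    and never grown by the attacker's activity.
    """
    return {str(p.resolve()): sha256_file(p) for p in approved}


def is_authorized(path: Path, manifest: dict[str, str]) -> bool:
    """Default deny: allow execution only if the path is listed AND its hash still matches."""
    expected = manifest.get(str(path.resolve()))
    if expected is None:
        return False                      # unknown binary: never on the list
    return sha256_file(path) == expected  # listed but modified: also denied


def demo() -> dict[str, bool]:
    """Constructed scenario: one approved program, one unknown, one tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        approved = root / "hmi_console.exe"      # hypothetical approved application
        unknown = root / "unknown_tool.exe"      # hypothetical binary not on the list
        approved.write_bytes(b"#!/bin/sh\necho HMI console\n")
        unknown.write_bytes(b"#!/bin/sh\necho not on the whitelist\n")

        manifest = build_manifest([approved])    # snapshot taken at build time

        results = {
            "approved_unchanged": is_authorized(approved, manifest),
            "unknown_binary": is_authorized(unknown, manifest),
        }
        # Simulate the approved file being altered after the snapshot was taken
        approved.write_bytes(b"#!/bin/sh\necho HMI console; echo extra\n")
        results["approved_tampered"] = is_authorized(approved, manifest)
        return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Run as a script it prints ALLOW for the unchanged approved program and DENY for both the unknown binary and the tampered copy; nothing about the unknown file had to be known in advance for it to be blocked, which is the property the CIP-007-R4 discussion turns on.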

If you are responsible for NERC CIP compliance you should be giving serious consideration to application whitelisting to meet many of the key requirements of the regulation.
