Watch CBS News Videos Online

The story begins with an interview of Admiral Mike McConnell, former chief of national intelligence, who has this to say:

“If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Cost, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker,” McConnell explained.

“Do you believe our adversaries have the capability of bringing down a power grid?” Kroft asked.

“I do,” McConnell replied.

Asked if the U.S. is prepared for such an attack, McConnell told Kroft, “No. The United States is not prepared for such an attack.”

As someone who has worked in the computer industry for over 20 years, it is often easy to simply look at compliance requirements as a necessary evil that brings very little real value to business. In the case of regulations governing security on the Internet, like the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) guidelines, their goal is nothing short of our National security.

In general, this was a very thorough piece that not only deals with grid security, but also highlights recent Internet based attacks and provides details of how important it is to defend all of our critical systems. If you have some time today this segment is certainly worth watching.

“My overall impression: this is an elegant and effective solution to some of the security challenges we face with Windows servers and workstations in control systems.”

Jason hits on many of the reasons why application whitelisting has been so popular in the energy industry and why, more than ever, it is being used to protect critical SCADA and DCS systems as well as met NERC CIP requirements.

He goes on to say:

“If you have NERC CIP responsibility, some light bulbs are probably going off about now. Can I deploy a product like Bouncer and not have to do AV updates and patches? The CEO of Encari (Matthew Luallen) and the Midwest-ISO chairman (Paul Feldman) make a case for meeting “both the spirit and letter of the law” in this whitepaper: Malicious Software Prevention for NERC CIP-007 Compliance. The case is pretty clear for anti-malware. For patching it may at least buy you some time as a compensating control.”

Our customers have been discovering that for their control system and SCADA needs that application whitelisting is a more effective alternative than blacklist anti-virus and patching. Not only is it significantly cheaper and easier to protect your systems in this way, it doesn’t incur the significant performance penalty that comes from today’s anti-virus solutions.

We think that application whitelisting is starting to gain significant momentum as an alternative to blacklist anti-virus. Adoption is accelerating in the area of single purpose machines like those in control systems, but is also generating significant interest as a viable alternative in the enterprise as well. The bottom line is that existing endpoint security is simply so broken that people are actively seeking an alternative to the legacy systems they have in place.

Yesterday came the latest report of how fragile our power infrastructure can be. A research scientist in China has reported that an attack on a small subnetwork could bring down the whole west coast power grid. While I have not seen all of the research, and therefore cannot comment on it directly, we do know that the grid is not equipped to handle multiple simultaneous outages – and that is exactly what malware can be used to create. The stakes couldn’t be higher and the IT infrastructure supporting our power grids should reflect this risk.

NERC CIP regulations are important, but it is important that the spirit of the regulations are what people strive for; protecting IT assets from attack. Achieving compliance isn’t the goal, but a guideline for ways to improve security in our critical infrastructure. Reactive systems that do not protect against custom, targeted attacks simply won’t cut it in this environment. Whether it is in the network or on the endpoint our systems need to be hardened to withstand an attack we have never seen before and that we don’t expect.

I have written about this numerous times and one of my articles was recently re-published in the Electric Light & Power Transmission & Distribution (T&D) newsletter. The key for people to remember is that in this environment patching and cleaning up infection simply isn’t enough.

This week, I want to speak more specifically about using application whitelisting to both meet the letter and the spirit of NERC CIP-007 compliance requirements. This is an area where application whitelisting is gaining significant momentum as a supplement or alternative to traditional blacklist antivirus. There are many reasons why the energy industry is ahead of the general curve in adopting whitelisting technologies.

• The government has mandated protection of critical infrastructure against malware and other cyber attacks
• The outcome from a failure of these critical systems could be catastrophic
• It is recognized that not only does traditional anti-virus fail to stop the threat, but its performance impact is significant enough to cause other problems
• Continual updating and patching of security systems is unfeasible for many control systems that are connected to the Internet

Our many customers in the energy industry recognize the ability of application whitelisting to not only address the deficiencies of antivirus, but also to provide security to their critical infrastructure significantly beyond checkbox NERC CIP compliance requirements.

Contributing to industry awareness are recent papers released by industry thought leaders. Paul J. Feldman, Chairman of the Midwest ISO Independent Director of Western Electricity Reliability Council (WECC), followed a recent paper titled “5 Questions the Board Should Ask About NERC CIP Plans” with a new whitepaper he co-authored with Matthew E. Luallen, 
Co-Founder, Encari, “Malicious Software Prevention for Complying with NERC CIP-007 Requirements”.

The first paper addresses key considerations for companies moving to comply with NERC requirements and how they can meet the intent of the regulation and calls out the purpose behind the regulation.

Presidential (US) directive PDD-63 of May 1998 set up a national program of Critical Infrastructure Protection (CIP). The Bulk Electric System is part of the critical national infrastructure. The NERC CIP Standards relate to the national effort, and the traditional efforts of energy companies to protect assets from cascading large scale failures.

The second deals specifically with how application whitelisting meets CIP-007-R3, Security Patch Management, and CIP-007-R4, Malicious Software Prevention compliance requirements and how it assists in meeting CIP-003-R6 and CIP-007-R6. The conclusions are compelling.

Application whitelisting takes the traditional antivirus approach and turns it 180 degrees. Rather than maintaining an exponentially enlarging blacklist of known malicious software, this new and powerful technology enforces a relatively small whitelist of the authorized applications for each computer. By ensuring that only approved applications can execute, application whitelisting automatically eliminates all unauthorized applications – including even unknown malware. This approach meets the actual intention of the NERC CIP requirements: preventing all unauthorized applications from executing on Critical Cyber Assets.

If you are responsible for NERC CIP compliance you should be giving serious consideration to application whitelisting to meet many of the key requirements of the regulation.

The culprit? Unauthorized code on their servers resulted in the exposure of the credit card data. Despite the protections employed to protect the card data on servers, they were done in by simple malware on a system in their infrastructure.

The exposure experienced by Network Solutions is not unique. One of the greatest threats to any company connected to the Internet is the prevalence of malware and the number of systems that belong to botnets. We recently blogged about two botnets formed by the new clampi trojan and the older conficker malware. Unfortunately, traditional blacklist antivirus technology is no longer capable of preventing infection and standards that target the protection of critical assets ought to take that into account.

To that extent, I would like to contrast the two requirements mandating system security in PCI DSS relative to those in NERC CIP. NERC CIP requirements calls for security that can detect, prevent, deter, and mitigate malware. The actual R4 requirement from NERC-CIP 007 is shown here:

• R4. Malicious Software Prevention – The Responsible Entity shall use antivirus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
• R4.1. The Responsible Entity shall document and implement antivirus and malware prevention tools. In the case where antivirus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
• R4.2. The Responsible Entity shall document and implement a process for the update of antivirus and malware prevention “signatures.” The process must address testing and installing the signatures.

PCI on the other hand does not have this granularity and focuses instead solely on the use of antivirus. Here is the relevant PCI requirement mandating the use of antivirus:

• 5.1. Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
• 5.1.1. Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious software.
• 5.2. Ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs.

The security of the systems in an organization’s IT infrastructure remains one of the greatest challenges to providing strong security. Application whitelisting’s purpose in life is to prevent unauthorized code from residing on critical assets. It’s time for organizations to start thinking about how they can proactively protect these devices instead of simply providing a checkbox for antivirus. Let us know what you think in the poll above.