Whitepaper Abstract Securing our nation's critical power infrastructure has never been more important. Utilities systems are vulnerable to cyber threats, which can be malicious attacks from hackers or terrorists, as well as unintentional damage done by employees. In response, industry regulators have implemented a number of regulations and standards to address these weaknesses and ensure the continued safe and reliable generation of electricity. This NetSpi whitepaper discusses the options — including application whitelisting — that are available to harden critical systems and meet key regulatory requirements. In particular, the paper identifies options for addressing NERC Critical Infrastructure Protection standards CIP-002 through CIP-009.

1. White Paper
Hardening Critical Systems at Electrical Utilities
Meeting Regulatory Requirements Through Endpoint Controls
Ryan Wakeham
Senior Security Consultant, NetSPI
The electrical industry addresses cyber security
Securing our nation’s critical power infrastructure has never been more
important. Electrical power utilities generate and distribute the energy that
is needed to drive the economy, as well as daily life, in modern America.
However, these utilities depend on networks of aging systems and devices and
are therefore vulnerable to cyber threats, which can be malicious attacks from Utilities depend on networks
hackers or terrorists, as well as unintentional damage done by employees. of aging systems and
In response to the risks posed by insufficient cyber security controls, industry devices and are therefore
regulators and organizations such as the Federal Energy Regulatory
Commission (FERC), the North American Electric Reliability Corporation vulnerable to cyber threats,
(NERC), the Nuclear Regulatory Commission (NRC), and the Nuclear Energy which can be malicious
Institute (NEI) have implemented a number of regulations and standards to
address these weakness and ensure the continued safe and reliable generation attacks from hackers
of electricity. In particular, the NERC Critical Infrastructure Protection standards
CIP-002 through CIP-009 provide a cyber security framework for non-nuclear or terrorists, as well as
facilities. These standards require critical cyber asset identification, in additional unintentional damage done
to certain physical, logical, and administrative controls.
by employees.
Regulatory requirements
The key systems that utilities typically identify as critical cyber assets
include servers and workstations in process or SCADA environments. These
environments are central to the efficient generation and distribution of power;
therefore, the servers and workstations that operate in concert with digital
devices throughout power plants and the electrical grid must be available and
functioning properly around the clock. The need for high availability in these
systems, combined with the fact that they run proprietary software applications,
means that they are rarely protected by controls such as security patches and
anti-malware programs that are often taken for granted in other environments.
continued on next page
www.netspi.com
612-465-8880

2. White Paper
Hardening Critical Systems at Electrical Utilities
The NERC CIPs apply a number of requirements to these sorts of systems.
For example, the CIPs require configuration hardening (CIP-007 R2), patch
management or compensating controls (CIP-007 R3), anti-malware controls
(CIP-007 R4), and security monitoring and logging (CIP-007 R6). Because
process and SCADA servers and workstations are often not suited to more
conventional controls, electrical utilities may find it difficult to fulfill these
requirements in an appropriate way. However, a relatively new set of solutions,
dubbed “endpoint security” or “endpoint control,” shows great promise in
helping utilities to meet these requirements laid out in the NERC CIPs.
The whitelist approach
What is endpoint control?
adheres to the fundamental
While the term “endpoint control” may mean different things to different people, security tenet of denying by
endpoint control products generally provide administrators with more granular
control over the systems for which they are responsible. The first generation of default all applications and
these products includes anti-malware scanners, host-based firewalls, and other
processes except those
host-based software that can be configured to control access to removable
media and the network. The second generation increases the abilities of that have been granted
administrators to control the activities occurring on endpoint systems through
the use of technologies such as application and process whitelisting. explicit permission to run.
A first-generation control product such as an anti-malware scanner relies on
signature matching with a blacklist or else uses heuristic-based guessing to
determine if an application or process should be allowed to run. By contrast,
the whitelist approach adheres to the fundamental security tenet of denying
by default all applications and processes except those that have been granted
explicit permission to run. This approach both eliminates the chance that an
unknown or unidentified process will be run and also gives administrators
the capability to control processes at a much more granular level than was
previously possible.
continued on next page
www.netspi.com
612-465-8880

3. White Paper
Hardening Critical Systems at Electrical Utilities
Endpoint control in process environments
Endpoint control products can provide significant benefits when implemented
in process systems. For one thing, process environments are fairly static,
with servers and workstations running only a limited number of pre-defined
applications and services. In such an environment, endpoint control solutions
that use application whitelisting can prevent unauthorized applications from
ever executing.
If properly implemented, this level of control can protect these critical systems Application whitelisting
from threats that originate at the network, that may be introduced by removable
media, or that are already resident on the system. Additionally, application can eliminate the need for
whitelisting can eliminate the need for security patching because potential security patching because
malware or exploits are prevented from ever running. This reduces the
administrative burden of applying security patches and also minimizes the potential malware or
downtime of these critical systems. Finally, because no full-system malware
scans ever need to be performed, a properly designed whitelisting solution has exploits are prevented from
the potential to minimize the negative impact on system performance. ever running.
Of course, endpoint control solutions are just one piece in a multi-layer
defensive strategy. An endpoint control solution will be unable to directly provide
additional security to digital devices such as programmable logic controllers
(PLCs) and remote terminal units (RTUs). These PLCs and RTUs, which rarely
have security controls more sophisticated than a password, are abundant in
process networks, including within power plants and across the bulk power grid.
In light of this reality, other logical controls, such as network segmentation and
firewalls, should be deployed in addition to endpoint control solutions.
continued on next page
www.netspi.com
612-465-8880

4. White Paper
Hardening Critical Systems at Electrical Utilities
What to look for in an application whitelisting solution
As with any security product, the effectiveness with which the solution performs
its task is the critical deciding factor. The most effective whitelisting solutions
need to operate at the kernel level of the operating system in order to ensure
that they cannot be undermined. This should give the additional advantage of
allowing the solution to monitor and manage network-level activity.
Finally, no matter how well a security solution may enforce controls, it will
not be completely effective if it is difficult to manage over a potentially large The most effective
environment; for administrators, the management features of the solution
are just as important as the security controls that it provides. These features whitelisting solutions need
should include the ability to configure multiple hosts as a group and apply to operate at the kernel
policies remotely, as well as provide monitoring, logging, alerting, and reporting
features. level of the operating
The whitelisting software that meets both the security and the management system in order to ensure
requirements fills an important need for endpoint control that supports that they cannot be
regulatory requirements in electric utilities.
undermined.
The table on the following page maps several NERC CIP requirements to
important features of an application whitelisting solution.
continued on next page
www.netspi.com
612-465-8880

5. White Paper
Hardening Critical Systems at Electrical Utilities
Requirement Applicable Excerpt Whitelisting Solution Feature
CIP-007-R2 The Responsible Entity shall Network-level controls,
establish and document a based on integration with
process to ensure that only those the operating system kernel,
ports and services required can act as a firewall and
for normal and emergency prevent communication over
operations are enabled. unauthorized ports or protocols.
CIP-007-R3.2 The Responsible Entity shall Application whitelisting solutions
document the implementation can act as a compensating
of security patches. In any control on unpatched systems No matter how well a
case where the patch is not because they prevent illicit
installed, the Responsible Entity activities such as the execution security solution may
shall document compensating of unauthorized code and the
enforce controls, it will not
measure(s) applied to mitigate exploitation of network services.
risk exposure or an acceptance be completely effective
of risk.
CIP-007-R4 The Responsible Entity shall Application whitelisting can if it is difficult to manage
use anti-virus software and other prevent any malware, known
malicious software (“malware”) or unknown, from running on over a potentially large
prevention tools, where protected systems. Additionally,
environment.
technically feasible, to detect, this solution provides superior
prevent, deter, and mitigate performance compared to
the introduction, exposure, blacklisting solutions.
and propagation of malware
on all Cyber Assets within the
Electronic Security Perimeter(s).
CIP-007-R6 The Responsible Entity shall Solutions should support
ensure that all Cyber Assets management requirements,
within the Electronic Security which include the ability to
Perimeter, as technically monitor, log, alert, and report on
feasible, implement automated status and events.
tools or organizational process
controls to monitor system
events that are related to cyber
security.
www.netspi.com
612-465-8880