Application whitelisting products are creating the biggest buzz amongst technical security controls in DCS and SCADA security. But in many cases it may be too much buzz and a little less reality. S4 2012 had two presentations that looked at the effectiveness of application whitelisting.
First, Sebastian Obermeier and the team at ABB Corporate Research put three application whitelisting products to the test in a number of attack scenarios. Sebastian goes over the results and shows attacks that circumvented the application whitelisting.
What was even more interesting was that the three solutions varied in effectiveness. He goes over in detail the attacks that succeeded, and in some cases how one of the three products managed to stop an attack where the other two failed. Part of this is due to other capabilities bundled into the application whitelisting solution rather than the whitelist itself.
[vimeo 35966889 w=500&h=331]
Even with the whitelisting failures, Sebastian stated that application whitelisting enhances security, and ABB is moving forward with its integration into ABB ICS products.
The second application whitelisting presentation is from Andrew Ginter.
[vimeo 36055461 w=500&h=331]
Andrew focused on scripting attacks that take advantage of a code interpreter, which the whitelist has to allow to run, with some examples in the venerable Tcl. I found his comments on application whitelisting and Stuxnet towards the end of the presentation quite interesting. To paraphrase, application whitelisting would have stopped Stuxnet only because the Stuxnet authors knew application whitelisting was not used. Had it been in use, they would have found a way to circumvent it and succeed, given their motivation and skill level.
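To make the interpreter problem concrete, here is a small added model of the two whitelisting approaches. It is not code from Andrew's talk, from the ABB tests, or from any whitelisting product: the "files" are constructed byte strings standing in for on-disk images, the paths are hypothetical, and tclsh is used only because the talk used Tcl. The image-only policy approves a program purely by the hash of its executable, so once the interpreter is on the list every script it is handed inherits that approval; the interpreter-aware policy moves the decision to the script.

```python
"""Toy model of an executable-hash whitelist and of the interpreter gap.

Added illustration for this post, not code from either S4 talk or from
any product.  FILES is a constructed stand-in for a host filesystem.
"""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for files on an HMI host (path -> content bytes).
FILES: Dict[str, bytes] = {
    "/usr/bin/tclsh": b"ELF stand-in for the Tcl interpreter",
    "/opt/hmi/hmi.exe": b"ELF stand-in for the HMI application",
    "/opt/hmi/startup.tcl": b'puts "HMI startup script"',
    "/tmp/payload.tcl": b'exec sh -c "cat /opt/hmi/config"',   # attacker-dropped script
    "/tmp/dropper.exe": b"ELF stand-in for an unknown binary",  # attacker-dropped binary
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ImageWhitelist:
    """Classic whitelist: run iff the hash of the program image is on the list."""

    def __init__(self, allowed_paths: List[str]) -> None:
        self.allowed: Set[str] = {sha256(FILES[p]) for p in allowed_paths}

    def check(self, argv: List[str]) -> Tuple[bool, str]:
        image = FILES.get(argv[0])
        if image is None:
            return False, "image not found"
        if sha256(image) in self.allowed:
            return True, "image hash is whitelisted"
        return False, "image hash not whitelisted"


class InterpreterAwareWhitelist(ImageWhitelist):
    """Same image check, plus: a whitelisted interpreter may only run whitelisted scripts."""

    def __init__(self, allowed_paths: List[str], interpreters: List[str],
                 allowed_scripts: List[str]) -> None:
        super().__init__(allowed_paths)
        self.interpreters: Set[str] = set(interpreters)
        self.allowed_scripts: Set[str] = {sha256(FILES[p]) for p in allowed_scripts}

    def check(self, argv: List[str]) -> Tuple[bool, str]:
        ok, why = super().check(argv)
        if not ok or argv[0] not in self.interpreters:
            return ok, why
        # The interpreter image is trusted, so the decision has to move to the script.
        if len(argv) < 2:
            return False, "interpreter without a script file (stdin/interactive) refused"
        script = FILES.get(argv[1])
        if script is None or sha256(script) not in self.allowed_scripts:
            return False, "script not whitelisted"
        return True, "interpreter and script both whitelisted"


# Constructed process-launch attempts: name -> argv.
SCENARIOS: Dict[str, List[str]] = {
    "hmi": ["/opt/hmi/hmi.exe"],
    "dropper": ["/tmp/dropper.exe"],
    "startup_script": ["/usr/bin/tclsh", "/opt/hmi/startup.tcl"],
    "payload_script": ["/usr/bin/tclsh", "/tmp/payload.tcl"],
    "interactive": ["/usr/bin/tclsh"],
}


def image_only_policy() -> ImageWhitelist:
    return ImageWhitelist(["/usr/bin/tclsh", "/opt/hmi/hmi.exe"])


def interpreter_aware_policy() -> InterpreterAwareWhitelist:
    return InterpreterAwareWhitelist(
        ["/usr/bin/tclsh", "/opt/hmi/hmi.exe"],
        interpreters=["/usr/bin/tclsh"],
        allowed_scripts=["/opt/hmi/startup.tcl"],
    )


def evaluate(policy: ImageWhitelist) -> Dict[str, bool]:
    """Allow/deny verdict for every scenario under the given policy."""
    return {name: policy.check(argv)[0] for name, argv in SCENARIOS.items()}


if __name__ == "__main__":
    for label, policy in (("image-only", image_only_policy()),
                          ("interpreter-aware", interpreter_aware_policy())):
        print(label)
        for name, argv in SCENARIOS.items():
            ok, why = policy.check(argv)
            print(f"  {name:15s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The image-only policy blocks the dropped binary but waves the dropped Tcl script through, which is the class of attack Andrew described. The interpreter-aware policy closes that case, but notice what it had to do: refuse the bare interpreter outright, because code fed over stdin or typed interactively has no file hash to check. A real product that refuses that breaks legitimate use, and one that allows it has reopened the gap; code loaded into an already-whitelisted process (plugins, libraries, in-memory payloads) raises the same question. Where each product draws these lines is a large part of why the three solutions in the ABB tests behaved so differently.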