Title :
Whitelist malware defense for embedded control system devices
Author :
Josh Powers;Rhett Smith;Zafer Korkmaz;Husam Ahmed
Author_Institution :
Schweitzer Engineering Laboratories, Inc., Pullman, WA 99163 USA
Abstract :
Malware protection is a necessity for any electric device in modern critical infrastructure. We must all protect our critical cyber assets with antivirus, as North American Electric Reliability Corporation (NERC) CIP-007 R4 states, but more broadly, we must protect our assets from malicious code infection regardless of whether they are identified as critical assets or not. Embedded devices and traditional personal computer devices should both be protected. The Stuxnet worm demonstrated that air gaps and unplugged devices are not immune from infection. We must engineer devices and systems to protect against the impact of malware. Traditionally, this protection was accomplished by using blacklist technology, where the technology watched for known bad code and blocked it. This resulted in a race to update malware protection technology when new threats were discovered, before infection happened. With malware statistics topping 83 million pieces of code, based on the August 2014 McAfee Labs Threats Report, and growing every day, the administrative task is impossible to keep up with. This design can also place an excessive burden on processors, slowing computations and communications. New malware protection technology is designed using a whitelist architecture that only allows known good code to execute on the device. This simplifies administrative overhead because new updates are not needed when new malware is released. A control system environment is built with application-specific devices that are set to accomplish one or more tasks and left alone to continue accomplishing the same tasks for many years, setting a perfect stage for whitelist malware protection technology. This paper investigates the benefits that whitelist malware protection provides at the application layer (similar to existing anti-malware technology) and explains why embedded devices need architecture-specific malware protection.
The paper shows that correctly combining malware protection and embedded architecture improves the reliability and cost of ownership of the whole system. The paper also highlights the enhanced security that whitelist malware protection provides over traditional solutions and how these principles apply to computers and embedded devices. The paper shows how whitelist malware protection meets and exceeds the NERC CIP requirements in Versions 3 and 5.
Keywords :
"Malware","Control systems","Computer security","Reliability","Power system stability"
Conference_Title :
Smart Grid (SASG), 2015 Saudi Arabia
DOI :
10.1109/SASG.2015.7449271