What is Application Control?
Application Control is a security measure that manages, restricts or blocks the use of software and applications on systems based on predefined rules. In OT environments, Application Control helps to block unauthorised, untrusted or malicious software on systems such as HMIs, Engineering Stations and SCADA servers.
Application Control protects against malware, ransomware and unwanted software without relying on manual updates or antivirus detection.
🧠 How does Application Control work?
- Whitelisting
  - Only pre-approved applications are allowed to run
  - Anything unknown or unauthorised is blocked by default
- Blacklisting
  - Specific applications (e.g. BitTorrent, games, unknown tools) are explicitly forbidden
- Greylist (monitor-only)
  - Unknown applications are not blocked, but logged for analysis
- Application control at user level
  - Control based on user permissions via Active Directory, RADIUS, RBAC or ABAC
- Context-aware filtering
  - Access depends on time, location, device or session type
🏭 Use in an OT context
| OT component | Security risk | Application Control option |
|---|---|---|
| Engineering Station | Installation of unsafe software | Whitelist only PLC programming tools |
| HMI | Unwanted software via USB | USB lockdown + only approved executables |
| Historian | External scripts or tools | Allow only database-related processes |
| SCADA | Remote code execution via unknown apps | Allow only runtime and communication processes |
Application Control is a particularly powerful layer of defence in environments with legacy systems and limited patching options.
🔐 Benefits
- Protection against unknown malware (including zero-days)
- Reduces the attack surface available to insiders or attackers
- Improves system stability through strict control
- Part of a Defense in Depth strategy
⚠️ Considerations
- Requires an initial inventory of all legitimate applications
- Updates to approved software require management (hash, path, certificate)
- Can cause operational disruption if settings are too strict
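The whitelist, blacklist and monitor-only modes described under "How does Application Control work?", and the hash/path maintenance point above, can be seen together in a small policy evaluator. This is an added example, not code from any Application Control product; the `Policy` fields, file paths and sample bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

@dataclass
class Policy:
    mode: str = "enforce"                              # "enforce" = whitelist, "monitor" = greylist
    allowed_hashes: set = field(default_factory=set)   # SHA-256 of approved binaries
    allowed_dirs: tuple = ()                           # approved install directories (path rule)
    denied_names: set = field(default_factory=set)     # blacklist by file name

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def decide(policy: Policy, path: str, content: bytes):
    """Return (action, reason); action is 'allow', 'block' or 'log'."""
    p = PureWindowsPath(path)
    if p.name.lower() in policy.denied_names:
        return ("block", "blacklisted name")           # blacklist wins in every mode
    if sha256(content) in policy.allowed_hashes:
        return ("allow", "hash rule")
    # Path rules survive vendor updates but trust anything written to that directory.
    if ".." not in p.parts and any(p.is_relative_to(d) for d in policy.allowed_dirs):
        return ("allow", "path rule")
    if policy.mode == "monitor":
        return ("log", "unknown, monitor-only")        # greylist: record, do not block
    return ("block", "unknown, default deny")

def demo(mode: str):
    tool_v1 = b"constructed bytes: PLC programming tool v1"
    tool_v2 = b"constructed bytes: PLC programming tool v2"   # same tool after an update
    policy = Policy(mode=mode,
                    allowed_hashes={sha256(tool_v1)},
                    allowed_dirs=(r"C:\Program Files\PlcVendor",),
                    denied_names={"bittorrent.exe"})
    events = [  # constructed execution attempts on an engineering station
        (r"C:\Eng\plctool.exe", tool_v1),
        (r"C:\Eng\plctool.exe", tool_v2),              # hash changed: needs re-approval
        (r"C:\Program Files\PlcVendor\runtime.exe", b"constructed runtime"),
        (r"E:\usb\unknown.exe", b"constructed unknown tool"),
        (r"C:\Program Files\PlcVendor\BitTorrent.exe", b"constructed"),
    ]
    return [decide(policy, path, data)[0] for path, data in events]

if __name__ == "__main__":
    for mode in ("enforce", "monitor"):
        print(mode, demo(mode))
```

Running a new policy in monitor mode first shows which legitimate binaries, such as the updated tool here, would have been blocked before enforcement is switched on.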
✅ Best practices
- Combine with patch management and EDR
- Integrate with SIEM or logging for monitoring
- Use together with Whitelisting and Least Privilege principles
- Manage centrally through Group Policy, Active Directory or dedicated tooling
📌 In summary
Application Control provides strong protection in industrial environments by allowing only approved applications to run. This prevents unwanted software execution, improves system integrity and supports compliance with IEC 62443 and ISO 27001.
