What is Application Whitelisting?
Application Whitelisting (AWL) is a security measure that allows only explicitly approved software or processes to run on a system. Anything not on the whitelist is automatically blocked.
In OT, AWL is a powerful defence against malware, ransomware and unauthorised scripts on systems such as SCADA servers, HMIs and engineering stations, where the set of software that should ever run is small and changes rarely.
🧠 Why is AWL important in OT?
| Risk without whitelisting | Consequence |
|---|---|
| Malware via USB or updates | Malicious code runs unhindered; with AWL it is not on the list and never starts |
| Unauthorised tools or scripts | Shadow IT or exploit tooling active on production systems |
| New, unknown attacks (zero-day) | No AV signature = no blocking; AWL does not need a signature, only the absence of an allow rule |
| Misuse of legitimate tools (LOLbins) | PowerShell or WMI used for lateral movement; these are signed OS binaries, so they need explicit deny rules on top of the whitelist |
Many APTs and OT malware families (TRITON and Industroyer among them) drop their own executables onto engineering stations or SCADA hosts and also lean on legitimate tools that are already present. AWL stops the dropped executables outright; the legitimate tools remain on the whitelist unless you deny them explicitly or restrict them (AppLocker or WDAC enforcement, for example, puts PowerShell into Constrained Language Mode).
🧩 How does Application Whitelisting work?
| Step | Description |
|---|---|
| Inventory | Which applications are legitimate in the OT environment? |
| Build whitelist | Add only approved files/hashes/signatures to the policy |
| Enforce policy | Only whitelisted software runs; other executables are blocked |
| Logging and alerts | Attempts to execute non-approved software are logged |
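The four steps above, carried through end to end with AppLocker as an added example (this is not code from the original page): inventory the host, generate publisher and hash rules from it, deploy in audit mode, and read the events a SIEM forwarder would collect. It assumes a Windows host with the AppLocker module and an elevated session; the vendor directory `C:\Program Files\VendorSCADA` and the output path are hypothetical.

```powershell
# Added example, not from the original page: build an AppLocker whitelist for an OT host
# from an inventory of what is installed, deploy it in audit mode, and read the events a
# SIEM forwarder would collect. Assumes Windows with the AppLocker module and an elevated
# session; the vendor directory and output path are hypothetical.
#Requires -RunAsAdministrator

$InventoryDirs = @('C:\Program Files\VendorSCADA', "$env:windir\System32")  # assumed locations
$PolicyFile    = 'C:\OT\applocker-audit.xml'                                 # assumed path
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null

# Step 1, inventory: collect signature and hash information for every executable, DLL,
# script and installer that legitimately lives on the host.
$files = foreach ($dir in $InventoryDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# Step 2, build the whitelist: a publisher rule per signer (signed Windows and vendor
# binaries collapse into a handful of rules), a hash rule for every unsigned file.
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# Step 3, enforce, but in audit mode first: each rule collection logs what it *would*
# block (event 8003) without stopping anything, so the list can be tuned safely.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'     # switch to 'Enabled' once tuned
}
$policy.Save($PolicyFile)

# AppLocker evaluates nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyFile     # local policy; add -Ldap to target a GPO

# Step 4, logging and alerts: 8003 = would have been blocked (audit), 8004 = blocked
# (enforce). These are the events to forward to the SIEM.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Scripts and installers log to the separate `Microsoft-Windows-AppLocker/MSI and Script` channel, so forward both. Run the host through a full production cycle (start-up, shift change, backups, vendor maintenance) before flipping `EnforcementMode` to `Enabled`, otherwise the first 8004 you see will be a legitimate tool at the worst possible moment.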
🔧 Implementation methods
| Method | Explanation |
|---|---|
| Hash-based | Only exact file versions are allowed (tightest control), but every patch or vendor update requires regenerating the affected rules |
| Path-based | Only execution from approved locations; cheap to evaluate and update-tolerant, but only as strong as the file-system ACLs on that path: a user-writable subfolder turns the rule into a bypass |
| Publisher-based | Only software signed by trusted publishers; survives updates, but allows everything that signer ships unless product name and version range are pinned |
| Combinations supported | Balance between security and manageability: publisher rules where software is signed, hash rules for unsigned legacy binaries, path rules only for directories operators cannot write to |
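The three rule types side by side in one hand-written AppLocker rule collection, together with a deny rule for a whitelisted-but-abusable LOLbin and a dry run with `Test-AppLockerPolicy`. This is an added example, not from the original page; the publisher name, paths, SHA-256 value and rule GUIDs are placeholders, and the files named in the dry run must exist on the test host because AppLocker hashes and inspects them.

```powershell
# Added example, not from the original page: one Exe rule collection showing hash-, path- and
# publisher-based rules next to each other, plus a deny rule that overrides a broad allow.
# Publisher name, paths, hash and rule GUIDs are hypothetical placeholders.
$PolicyFile = 'C:\OT\applocker-methods.xml'   # assumed path
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">

    <!-- Publisher-based: anything the vendor signs, any product, any version. Survives
         vendor updates; narrow ProductName/version if the signer ships more than you need. -->
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Allow VendorSCADA (signed)"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=VENDORSCADA, L=ARNHEM, S=GELDERLAND, C=NL"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>

    <!-- Hash-based: one exact unsigned legacy tool. Tightest control, but the rule dies
         with the next update of that file (placeholder SHA-256 and length below). -->
    <FileHashRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow legacy ioconfig.exe"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="0x0000000000000000000000000000000000000000000000000000000000000000"
              SourceFileName="ioconfig.exe" SourceFileLength="0" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>

    <!-- Path-based: only from a directory operators cannot write to. A path rule on a
         user-writable folder (Downloads, ProgramData, C:\Windows\Temp) is a bypass, not a control. -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Allow vendor install dir"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\VendorSCADA\*" />
      </Conditions>
    </FilePathRule>

    <!-- Deny beats allow: PowerShell is Microsoft-signed, so a broad Microsoft publisher
         rule would let it run. Scope the SID to the operator group in practice. -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000004" Name="Deny PowerShell for operators"
        Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\*" />
      </Conditions>
    </FilePathRule>

  </RuleCollection>
</AppLockerPolicy>
'@
Set-Content -Path $PolicyFile -Value $policyXml -Encoding UTF8

# Dry run without deploying anything: the files must exist on the test host.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone -Path @(
    'C:\Program Files\VendorSCADA\Runtime.exe',                      # publisher or path rule
    'C:\Users\operator\Downloads\update.exe',                        # no rule: DeniedByDefault
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"     # explicit Deny
) | Select-Object FilePath, PolicyDecision, MatchingRule
```

`PolicyDecision` tells you which method matched and why the rest of the list is irrelevant: `DeniedByDefault` is the default-deny working as intended, an `Allowed` decision with a path rule as `MatchingRule` is the one to double-check against the ACLs of that directory.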
🛠️ Use in OT systems
| System | Whitelisting example |
|---|---|
| SCADA server | Only official vendor software, logging tools, drivers |
| Engineering Station | Only vendor-specific development environments, no browsers |
| HMI panel | Only runtime and logging tools, no Office or scripts |
| Historian | Only approved database services, no unknown connectors |
✅ Best practices
- Combine AWL with patch management and antivirus: AWL does not stop an exploit of a whitelisted application
- Apply default-deny: block everything except what is explicitly allowed
- Start in audit mode for initial logging and tuning, and only enforce after a full production cycle has run clean
- Forward audit and block events to a SIEM and alert on them; a blocked execution on an HMI is an incident, not noise
- Combine with USB control to prevent unapproved software being introduced in the first place
- Review the whitelist after system updates or MOC (management of change) processes, since updated binaries invalidate hash rules
⚠️ Considerations
| Challenge | Approach |
|---|---|
| Many software variants | Use publisher rules where software is signed and hash rules for the rest; avoid broad path rules as the shortcut |
| Legacy systems | Whitelist the unsigned legacy executables individually by hash rather than opening whole directories; document each as a known exception |
| Updates blocking themselves | Prefer publisher rules so a signed update from the same vendor stays allowed; for hash-ruled files, stage the update in audit mode, regenerate the hashes and re-enforce |
📌 In summary
Application Whitelisting blocks unauthorised software, including unknown (zero-day) malware for which antivirus has no signature, and reduces the impact of human error. It does not stop exploitation of software that is itself on the list, so it complements patching and antivirus rather than replacing them. In OT environments with little change, AWL is particularly effective and manageable.
