What is Software Whitelisting?
Software Whitelisting is a security measure under which only approved software is allowed to run on a system. Anything not explicitly permitted is blocked by default.
In industrial environments this protects against malware, unauthorised tools and human error, even where antivirus or patching is not feasible.

🧠 Why is Software Whitelisting important in OT?

| Risk without whitelisting | Consequence |
|---|---|
| Malware or ransomware via USB | Malicious .exe or scripts run directly on an Engineering Station |
| Shadow IT on SCADA workstations | Uncontrolled tools affect real-time processes |
| Zero-day attacks | Malware without an AV signature is executed |
| Misuse of legitimate tools | Living Off The Land (e.g. PowerShell, WMI, TeamViewer) becomes possible |

🔧 How does Software Whitelisting work?

- Inventory – Determine which software is legitimate per OT system
- Whitelist creation – Based on hash, file location, or publisher
- Policy enforcement – Only approved processes may start
- Monitoring – Log and block attempts to run anything that is not allowed

🚧 Technical approaches

| Method | Pros and cons |
|---|---|
| Hash-based | Very accurate, but sensitive to updates |
| Path-based | Simple, but more vulnerable to bypass |
| Publisher-based | Flexible during updates, requires Code Signing |
| Combination | Best practice: multiple layers for optimal control |
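The four steps above (inventory, whitelist creation, policy enforcement, monitoring) and the three rule types in the table, worked through in one added Python example. This is not code from the page or from any whitelisting product: it builds a constructed file tree in a temporary directory, fingerprints it, and then evaluates process-start requests against hash, path and publisher rules in audit or enforce mode. The `Runtime.exe` and `tool.exe` files, the `signer` lookup table standing in for a real code-signing (Authenticode) check, and the rule classes are all assumptions made for illustration.

```python
"""Toy application-whitelist engine covering inventory, rule creation,
enforcement and monitoring. Added example: not a real product's code.
Files, publisher names and rule classes are constructed for illustration;
the 'signer' lookup stands in for a real code-signing (Authenticode) check."""
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Fingerprint a binary by its contents (used for inventory and hash rules)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_inventory(root: Path) -> dict[Path, str]:
    """Step 1, inventory: every file under root with its SHA-256, the baseline to approve."""
    return {p: sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


@dataclass(frozen=True)
class HashRule:
    """Step 2, hash-based: exact contents only; any update changes the hash."""
    sha256: str

    def matches(self, path: Path, signer: str | None) -> bool:
        return sha256_of(path) == self.sha256


@dataclass(frozen=True)
class PathRule:
    """Step 2, path-based: anything under the directory passes, contents unchecked."""
    directory: Path

    def matches(self, path: Path, signer: str | None) -> bool:
        return path.resolve().is_relative_to(self.directory.resolve())


@dataclass(frozen=True)
class PublisherRule:
    """Step 2, publisher-based: survives updates as long as the signer is the same."""
    publisher: str

    def matches(self, path: Path, signer: str | None) -> bool:
        return signer is not None and signer == self.publisher


@dataclass
class Policy:
    rules: list
    mode: str = "audit"                 # "audit" logs only; "enforce" blocks
    log: list[str] = field(default_factory=list)

    def evaluate(self, path: Path, signer: str | None = None) -> str:
        """Steps 3 and 4: decide whether a process may start and record the outcome."""
        hit = next((r for r in self.rules if r.matches(path, signer)), None)
        if hit is not None:
            verdict = "ALLOWED"
        elif self.mode == "audit":
            verdict = "AUDIT"           # would be blocked in enforce mode; runs, but is logged
        else:
            verdict = "BLOCKED"
        self.log.append(f"{verdict} {path} rule={type(hit).__name__ if hit else 'none'}")
        return verdict


def demo() -> dict[str, str]:
    """Walk through the rule types against a constructed engineering-station tree."""
    root = Path(tempfile.mkdtemp())
    vendor = root / "Vendor"
    vendor.mkdir()
    runtime = vendor / "Runtime.exe"
    runtime.write_bytes(b"runtime v1")          # constructed stand-in for a vendor binary
    signer = {runtime: "OT Vendor Ltd"}         # constructed stand-in for signature verification

    policy = Policy(rules=[HashRule(build_inventory(root)[runtime])], mode="enforce")
    out = {"hash_v1": policy.evaluate(runtime, signer.get(runtime))}

    runtime.write_bytes(b"runtime v2")          # vendor update: same file, new hash
    out["hash_after_update"] = policy.evaluate(runtime, signer.get(runtime))

    policy.rules.append(PublisherRule("OT Vendor Ltd"))
    out["publisher_after_update"] = policy.evaluate(runtime, signer.get(runtime))

    unknown = vendor / "tool.exe"
    unknown.write_bytes(b"not in inventory, unsigned")
    out["unknown_enforce"] = policy.evaluate(unknown, signer.get(unknown))
    out["unknown_audit"] = Policy(rules=list(policy.rules), mode="audit").evaluate(unknown)
    # A path rule never looks at contents, which is why the table calls it easier to bypass.
    out["path_rule_unknown"] = Policy(rules=[PathRule(vendor)], mode="enforce").evaluate(unknown)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>24}: {v}")
```

Running `demo()` shows the trade-offs from the table in one pass: the hash rule allows the binary, then stops matching after the update; the publisher rule keeps allowing it; the unknown file is blocked in enforce mode but only logged in audit mode; and the path rule allows the unknown file simply because of where it sits. In a real deployment the `signer` lookup is replaced by signature verification, and the `log` list by the endpoint agent's event log feeding a SIEM.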

🎯 OT applications

| System | Allowed software |
|---|---|
| HMI | Runtime only, logging tools, vendor drivers if needed |
| Historian | Database engine, connector software, logging agents |
| Engineering Station | Vendor IDE only, no browsers or file explorers |
| SCADA servers | Control software, monitoring tools, no word processors |

✅ Best practices

- Start in audit mode: log everything that runs first
- Work with operations to add exceptions safely
- Combine with USB Control to prevent software from being smuggled in
- Review whitelists periodically or in response to a MOC (Management of Change)
- Monitor via SIEM, EDR, or endpoint agents (e.g. AppLocker, McAfee, Carbon Black)
- Combine with patch management and Code Signing for completeness
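"Start in audit mode" and "monitor via SIEM" in practice: an added Python example, not from the page or from Microsoft, that turns audit-mode events into a review list for operations. The sample events are constructed and use a simplified CSV shape rather than the real AppLocker event XML; the event IDs themselves are the real ones from the AppLocker "EXE and DLL" log (8002 allowed, 8003 would have been blocked in audit mode, 8004 blocked). Host names, users and file paths are made up.

```python
"""Summarise audit-mode whitelist events into a review list. Added example.
The CSV below is constructed and simplified; real AppLocker events are XML
with more fields. The event IDs are the real AppLocker ones."""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO

ALLOWED, AUDIT_WOULD_BLOCK, BLOCKED = "8002", "8003", "8004"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = r"""time,event_id,host,user,file
2024-05-01T08:00:01,8002,ENG-01,op1,C:\Vendor\Runtime.exe
2024-05-01T08:03:12,8003,ENG-01,op1,C:\Temp\remote_tool.exe
2024-05-01T08:05:44,8003,ENG-01,op2,C:\Temp\remote_tool.exe
2024-05-01T08:07:10,8003,HMI-02,op3,D:\Tools\calibrate.exe
2024-05-01T08:09:00,8004,HMI-02,op3,E:\autorun.exe
2024-05-01T08:12:30,8003,ENG-01,op1,C:\Temp\remote_tool.exe
"""


def parse_events(text: str) -> list[dict[str, str]]:
    """Read the simplified CSV export into one dict per event."""
    return list(csv.DictReader(StringIO(text)))


def audit_report(events: list[dict[str, str]]) -> dict:
    """Group 8003 events by file (what would break if enforcement were switched on)
    and list 8004 events separately (something already ran into an enforced rule)."""
    counts: dict[str, int] = defaultdict(int)
    hosts: dict[str, set[str]] = defaultdict(set)
    blocked: list[tuple[str, str, str]] = []
    for e in events:
        if e["event_id"] == AUDIT_WOULD_BLOCK:
            counts[e["file"]] += 1
            hosts[e["file"]].add(e["host"])
        elif e["event_id"] == BLOCKED:
            blocked.append((e["host"], e["user"], e["file"]))
    # Most frequent first: these are the exceptions to discuss with operations.
    candidates = sorted(
        ({"file": f, "events": n, "hosts": sorted(hosts[f])} for f, n in counts.items()),
        key=lambda c: (-c["events"], c["file"]),
    )
    return {"review_candidates": candidates, "blocked": blocked}


if __name__ == "__main__":
    report = audit_report(parse_events(SAMPLE_EVENTS))
    for c in report["review_candidates"]:
        print(f"review: {c['file']} ({c['events']} events on {', '.join(c['hosts'])})")
    for host, user, path in report["blocked"]:
        print(f"blocked: {path} by {user} on {host}")
```

Each review candidate is a decision for the MOC process: add a rule (hash, publisher or path, depending on how the file is maintained), or confirm it should stay blocked. The 8004 entries are the ones worth raising with the SOC, since in this sample the blocked file came from a removable drive, which is exactly what the USB-control recommendation above is meant to catch.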

📌 In summary

Software Whitelisting is a powerful defensive measure in static OT environments. It prevents unknown or unwanted software from being executed at all — an effective barrier against modern attacks.
