What is Whitelisting?
Whitelisting is a security measure in which only explicitly approved applications, devices or network connections are allowed β anything not on the list is blocked by default.
In OT environments, whitelisting prevents unauthorised software, scripts or connections from gaining access to critical systems such as PLCs, SCADA or Engineering Stations.
π§ How does Whitelisting work?
- A positive list (whitelist) is created of:
- Permitted applications or processes
- Known MAC addresses or IP addresses
- Authorised network protocols and ports
- A security system blocks anything not explicitly allowed
- Whitelisting is applied at different layers:
- Application layer β only approved software may run
- Network layer β only approved communication is allowed
- USB devices β only registered sticks/mice are accepted
Whitelisting works on the βdeny-by-defaultβ principle β a fundamental building block of Zero Trust.
π Application of Whitelisting in industrial networks
- Only approved firmware on PLCs and Drives may be executed
- An Engineering Station only accepts specific engineering software versions
- An OT firewall allows traffic only between exactly defined IPs and ports
- USB whitelisting prevents the use of unauthorised storage media
- Application Whitelisting blocks malware or shadow IT in air-gapped environments
Whitelisting is often used in combination with Least Privilege and RBAC.
π Whitelisting vs. blacklisting
| Aspect | Whitelisting | Blacklisting |
|---|---|---|
| Permitted actions | Only those approved in advance | Everything except what is explicitly forbidden |
| Security level | High β preventive | Lower β reactive |
| Maintenance | Requires management and updating of the whitelist | Requires constant addition of new threats |
| Use in OT | Very suitable for predictable environments | More difficult against unknown threats |
π Security aspects
- Significantly reduces the attack surface
- Reduces the risk of ransomware and zero-day attacks
- Combine with anomaly detection, Firewall, EDR
- Use central tools for whitelist management (such as AppLocker, McAfee ENS, etc.)
- Regularly validate whether the whitelist is still up to date after updates and maintenance
Note: overly strict whitelisting without good management processes can disrupt production.
π In summary
Whitelisting is a powerful, preventive security measure in OT networks, ideal for stable and predictable environments. By only allowing approved communication and software, you prevent unwanted or malicious actions on critical systems.