202 CHAPTER 8 Exception, Anomaly, and Threat Detection

is capable of looking at device metrics across the entire network. Depending upon the specific monitoring product used, the whitelist might be built through the use of a defined system variable (much like the generation of enclave-specific variables in firewalls and IDS/IPS devices, as discussed in Chapter 7, "Establishing Secure Enclaves"), configurable data dictionaries, manually scripted detection signatures, etc.

Application Behavior Whitelists

Applications themselves can be whitelisted per host using an AWL product. However, application behavior can also be whitelisted within the network. As with asset whitelisting, application behavior whitelists need to be defined so that good behavior can be differentiated from bad behavior. Like asset whitelists, application behavior whitelists can be utilized by a central monitoring and management system by defining a variable of some sort within a Log Management or a SIEM system. However, because of the nature of industrial network protocols, many application behaviors can be determined directly by monitoring those protocols and decoding them in order to determine the underlying function codes and commands being executed (see Chapter 4, "Industrial Network Protocols"). This allows for in-line whitelisting of industrial application behavior in addition to the network-wide whitelisting offered by a Log Management or SIEM system. If in-line whitelisting is used, via an industrial security appliance or application monitor, network whitelisting may still be beneficial for assessing application behavior outside of industrial control systems (i.e., for enterprise applications and SCADA applications that do not utilize industrial protocols).

Some examples of application behavior whitelisting in industrial networks are as follows:

- Only read-only function codes are allowed.
- Master PDUs or datagrams are only allowed from predefined assets.
- Only specifically defined function codes are allowed.

Some examples of application behavior whitelisting in enterprise networks are as follows:

- Only encrypted (HTTPS) web traffic is allowed, and only on port 443.
- Only POST commands are allowed for web form submissions.
- Human-Machine Interface (HMI) applications are only allowed on predefined hosts.

Some examples of application behavior whitelisting across both environments together are as follows:

- Write commands are only allowed in native fieldbus protocols and not over TCP/IP.
- HMI applications in supervisory networks are only allowed to use read functions over TCP/IP-based protocols.
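The in-line whitelisting described above, decoding an industrial protocol down to its function codes and comparing them against a list of known-good behavior, can be shown concretely for Modbus/TCP. The following is an added example written for this page; it is not code from the book or from any product it mentions. It parses the MBAP header and PDU of each client-to-server frame (the master PDU, captured toward TCP port 502) and enforces three of the rules listed above: master PDUs only from predefined assets, only specifically defined function codes, and read-only function codes for HMIs in the supervisory network. The host addresses, the policy, and the sample frames are constructed for illustration; the function code numbers are the public codes from the Modbus Application Protocol specification.

```python
"""Application-behavior whitelist for Modbus/TCP master requests.

Added example, not from the book: an in-line monitor decodes each
client->server Modbus/TCP frame down to its function code and checks it
against a whitelist of the kind the text describes. Host addresses and
sample frames are constructed for illustration.
"""
import struct
from dataclasses import dataclass, field

# Public function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
READ_ONLY_FUNCTIONS = {1, 2, 3, 4}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU function code that follows it."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field covers unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame ({len(payload) - 6})")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


@dataclass
class Verdict:
    allowed: bool
    reason: str


@dataclass
class BehaviorWhitelist:
    allowed_masters: set            # assets permitted to issue master PDUs at all
    allowed_functions: set          # function codes permitted from any master
    read_only_hosts: set = field(default_factory=set)  # supervisory hosts (HMIs)

    def check(self, src_ip: str, payload: bytes) -> Verdict:
        # Rule: master PDUs only from predefined assets.
        if src_ip not in self.allowed_masters:
            return Verdict(False, f"master PDU from undefined asset {src_ip}")
        # Anything the decoder cannot parse is not known-good behavior.
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            return Verdict(False, f"malformed Modbus/TCP frame: {exc}")
        fc = req.function_code
        name = FUNCTION_NAMES.get(fc, f"function {fc}")
        # Rule: only specifically defined function codes.
        if fc not in self.allowed_functions:
            return Verdict(False, f"{name} (fc {fc}) not whitelisted")
        # Rule: supervisory hosts may only use read functions over TCP/IP.
        if src_ip in self.read_only_hosts and fc not in READ_ONLY_FUNCTIONS:
            return Verdict(False, f"{name} (fc {fc}) is a write from read-only host {src_ip}")
        return Verdict(True, f"{name} (fc {fc}) from {src_ip} to unit {req.unit_id}")


# Constructed policy: an engineering workstation may write; the HMI may only read.
POLICY = BehaviorWhitelist(
    allowed_masters={"10.1.1.10", "10.1.1.20"},
    allowed_functions=READ_ONLY_FUNCTIONS | {6, 16},
    read_only_hosts={"10.1.1.10"},
)

# Constructed client->server frames as captured toward TCP port 502.
SAMPLE_TRAFFIC = [
    ("10.1.1.10", bytes.fromhex("00010000000601030000000a")),          # HMI: Read Holding Registers
    ("10.1.1.10", bytes.fromhex("0002000000060106001000ff")),          # HMI: Write Single Register
    ("10.1.1.20", bytes.fromhex("00030000000b0110001000020400010002")),  # workstation: Write Multiple Registers
    ("10.1.1.99", bytes.fromhex("000400000006010100000008")),          # unknown host: Read Coils
    ("10.1.1.20", bytes.fromhex("000500000006010800000000")),          # workstation: Diagnostics
    ("10.1.1.20", bytes.fromhex("00060000000901030000")),              # workstation: truncated frame
]


def run_sample() -> list:
    """Evaluate every constructed frame against POLICY and return the verdicts."""
    return [POLICY.check(src, frame) for src, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (src, _), verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        print("ALLOW" if verdict.allowed else "DENY ", src, verdict.reason)
```

The "write commands only in native fieldbus protocols, never over TCP/IP" rule from the combined list is the same policy with `allowed_functions` restricted to `READ_ONLY_FUNCTIONS` for every master. Note that the whitelist rejects a frame whose MBAP length does not match the bytes on the wire rather than guessing at it; an in-line monitor that tolerates malformed frames gives an attacker a way to slip a write past the decoder.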