
Wonderware Conference. Schneider Electric confidential.

TSS-02
WSP 2014 R2 Whitelisting & Cyber Security Recommendations
Alicia Rantos, Principal Technical Support Engineer

Introduction: Alicia Rantos


Principal Technical Support Engineer, Global Customer Support (GCS) at Schneider Electric Software.
Project lead for GCS Training, GCS vCloud and GCS Cyber Security Lead, which includes liaison with R&D and other Schneider Electric entities.
Following training with the Department of Homeland Security via CSSP in 2014, Alicia obtained GICSP certification in 2015, and attends regular meetings with Cyber Security R&D as well as industry trainings and conferences. She also holds a B.S. in Computer Information Systems with a minor in Organizational Leadership from Chapman University and a Master of Business Administration (MBA) from the University of California, Irvine.
With the company for over 15 years supporting InTouch, Application Server, Wonderware Information Server, Tablets and Panels and various other products; she also supports level 2 customers on primary Wonderware products and is a regular content contributor to the Wonderware GCS website.


Summary
Recommended configuration details for whitelisting our WSP 2014 R2 products with Intel Security's ePO products, plus important industrial control cyber security recommendations.


Agenda
Whitelisting as a cyber security solution
McAfee ePO and Application Control for whitelisting
Compatibility and Installation
Central Administration
Whitelisting specifics for WSP 2014 R2 and related components
Installing updates, hot fixes, patches and upgrades
Additional defense-in-depth cyber security recommendations


Whitelisting
Application Whitelisting is a proactive security technique where only a
limited set of approved programs are allowed to run, while all other
programs (including most malware) are blocked from running by default.
Application Whitelisting is not a replacement for traditional security
software, such as antivirus and host firewalls. It should be used as one
layer in a defense-in-depth strategy.


McAfee Application Control


McAfee Application Control software provides an effective way to block unauthorized
applications and code on servers, workstations and fixed-function devices.
McAfee Application Control can be used to block the start of unauthorized or unknown
applications on servers and workstations. After the installation and activation of McAfee
Application Control, all executable applications and files are protected against
modification. Updates of authorized applications in the list can be integrated via:
Trustworthy users (user)
Trustworthy manufacturers (certificate)
A trustworthy directory
A binary file
Updaters (updating programs, e.g. Windows Update or virus scanners)

McAfee Application Control


McAfee Application Control offers functions that monitor the main memory,
provide protection against buffer overflow, and protect files that are running in
the main memory.
McAfee Application Control is a component of McAfee Integrity Control. McAfee
Integrity Control includes the components McAfee Application Control and
McAfee Change Control.
In the WSP environment, only the functionality of the whitelisting (McAfee
Application Control) has been tested.


McAfee Application Control


Video


Compatibility and Installation


Currently WSP 2014 R2 (or higher) is compatible with McAfee ePO version 5.1
and Application Control version 6.1.3.
Administration
The administration of McAfee Application Control can be done in two
different ways:
Locally on a computer system (standalone)
Centrally via the administration software McAfee ePolicy Orchestrator (ePO)
We recommend central administration using ePO, which is what we've
tested our WSP products with and what we're.


Compatibility and Installation


General Procedure
1. Installation of McAfee Application Control on a PC.
2. Execution of "Solidify" on the PC.
3. Activation of McAfee Application Control.
4. Computer restart.


Central Administration
The central administration of the whitelisting (installation, configuration, and
monitoring of the clients) takes place via the McAfee ePO application.
All local McAfee Application Control commands and options are also remotely
available via the ePO.
The McAfee ePO administration software must be installed on its own computer
with up-to-date hardware and a compatible, McAfee-supported Windows Server
operating system: Windows 2008 R2 or Windows 2012 R2.
Note:
McAfee ePO must not be installed on a WSP computer or an Active Directory domain controller.
We highly recommend using Active Directory for Access Control.


Central Administration


Whitelisting WSP 2014 R2 Installation


Preparations
1. Setup of the system based on the recommendations of the WSP documentation. Reference the WSP Readme.
2. Installation and configuration of the operating system.
3. Installation of the required programs and components.
4. Installation of all available security updates for the operating system, program and program-related components.
5. Installation of a virus scanner including security updates and the newest available virus signature files.


Whitelisting WSP 2014 R2 Installation


Preparations
6. If possible, isolation of the connection to external / third-party networks (e.g. on front firewall).
7. Execution of a complete virus scan of the computer.
8. Installation of McAfee Application Control via ePO.
9. Execution of the "Solidify" process for all local hard drives and partitions.
10. Activation of McAfee Application Control.
11. Computer restart.


Whitelisting WSP 2014 R2 Installation


Preparations
Installation and Configuration; Central administration via ePO
Installation of the ePO server
Install McAfee ePolicy Orchestrator (ePO).
Install Solidcore Extension Package.
Apply license for Solidcore or McAfee Application Control.
The standard settings recommended by McAfee for the installations of these products can
be used.


Whitelisting WSP 2014 R2 Installation


Preparations
Installation of McAfee Solidcore clients:
Add the Solidcore Agent Deployment Package to the ePO repository.
Add the client systems in the ePO console.
Install the Solidcore Agent on the clients.
Activation of the Solidcore Agent on the clients.
Solidification via Client Task from ePO.
Activation of client.
Additional client tasks.


Whitelisting WSP 2014 R2


Video


Whitelisting Specifics for Application Server, InTouch, Historian

Add Solidcore rules to implement the policy:
Publishers
Digital certificates which certify the ownership of a cryptographic public key by the named subject.
A public key is a value provided by a designated authority as an encryption key that, combined with
a private key derived from the public key, can be used to effectively encrypt messages and digital
signatures.

Updaters
Installers, executables, checksums (SHA1)

Installers
Executables: .exe, .msi, .msm


Whitelisting Specifics for Application Server, InTouch, Historian

Publishers:
Updater Label: Any name (we used Invensys Certificate in our example)
Issued To: Invensys System, Issued By: VeriSign Class 3 Code Signing 2010 CA
Extracted From: WSP 2014 R2 (or later) Setup.exe


Whitelisting Specifics for WSP 2014 R2


Updaters:
Updater By Name: Framework\Bin\aaDCOMTransport.exe
Updater Checksum (for aaDCOMTransport.exe): 64695e7b00763efb0ea975950f566078e0445c39
Updater By Name: c:\program files (x86)\archestra\framework\filerepository\t_object.msi


Whitelisting Specifics for WSP 2014 R2


Updaters


Whitelisting Specifics for WSP 2014 R2


Installers:
aaGR.exe
aaEngine.exe
aaDCOMTransport.exe
aaPim.exe
******_Temp.msi
****** = Platform node name (an entry for each node)
T_Object.msi
AAMXCore.msm
MxAccess.msm
LmxProxy.msm


Whitelisting Specifics for WSP 2014 R2


Installers:
SmartCardAL.msm
RTCommon_IDEGR_Runtime.msm
Security_IDEGR_Runtime.msm
SysObject_IDEGR_Common_Deploy.msm
SysObject_GR_Common_Deploy.msm
ObjectIcons_Common.msm
PFServer_GR_Runtime.msm
LegacyIGDSupport.msm
DASClientRedist.msm
DCOMConfig.msm
DASRedist.msm

Whitelisting Specifics for WSP 2014 R2


Installers


Whitelisting Specifics for WSP 2014 R2


To enable installers, set the following in Solidcore 6.1.3: Application Control Options
(Windows) on the Features tab for your policy in the System Tree of the ePO:
Package Control
Bypass Package Control


Whitelisting Specifics for WSP 2014 R2


An alternative to manually creating the Rules noted above is to import the data
outlined here via an export from a previously configured system.
The Solidcore Rules Import / Export feature creates an XML file that can
be imported back into the ePO system or into another system. This file
can also serve as a backup reference once your specific Rules are
configured or modified.


Whitelisting Specifics for FS Gateway


FS Gateway is included in the WSP installation, which is digitally signed.
Once the WSP setup.exe is added as a Publisher, FS Gateway is
allowed to run and update the system.
Nothing additional is needed for FS Gateway in the whitelisting
process.


Whitelisting Specifics for DAS ABCIP


Updaters:
Updater Checksum (for DASABCIP Setup.exe): 36c05f9fad9971aee17a631cce7d117bb09e8774
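The updater checksum rules for aaDCOMTransport.exe (WSP 2014 R2) and for the DAS ABCIP Setup.exe above only protect you while the binary on disk still matches the digest in the rule. The audit below is an added example, not code from the deck or from McAfee's tooling: it hashes the named files under a WSP install root and reports match, mismatch or missing, so a rule can be refreshed after a patch or a changed file spotted before it is whitelisted. The build_demo_tree helper and its placeholder file bytes are constructed for the demo and assume nothing about a real install.

```python
import hashlib
import os
import tempfile

# SHA1 digests the deck's updater rules reference (file name -> hex digest).
EXPECTED_SHA1 = {
    "aaDCOMTransport.exe": "64695e7b00763efb0ea975950f566078e0445c39",
    "Setup.exe": "36c05f9fad9971aee17a631cce7d117bb09e8774",  # DAS ABCIP Setup.exe
}

def sha1_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA1 so large installers are not read into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def audit_updaters(root, expected=EXPECTED_SHA1):
    """Hash every file under root named in expected; names match case-insensitively
    (Windows; the deck lists both t_object.msi and T_Object.msi). Returns
    {"match": [paths], "mismatch": [(path, actual)], "missing": [names not found]}."""
    wanted = {n.lower(): (n, d.lower()) for n, d in expected.items()}
    report = {"match": [], "mismatch": [], "missing": []}
    found = set()
    for dirpath, _, files in os.walk(root):
        for fname in files:
            key = fname.lower()
            if key not in wanted:
                continue
            path = os.path.join(dirpath, fname)
            actual = sha1_of_file(path)
            found.add(key)
            if actual == wanted[key][1]:
                report["match"].append(path)
            else:  # patched/upgraded binary (rule needs refreshing) or tampering
                report["mismatch"].append((path, actual))
    report["missing"] = [n for k, (n, _) in wanted.items() if k not in found]
    return report

def build_demo_tree():
    """Constructed sample tree, not a real WSP install: a stand-in aaDCOMTransport.exe."""
    root = tempfile.mkdtemp(prefix="wsp_audit_")
    bin_dir = os.path.join(root, "Framework", "Bin")
    os.makedirs(bin_dir)
    with open(os.path.join(bin_dir, "aaDCOMTransport.exe"), "wb") as f:
        f.write(b"abc")  # placeholder bytes, SHA1 a9993e36...; reported as a mismatch
    return root
```

Run audit_updaters(build_demo_tree()) to see the three buckets; on a real node point it at the WSP install root and treat any mismatch as a reason to re-verify the file's publisher signature before updating the rule.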


Installing Updates, Hot Fixes, Patches and Upgrades

Service packs, updates, hotfixes and patches from WSP can only be installed after the
runtime has been fully shut down and with the update mode of McAfee Application Control activated.
1. Power down and close all WSP applications.
2. Computer restart. Note that if Autologin and Autostart have been configured for WSP systems, they must be deactivated prior to the restart.
3. Switching on update mode of Application Control via "sadmin bu". Depending on the system, centrally via the ePO through a task (recommended).


Installing Updates, Hot Fixes, Patches and Upgrades

4. Installation of the WSP update.
5. Computer restart.
6. Start the complete, updated WSP application.
7. Activate Autologin and Autostart if those were deactivated previously.
8. Terminating update mode of Application Control via "sadmin eu". Depending on the system, centrally via the ePO through a task (or locally on the respective PC).


Defense-In-Depth Security Recommendations


Cyber Security Framework: ISA-62443


Defense-In-Depth Security Recommendations


People, Policies and Procedures, Technologies

People: Training
Policies: SOPs and Tools
Technology

Defense-In-Depth Security Recommendations


Common Attack Vectors
External/Removable Media:
Attack executed from removable media (e.g., flash drive, CD) or a peripheral device.
Attrition:
Attack that employs brute force methods to compromise, degrade, or destroy systems, networks,
or services.
Web:
Attack executed from a website or web-based application.
Email:
An attack executed via an email message or attachment.
Improper Usage:
Any incident resulting from violation of an organization's acceptable usage policies by an
authorized user.
Loss or Theft of Equipment:
The loss or theft of a computing device or media used by the organization, such as a laptop or
smartphone.

Defense-In-Depth Security Recommendations


Incident Response - Prepare Capability
Create an incident response policy and plan
Develop procedures for performing incident handling and reporting
Set guidelines for communicating with outside parties
Select a team structure and staffing model
Establish relationships and lines of communication between the incident
response team and other groups
Determine what services the incident response team should provide
Staff and train the incident response team


Defense-In-Depth Security Resources


McAfee Application Control Software
http://www.mcafee.com/us/products/application-control.aspx
ICS CERT Targeted Cyber Intrusion Detection and Mitigation Strategies Update B
https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
National Security Agency Central Security Service
www.nsa.gov


Thank you!

2015 Schneider Electric. All Rights Reserved.


All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies or their respective owners.

