ControlGuard
Introduction
Whitelisting is a foundational cybersecurity control within the First Watch® platform, designed to ensure that only verified, authorised, and trusted code components execute within operational environments. In critical infrastructure systems — such as water treatment, energy, and manufacturing — where availability and safety are paramount, deterministic protection is essential to prevent unauthorised code execution, tampering, and downtime.
Unlike blacklisting approaches, which reactively block known threats, whitelisting enforces a positive security model. Every executable or library must be explicitly approved before it can run. This guarantees that no unknown or unvalidated software can interfere with control logic, operator workstations, or industrial processes.
Application control (whitelisting or allowlisting) changes Windows from a place where all code runs unless your AV solution confidently predicts it's bad, to one where code runs only if your policy says so. Government and security organisations, such as the Australian Signals Directorate, frequently cite application control as one of the most effective ways to address the threat of executable file-based malware (.exe, .dll, etc.). It works alongside existing AV solutions to help mitigate security threats by restricting the applications that users can run and even what code runs in the System Core (kernel).
Whitelisting Across the Platform
The First Watch whitelisting framework operates across multiple layers of the OT environment:
| Component | Role |
|---|---|
| First Watch Controller | Centralised event collection, policy distribution, and enforcement across ControlGuards and PLC Guards |
| ControlGuard | Protects Windows-based assets such as SCADA/HMI systems by applying whitelisting to executables before they are loaded into memory |
| PLC Guard | Monitors and controls communications from OSI Layer 2 to Layer 7 — for instance, detecting and blocking unauthorised firmware updates or project downloads |
Primary Objectives
- Deterministic Execution (Application Control) — only pre-approved code runs on critical hosts
- Integrity Assurance — detect unauthorised modifications or tampering of executables
- Operational Continuity — maintain uninterrupted plant or grid operation
- Compliance Alignment — support cybersecurity frameworks such as IEC 62443 and NIST SP 800-82 through demonstrable system hardening and event traceability
Through this mechanism, First Watch transforms endpoint protection in industrial networks — moving from reactive detection to proactive prevention.
Engineering Architecture
From an engineering standpoint, whitelisting in First Watch is implemented as a multi-tier control policy system governed by the Controller. The policy set determines which processes, modules, and libraries can execute, based on various trust indicators:
- SHA-256 (SHA-2) hashes
- Digital signatures
- File metadata — Product Name, Company Name, File Description
- Parent process relationships
- Executable paths and directories
- Command line arguments
Each protection layer uses YAML-based policy files stored in a structured format.
Policy Engine Flexibility
The First Watch policy engine is designed to be highly flexible, allowing administrators to combine policy templates in multiple configurations.
It is strongly recommended to design the whitelisting strategy in collaboration with a First Watch engineer before deploying it in a production environment.
This flexible architecture provides multiple ways to achieve the desired protection outcome. However, once the approach is implemented, thorough testing is essential to validate stability and coverage.
The policy engine also supports an advanced ControlGuard policy language for complex rules. It can be used to define custom conditions not covered by the standard configurations, so that complex, context-aware rules can be built.
Application Control Strategies
The overall design can adapt to the organisation's preferred application control strategy:
- Centralised approved list — maintaining a central database of approved executables that are allowed by hash across all systems
- Host- or group-specific whitelists — defining rules that differ depending on the function of the device or department
All these scenarios are fully supported within the First Watch Policy Framework, offering both consistency and flexibility to match any organisation's operational model.
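To show how the trust indicators listed under Engineering Architecture combine with the two application control strategies above, here is an added, self-contained Python example. It is not First Watch code and its policy schema (`approved_hashes`, `groups`, `path_prefix`, `signer`, `parent`, `denied_args`) is an assumption written as the parsed equivalent of a YAML file; the events and hashes are constructed.

```python
import hashlib

# Constructed example policy, the Python equivalent of a parsed YAML file.
# The schema is an assumption for illustration, not the First Watch format.
POLICY = {
    # Centralised approved list: SHA-256 hashes allowed on every host.
    "approved_hashes": {
        hashlib.sha256(b"constructed-hmi-runtime-bytes").hexdigest(),
    },
    # Host- or group-specific rules that combine the other trust indicators.
    "groups": {
        "hmi": [
            {"path_prefix": r"C:\SCADA\bin", "signer": "Example Vendor Ltd",
             "parent": "services.exe"},
        ],
        "engineering": [
            {"path_prefix": r"C:\Tools", "signer": "Example Vendor Ltd",
             "denied_args": ["--unsigned-firmware"]},
        ],
    },
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evaluate(event: dict, policy: dict, group: str) -> tuple:
    """Decide whether an execution event may proceed.

    Positive security model: anything not explicitly matched is denied.
    Returns (allowed, reason)."""
    if sha256_hex(event["image"]) in policy["approved_hashes"]:
        return True, "approved hash"
    for rule in policy["groups"].get(group, []):
        if not event["path"].lower().startswith(rule["path_prefix"].lower()):
            continue  # executable path outside the rule's directory
        if "signer" in rule and event.get("signer") != rule["signer"]:
            continue  # digital signature does not match the expected signer
        if "parent" in rule and event.get("parent") != rule["parent"]:
            continue  # unexpected parent process relationship
        if any(a in event.get("cmdline", []) for a in rule.get("denied_args", [])):
            continue  # disallowed command line argument
        return True, f"group rule {rule['path_prefix']}"
    return False, "no matching rule (default deny)"

if __name__ == "__main__":
    # Constructed execution event as a host sensor might report it.
    ev = {"image": b"constructed-hmi-runtime-bytes", "path": r"C:\SCADA\bin\hmi.exe",
          "signer": "Example Vendor Ltd", "parent": "services.exe", "cmdline": []}
    print(evaluate(ev, POLICY, "hmi"))
```

The hash check is host-independent, while the group rules show how the same signed binary is allowed on one host group and denied on another.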