Attacks against SCADA and industrial-control systems have become a major concern for private companies as well as government agencies, with executives and officials worried about the potential effects of a major compromise. Security experts in some circles have been warning about the possible ramifications of such an attack for some time now, and researchers have found scores of vulnerabilities in SCADA and ICS systems in the last couple of years. Now, engineers at Kaspersky Lab have begun work on new operating system designed to be a secure-by-design environment for the operation of SCADA and ICS systems.
Threatpost editor-in-chief Dennis Fisher spoke with Eugene Kaspersky, CEO of the company, about the origins of the project, how the new OS will be deployed and why he decided to green-light the project.
Threatpost: Why did you decide to undertake this project?
Eugene Kaspersky: The gloomy scenario you may have seen in many movies around (Live Free Or Die Hard being a perfect example when the modern way of life is literally being hit by cyber attacks) is not really that futuristic. In fact the civilization has already reached a level of development when critical infrastructure is totally managed by automated control systems. No, I’m far from considering another sci-fi gloomy scenario depicted in The Terminator, luckily we’re still not that developed. However, it is highly possible that people or groups with bad intentions may quickly change the way of our lives by disrupting these processes with highly-tailored cyber attacks. Intentionally, I didn’t mention “sophisticated” because if you dive deeply inside the details how the modern industrial control systems (ICS) are protected you will understand they are far beyond the enterprise security level.
There is another side of the story. Ok, here is a power station, here is an ICS that supervises the process and it has a number of security vulnerabilities. First of all ICS manufacturers are way too slow in developing patches. Secondly, every single patch should pass a very long and thorough testing process to be applied to the working process. Thirdly, ICS users still prefer not to apply patches in order not to interrupt the process! The first rule of ICS is “Don’t touch. Ever.” Which is quite reasonable from their perspective. But not from the security point of view. And currently no security vendors address this pain point effectively, but rather apply traditional enterprise security technologies in the ICS area, which is completely different in many respects.
Threatpost: How do you plan to solve this problem?
Eugene Kaspersky: Really, is there a way to overcome this vicious circle? Well, re-designing ICS applications is not really an option. Again, too long, too pricey and no guarantees it will fit the process without any surprises. At the same time, the crux of the problem can be solved in a different way. OK, here is a vulnerable ICS but it does its job pretty well in controlling the process. We can leave the ICS as is but instead run it in a special environment developed with security in mind! Yes, I’m talking about a highly-tailored secure operating system dedicated to critical infrastructure.
Threatpost: What are the most important features for the new OS?
Eugene Kaspersky: Alas, I cannot disclose many details about it. The main thing is the OS is based on a software architecture model that allows developing an application that by default is not able to run any undeclared functionality and guarantees delivery of trustworthy data between different nodes. In this case the vulnerability of an ICS that runs on this OS is not really a problem anymore as an external or internal evil-intended human factor simply cannot get use of this vulnerability.
Threatpost: How is it possible for Kaspersky Lab to develop this kind of secure OS while no one else could manage it?
Eugene Kaspersky: It's true no one else ever tried to make a secure operating system. This may sound weird because of the many efforts Microsoft, Apple and the open source community have made to make their platforms as secure as possible. With all respect, we should admit they were developing a universal solution for a wide range of application and various kinds of users. And security and usability is always a matter of compromise! With a universal OS a developer inevitably sacrifices security for usability. We aim to develop a highly tailored OS specifically for ICS without any compromise in usability. As a matter of fact, we are somewhat lucky here as usability was never a point in the industrial control systems. What is really valued in this market is a guarantee and our business model will include such guarantees.
Threatpost: How long has the company been working on it?
Eugene Kaspersky: The internal codename of the development project for ICS is titled 11.11 Guess what? Right, it was November 11 when we started it 10 years ago. We started it as just an idea within one of our regular brainstorms to model security trends and prioritize the security technology development. The project was basically a theory that became embodied in software code many years after, once we understood we were right with our predictions. In fact, Stuxnet was the ‘first swallow’ that signaled a new era of cyber attacks against critical infrastructure has begun. The project has already passed many stages from a deep thought towards a prototype piloting on a dedicated industrial installation. Still much to do to make it happen – we will keep you updated about the progress.
Threatpost: Have you had discussions with potential customers about this and what kind of security features they’d like in the OS?
Eugene Kaspersky: The whole design of the OS was made with customer requirements in mind. We are in constant contact with a number of our strategic customers supervising critical infrastructure around the world.
Threatpost: Will there be any restrictions on which companies or countries can buy the product once it’s finished?
Eugene Kaspersky: We are a truly international company and we are open for cooperation with any industry, any country and any government in compliance with international regulations to ensure the security of their critical infrastructure. Once the OS is ready we plan to get official certifications in the countries we currently operate in to start marketing the solution.
Threatpost: Do you have an anticipated completion date for it?
Eugene Kaspersky: At the moment it is still too early to talk about the commercial release as too much things still need to be done. Will keep you posted.
More information on the project is available on Eugene Kaspersky's personal blog