Protecting critical infrastructure from a cyber attack has become a major software security concern in recent years, particularly following the discovery of the Stuxnet worm in 2011. The issue gained new prominence recently when President Obama passed a cybersecurity executive order and referenced the topic in his State of the Union address.
As many eyes in the security world turned toward protecting critical systems, Kaspersky Labs, the security firm that discovered Stuxnet, announced last fall that it was developing an industrial operating system. In a recent interview with O'Reilly Radar, Kaspersky analyst Roel Schouwenberg discussed some of the challenges in protecting against vulnerabilities in the industrial control world.
According to Schouwenberg, the idea for a vulnerability-free operating system had been brewing at Kaspersky for years. The discovery of Stuxnet brought industrial control systems (ICS) to the forefront of the company's attention, and it realized that a secure OS would work best within the narrow parameters of the ICS environment.
"If you work on consumer machines and say, 'here is this completely different operating system, have fun with that,' that obviously doesn't work, but in the industrial control world there are different sets of requirements that place a big emphasis on security above all else," Schouwenberg told O'Reilly Radar.
Security challenges in a connected world
Central to the growing critical infrastructure cybersecurity threat is the fact that many systems that were never designed for internet connectivity are coming online. Schouwenberg noted that many industrial experts say productivity decreases by 20 to 30 percent if they have no connectivity. As a result, tools that enable remote management through devices such as smartphones and tablets are increasingly common. This type of functionality creates more points of connectivity to these systems and introduces the risk of mobile malware from a personal device infecting an industrial facility.
"We have this situation where, as you pointed out, these systems were not designed with Internet connectivity in mind and now there should be connectivity, at least to the corporate network," Schouwenberg explained. "I think that can be more or less manageable. But now, all of a sudden, these systems are Internet accessible – directly Internet accessible, and not even just that, but there are dedicated apps for it. That's going to get messy real soon."
Building an impenetrable system
While Schouwenberg did not discuss specific approaches being taken in the Kaspersky industrial OS, he explained that the basic idea is to make the system capable of generically detecting a potentially malicious command and blocking it. He noted the challenge of creating a vulnerability-free system but suggested that it could eventually be vetted by sharing the source code and opening it up to code review from other companies and governments.
At the heart of the effort is the fact that Kaspersky is approaching the code from its perspective as a security vendor. As compared to the desktop world, development in the ICS world is rarely analyzed from a security angle, Schouwenberg noted.
"When you build something with security in mind, then that is basically synonymous with saying, 'Trust no one, trust nothing,'" he said. "You can argue that the cause of nearly every security vulnerability that we can see is that some code is assumed to be trusted. When you say, 'What if somebody tries to do this or that?' the response should not be, 'Why would they do that?'"
While creating a vulnerability-free environment that fully considers possible angles of intrusion is a major challenge, developers can use tools such as source code analysis software to help them catch potential weaknesses. As the goal of creating a fully secure OS advances, the use of static analysis software and other vulnerability prevention approaches will be essential to successfully protecting critical infrastructure and other connected systems.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.