Kaspersky To Build Secure OS For SCADA Systems 165
Trailrunner7 writes "Attacks against SCADA and industrial-control systems have become a major concern for private companies as well as government agencies, with executives and officials worried about the potential effects of a major compromise. Security experts in some circles have been warning about the possible ramifications of such an attack for some time now, and researchers have found scores of vulnerabilities in SCADA and ICS systems in the last couple of years. Now, engineers at Kaspersky Lab have begun work on new operating system designed to be a secure-by-design environment for the operation of SCADA and ICS systems. 'Well, re-designing ICS applications is not really an option. Again, too long, too pricey and no guarantees it will fit the process without any surprises. At the same time, the crux of the problem can be solved in a different way. OK, here is a vulnerable ICS but it does its job pretty well in controlling the process. We can leave the ICS as is but instead run it in a special environment developed with security in mind! Yes, I'm talking about a highly-tailored secure operating system dedicated to critical infrastructure,' Eugene Kaspersky said in an interview."
Free with every purchase... (Score:5, Funny)
Monitoring and "remote support" by KGB included free with every purchase!
Re: (Score:3)
Sumerians? A bunch of amateurs! If you want a great OS, you have to with a Hittite OS.
I'm sorry, we're Medes and we're lost in this desert of a web board. Could you direct us to the exit? And sorry about the arrows.
Re: (Score:1)
When you say "Monitoring and "remote support" by KGB included free with every purchase!", are you Putin us on?
Re: (Score:3)
This is a good idea with countless benefits. (Score:4, Insightful)
Re: (Score:2)
Re:This is a good idea with countless benefits. (Score:5, Informative)
I think a Linux system that used PaX would be easy. Actually I used to maintain the list of incompatible apps--mostly Java itself, a handful of other things that turned out to be broken (and occasionally have critical security holes, none of which I personally found)--for Gentoo Linux. Thing about PaX is when something is killed, it's logged, and you get a wealth of debug data--when your program misbehaves, it usually dies from it early and it's easier to find the problem. This means developers have an easier time getting their software more correct, and the system doesn't do odd unexpected things (by bad software or by being hacked and worm-infested), and so the more secure system becomes the more usable system and the more maintainable system.
Similarly, for Unix environments, you could work on building out Minix and bolt on services that supply security guarantees as PaX does, and that interface between the user space utilities and the OS (because the OS Syscall handler is itself a service, you run the program under a DIFFERENT SERVICE) to implement namespaces and act as functional jails--virtualization, semi-virtualization. Services supplied under full microkernels like GNU HURD, L4, or Minix are small and thus easily audited for correctness--and thus improve security.
It all requires policy, of course. The PaX stuff is policy: no write/execute and no !execute to execute. If that crashes the program, you need to fix the program or remove that policy restriction. Semi-virtualization is mainly a file access policy--hide (can't see it), read-through (can see it, writes are redirected a la UnionFS), read-write (can see and change it, object is shared)--and a resource policy--PIDs, network devices/addresses, etc are hidden or shared. It's on the developer to do that, although forced policy on deployment is possible (you can externally generate a policy). grsecurity has always supplied a learning mode that logs and then develops policy automatically, which you can then audit for monkey business.
Re:This is a good idea with countless benefits. (Score:5, Insightful)
And right there you've put your finger precisely on the problem. Fixing the program is hard--if you got it from a vendor, it might well be impossible. Removing the policy, on the other hand, is easy.
Re: (Score:2)
Re: (Score:2)
No, that's stupid. As I said, the stricter guarantees that you must follow under PaX-alikes tend to make programs easier to debug. ASLR and W^X policies cause hard failures to happen more often and earlier in the failure process, rather than letting the program off-by-one and get away with it or just hobble along half-dead until it sputters out and dies miles away from where the error actually occurred. Debugger intervention and proper core dumps (with library layouts and other memory mappings) can be us
Re: (Score:2)
Re: (Score:2)
Narrow class? 86% of the first 60 security exploits published as advisories by Ubuntu were covered by ASLR and W^X supplied by PaX.
Also, as I"ve stated repeatedly, the development changes under ASLR policy are: DON'T MAKE BROKEN CODE (really, the only break here is to assume an address for a dynamically allocated resource is always the same and hard-code it; or subtle corruption that semi-works because generally things don't move around). For the W^X protections supplied by PaX, W^X, ExecShield, and a
Re: (Score:2)
This is actually not as much of a problem as you think. Programs don't last forever, and they get rewritten a lot. Upgrades. New features. Refactoring, replacement. Remember the shiny new thing is more attractive, so businesses throw out the old and make new just for the sake of being more up-to-date than the competition.
As such, a feature that says "Requires you to disable the security features of your OS for this particular program" and a big scary warning box that says "Program is requesting policy
Re: (Score:2)
Not so much for SCADA systems and the like. I worked at a place that still had a knee-high pile of 386 laptops in 2005, because the control program for their half million dollar radio tower wouldn't run on any other architecture. Finding a SCADA system that runs, for example, a power dam which is less than five years old will be difficult, since that's really a situation where "if it's not broke d
Re: (Score:2)
businesses throw out the old and make new just for the sake of being more up-to-date than the competition. Not so much for SCADA systems and the like.
Your entire argument becomes irrelevant because such systems aren't going to upgrade the underlying OS into a "secure OS" anyway. The OS is going to rot away with the underlying program because the WHOLE PACKAGE works, and if management wants it upgraded they're going to want the WHOLE PACKAGE upgraded--why the hell would you move a program from the 90s off an NT4 box onto an XP box? You get a NEW program and install it on shiny new Server 2008r2.
You want a secure architecture without bolt-on bullshit,
Re: (Score:2)
Well, maybe YOU can, but I can't. I just install the stuff and make it work, I rely on folks like to give me the parts to put it together. I don't really **want** to move that 2002 package from NT to Server 2008 or Red Hat version whatever, and then repeat the exercise again in a few years. If the underlying OS is secure enough that it doesn't have to go through a major upgrade every two years (with all the necessary testing and downtime that involves) we can start poking vendors wit
Re: (Score:2)
Well, maybe YOU can, but I can't. I just install the stuff and make it work, I rely on folks like to give me the parts to put it together.
Bolt-on bullshit is bolt-on bullshit because refactoring a huge multi-million-line codebase is really freaking hard. Microkernels and other modular programming designs rely on small, specialized tasks so that the pieces can be shuffled, improved, and have other pieces interposed without the whole system needing a reworking front-to-back. Even Andrew Morton would have an easier time adding stuff like LSM to Minix rather than the (already completed, obviously) task of adding it to Linux.
Micro-modular soft
an actual secure architecture (Score:2)
Qubes OS, previously seen on Slashdot, ought to do nicely.
It looks like Linux, but it isn't. It's more like VMWare ESX Server. It's a tiny kernel that provides a desktop consisting of composited windows from guest VMs. Each window is labled according to the VM it runs in, with window borders colored according to security compartment.
Re: (Score:2)
Re: (Score:2)
It won't work. SCADA was built off the assumption of physical security. It would take firing everyone who ever worked in SCADA to design the next generation of applications to get anything with security in it. Why would anyone switch to this "secure" system, when it's already more secure (physically) than any "program" can make it?
That's a bit of a stretch. I work in SCADA and it's not the developer's who are the problem. I, myself, harp on about security every other week. However, the marketing and development managers don't give a rats arse. If it's not a new "shiny" or something the competition has, then no money gets put into it.
Even when security is called out in the standards or client specifications, it's usually just security theater. The maintainers and end users don't want security and tend to bypass the token metho
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Why do critical control systems need to be connected to the Internet? Computerized control systems such as SCADA have existed far longer than the Internet. There is also a difference between allowing critical quantities to be controlled remotely and these same critical quantities being monitored remotely. It MAY be permissible to allow read only monitoring over the Internet, but certainly, critical controls should never, ever at any time under any circumstances, be accessible from the Internet, so that some
Re: (Score:2)
It's cheaper to run traffic over an Internet link that it is to buy a dedicated line. Knew one oil company who wanted to run an RGB composite video cable all the way underwater from an oil rig to the head office, just so the CEO's could see what was happening on the control system offshore. Fortunately, the consultants persuaded him that converting the video signal to digital and running that through the existing fibre-optic network would do just as well.
Re: (Score:2)
Internet passports (Score:3)
Just take them off the internet (Score:5, Insightful)
Make the client OS use DNS SEC and encrypted traffic for a secure network that is not physically connected to the internet or any network with a gateway to the internet. Why is this so hard?
This secure OS will eventually get compromised too if it has USB ports enabled, physically access to the machine, or be on a network.
Re:Just take them off the internet (Score:4, Interesting)
All of the SCADA systems I have installed are wireless. A potential hacker doesn't need physical access, they just need to be in range.
True story: The largest wireless SCADA system I did was for an oilfield company. I originally set up passwords made of random letters and numbers, making them as secure as possible. But less than a week after the system was up and running, they complained the passwords were too difficult to remember. So I was forced to change them all to something similar to President Skroob's luggage combination or not get paid.
(The SCADA radios ran Linux, in case you're interested...)
Re: (Score:3, Funny)
No it wasn't WEP, and I'm in Canada. Iranians would never survive our winters.
Re: (Score:2)
Re: (Score:3, Interesting)
For one I can install a network sniffer on it to gain passwords. Then upload my own program to interact with the SCADA and destroy your equipment. With slashdot's earlier story of Iran planning a 9-11 like attack on American Infrastructure this is a very real concern.
Even Linux has security holes. They are not exploited on the net like Flash or Java ones but a rogue government or terrorists can use them to gain access.
Re: (Score:3)
For one I can install a network sniffer on it to gain passwords
Not if youre using a secure application like SSH, which was his point.
Re: (Score:1)
Then someone will find another. The point is exploits do exist and the best solution is to focus on the problem. Not the symptoms. That is access. A more secure app or OS just reduces the symptoms that are totally preventable.
Power, telecommunications, water, nuclear, and oil/gas need regulation as dirty as that word is in the US because of idiot managers who love real time reports and remote manageability to cut down on costs. Something horrible will happen one of these days and it will be a very expensive
Re: (Score:1)
For one I can install a network sniffer on it to gain passwords.
How do you sniff gain passwords of a properly encrypted and secured application?
With slashdot's earlier story of Iran planning a 9-11 like attack on American Infrastructure this is a very real concern.
You give me 20 Iranians willing to die following my every order, and I'll collapse any single industry you choose in the USA. One suicide bombing a week at various fast food restaurants, and after 2 months, the cashflow for Yum! Brands, and McDonalds franchisees, and even Macaroni Grill and Darden, though I couldn't guarantee a collapse of something like McDonalds or Subway, as those are mainly franchised restaurants, but Darde
Re: (Score:1)
Please explain to me how you can destroy equipment, if none of that equipment is connected to the Internet? Why do the controls say for a generator in a power station be made accessible over the Internet?
Re: (Score:2)
Easy to reduce costs and PHB can get their real time reports. If you have lets say 45 oil wells out in the field over a 700 mile area it is much more cost effective to have them on the internet where Bob with IE 6 with is all secure non signed activeX control, can work on each of them and check settings etc.
In the old days you would need 20 people doing Bob's job driving to oil well after oil well doing work, shutting off leaky valves, and documenting paperwork. Nuclear powerplants love internet enabled con
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Just like the nuclear powerplant disaster in Japan the PHBs and cost accountants only care about costs as in have it all wireless so we can have 1 guy do the work of 20 by having it on the internet instead instead of having someone there.
This should be regulated if SCADA is used for any public infrastructure and one of them is no networking. Even a fiber link can get spliced. It is more difficult and expensive to do but Iran has the dough to do it and would be a target.
Re: (Score:2)
Just like the nuclear powerplant disaster in Japan the PHBs and cost accountants only care about costs as in have it all wireless so we can have 1 guy do the work of 20 by having it on the internet instead instead of having someone there.
This should be regulated if SCADA is used for any public infrastructure and one of them is no networking. Even a fiber link can get spliced. It is more difficult and expensive to do but Iran has the dough to do it and would be a target.
Splicing is a mechanical action, and since humans do not move faster than light, that means that you can detect the signal alteration/disruption resulting from tampering with fiber.
I will concede that ability to safeguard the nation's SCADA networks does not rule out the possibility...the likelihood...that one or more CEOs will/have decided that short term profits - that is, increasing the value of their stock options, which is called "increasing shareholder value" for public consumption - outweighs the pu
Re: (Score:2)
Re: (Score:2)
There's more than one way to infect a system, and yes, most of them require user stupidity but there is no end to the supply of stupid users. The most commonly described example is to drop a few USB thumb drives in the parking lot with your worm on them, then just wait for some well intentioned (or not) employee to pick it up and either plug it in to see who it might belong to or start using it for day to day activities, such as updating software on the 'secure', air-gapped systems.
Re: (Score:2)
Re:Just take them off the internet (Score:4, Insightful)
Because management wants the real-time reports on their desks. What do mean it's not secure? Everybody else does it. You're the only one who seems to have trouble doing this!
Re: (Score:2)
What's so hard about a one way dump of data? Open an outgoing port and send the data. Block all incoming requests.
(another) BSD fork()? (Score:5, Insightful)
Why waste the time in new development. Start with one of the BSD systems (already approved under iso9001/9002 type stuff) and either set up custom configurations, or fix what needs fixing.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Once again the OpenBSD clan has stepped forward with a reasonable plan for saving the world, unfortunately as is par for the course with OpenBSD, their chosen representative refers to himself as buttfuckinpimpnugget to which the world replied with "oh god, what is wrong with you, go away, just go away!" and promptly returned to their course of apathetic self destruction.
I like the idea (Score:4, Interesting)
As far as security goes, I think one important aspect is transparency. Code running on the operating system should probably not have much freedom to modify the underlying system, but it is crucial that they can see what is going on, such that you can monitor that nothing unexpected is running on the system.
I guess for most SCADA systems the risk of bad stuff happening due to unauthorized changes is a much greater concern than leaking information from the system.
Are Kaspersky the right people to build the OS? Time will show.
The 1970's called (Score:1)
They want their capabilities architecture back.
Re: (Score:1)
They want their capabilities architecture back.
Capabilities leads to complexity, complexity leads to bugs, bugs leads to vulnerabilities.
To build something secure, you need to aim for simplicity.
Re: (Score:3)
As far as security goes, I think one important aspect is transparency.
FTFA:
Threatpost: What are the most important features for the new OS?
Eugene Kaspersky: Alas, I cannot disclose many details about it.
A secure OS shouldn't need to be kept secret.
It should be publicly vetted like an encryption algorithm
Re: (Score:2)
As far as security goes, I think one important aspect is transparency.
FTFA:
Threatpost: What are the most important features for the new OS?
Eugene Kaspersky: Alas, I cannot disclose many details about it.
A secure OS shouldn't need to be kept secret. It should be publicly vetted like an encryption algorithm
That wasn't the sort of transparency I had in mind, when writing my comment. But I still agree with you. However I don't see a problem with it being kept secret in their design phase, as long as it is publicly vetted before being put in production. A bug bounty would also be a good idea.
Re: (Score:2)
Security through obscurity (Score:5, Insightful)
Re: (Score:3)
I'm assuming they want to sandbox access to lower level hardware, which can be done with a modified OS.
Except SCADA's a strange bird in that respect. While low level access to network hardware might not be needed by the control interface, low level access to the controllers and monitoring systems is needed.
They're onto something when they're talking about a custom OS. But that problem had largely been solved in the past, until all the engineers and operators wanted SCADA interfaces that ran on Windows. A
Re: (Score:2)
Re: (Score:2)
I would guess the new OS would be binary compatible with the old OS; just like you can run Windows 1.0 applications on Windows 7 (subject to quirks...)
Which would also be why just using BSD wouldn't work.
Re: (Score:2)
how would a new OS help?
Magic.
Re: (Score:3)
I'm confused about what, exactly, is supposed to run on top of this new operating system.
Is it supposed to be a new OS for devices with physical-layer control capability like PLCs (Programmable Logic Controllers), DCSs (Distributed Control Systems) and RTUs (Remote Terminal Units)?
If so, I don't see how it would help, since each of these devices has its own unique proprietary hardware architecture. It's highly unlikely Kaspersky could effectively support the hardware.
Or is it supposed to be for hosting cent
Re: (Score:2)
If I had the points, I'd mod you up. Basically summed up all I was thinking
Won't help much.. (Score:1)
The problem isn't the os. The problem is the programmers.
The culture, the style, the programming best practices.. It needs to change when it comes to embedded systems that need high security.
You need high standards for these things.. Instead mostly they are still slapped together like the crappiest web apps.
So now you're going to build an idiotproof os?
Well you know what they say about that...
Good - keep mickey out (Score:1)
Re: (Score:1)
I'm confused... GP never mentioned a hosts file...
Re: (Score:2)
One the one hand we're told, "don't feed the trolls", and this person is an obvious troll. But, some part of me wishes to implore them to see the bigger picture.
To whoever you are: circumstance should dictate the tools you use - sometimes this means Windows, sometimes this means Linux. You will rarely see Linux running the domain of a large business, but you would equa
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
For the sake of brevity, I'm going to say you're not a troll.
Now, I've read many of the links you've posted and found them quite interesting and informative. What is your opinion of the Linux kernel? Also, what do you think of my opinion of the state of all the major OS kernels out there?
Re: (Score:2)
Just to help out your posts for future benefit (the ones that are concrete, verifiable, & undeniable facts as per your post: http://it.slashdot.org/comments.pl?sid=3189435&cid=41672457 [slashdot.org]), it is worth noting that the second item on th
15krpm (Score:2)
That's how my eyes are rolling right now.
Kaspersky Lab is a company that has its whole business centered around digging through compromised insecure systems. They wouldn't know a secure design if it bit them in their faces.
Re: (Score:2)
That's how my eyes are rolling right now.
Kaspersky Lab is a company that has its whole business centered around digging through compromised insecure systems. They wouldn't know a secure design if it bit them in their faces.
Man, I've still got this head-ache...
Well, damn, man. Don't you think you should see about getting that bear trap removed from your head.
What bear trap?!
Take your time, please (Score:2)
Surely the military has solved this problem (Score:1)
But then again, anyone who knows the solution would have to kill you if they told you.
first, redesign the assumptions. (Score:2)
assumption 1: we can have remote control work. FALSE. any backdoor anywhere will open.
assumption 2: the vendor is secure. FALSE. any fixed system password is known to somebody bad.
assumption 3: we can use lowest-cost hardware. FALSE. there will be flash drives and dongles and games placed on these machines from who knows where.
assumption 4: we can firewall the net and have Smart Grid work safely. FALSE. it's >ALL fixed passwords out there in StupidGrid, wireless here and there, customer acces
But Windows is secure - NOT! (Score:2)
Those of us who have been around a while will remember Microsoft trumpeting Windows NT's security.
"Microsoft included security as part of the initial design specifications for Windows NT, and it is pervasive in the operating system"
The whole Orange Book / Red book, C2 security level and so on,
They would be better off improving the failings of the existing system, rather than inventing a whole new set of ways to fail.
TCP for SCADA (Score:2)
Wow.... You know what I really want... Trusted Computing Platform for SCADA. Because, hey... If I don't have verifiable challenge-response between a sensor and controller, how can I really trust it. Maybe they can even make the Thunderbiolt connector the standard, with authentication for all the cables! That would be great... Then we could just blame system failure in a bug on the authentication layer!
The need for interoperability is where most of the problems seem to come from. Properly securing and ma
Secure OS from ground up? (Score:2)
Kaspersky should also take into account solutions like L4 or Minix3. I fear that really witing an OS from zero would be overkilling.
ICS? (Score:1)
Ice Cream Sandwich? Android?
Will only work if we get rid of the biggest issue (Score:2)
This is all good in theory, but let's not forget WHY we have ended up here:
The Customer.
The Customer WANTED to have Windows based servers, the customer wanted to have integration on to their business networks using Windows protocols and standards.
DCS vendors for DECADES had their own OS's from the PLC up to the HMI , granted they were not secure, but they didn't need to be as they were not externally accessible, nor could they run anything untoward.
When the customer sees this new OS and can't get the data t
Qubes: the secure OS (Score:2)
It's in C/C++. Can't be taken seriously. (Score:2)
They're writing it in C/C++. What could possibly go wrong? There are already embedded operating systems with reasonably good levels of assurance, such as LynxOS and QNX.
Re: (Score:2)
Re:Good Luck (Score:4, Interesting)
That is exactly the same problem general desktop computing has. The OS is secure, the hardware is secure, it is the poorly engineered browser addons (and sometimes browsers) which bring the system to its knees from a security persepective.
Yes, this embedded OS is secure, but what gives me the ability to trust it? Old Cold War tensions aside, if someone hands me a lock and says, "trust me, its secure", that doesn't give me much assurance. Having source code available for peer review (even if it is commercial like PGP's source) would go a long way in assuring.
Otherwise, I don't see that much improvement between what it offers, and Linux's AppArmor/SELinux. I do like the fact that writes can be redirected elsewhere which isn't a part of any UNIX OS, but if need be, that functionality could be sort of cobbled together by making a snapshot and having a clone be a new filesystem.
Re: (Score:2)
That is exactly the same problem general desktop computing has. The OS is secure, the hardware is secure, it is the poorly engineered browser addons (and sometimes browsers) which bring the system to its knees from a security persepective.
If an operating system is written in such a way that it blindly gives full root-level access to untrusted third-party binary add-ons -- then your definition of "secure OS" is not the same as mine.
Seriously, it seems like in the last 20 years we've forgotten (or deliberately chosen to unlearn) everything we knew in the 1980s about security. The trend then was away from monolithic kernels towards microkernels, because, well, it's the only mathematically possible way to achieve security and reliability. (In th
Re: (Score:2)
Even though SELinux and AppArmor provide limits on executables so something that has full root really doesn't, I will agree with you on the general point.
In the 1980s, we had many CPU architectures, with many varying bit lengths from 4 bits on up.
Come the 1990s and 2000s, we ended up with a fairly limited set of CPU architectures in the mainstream. Basically, ARM, x86, x86 with AMD 64 bit extensions, Itanium, SPARC, and POWER.
Yes, they are "good enough". However, these architectures were either designed f
Re: (Score:2)
QNX has had some security issues in the past, weaknesses built-in access control mechanisms and legacy capabilities that I think are dangerous to the uninformed, maybe giving you enough rope to hang yourself.
But he certainly seems to be reinventing the wheel; if security is paramount I'd recommend GHS Integrity RTOS. If you need something more well-known, it's certainly possible to develop secure firmware with VxWorks as a base.
The real security comes from a sound design on top of the COTS product(s), and a