Amid scenarios of hackers seizing control of “critical” infrastructure like nuclear power plants and transportation control systems, a security firm is developing a secure operating system for computers that control such facilities.
In a blog post, Kaspersky Labs chairman and CEO Eugene Kaspersky confirmed such rumors circulating on the Internet – but made clear this early the OS will not be for playing video games, social networking or editing home videos.
Kaspersky said that unlike office systems where an infected computer can be taken offline if a malware is detected, this cannot be done in industrial systems, whose main priority is to maintain constant operation “come hell or high water.”
He also said industrial systems must keep an “always on” environment and may thus not be open to frequent software updates.
Because of these, he said some industrial systems are kept unchanged for decades.
Fighting Stuxnet, Duqu successors
Yet, he said the threat of cyberattacks on industrial systems is very real in this age, saying the perpetrators could go beyond disgruntled employees and now include state-sponsored attacks.
“(I)n recent years there have been departments created for developing cyber-weapons used for attacking opponents’ systems, whomever they may be – perhaps commercial competitors, but more likely other countries in general,” he said.
“I mean things like Stuxnet and the subsequent Duqu, Flame and Gauss – malware so vastly complex that it’s clear it was developed with the support of nation states. And it doesn’t really matter who’s being targeted at present; what matters is that such cyber-weapons are being developed and deployed at all. And once Pandora’s Box is open, there’s no way of getting it closed again,” he said.
While Kaspersky revealed little about the OS they are working on, he indicated this early that it will be nothing like Windows or OS X.
He said his firm’s OS will be “highly tailored,” and not for playing video games or editing vacation videos – or “blathering on social media.”
Also, it will not be able to carry out “behind-the-scenes, undeclared activity” and will not execute third-party code, thus minimizing the chances of code breaking into the system or running unauthorized applications.
Kaspersky said the reality of cyberattacks cannot be taken lightly, citing a direct attack on SCADA systems in 2000 in Australia.
In that incident, an employee of a contractor working on the control systems of Maroochy Shire Council attacked the control system 46 times and causing the pumps to malfunction or stop working.
“Only after months did companies and the authorities manage to work out what had happened. It turned out that the worker really wanted to get a job at the sewage firm, was rejected, and so decided to flood a huge area of Queensland with sewage!” he noted.
Present methods not enough
Kaspersky said present methods – isolating critical systems and disconnecting them from the Internet, and physical isolation from the outside world – are no longer enough.
He said that while makers of systems keep their blueprints secret, information about vulnerabilities is freely available on the Internet. — TJD, GMA News
Kaspersky making its own operating system