October 17, 2012, 4:53 AM — Russian security firm Kaspersky Lab is developing a secure operating system for industrial control systems, its chairman and CEO Eugene Kaspersky said on Tuesday.
"Quite a few rumors about this project have appeared already on the Internet, so I guess it's time to lift the curtain (a little) on our secret project and let you know (a bit) about what's really going on," Kaspersky said in a blog post.
The new operating system aims to protect complex industrial systems that have become the target of a variety of high-profile cyberweapons such as Stuxnet, Duqu, Flame and Gauss. Governments are also concerned that the systems that keep critical infrastructure running could be compromised.
U.S. Secretary of Defense Leon Panetta said last week at a meeting of the Business Executives for National Security (BENS) in New York that aggressor nations or extremist groups could use cybertools to derail passenger trains, or even more dangerously trains loaded with lethal chemicals. "They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country," he added.
In running industrial systems the priority so far has been to maintain operation under any circumstances and not to secure the systems, and very often this leads to industrial control system (ICS) software not being updated at all, just to make sure it stays running, Kaspersky said. Manufacturers of specialized software are also not interested in constant source code analysis and patching holes, and typically respond after an exploit is found and exposed on the Internet, he added.
Most automated control systems were not created with security in mind, which is the reason for example that most protocols used for the exchange of information used in SCADA (Supervisory Control and Data Acquisition) and PLCs (Programmable Logic Controllers) don't require any user identification or authorization, according to a separate analysis by Kaspersky Lab.
The vulnerability of control software, programmed controllers, and industrial communication networks leads to operators of industrial and infrastructure systems not being able to receive information on the system's total operation, Kaspersky said.
While ideally all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyberattacks, the costly effort would still not guarantee the stable operation of systems, Kaspersky said.