Eugene Kaspersky had something of a Larry Ellison impulse this week, creation a confidant explain that he and his association are doing what no one else has ever even attempted: building a secure handling system. Not usually is a avowal false (of march companies have attempted to rise secure OSes in a past), though a oath of delivering a totally secure OS — even for something as privately nichey as SCADA systems and ICSes — borders on insane in that it’s all though unfit to keep.
By approach of context, Kaspersky used Threatpost (The Kaspersky Lab Security News Service) and his personal blog to speak adult a plan underneath approach during Kaspersky Labs: a new secure-by-design handling complement for a operation of SCADA and ICSes. The box for such a complement is extravagantly clear. In new months, hackers have successfully infiltrated superannuated controls systems for water utilities, power plants, complicated industry, and other vicious infrastructure. The trend points to an increasingly realistic doomsday scenarios, such as cyber terrorists pulling off a concurrent penetrate on America’s energy grid, causing large blackouts and withdrawal some-more than 300 million people but electricity for days. Or maybe worse yet, a U.S.-based chief energy plant could be targeted with a Stuxnet-like virus, heading to a inauspicious meltdown.
Kaspersky’s prophesy to exterminate these threats is to rise a secure-by-design handling system, “one onto that [existing] ICS can be installed, and that could be built into a existent infrastructure — determining ‘healthy’ existent systems and guaranteeing a receipt of arguable information reports on a systems’ operation,” he explained in his blog.
There are several pivotal mixture to this system, per Kaspersky. “First: Our complement is rarely tailored, grown for elucidate a specific slight task, and not dictated for personification Half-Life on, modifying your vacation videos, or blathering on amicable media. Second: We’re operative on methods of essay program that by pattern won’t be means to lift out any behind-the-scenes, undeclared activity. This is a critical bit: The stupidity of executing third-party code, or of violation into a complement or using unapproved applications on a OS; and this is both provable and testable.”
Maintaining privacy for a consequence of confidence is also partial of a plan: “There are some sum that will sojourn for certain customers’ eyes usually forever, to sentinel off cyber-terrorist abuses.”
Kaspersky’s prophesy is excellent (if not rather opportunistic). Yes, we need to improved secure old-fashioned ICSes and SCADA systems that weren’t built with a Internet in mind. Also, Kaspersky is still in a early stages of development, so it’s incautious to decider a merits of a project. Still, there are some issues that need addressing.
First, Kaspersky done a rather extended and dubious assertion. He told Threatpost that “no one else ever attempted to make a secure handling system. This might sound uncanny since of a many efforts Microsoft, Apple, and a open source village have done to make their platforms as secure as possible.”