Russian Firm Works to Prevent 'Die Hard' Cyberattacks
A researcher testing industrial-control-system security at Idaho National Laboratory.
CREDIT: Idaho National Laboratory
The most successful doctors are often those who diagnose a disease, and then provide the cure.
Moscow's Kaspersky Lab may have that adage in mind. The anti-virus software maker, the third-largest in the world, has been at the forefront of finding and exposing state-sponsored malware that targets industrial control systems running supervisory control and data acquisition (SCADA) software.
Now Kaspersky Labs has revealed that it's spent 10 years developing a brand-new operating system aimed at greatly beefing up the security of industrial control systems — and possibly minimizing the threat of cyberwarfare.
"You could think back to 'Die Hard 4' — where an attack on infrastructure plunged pretty much the whole country into chaos," wrote company co-founder and CEO Eugene Kaspersky on his personal blog yesterday (Oct. 16). "Alas, John McClane isn't around to solve the problem of vulnerable industrial systems, and even if he were — his usual methods of choice wouldn't work. So it comes down to KL to save the world, naturally!"
Kaspersky told the tech-news blog Threatpost (which his company owns) that the operating system, code-named "11.11," is being written from scratch and will wrap around existing ICS and SCADA applications so that they can run unaltered in a secure environment.
"The project has already passed many stages from a deep thought towards a prototype piloting on a dedicated industrial installation," Kaspersky told Threatpost. "Still much to do to make it happen — we will keep you updated about the progress."
So how can an anti-virus company succeed where traditional operating-system makers like Microsoft, Apple or the UNIX community have failed?
"Our system is highly tailored, developed for solving a specific narrow task, and not intended for playing Half-Life on, editing your vacation videos, or blathering on social media," Kaspersky said on his blog. "We're working on methods of writing software which by design won't be able to carry out any behind-the-scenes, undeclared activity."
Still, no matter how good Kaspersky's OS turns out to be, it's unlikely to find broad acceptance in the Western world.
The U.S. government, already worried about Chinese networking software and hardware, would be very reluctant to allow American critical infrastructure to be controlled by software built in Russia — especially by a firm rumored, perhaps unfairly, to have ties to the Kremlin.
Addressing a basic need
That doesn't mean that Eugene Kaspersky and his company are wrong in identifying, and trying to fix, a problem. Fundamentally, industrial control systems are designed for robust reliability, not security.
"Uninterrupted continuity of production is of paramount importance at any industrial object in the world," Kaspersky pointed out in his personal-blog posting. "Security is relegated to second place."
Ever since the Stuxnet worm took over an Iranian nuclear-fuel processing facility in the summer of 2010, causing millions of dollars in damage, security researchers have had fun demonstrating the weaknesses of industrial control systems.
One group showed how a standard software problem could cause all the cell doors in a prison to open at once. Another researcher has found and publicized flaws in software made by several major manufacturers of industrial-control devices.
A second problem is that few industrial control systems were ever meant to be connected to the Internet. But for reasons of cost and convenience, many, if not most, have been, allowing an easy method of infiltration by remote attackers.
Yet even network isolation doesn't fully protect a system. Stuxnet infected the Iranian facility by riding in aboard a USB flash drive.
Yippie kay yay
Kaspersky's not alone in channeling Bruce Willis when trying to making a point about the insecurity of industrial control systems.
Scenarios resembling "Die Hard 4" have been invoked several times in the past few months by top American officials, including President Barack Obama and Defense Secretary Leon Panetta, as part of an overall White House and Pentagon campaign to pressure private industry into strengthening the security of "critical infrastructure" computer systems.
Last week, Panetta warned business executives that a "cyber Pearl Harbor" loomed in which enemy hackers would derail trains, contaminate water supplies and knock out power grids. In July, Obama penned a Wall Street Journal op-ed piece that painted a similar nightmare.
American officials may be uniquely qualified to understand industrial control system vulnerabilities. It was almost certainly the U.S. that designed and deployed the Stuxnet worm.
Locking down the world
Yet even as the American government has been preparing to defend itself against cyberwarfare, the Russian government has been taking an opposite tack, at least publicly.
The Kremlin, along with the United Nations' International Telecommunication Union (ITU), wants an international treaty forbidding cyberweapons, along the lines of long-standing bans on chemical and biological weapons. The U.S. has wavered between opposing such a treaty and agreeing to at least talk about one.
Kaspersky Lab is a privately held company, but Eugene Kaspersky has been very vocal about supporting the Kremlin's line. He's been an active campaigner for a cyberweapons treaty.
On the research front, Kaspersky Lab has worked closely with the ITU in tracking down and identifying one piece of state-sponsored malware after another: Flame, Gauss and, just this week, miniFlame.
All three have attacked computer systems in Iran and Lebanon, and all — according to Kaspersky Lab — are linked to Stuxnet. Kaspersky Lab won't explicitly say the pieces of malware are American creations, but the inference is clear.
On the online tech forum Slashdot, commenters were having a grand time discussing the Kaspersky SCADA OS.
"Monitoring and 'remote support' by KGB included free with every purchase!" wrote one.
Another responded, "Are you Putin us on?"
"I was Russian to say the same thing, but you beat me to it," wrote a third. "I'm Stalin to think that this whole thing is a hoax."