Will software revamp guard grid against cyberattack?
Hear the word “cyberattack”, and gas pipelines, factories and power stations aren’t necessarily the first targets that spring to mind. But such facilities are often controlled by software that lacks the appropriate defences. Now the cybersecurity company Kaspersky Labs, based in Moscow, Russia, is developing an operating system that it claims will block hacker or malware attacks on critical infrastructure.
Such attacks are not merely a theoretical possibility. In 2010, the Stuxnet worm, which some observers suspect was developed by US and Israeli intelligence agencies, exploited vulnerabilities in supervisory control and data acquisition (SCADA) software. The worm wrecked hundreds of centrifuges at Iran’s Natanz nuclear facility, temporarily derailing its uranium enrichment programme.
Eugene Kaspersky, the firm’s co-founder, says its secure operating system will prevent such attacks by stopping SCADA software from sending malicious commands to programmable logic controllers. PLCs are specialised computers that operate pumps, relays, motors, vents, circuit breakers and other industrial equipment.
SCADA software often runs on Windows-based PCs. To avoid downtime, these computers are rarely given software updates and antivirus patches – making them vulnerable to attack.
Kaspersky’s solution is to build an operating system dedicated to running SCADA software and controlling PLCs. It will be built from scratch – so will not be based on existing software – and will contain a bare minimum of code, making it possible to verify mathematically that the system is free of vulnerabilities that could be exploited in an attack.
This so-called “formal verification” procedure will ensure it is “categorically impossible” for the operating system to run unauthorised malicious commands, says Kaspersky.
While details on how the system will work are scant, Robert Ghanea-Hercock, chief security researcher at BT Laboratories in Ipswich, UK, reckons the new operating system will run existing SCADA software in a safe “sandbox” module that is constantly monitored for malicious activity. “I hope it succeeds,” he says. “Something needs to be done to protect global critical infrastructure from hacktivist groups.”
Some critics, however, think Kaspersky may have the wrong target in his crosshairs. Ralph Langner, the security engineer based in Hamburg, Germany, who first worked out how Stuxnet launched its assault, thinks that instead of focusing on the operating system, we should be concentrating on fortifying the SCADA software. “The security problems of production plant controllers are not at the operating system level, they are at the application level,” Langner says.
There may also be a more fundamental problem. Formal verification may simply be the wrong choice, says Boldizsár Bencsáth, a researcher at the Laboratory for Cryptography and Systems Security in Budapest, Hungary, which has been in the vanguard of investigating Stuxnet and its ilk. Bencsáth warns that only small programs can be mathematically verified, limiting the versatility of the systems in question. While Kaspersky’s efforts may stymie some attacks on the low-hanging fruit, “there is no uncrackable system”, he says.
Indeed, some attackers are trying novel tricks, says Victor Sheymov, a former Soviet KGB cryptographer who defected to the US in 1980 and who, after a stint at the US National Security Agency, now works in computer security. He says that Kaspersky’s system fails to address the emerging attack trend, which bypasses software entirely to target hardware. “Whatever attacks are possible in software can now be done with maliciously corrupted hardware,” he says. “Fortifying operating systems, like robust versions of Linux, only helps against primitive attacks.”
Whether or not Kaspersky succeeds, however, there may be a larger benefit. Langner predicts one benefit of a commercial antivirus vendor like Kaspersky entering this space: it could motivate SCADA companies like Rockwell and Siemens to finally address the issue of cybersecurity at industrial sites and utilities. With more sophisticated attacks on the rise, perhaps commercial competition is the best hope.