Linked by Thom Holwerda on Wed 17th Oct 2012 23:48 UTC, submitted by poundsmack
Privacy, Security, Encryption Kaspersky is working on its own secure operating system for highly specialised tasks. "We're developing a secure operating system for protecting key information systems (industrial control systems) used in industry/infrastructure. Quite a few rumors about this project have appeared already on the Internet, so I guess it's time to lift the curtain (a little) on our secret project and let you know (a bit) about what's really going on." More here.
Permalink for comment 539095
To read all comments associated with this story, please click here.
This is likely going nowhere
by coreyography on Fri 19th Oct 2012 02:08 UTC
coreyography
Member since:
2009-03-06

Industrial control systems used to use purpose-built OSes at all levels, primarily to achieve the realtime performance required. (Some of these still exist, like VxWorks and QNX -- well, I assume QNX, if RIM hasn't made it into a smartphone toy.) A bit later, they moved the console/server layer to VMS or commercial Unix (Solaris, HP/UX). Now, almost all such systems have devolved into running some Windows variant at the server/console layer, despite the frequent objections of technically-minded users. The vendors could enjoy wide compatibility, and cut their costs by relying on prebuilt tools and libraries for Windows (though Microsoft's API-du-jour mentality burned them more than once). And of course Windows had a lot of CEA - clueless executive appeal.

Even though malware has made Windows a much bigger liability, I don't see the ICS vendors going back. There's no widely used, commercially-supported alternative OS, and the vendors are happy to sell you add-ons (virus scanners, whitelisting software, firewalls, and $ecurity $ervice$) to protect your control system's soft underbelly. Further, you can do a reasonably good job of protecting your system through good security practices and procedures; most of the ICS "hacks" are a result of weaknesses in these practices and procedures. If that's not enough, there are even pricey, physically-enforced one-way firewalls for certain segregation requirements (e.g., NERC). And contrary to what Kaspersky says, you _can_ run these systems isolated, or at least on their own private (control) network. Plants I worked in did it for years; all this connectivity is a relatively recent phenomenon.

At the controller level, the proprietary, realtime OSes are still used. I don't think Kaspersky even tries to address the realtime requirements; I didn't see it mentioned in their article.

Reply Score: 1