Kaspersky has announced that it is in the process of developing a secure operating system (OS) to protect industrial control systems used in industry/infrastructure.
According to a blog by Kaspersky Lab CEO Eugene Kaspersky, while it was still in development he said it is ‘a truly secure environment'.
“It's a sophisticated project, and almost impracticable without active interaction with ICS operators and vendors. We can't reveal many details of the project now because of the confidentiality of such cooperation and we don't want to talk about some stuff so competitors won't jump on our ideas and nick the know-how,” he said.
Kaspersky also admitted that the OS will not be for gaming or social networking, as the company was working on methods of writing software which by design, will not be able to carry out any behind-the-scenes, undeclared activity.
The idea and development has come from the recognition that ‘always on' environments cannot be switched off due to them maintaining constant operation where ‘security is relegated to second place', especially when it comes to patching and vulnerability management.
He said: “As experience has shown, corners (costs) are normally cut on this kind of activity and patches are released only if a certain exploit has been found and put on the internet. In fairness, this is true for common, garden-variety software, not just specialised software; today we're talking about specifically industrial software.-
“Specialists at industrial/infrastructure organisations also apply traditional methods of protection of vulnerable software and operating systems through control over program behaviour and also over actions of users. But a 100 per cent guarantee of protection can't be provided, again because of vulnerability-by-default in the software doing the controlling. But for critical infrastructure a guarantee is what is needed most of all.”
Kaspersky said that to solve the problem in an ideal world, all industrial control system software would need to be rewritten to incorporate all of the security technologies available, also taking into account the new realities of cyber-attacks.
“Alas, such a colossal effort coupled with the huge investments that would be required in testing and fine-tuning would still not guarantee sufficiently stable operation of systems,” he said.
This is why a secure operating system is a ‘fully realisable alternative', one onto which industrial control systems can be installed and can be built into the existing infrastructure to control ‘healthy' existing systems and guarantee the receipt of reliable data reports on the systems' operation.
Kaspersky said that it was quite simple to create a secure OS, as it was working on methods of writing software which by design won't be able to carry out any behind-the-scenes, undeclared activity.
“This is the important bit: the impossibility of executing third-party code, or of breaking into the system or running unauthorised applications on our OS; and this is both provable and testable,” he said.
“In anticipation of the multitude of questions from colleagues, partners, media and simply curious folks, a few basics: the development is a truly secure environment."