Security must evolve along with the industrial Internet. The Stuxnet attack on Iran’s centrifuges in 2010 highlighted both the risk that software-borne attacks pose to physical equipment and the limits of defending against them by disconnecting from the Internet (the worm crossed the air gap, in part, on USB keys). Potential attackers range from small-time corporate spies to sophisticated government units that might use infrastructure disruption as a weapon.
Comparing industrial Internet security to consumer and enterprise web security is difficult; requirements, challenges, and approaches differ significantly. In industrial systems, stability is crucial, and isolating an infected system — or adding an air gap as a preventative measure — can be enormously costly. Some tools that are hard to apply to the unstructured web are effective in industry, though: because industrial systems usually have known, simple network structures with highly regular traffic patterns, anomaly detection and other machine-learning techniques hold great promise as ways to find and stop attacks. The baseline has to be learned from traffic that is believed to be clean, and an alert still needs someone who understands the process to judge it, but the more computing power companies add at the network level as they connect their industrial systems, the more powerful these approaches will become.
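The baseline-and-deviate approach the paragraph describes (and that the interview returns to when Schouwenberg talks about detecting unusual instructions) looks like this in practice. This is an added example, not code from the article, from Kaspersky Lab or from GE. The hosts, ports, Modbus function codes and flow records are constructed for illustration; a real deployment would feed the detector from a network tap or flow exporter rather than an inline list.

```python
"""Baseline-and-deviate anomaly detection over constructed ICS flow records.

Added example; not code from the original article, Kaspersky Lab or GE.
Every address, port and function code below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int     # seconds from start of capture (constructed)
    src: str
    dst: str
    dport: int
    func: int   # Modbus/TCP function code; 0 here means "not Modbus"


# Constructed baseline: an HMI polls two PLCs (read holding registers, code 3)
# every 5 s and a historian reads from the HMI once a minute. Nothing writes.
BASELINE = (
    [Flow(t, "10.0.1.10", "10.0.2.21", 502, 3) for t in range(0, 300, 5)]
    + [Flow(t, "10.0.1.10", "10.0.2.22", 502, 3) for t in range(0, 300, 5)]
    + [Flow(t, "10.0.3.5", "10.0.1.10", 5432, 0) for t in range(0, 300, 60)]
)

# Constructed test window: the same traffic, plus an unknown host writing
# registers (code 16) to a PLC, the trusted HMI issuing a write it never made
# before, and a burst of reads at 1/s instead of 1 every 5 s.
TEST = (
    [Flow(t, "10.0.1.10", "10.0.2.21", 502, 3) for t in range(300, 600, 5)]
    + [Flow(t, "10.0.1.10", "10.0.2.22", 502, 3) for t in range(300, 600, 5)]
    + [Flow(t, "10.0.3.5", "10.0.1.10", 5432, 0) for t in range(300, 600, 60)]
    + [Flow(420, "10.0.9.77", "10.0.2.21", 502, 16)]
    + [Flow(450, "10.0.1.10", "10.0.2.21", 502, 16)]
    + [Flow(t, "10.0.1.10", "10.0.2.22", 502, 3) for t in range(500, 560)]
)


def key(f):
    """Identity of a conversation: who talks to whom, on what port, doing what.

    Including the function code means a trusted host doing a new kind of
    operation (a write from a host that only ever read) is still "new".
    """
    return (f.src, f.dst, f.dport, f.func)


def bucketize(flows, window, start=None):
    """Count flows per conversation key per time bucket of `window` seconds."""
    if start is None:
        start = min(f.ts for f in flows)
    nbuckets = (max(f.ts for f in flows) - start) // window + 1
    counts = defaultdict(lambda: [0] * nbuckets)
    for f in flows:
        counts[key(f)][(f.ts - start) // window] += 1
    return counts


def learn_baseline(flows, window=60):
    """Whitelist every conversation seen and record its per-bucket rate profile.

    Caveat: anything active while the baseline is captured becomes "normal",
    so this must be learned from traffic you have reason to believe is clean.
    """
    return {k: (mean(series), pstdev(series))
            for k, series in bucketize(flows, window).items()}


def detect(profile, flows, window=60):
    """Return (unknown_flows, rate_alerts) for a window of flows.

    rate_alerts entries are (key, bucket_index, count, threshold).
    """
    unknown = [f for f in flows if key(f) not in profile]
    known = [f for f in flows if key(f) in profile]
    rate_alerts = []
    if known:
        start = min(f.ts for f in flows)
        for k, series in bucketize(known, window, start).items():
            mu, sigma = profile[k]
            # Stable ICS polling often has sigma == 0; keep a floor on the
            # tolerance or a single extra poll would raise an alarm.
            threshold = mu + max(3 * sigma, 0.5 * mu)
            for i, n in enumerate(series):
                if n > threshold:
                    rate_alerts.append((k, i, n, threshold))
    return unknown, rate_alerts


if __name__ == "__main__":
    prof = learn_baseline(BASELINE)
    unk, rates = detect(prof, TEST)
    for f in unk:
        print(f"unknown conversation at t={f.ts}: {key(f)}")
    for k, i, n, thr in rates:
        print(f"rate anomaly {k} bucket {i}: {n} flows, threshold {thr:.1f}")
```

Run against the constructed test window, the whitelist check flags both writes (the one from an unfamiliar host and the one from the trusted HMI, because the function code is part of the conversation key), and the rate check flags the two minute-long buckets that contain the read burst. Two things a practitioner should keep in mind: an anomaly is a question, not a verdict, so each alert needs someone who knows whether a write to that PLC was scheduled; and the tolerance floor is a policy choice that trades a few false alarms during legitimate maintenance against sensitivity to slow changes.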
Back in October, Eugene Kaspersky announced that his security firm is developing an industrial operating system — a “highly-tailored system,” one that “by design won’t be able to carry out any behind-the-scenes, undeclared activity.” Last fall, I interviewed Roel Schouwenberg (@Schouw), a researcher at Kaspersky Lab who is working on the new industrial OS. What follows is a lightly edited transcript of our wide-ranging conversation.
Tell me a bit about how the OS project came about — does it have its origins in Kaspersky’s Stuxnet research?
Roel Schouwenberg: Eugene [Kaspersky] and a few others started talking about this a decade ago, actually. Eugene’s idea was that the only way to solve the malware problem would be to build something that was constructed with security in mind — what he called secure OS. That was just a concept for a while, and then Stuxnet came along and it became increasingly clear that the secure OS implementation would be best suited for the industrial control world, where you have this very specific set of circumstances where it would just work best.
If you work on consumer machines and say, “here is this completely different operating system, have fun with that,” that obviously doesn’t work, but in the industrial control world there are different sets of requirements that place a big emphasis on security above all else.
Saudi Aramco was in the news recently saying that they very strongly believe that the goal of the Shamoon malware was to sabotage production of oil. That didn’t happen, obviously, but the company was crippled. They said the object of Shamoon was to actually mess with the oil production and hurt the company and the global economy that way. Shamoon doesn’t come close in any way, shape or form to Stuxnet, but I think that the significance of Shamoon cannot be understated. It was a relatively simple piece of malware with very silly programming errors that was still very effective in wiping all those machines. Even though it didn’t affect oil production itself, Saudi Aramco really struggled to recover from that attack. I think that was maybe the most significant event in that part of the cyber war this year.
So, it was a sabotage attempt, not an espionage attempt?
Roel Schouwenberg: Right, it was a sabotage attempt pretty much from the get-go. Shamoon wiped the data off of any computer that it infected. The goal — or the hope of the attackers — was that Shamoon would be able to bridge the air gap and get onto the industrial control network, and then wipe machines on that network, or any Windows machine on the network, at least.
A lot of industrial systems have been designed without Internet connectivity in mind. Now managers want to connect their systems to the Internet for remote monitoring and emergency control, and even if it’s through a VPN to some control center, it still multiplies the number of entry points and complicates security immensely, right?
Roel Schouwenberg: There are a number of issues here. One of the issues is that actual air gaps really decrease productivity. A lot of people in the industrial world say their efficiency goes down by 20 or 30 percent if they really have no connectivity whatsoever. At that point, you have to employ sneakernets, and people are not so happy about that.
Actually, at one industrial control conference recently, people were telling me that it’s now possible to control certain systems with an app on your iPhone or on your iPad, which is obviously crazy when you think about it. The idea of managing a water or electrical facility with your smartphone is absolutely crazy, but from the fact that it’s now available, you can see that there’s demand for it.
It makes sense when you think about it. If there’s a huge blizzard or something like Sandy happens, you don’t want to go out into that kind of weather, and it would be safer and faster to do that kind of administration from home. But that obviously introduces very interesting security risks.
Is the security risk principally a malware risk introduced by the mobile device, or is it just a generic risk that comes from having more points of connection to the system?
Roel Schouwenberg: It’s both, really. The idea of somebody maybe even using their personal phone to manage critical infrastructure is obviously crazy, but it seems that’s becoming more or less mainstream. If all it takes to get access to that type of facility is to infect somebody’s smartphone, that will really be pretty easy because people don’t think about security on smartphones too much at this point. So, we expect more of these targeted attacks.
We have this situation where, as you pointed out, these systems were not designed with Internet connectivity in mind and now there should be connectivity, at least to the corporate network. I think that can be more or less manageable. But now, all of a sudden, these systems are Internet accessible — directly Internet accessible, and not even just that, but there are dedicated apps for it. That’s going to get messy real soon.
There’s a price to IT security in general. Right now, we have a security situation that is basically suboptimal. We’re at a reasonably stable place, but it’s not an easy fight, and all of a sudden you’re adding mobile and cloud and all of these convenience features into the equation and it becomes exponentially more complex.
As you’re working on the secure OS, what is the vision for that? Is it actually something like a SCADA or PLC operating system, or does it sit at a layer in the air gap?
Roel Schouwenberg: Right now, we’re not yet at a point where we can fully disclose what our implementation is going to be, but the idea is basically that the code is quote-unquote perfect. The level of quality that we need in the code is extremely high and is unlike anything that we’ve seen before. So, basically the goal really is for this OS to have no vulnerabilities, which is clearly a very, very high goal and very hard to achieve. The idea is basically to generically detect if some instruction or some command could be malicious, and to block it.
So, it would use machine learning in order to detect the baseline operation of something like a machine tool, and then understand when it’s been instructed to carry out an unusual operation?
Roel Schouwenberg: That would be one of the approaches that one would take for that, yes. But as I mentioned, I can’t go into any specifics at this point, as we are in the very early stage, and I think we are trying to approach some things from a very different perspective.
When we do have a finalized product, we will be sharing source code with whoever is interested. Obviously, we are talking about critical infrastructure here. The stakes could not be higher. We believe that transparency is extremely important, so we will share source code with governments so that they can confirm that the code is solid.
Big industrial firms are often very conservative in how they approach these things, and they have an old system that works. From what you hear, are they receptive to the idea of a completely new operating system?
Roel Schouwenberg: I think there’s been a lot of positive response, and a lot of people are interested. People really trust our expertise; they’ve read the articles that we’ve published in the last few years with regard to Stuxnet. I think many companies are interested in seeing what we’ll be able to come up with, and I think we’ll definitely be given a shot, if you will, especially if we’re sharing source code, and there will be true vetting of the code.
Do you imagine that it would take a generic enough form that a client could install it on its own?
Roel Schouwenberg: We are working with a number of partners to optimize integration. That is something that is needed, and we’re working on that right now.
What are the shortcomings in the industrial operating systems that are out there and being sold in new systems now?
Roel Schouwenberg: Basically, we are a security company. Everything we do and build is with security in mind, and in the industrial control world they are not there. It took Microsoft many years to become an acknowledged player in terms of security development, and when you look at the types of vulnerabilities being discovered in SCADA and ICS software today, those are very basic issues. They’re basically at the same level that we saw 10 years ago for Windows. So, there is a very big gap between where most vendors are and where reality is, if you will.
How similar is an OS that runs in a railroad locomotive to an OS that runs in an automotive factory or an OS that runs in a dam? Do they all face the same problems at some generic level that you can approach the same way?
Roel Schouwenberg: I think most of the problems are generic enough that you can approach them in the same way.
Are there any generic approaches to this kind of security in place at the moment? Is there an industry standard that’s in use?
Roel Schouwenberg: There definitely are a number of rules and guidelines that we see, but they only have limited effects. Sometimes regulations make people jump through hoops that they really shouldn’t have to jump through. On the other hand, we see that there is a lot of leeway when it comes to the air gap. Sometimes air gap systems aren’t as air-gapped as they’re supposed to be, and that’s one of the challenges for these types of things.
You mentioned regulation. What are you facing in that respect?
Roel Schouwenberg: I’ve heard stories from some people in the field saying, “I don’t have a Windows environment, but because of regulations, all of a sudden I have to install a Windows virus scanner” or something along those lines. That’s just one example.
I think that’s definitely one of the other major struggles. Governments are trying to see how they can help with this problem, but environments are different, and it’s tough for them to come up with something that’s generic enough that it actually helps everybody and doesn’t slow people down. But with that in mind, I do expect that in the course of next year there will be some developments from the U.S. government, or governments elsewhere, that talk more specifically about regulation in the ICS space that would encourage people to be more secure.
To be more secure in a productive way, you think, or is the approach in the case of U.S. regulation counterproductive?
Roel Schouwenberg: I think the U.S. government realizes that just pushing through regulations that aren’t going to help is not going to be productive. From what I’ve seen so far, they are definitely trying to come up with a balanced way, but it’s a very complicated field.
I think one of the things we may see is some stricter enforcement of air gaps, but that is a very complicated question, and as I mentioned, a lot of the people I talk to say their efficiency takes a serious hit between a partially air-gapped system and a full air gap. That’s a very tough question for the government. Would the government want to more strongly enforce full air gaps and take that productivity hit? I think that would be very highly debated, and I’m not sure we’re going to see an answer there soon because taking a 20 or 30 percent efficiency hit is obviously rather substantial.
Is there a set of industry guidelines today that you think is sensible?
Roel Schouwenberg: There is a lot of common sense in the NIST guidelines, but we do hear that there are some environment-specific issues that cannot be addressed in the broad-guideline kind of way. There are different challenges that you may face being a water utility versus an electric utility. Those situations are not mentioned. So, the question will be whether we’ll see more specific guidelines for that moving forward, or whether this will be something that remains untouched. Right now, I don’t have an answer for that.
In the balance between security and productivity, one of the difficult elements is the human who gets frustrated and circumvents his employer’s security systems. Do you have a sense of the approach you might take there? You see this all the time in consumer security.
Roel Schouwenberg: I think that’s human nature. I’ve heard crazy stories of people bringing in their own computers and connecting them to the control network. Maybe they were bored at night and wanted to play a game on the network, and that wasn’t good enough, so they put in another network card and hooked up that server to the Internet. So, all of a sudden, the control network was directly accessible from the Internet. That stuff happens.
There’s only so much you can do when it comes to that. Obviously, education is important — explaining to people, “Look, you’re putting things in serious jeopardy here.” I think some companies have said it’s grounds for immediate dismissal, and that generally gets the job done.
This is also where the generic security approach becomes important, right? Because the idea is that the software never trusts a particular security measure that’s taken. It’s not aware that there’s an air gap, so it doesn’t trust the air gap.
Roel Schouwenberg: Right. When you build something with security in mind, then that is basically synonymous with saying, “Trust no one, trust nothing.” You can argue that the cause of nearly every security vulnerability that we can see is that some code is assumed to be trusted. When you say, “What if somebody tries to do this or that?” the response should not be, “Why would they do that?”
This is where you see that the industrial control world is really different from the IT world. There are not enough people who know a lot about both worlds. Incidents such as Stuxnet and now Shamoon are obviously destructive, but they are major catalysts when it comes to educating people. More people really need to see proof of things going wrong before they say, “OK, I’ll wear a safety belt, I’ll wear a helmet,” and so on. Both fortunately and unfortunately, moving forward we’ll see more such bad events. Hopefully they will help people be more aware of security.
Industrial controls are headed for the consumer area in fairly short order. Cars today have Microsoft operating systems with cellular connectivity that control just the radio and navigation system, but in something like the Google driverless car, the same operating system is also controlling brakes and acceleration.
Roel Schouwenberg: All this hardware around us is becoming soft. It’s all software these days.
A few months ago, I was dropping off my car at the garage and they said, “We updated the software for your transmission.” It’s absolutely crazy. They’d have had to use a cable for that, but at the same time more and more people have apps on their phones that can remotely start their cars or unlock them.
That’s the bigger picture in today’s world. Everything is becoming wired or, rather, wireless. The field, the scope, the domain of potential software vulnerabilities is just growing and growing. Ten years ago it was just your desktop. Now we have smartphones, cars, you name it. That’s part of why Stuxnet was a landmark event. There was just a handful of people looking into that before, and now a lot of people are interested in it.
All these systems that were basically living in their own little world based on security ideas from the 1970s and 80s are inadequate in 2012.
A car is a lot like an industrial control in a power plant where the security assumption is that if you have access to a port, then you have the authority to be there — you’ve been admitted to the plant floor. And that’s changing when you make it wireless. What should the approach there be?
Roel Schouwenberg: Segregation is very important. On some planes, there is a common link between the flight deck and the entertainment system for the passengers, which is all sorts of crazy.
If you deny people access in the first place, that makes things a lot better. A few years ago, we heard that a malicious music file that you burned on a CD and put in a car would cause a denial of service, not just against the radio but against the car’s entire electrical system.
That’s very clearly a case of non-proper segregation. The radio should not touch the critical systems. Now you have these up-and-coming vehicles, like Tesla, that are really more software than anything else, and the big question is, how secure are they? Right now, I’m not sure that there’s anything to answer that question, really. Which is maybe the reason why I went for a relatively simple car; it doesn’t have any wireless options, even though I was offered the feature where you can turn on your car with your smart phone. Maybe I can expense that.
There’s a human security flaw, too, with some of these wireless services where there’s a giant call center somewhere with hundreds of people switching on cars remotely or downloading their diagnostic information. It’s an extremely complicated environment, and it’s exactly what we were talking about earlier where the connectivity takes these systems that used to have just a few entry points and increases the number of entry points exponentially.
Roel Schouwenberg: I was on a plane the summer before last, waiting for the restroom and I looked around, and I suddenly noticed right next to the console that flight attendants use to turn on and off the lighting that there was a USB port. I can only imagine what that USB port could bring me. It’s hiding in plain sight. Obviously, I did not do anything to it, but I’m very curious.
One of O’Reilly’s authors, Alasdair Allan, was staying in a hotel last fall and managed to download the access records for his room’s electronic lock. He only read it, but the lock also probably had APIs for reprogramming the lock, resetting it, and things like that. People seem not to have given a great deal of thought to what it means to provide these entry points.
Roel Schouwenberg: At offensive security conferences, there are some people who look into those sorts of things, and generally the findings are quite scary; these systems are easily infiltrated because nobody ever designed them with security in mind. All these systems are increasingly electronic, increasingly interoperable, and security is not high on their priority lists.
If you want to take another route, look at TV. If you buy a fancy new Samsung, it comes with Skype and whatnot that integrate into the TV. And underneath Skype is Android. So, you’re looking at a device that’s going to be connected to the Internet for the next five or maybe 10 years. When is it going to receive security updates? You’re looking at millions of peripheral electronics. Treadmills, even, run Android now and are going to be without security updates for a very, very long time.
The great thing about Android is that it’s open and you can basically plug it into any device. But it’s so easy that it’s showing up in all sorts of applications where people haven’t thought about its environment very carefully. On a TV, maybe the worst thing that happens is that you miss your favorite TV show for a week. But looking at it from more of a cyber crime perspective, there’s definitely use for cybercriminals there. It’s obviously not critical infrastructure, but it’s something to think about.
This is a post in our industrial Internet series, an ongoing exploration of big machines and big data. The series is produced as part of a collaboration between O’Reilly and GE. This interview was edited and condensed.