Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

Security Guru Pledges to Strengthen Critical Computers

Computer-security researcher Eugene Kaspersky says he is testing control software that won’t run malicious code.

Industrial systems and critical infrastructure are vulnerable to attack by malicious software. Specially designed operating systems might protect them.

Stuxnet, a piece of malicious software discovered in 2010, targeted industrial software controlling Iran’s uranium-enrichment centrifuges. But the code got loose—and it continues to spread: Chevron, for example, said last week that its network had been infected by Stuxnet.

Malware fighter: Eugene Kaspersky says his company is developing a secure operating system for industrial control systems.

The prospect that malware like Stuxnet could infect and disrupt critical pieces of infrastructure worries government officials (see “Old-Fashioned Control Systems Make U.S. Power Grids, Water Plants a Hacking Target”) and computer scientists like Eugene Kaspersky, CEO of the Moscow-based antivirus company Kaspersky Lab. He has been talking about building secure operating systems for industrial systems, a subject he discussed with MIT Technology Review.

How far has Stuxnet or similar malicious software spread beyond the intended target? What damage or costs are known to have resulted?

I am sure there are more critical companies, critical to national economic and national security, infected by Stuxnet. Unfortunately I don’t have any hard data on this. Stuxnet had infected an estimated 100,000 machines in approximately 30,000 organizations in the month of September 2010.

You say youre working on a secure operating system for industrial systems. What is your proposed solution?

There is only one way to ensure sufficient protection—a secure OS to guarantee there is no unwanted code executed in this environment. This is achieved with a micro-kernel system that, by design, will not allow execution of unauthorized code.

Where does your secure OS stand?

A prototype is ready. We are working with a couple of companies—I cannot disclose which ones yet, but one of them is a large energy-generating company—in developing the prototype to protect the industrial environment, to make sure there are no critical mistakes in our system. Yes, there will be flaws in the current code, but I want to be sure the core ideas of the OS work. These companies also have to develop secure applications to run on the platform.

What “ideas of the OS” are you referring to?

The main idea is that any and all activity will be visible to administrators, and that undeclared functions will be impossible. Existing operating systems have not been created with security in mind. For the majority of them, security is an optional extra, meaning vulnerabilities are inherent in their underlying architecture. The new OS is based on the principles of security.

Of course, we are not ignoring what other operating systems have already achieved [in becoming more secure], but we believe the level of security afforded to them is not enough given the rate at which today’s threats are progressing.

Why can’t we have this level of security on all computers, and not just ones in critical infrastructure?

Use of our secure OS could certainly extend beyond critical infrastructure, and include any organization who values security. We expect that enhanced security requirements will be promoted primarily by government agencies and will apply both to private and to government-owned facilities.

What about defending critical infrastructure with redundant systems, or manual ones?

Hybrid redundant systems and manual systems can help, but new industrial systems are more and more computer controlled. It is cheaper and easier to design. Even the newer American prisons are controlled digitally, and not manually, so these systems are also vulnerable for Stuxnet-like attacks.

Cut off? Read unlimited articles today.

Become an Insider
Already an Insider? Log in.
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.