The lack of security in Internet of Things (IoT) devices is increasingly worrying to CISOs trying to protect corporate networks, particularly after the distributed denial of service attacks marshalled last year by the Mirai botnet.
So developers and manufacturers of IoT devices will be interested in the release announced Monday of KasperskyOS, which the namesake company calls a secure operating system for network devices, industrial control systems, and the IoT.
“Our OS is not an out-of-the-box product; it’s a project offering,” company CEO Eugene Kaspersky said in a blog. “We’re not selling a boxed solution with a cure-all for everyone. Instead, we collaborate with vendors and developers who provide, say, networking equipment, industrial automation systems, automotive solutions, even smart fridges. We provide the code and help configure the system based on their requirements.”
Because solutions are customized, he didn’t cite a price.
While he doesn’t claim the OS cannot be hacked, Kaspersky says security is enhanced because the OS does only what it’s instructed to do; it can’t do anything else. Developers can look at the source code and immediately see if anything has been added that they don’t want. The kernel does not transmit data, the company says, and the microkernel “has practically nothing in it. All drivers are kept isolated. So to pass any data, one has to write another piece of code. It will be seen quite clearly — you don’t even have to look at the source code to see it. All of this is written in security policies. And the customer will always be able to audit those policies, regardless of the code. If the policies contain no instructions to send data, the system doesn’t do it.”
The OS is made up of three components: an OS (KOS), a standalone secure hypervisor (KSH), and a dedicated system for secure interaction among OS components (KSS). Developers can license any of them for the purpose they need. For example, the blog says, a German company licensed KSS for its own operating system. The blog says some vendors are interested only in the KSH hypervisor, which lets them securely run existing applications without modification.
The solution is one that developers should consider when designing new network devices. Unfortunately, it won’t help fix the millions of unpatched and insecure devices already on the Internet. It will be a while before they are retired. Meanwhile, such devices will continue to be a menace.