Unikernel Isolation for Secure SCADA
Phone: (833) 626-6867
SCADA and ICS systems compose large parts of critical infrastructure. Power system settings in particular are trivial to find and maliciously alter. There are many problems, such as the use of outdated protocols like MODBUS and the connection of end systems directly to the internet, where they can be found on vulnerability search engines such as Shodan. One of the larger issues, however, is the outdated notion of having remote login capabilities on end systems, which allows attackers to run malicious programs on the end system that were never supposed to be run there. Many RTUs built by large electrical companies have embedded Linux as the base operating system. This is precisely what gives attackers the ability to log in to remote systems and run arbitrary commands.
We propose building a sample POC SCADA system using unikernels. Unikernels isolate each individual application into a single-purpose VM that explicitly cannot run other commands and has no notion of users or remote login. For the Phase 1 effort we plan on creating a proof of concept SCADA network utilizing unikernels. The example network will be composed of two or more ARM-based devices serving as an RTU and an MTU, with the software provisioned as unikernels instead of on legacy Linux. While we have plenty of experience building x86-based unikernel systems, the work here would involve adding ARM support, as most RTUs built by large electrical companies are based on that architecture. Today we have no ARM support. For this initial work we would have them talk via MODBUS (MODBUS security concerns notwithstanding).
SCADA and ICS systems aren't used just for power systems but for a very wide range of industrial controls, from refineries to manufacturing to sewage plants and even railroad systems. All of these can benefit greatly from having RTUs deployed as unikernels. Future work could address other commonly used protocols such as DNP3 or ICCP to provide deeper integration with other SCADA use cases.
While we don't see the business itself evolving into a SCADA systems hardware provider, software licenses could be sold to incumbent vendors and their network of system integrators. Finally, there are many other non-SCADA uses for ARM support in the unikernel, such as all of the edge compute being deployed.
* Information listed above is at the time of submission. *