EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: Linux vs. RTOS: cost and security; was: Stepper Motor Controllers
From: Benjamin Franksen <[email protected]>
To: "[email protected]" <[email protected]>
Date: Thu, 16 Jul 2015 18:38:22 +0200
On Wednesday 15 July 2015 14:24:17 you wrote:
> On 07/15/2015 07:56 AM, Benjamin Franksen wrote:
> > On Tuesday 14 July 2015 12:16:38 Pete Jemian wrote:
> > It may also be a potential security risk, given that the amount of
> > readily available tools for an attack is much larger on Linux (or any
> > other general purpose OS like Windows or MacOSX), compared to VxWorks
> > or RTEMS.
>
> You are right: the amount of malware targeting Linux is bigger than
> the amount of malware targeting an RTOS. However, the number of attacks
> on industrial devices has grown dramatically within the last few
> years. Also note that security issues affecting a Linux base
> installation are usually fixed much faster and can be deployed much
> more easily/quickly using tools like shared libraries and software packages.
>
> > And cutting something like Linux down to the essentials
> > needed for running one or more soft IOCs (in order to avoid these
> > risks) is not something I'd take on lightly.
>
> On the other hand, most VxWorks/RTEMS machines I've seen so far were
> using technology like telnet (instead of SSH) and NFS (no encryption,
> single point of failure) and did not provide any useful IT monitoring
> (fan speed? temperature? free disk space? ECC errors?)... RTEMS is
> also lacking support for time synchronization using PTP, which will be
> the default for FRIB.
>
> Our answer is a combination of real time tasks in PLCs/motor
> controllers/FPGAs + high-level processes on Linux leveraging the
> latest tools to help the administrator maintain it.

I don't plan to insist on my point (which is a bit weak, granted).
Nevertheless, let me clarify what I meant with "the amount of readily
available tools for an attack": it was not to say that RTOSes like
VxWorks or RTEMS are more secure than Linux. That would be a ridiculous
statement as indeed they are certainly much easier to subvert than
Linux. Neither did I mean that the amount of tools available to subvert
them is smaller (even though that is probably the case, as you
admitted).

What I meant to say is that once they have been subverted, it is easier
to spread the subversion to the rest of the network with a Linux machine,
due to the much larger amount of available tooling, and also the typically
much larger processing power of the underlying machine.

The attack scenario I imagine here is that the IOC (whether it runs a
traditional RTOS or Linux or whatever) is not of primary interest to the
attacker, but rather a convenient entry point to subvert other machines
that contain more interesting information (personal files and
communications, e-mail addresses, access keys, etc etc).

Cheers
Ben
--
"Make it so they have to reboot after every typo." ― Scott Adams


References:
Stepper Motor Controllers Mark Davis
Linux vs. RTOS: cost and security; was: Stepper Motor Controllers Konrad, Martin
