When it comes to control systems, a common question has long been: Is Linux inherently more secure than Windows? Being a fan of Linux/Unix systems, I desperately want to answer “yes” to this question. During the 1980s and 1990s, so much of the work I was involved in ran under Unix. These days I run Linux on my home computer, and once a year I boot up a Windows XP virtual machine running under Virtual Box, to run my tax software. In the office, I rant about the lousy Windows operating system (OS) and ask why the world doesn’t switch to Linux. And as much as I hate to admit it, as a system integrator I am mostly locked into dealing with Microsoft’s flavor of the month operating system because of customer standards and the tools available.
From the appearance of “Brain,” which is recognized as the first computer virus, in 1986, to Stuxnet to the Zotob worm (the virus that knocked 13 of DaimlerChrysler’s U.S. automobile manufacturing plants offline), one thing all these viruses have in common is that they were directed at Microsoft’s operating systems. However, according to Zone-H (an archive of defaced websites), in a statistics report for the period 2005-2007: “In the past the most attacked operating system was Windows, but many servers were migrated from Windows to Linux… Therefore the attacks migrated as well, as Linux is now the most attacked operating system with 1, 485,280 defacements against 815,119 in Windows systems (numbers calculated since 2000).”
These statistics are no longer posted on Zone-H, hence the lack of recent data.
According to the U.S. Department of Homeland Security (DHS), the equation for determining risk is: Risk = Vulnerability X Threat X Consequence.
Eliminate any one of these and you no longer have a risk. Much publicity centers on the vulnerability of operating systems, but clearly other factors can be minimized to reduce the overall risk. The DHS issued a report titled 21 Steps to Improve Cyber Security of SCADA Networks during the Bush administration. Not one of the “steps” was “switch to a more secure operating system.”
So, is a Linux-based industrial control system (ICS) more secure? Going into this I wanted to say “yes,” but now I have to say that I am not convinced it is any more or less secure. Both Microsoft and the Linux communities distribute security patches frequently, indicating that there are vulnerabilities being discovered regularly. The operating system is only one piece of the ICS. A comprehensive security program must be defined and executed. The Guide to Industrial Control Systems (ICS) Security, published by the DHS, recommends the following steps:
- Obtain senior management buy-in;
- Build and train a cross-functional team;
- Define charter and scope;
- Define specific ICS policies and procedures;
- Define and inventory ICS assets;
- Perform a risk and vulnerability assessment;
- Define the mitigation controls; and
- Provide training and raise security awareness for the ICS staff
It reminds me of the Navy recruiting poster showing a sailor and the statement “Eternal Vigilance is the Price of Freedom.” Regardless of the operating system, we must be remain vigilant in defining and assessing risk, as well as taking action to mitigate it.
*See Guide to Industrial Control Systems Security, NIST Special Publication 800-82 rev 1.
David K. Anderson is senior project manager at Loman Controls Inc., a Certified member of the Control System Integrators Association. See Loman Controls’ profile on the Industrial Automation Exchange by CSIA.