Tuesday, February 15, 2011

Software Security for Energy Sector Control Systems

John Cusimano has just written a great piece for anyone concerned with the software that runs energy (and other) sector control systems. It's called "Demanding Software Security Assurance" and you can read it HERE.

My own involvement in the software assurance domain is skewed towards IT and data center systems, but our work appears to intersect in a document referenced in the article. "Enhancing the Development Lifecycle to Produce Secure Software, version 2.0" was published in 2008 by the DoD's Data and Analysis Center. Here's an excerpt:
Software Assurance has emerged in response to the dramatic increases in business and mission risks that are now known to be attributable to exploitable software, including:
  • Dependence on software components of systems despite their being the weakest link in those systems
  • Size and complexity of software that obscures its intent and precludes exhaustive testing
  • Outsourcing of software development and reliance on unvetted software supply chains
  • Attack sophistication that eases exploitation of software weaknesses and vulnerabilities
  • Reuse and interfacing of legacy software with newer applications in increasingly complex, disparate networked environments resulting in unintended consequences and the increase of vulnerable software targets
Asking utilities to detect and protect every weakness in every system they deploy is unrealistic. More manageable, is to ask (or better, demand) suppliers develop and deliver secure systems to their customers, especially those running components of critical national infrastructure. As Cusimano says:
It is refreshing to see a point of view that recognizes that industrial control system security is not just a problem that owners and operators of industrial facilities need to address. Of course, owners/operators are ultimately responsible for the safety and security of their facilities, but that responsibility needs to be shared with their automation equipment suppliers.
For a lighter treatment on a related subject, you can see and hear a webcast I did on Smart Grid software security last September by following this LINK
Posted by at 6:43 PM
Labels: , , ,

1 comment:

Cyber Security SCADA said...

Your post is very nice, it helped me to gather important and new information on cyber security SCADA. Thanks for sharing information

September 24, 2018 at 11:52 PM

Post a Comment

Subscribe to: Post Comments (Atom)