Tuesday, February 15, 2011

Software Security for Energy Sector Control Systems

John Cusimano has just written a great piece for anyone concerned with the software that runs energy (and other) sector control systems. It's called "Demanding Software Security Assurance" and you can read it HERE.

My own involvement in the software assurance domain is skewed towards IT and data center systems, but our work appears to intersect in a document referenced in the article. "Enhancing the Development Lifecycle to Produce Secure Software, version 2.0" was published in 2008 by the DoD's Data and Analysis Center. Here's an excerpt:
Software Assurance has emerged in response to the dramatic increases in business and mission risks that are now known to be attributable to exploitable software, including:
  • Dependence on software components of systems despite their being the weakest link in those systems
  • Size and complexity of software that obscures its intent and precludes exhaustive testing
  • Outsourcing of software development and reliance on unvetted software supply chains
  • Attack sophistication that eases exploitation of software weaknesses and vulnerabilities
  • Reuse and interfacing of legacy software with newer applications in increasingly complex, disparate networked environments resulting in unintended consequences and the increase of vulnerable software targets
Asking utilities to detect and protect every weakness in every system they deploy is unrealistic. More manageable, is to ask (or better, demand) suppliers develop and deliver secure systems to their customers, especially those running components of critical national infrastructure. As Cusimano says:
It is refreshing to see a point of view that recognizes that industrial control system security is not just a problem that owners and operators of industrial facilities need to address. Of course, owners/operators are ultimately responsible for the safety and security of their facilities, but that responsibility needs to be shared with their automation equipment suppliers.
For a lighter treatment on a related subject, you can see and hear a webcast I did on Smart Grid software security last September by following this LINK

1 comment:

shakil hossain said...

We know that one of the most important and challenging goals for small businesses and buildings is to lower energy costs with little financial investment in expensive or technology or other tools that require a lot of support, training, and resources. Small businesses often do not have the financial or physical resources necessary for such an undertaking. Best Energy efficiency software Service