My own involvement in the software assurance domain is skewed towards IT and data center systems, but our work appears to intersect in a document referenced in the article. "Enhancing the Development Lifecycle to Produce Secure Software, version 2.0" was published in 2008 by the DoD's Data and Analysis Center. Here's an excerpt:
Software Assurance has emerged in response to the dramatic increases in business and mission risks that are now known to be attributable to exploitable software, including:
Asking utilities to detect and protect every weakness in every system they deploy is unrealistic. More manageable, is to ask (or better, demand) suppliers develop and deliver secure systems to their customers, especially those running components of critical national infrastructure. As Cusimano says:
- Dependence on software components of systems despite their being the weakest link in those systems
- Size and complexity of software that obscures its intent and precludes exhaustive testing
- Outsourcing of software development and reliance on unvetted software supply chains
- Attack sophistication that eases exploitation of software weaknesses and vulnerabilities
- Reuse and interfacing of legacy software with newer applications in increasingly complex, disparate networked environments resulting in unintended consequences and the increase of vulnerable software targets
It is refreshing to see a point of view that recognizes that industrial control system security is not just a problem that owners and operators of industrial facilities need to address. Of course, owners/operators are ultimately responsible for the safety and security of their facilities, but that responsibility needs to be shared with their automation equipment suppliers.For a lighter treatment on a related subject, you can see and hear a webcast I did on Smart Grid software security last September by following this LINK.
1 comment:
Your post is very nice, it helped me to gather important and new information on cyber security SCADA. Thanks for sharing information
Post a Comment