By Gregory Hale
In light of the vulnerabilities found in SCADA packages from some major players in the industry, software security is coming more to the forefront than ever before.
On the heels of the SCADA vulnerabilities, software security was the topic of a talk from John Cusimano, director of security solutions at exida, entitled “Achieving Software Security Assurance in Safety and Security Critical Applications” at the ICSJWG Spring Conference in Dallas last week.
“Software in our industry needs to be robust and reliable,” Cusimano said.
There is essential software, then there is vitally essential software, and the industrial automation sector falls into the latter category.
He said software is life critical/safety critical in industries such as aviation, medical, nuclear, recreation (in areas like high-speed amusement park rides and things like ski lifts), transportation, automotive, and industrial automation.
Software, like anything else in a control system, is always going to have inherent risks. However, understanding those risks and assessing where your needs are is an important task. He said some of the risks include:
• Size and complexity of the software
• Relying on unvetted software
• Attack sophistication eases exploitation of software weaknesses and vulnerabilities
Developers need to have the mindset where they incorporate security into software from the beginning and not just add it in at the end. Security needs to be part of the entire development process.
“When adding in security to software, you don’t need to reduce the software development cycle, you can add security along in the development process,” he said. “Adding security into the development cycle will add some time to the development phase, but looking at the cost of fixing software after release versus in development is very dramatic.”
When you talk about reducing costs, that catches the ear of the software developer; when you talk about ensuring the software is secure and does not cause unplanned downtime, the user will pay attention.
He said there have been instances where even when a software developer sent out a patch to fix a hole in their software, it caused a crash. “One software vendor patched its software and crashed a SCADA system and took out three plants,” Cusimano said.
In another case, faulty software opened a dam and drained a lake, he said.
“The industry needs to demand software security assurance,” he said.
Suppliers can achieve this security assurance by incorporating security practices into the software development lifecycle.
One way to ensure secure software is certification, such as ISASecure, “which provides the mechanism to recognize products that have been developed following a secure process.”