Meanwhile, utilities lag when it comes to cyberattack preparedness and risk management at the executive and board level

Microsoft today added two new recruits to its Secure Development Lifecycle (SDL) -- a SCADA and smart-grid supplier and the government of India.

The software giant named the latest adopters of its process for writing secure applications today at its first-ever Security Development Conference in Washington, D.C. The announcement follows that of BITS, the technology division of The Financial Services Roundtable, and the Financial Services Information Sharing and Analysis Center (FS-ISAC), which in February issued an SDL-based blueprint for financial-services firms to write more secure internal and customer-facing applications.

Liberty Lake, Wash.-based Itron, which sells smart meters, data collection, and software solutions to around 8,000 utilities in more than 130 countries and regions worldwide, has made SDL mandatory in all hardware and software development. Its first SDL-based products were an encryption server and a new family of smart meters. "We are really delighted that a major critical infrastructure firm is making the software it supplies more secure," says Steve Lipner, partner director of program management in Microsoft's Trustworthy Computing group.

Itron isn't the first company in the utility industry to go SDL: MidAmerican Energy Company also uses the framework in its application development process. Microsoft also announced today that the government of India's Computer Emergency Response Team (CERT-In) has begun deploying SDL for application security, and that the Indian government's National Informatics Centre is mandating SDL training for 10,000 cyberforensic investigators there.

"The government of India has included SDL practices in its [draft] five-year economic plan," Lipner says. "This is the strongest endorsement yet of the SDL by a government."


Secure SCADA coding?
Scores of holes in SCADA software have been exposed by security researchers since all eyes began to focus on the power grid in the wake of the discovery of the Stuxnet worm, and concerns about attacks on the power grid have escalated. But utilities remain behind the curve when it comes to readiness for an attack, according to a newly published study by Carnegie Mellon University and RSA on how boards and senior executives in various industries are managing security risks. The CMU/RSA study found that utilities are among the least-prepared industries when it comes to risk management and board-level knowledge of IT issues, and that they don't properly review their cyberinsurance coverage.

"The utilities/energy sector and the industrial sector came in last in numerous areas. It's stunning because they are what I call supercritical infrastructure, meaning if there's a problem with electricity and communications with them, all other critical infrastructure doesn't operate," says report author Jody Westby, adjunct distinguished fellow at CMU's CyLab and CEO of Global Cyber Risk LLC.

Eddie Schwartz, CSO at RSA, says some utilities are more mature about cyber-risks than others, and the survey highlights a gap in some where their boards may know plenty about physical outage costs and risks, but aren't considering the big picture of cybersecurity risk management, as well.

It's also a matter of trade-offs and priorities in their budgets. It's the old story where IT security can't really cost-justify itself, and upper management funds what it best understands: the tangibles. "Do I allocate resources to cybersecurity, or do I cut down trees hanging on high wires? ... They have to realize the net expense," Schwartz says.

Meanwhile, Microsoft's Lipner says Itron's SDL adoption could make a major impact on smart grid security. "They have one-third of the smart meters in the U.S. and Canada," he notes, and smart-grid adoption will be more widespread in the next five years.

"It's really important we move forward" with secure development of these products, Lipner says. Then the next wave of these products will be built more securely from the ground up, he says.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
