07:26 PM
SCADA/Smart-Grid Vendor Adopts Microsoft's Secure Software Development Program

Meanwhile, utilities lag when it comes to cyberattack preparedness and risk management at the executive and board level

Microsoft today added two new recruits to its Secure Development Lifecycle (SDL) -- a SCADA and smart-grid supplier and the government of India.

The software giant named the latest adopters of its process for writing secure applications today at its first-ever Security Development Conference in Washington, D.C. The announcement follows that of BITS, the technology division of The Financial Services Roundtable, and the Financial Services Information Sharing and Analysis Center (FS-ISAC), which in February issued an SDL-based blueprint for financial-services firms to write more secure internal and customer-facing applications.

Liberty Lake, Wash.-based Itron, which sells smart meters, data collection, and software solutions to around 8,000 utilities in more than 130 countries and regions worldwide, has made SDL mandatory in all hardware and software development. Its first SDL-based products were an encryption server and a new family of smart meters. "We are really delighted that a major critical infrastructure firm is making the software it supplies more secure," says Steve Lipner, partner director of program management in Microsoft's Trustworthy Computing group.

Itron isn't the first company in the utility industry to go SDL: MidAmerican Energy Company also uses the framework in its application development process. The government of India's Computer Emergency Response Team (CERT-IN), meanwhile, has begun deploying SDL for application security, as well, Microsoft also announced today, and the Indian government's National Informatics Centre is mandating SDL training for 10,000 cyberforensic investigators there.

"The government of India has included SDL practices in its [draft] five-year economic plan," Lipner says. "This is the strongest endorsement yet of the SDL by a government."


Secure SCADA coding?
Scores of holes in SCADA software have been exposed by security researchers since all eyes began to focus on the power grid in the wake of the discovery of the Stuxnet worm, and concerns about attacks on the power grid have escalated. But utilities remain behind the curve when it comes to readiness for an attack, according to a newly published study by Carnegie Mellon University and RSA on how boards and senior executives in various industries are managing security risks. The CMU/RSA study found that utilities are among the least-prepared organizations when it comes to risk management and board-level knowledge of IT issues -- and they don't properly review their cyberinsurance coverage.

"The utilities/energy sector and the industrial sector came in last in numerous areas. It's stunning because they are what I call supercritical infrastructure, meaning if there's a problem with electricity and communications with them, all other critical infrastructure doesn't operate," says report author Jody Westby, adjunct distinguished fellow at CMU's CyLab and CEO of Global Cyber Risk LLC.

Eddie Schwartz, CSO at RSA, says some utilities are more mature about cyber-risks than others, and the survey highlights a gap in some where their boards may know plenty about physical outage costs and risks, but aren't considering the big picture of cybersecurity risk management, as well.

It's also a matter of trade-offs and priorities in their budgets. It's the old story where IT security can't really cost-justify itself, and upper management funds what it best understands: the tangibles. "Do I allocate resources to cybersecurity, or do I cut down trees hanging on high wires? ... They have to realize the net expense," Schwartz says.

Meanwhile, Microsoft's Lipner says Itron's SDL adoption could make a major impact on smart grid security. "They have one-third of the smart meters in the U.S. and Canada," he notes, and smart-grid adoption will be more widespread in the next five years.

"It's really important we move forward" with secure development of these products, Lipner says. Then the next wave of these products will be built more securely from the ground up, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...