SCADA/Smart-Grid Vendor Adopts Microsoft's Secure Software Development Program

Meanwhile, utilities lag when it comes to cyberattack preparedness and risk management at the executive and board level

Microsoft today added two new recruits to its Secure Development Lifecycle (SDL) -- a SCADA and smart-grid supplier and the government of India.

The software giant named the latest adopters of its process for writing secure applications today at its first-ever Security Development Conference in Washington, D.C. The announcement follows that of BITS, the technology division of The Financial Services Roundtable, and the Financial Services Information Sharing and Analysis Center (FS-ISAC), which in February issued an SDL-based blueprint for financial-services firms to write more secure internal and customer-facing applications.

Liberty Lake, Wash.-based Itron, which sells smart meters, data collection, and software solutions to around 8,000 utilities in more than 130 countries and regions worldwide, has made SDL mandatory in all hardware and software development. Its first SDL-based products were an encryption server and a new family of smart meters. "We are really delighted that a major critical infrastructure firm is making the software it supplies more secure," says Steve Lipner, partner director of program management in Microsoft's Trustworthy Computing group.

Itron isn't the first company in the utility industry to go SDL: MidAmerican Energy Company also uses the framework in its application development process. Microsoft also announced today that the government of India's Computer Emergency Response Team (CERT-IN) has begun deploying SDL for application security, and that the Indian government's National Informatics Centre is mandating SDL training for 10,000 cyberforensic investigators there.

"The government of India has included SDL practices in its [draft] five-year economic plan," Lipner says. "This is the strongest endorsement yet of the SDL by a government."

[ Rather than preaching to the choir in security or trying to attract developers to security conferences, a few security experts have begun stepping into the developer's world -- or at least meeting them where they live. See Walking In The Application Developer's Shoes. ]

Secure SCADA coding?
Scores of holes in SCADA software have been exposed by security researchers since all eyes began to focus on the power grid in the wake of the discovery of the Stuxnet worm, and concerns about attacks on the power grid have escalated. But utilities remain behind the curve when it comes to readiness for an attack, according to a newly published study by Carnegie Mellon University and RSA (PDF) on how boards and senior execs in various industries are managing security risks. The CMU/RSA study found that utilities are one of the least-prepared organizations when it comes to risk management and executive board-level knowledge of IT issues -- and they don't properly review cyberinsurance coverage.

"The utilities/energy sector and the industrial sector came in last in numerous areas. It's stunning because they are what I call supercritical infrastructure, meaning if there's a problem with electricity and communications with them, all other critical infrastructure doesn't operate," says report author Jody Westby, adjunct distinguished fellow at CMU's CyLab and CEO of Global Cyber Risk LLC.

Eddie Schwartz, CSO at RSA, says some utilities are more mature about cyber-risks than others, and the survey highlights a gap in some where their boards may know plenty about physical outage costs and risks, but aren't considering the big picture of cybersecurity risk management, as well.

It's also a matter of trade-offs and priorities in their budgets. It's the old story where IT security can't really cost-justify itself, and upper management funds what it best understands: the tangibles. "Do I allocate resources to cybersecurity, or do I cut down trees hanging on high wires? ... They have to realize the net expense," Schwartz says.

Meanwhile, Microsoft's Lipner says Itron's SDL adoption could make a major impact on smart grid security. "They have one-third of the smart meters in the U.S. and Canada," he notes, and smart-grid adoption will be more widespread in the next five years.

"It's really important we move forward" with secure development of these products, Lipner says. Then the next wave of these products will be built more securely from the ground up, he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
