SCADA/Smart-Grid Vendor Adopts Microsoft's Secure Software Development Program

Published: 22/11/2024   Category: security




Meanwhile, utilities lag when it comes to cyberattack preparedness and risk management at the executive and board level



Microsoft today added two new recruits to its Secure Development Lifecycle (SDL): a SCADA and smart-grid supplier and the government of India.
The software giant named the latest adopters of its process for writing secure applications today at its first-ever Security Development Conference in Washington, D.C.
The announcement follows that of BITS, the technology division of The Financial Services Roundtable, and the Financial Services Information Sharing and Analysis Center (FS-ISAC), which in February issued an SDL-based blueprint for financial-services firms to write more secure internal and customer-facing applications.
Liberty Lake, Wash.-based Itron, which sells smart meters, data collection, and software solutions to around 8,000 utilities in more than 130 countries and regions worldwide, has made SDL mandatory in all hardware and software development. Its first SDL-based products were an encryption server and a new family of smart meters. "We are really delighted that a major critical infrastructure firm is making the software it supplies more secure," says Steve Lipner, partner director of program management in Microsoft's Trustworthy Computing group.
Itron isn't the first company in the utility industry to go SDL: MidAmerican Energy Company also uses the framework in its application development process. The government of India's Computer Emergency Response Team (CERT-IN), meanwhile, has begun deploying SDL for application security as well, Microsoft also announced today, and the Indian government's National Informatics Centre is mandating SDL training for 10,000 cyberforensic investigators there.
"The government of India has included SDL practices in its [draft] five-year economic plan," Lipner says. "This is the strongest endorsement yet of the SDL by a government," Microsoft's Lipner says.
[ Rather than preaching to the choir in security or trying to attract developers to security conferences, a few security experts have begun stepping into the developers' world -- or at least meeting them where they live. See "Walking In The Application Developer's Shoes." ]
Secure SCADA coding?
Scores of holes in SCADA software have been exposed by security researchers since all eyes began to focus on the power grid in the wake of the discovery of the Stuxnet worm, and concerns about attacks on the power grid have escalated. But utilities remain behind the curve when it comes to readiness for an attack, according to a newly published study by Carnegie Mellon University and RSA (PDF) on how boards and senior execs in various industries are managing security risks. The CMU/RSA study found that utilities are one of the least-prepared organizations when it comes to risk management and executive board-level knowledge of IT issues -- and they don't properly review cyberinsurance coverage.
The utilities/energy sector and the industrial sector came in last in numerous areas. "It's stunning because they are what I call 'supercritical infrastructure,' meaning if there's a problem with electricity and communications with them, all other critical infrastructure doesn't operate," says report author Jody Westby, adjunct distinguished fellow at CMU's CyLab and CEO of Global Cyber Risk LLC.
Eddie Schwartz, CSO at RSA, says some utilities are more mature about cyber-risks than others, and the survey highlights a gap in some where their boards may know plenty about physical outage costs and risks, but aren't considering the big picture of cybersecurity risk management as well.
It's also a matter of trade-offs and priorities in their budgets. "It's the old story where IT security can't really cost-justify itself, and upper management funds what it best understands: the tangibles. Do I allocate resources to cybersecurity, or do I cut down trees hanging on high wires? ... They have to realize the net expense," Schwartz says.
Meanwhile, Microsoft's Lipner says Itron's SDL adoption could make a major impact on smart-grid security. "They have one-third of the smart meters in the U.S. and Canada," he notes, and smart-grid adoption will be more widespread in the next five years.
"It's really important we move forward with secure development of these products," Lipner says. "Then the next wave of these products will be built more securely from the ground up," he says.