News & Events.

Demanding Software Security Assurance Article

  February 11, 2011

---

Users Wonder, “How Dependable, Trustworthy and Resilient Is My Supplier’s Software?”

By John Cusimano, Director, exida Security Services Division

In an October 2010 article at SearchSecurity.com, Mark Weatherford, vice president and chief security officer at NERC, was quoted as saying, “Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”

He went on to say, “This is not an indictment of [the] control system industry; it’s an indictment of the IT business in general. We’re still seeing products that come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time.”

It is refreshing to see a point of view that recognizes that industrial control system security is not just a problem that owners and operators of industrial facilities need to address. Of course, owners/operators are ultimately responsible for the safety and security of their facilities, but that responsibility needs to be shared with their automation equipment suppliers.

These suppliers have a responsibility to ensure that their products are safe, secure and reliable. But, while they undoubtedly all strive to meet this expectation, achieving it has become increasingly difficult, as even the simplest of products have evolved to rely on sophisticated software that often isn’t even written by the supplier. Couple the increased vulnerability of automation products due to software complexity with the emerging threat posed by viruses such as Stuxnet, and it is easy to see why Weatherford is calling for suppliers to focus on software security assurance for their customers.

Wikipedia defines software security assurance (SSA) as “the process of ensuring that software is designed to operate at a level of security consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability or misuse of the data and resources that it uses, controls and protects.”

Read more by clicking the link below.

More News

• April 10, 2024
  exida Exhibiting at Transport Research Arena (TRA) in Dublin
• April 09, 2024
  Qualcomm Receives ISO 26262 Certification for Semiconductor Components
• March 12, 2024
  Three YORK® Chiller Solutions Earn ISASecure® Certifications for Embedded Cybersecurity
• March 04, 2024
  2024 exida PAMR Symposium to be held in Germany
• January 18, 2024
  exida Authored Article in December 2023 Process Safety Progress
• January 17, 2024
  Green Hills Software Is First Embedded Software Company to Receive ISO/SAE 21434 Certificate
• January 16, 2024
  Qualcomm Receives ISO 26262 Certification for Semiconductor Components