Demanding Software Security Assurance Article | exida

News & Events.

Demanding Software Security Assurance Article

  February 11, 2011

Users Wonder, “How Dependable, Trustworthy and Resilient Is My Supplier’s Software?”

By John Cusimano, Director, exida Security Services Division

In an October 2010 article at, Mark Weatherford, vice president and chief security officer at NERC, was quoted as saying, “Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”

He went on to say, “This is not an indictment of [the] control system industry; it’s an indictment of the IT business in general. We’re still seeing products that come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time.”

It is refreshing to see a point of view that recognizes that industrial control system security is not just a problem that owners and operators of industrial facilities need to address. Of course, owners/operators are ultimately responsible for the safety and security of their facilities, but that responsibility needs to be shared with their automation equipment suppliers.

These suppliers have a responsibility to ensure that their products are safe, secure and reliable. But, while they undoubtedly all strive to meet this expectation, achieving it has become increasingly difficult, as even the simplest of products have evolved to rely on sophisticated software that often isn’t even written by the supplier. Couple the increased vulnerability of automation products due to software complexity with the emerging threat posed by viruses such as Stuxnet, and it is easy to see why Weatherford is calling for suppliers to focus on software security assurance for their customers.

Wikipedia defines software security assurance (SSA) as “the process of ensuring that software is designed to operate at a level of security consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability or misuse of the data and resources that it uses, controls and protects.”

Read more by clicking the link below.