Achieving software security assurance in ICS applications
The security vulnerability of industrial automation products is a high-profile topic in today's world. Software complexity, coupled with the emerging threat posed by malware such as Stuxnet, makes it easy to see why end-users are calling for suppliers to focus on Software Security Assurance. This is particularly the case for products used in safety-critical and security-critical applications.

Join exida's Director of Security Services for a no-cost webinar that describes industry best practices and the programs available that provide guidance for end-users on how to request, and for suppliers on how to achieve, Software Security Assurance.
This is an encore of the presentation featured at the ICSJWG 2011 Spring Conference, which is sponsored by the US Department of Homeland Security.

Achieving software security assurance in ICS applications

  1. Achieving Software Security Assurance (in Safety and Security Critical Applications). ICSJWG Spring Meeting, May 2-5, 2011, Dallas, TX
  2. John A. Cusimano, CFSE, CISSP
     • Director of Security Solutions for exida
     • 20+ years of experience in industrial automation
     • Employment history: Eastman Kodak, Moore Products, Siemens
     • Certifications: CFSE (Certified Functional Safety Expert), CISSP (Certified Information Systems Security Professional)
     • Industry associations: ISA S99 Committee (WG4, WG5, WG7, WG8), ISA S84 Committee (WG9), ISA Security Compliance Institute, ICSJWG Workforce Development & Vendor Subgroups
     Copyright © 2010 - exida
  3. Stuxnet Response
     "Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure." Mark Weatherford, Vice President and Chief Security Officer, NERC
  4. Control System Security Layers of Responsibility
     • End User (security management system)
     • System Integrator (system engineering practices, qualified personnel)
     • Automation Supplier (software development, vendor practices)
     • Automation Products (security features, testing)
  5. Software Security Assurance (SSA)
     "Software Security Assurance (SSA) is the process of ensuring that software is designed to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses, controls, and protects."
  6. Life-critical / Safety-critical Applications
     • Aviation
     • Medical
     • Nuclear Engineering
     • Recreation
     • Transportation
     • Automotive
     • Industrial Automation
  7. Software-related SCADA Incidents
     • Software Vendor Patch Crashes SCADA System
     • Computer Glitch Causes Major Power Outage
     • Faulty Software Causes Torrens Lake Drain
     • SCADA System Collapse Leads to Tunnel Closure
     • Computer Software Faults May Have Caused Chinook Helicopter Crash
     • Gas Leak Caused by Computer Malfunction
     Incidents from the Repository of Industrial Security Incidents (RISI) database.
  8. Risks to Software Security Assurance
     • Size and complexity of software
     • Outsourcing of software development and reliance on unvetted software supply chains
     • Attack sophistication that eases exploitation of software weaknesses and vulnerabilities
     • Reuse and interfacing of legacy software with newer applications in increasingly complex, disparate networked environments, resulting in unintended consequences and an increase in vulnerable software targets
  9. Supplier Expansion & Foreign Involvement
  10. Software Security Assurance Objectives
     • Dependability (correct and predictable execution): justifiable confidence can be attained that software, when executed, functions only as intended
     • Trustworthiness: no exploitable vulnerabilities or malicious logic exist in the software, whether intentionally or unintentionally inserted
     • Resilience (and survivability): if compromised, damage to the software will be minimized, and it will recover quickly to an acceptable level of operating capacity
     • Conformance: a planned and systematic set of multi-disciplinary activities will be undertaken to ensure software processes and products conform to requirements and applicable standards and procedures
     Goertzel, Karen, Theodore Winograd, et al., for the Department of Homeland Security and the Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.
  11. Objectives
     • Reduce the number of security vulnerabilities
     • Reduce the severity of the remaining vulnerabilities
     Howard, Michael, and Steve Lipner. The Security Development Lifecycle: SDL, a Process for Developing Demonstrably More Secure Software. Redmond, WA: Microsoft, 2006. Print.
  12. Incorporating Security into the Software Development Lifecycle
     Diagram of security activities placed along the lifecycle: Security Training; Security Requirements; Security Architecture Design; Security Risk Assessment and Threat Modeling; Security Coding Guidelines; Security Code Reviews & Static Analysis; Security Integration Testing; Security Validation Testing; Security Response Planning; Security Response Execution.
  13. Justification
     • Reduce support costs, vulnerabilities, and delivery delays
     • Reduce loss of revenue and reputation due to a breach resulting from insecure software
     • Ensure compliance with government or industry regulations
     • Enhance the credibility of your organization and its development team
     • Break the "penetrate and patch" testing approach
  14. ISA Security Compliance Institute (ISCI)
     Consortium of asset owners, suppliers, and industry organizations formed in 2007 under the ISA Automation Standards Compliance Institute (ASCI).
     Mission: Establish a set of well-engineered specifications and processes for the testing and certification of critical control systems products. Decrease the time, cost, and risk of developing, acquiring, and deploying control systems by establishing a collaborative industry-based program among asset owners, suppliers, and other stakeholders.
  15. ANSI/ACLASS Accredited Conformance Scheme
     ISASecure Embedded Device Security Assurance (EDSA) certification is accredited as an ISO/IEC Guide 65 conformance scheme by ANSI/ACLASS. This includes both ISO/IEC 17025 and ISO/IEC 17011.
     1. Provides global recognition for ISASecure certification
     2. Independent CB accreditation by ANSI/ACLASS
     3. ISASecure can scale on a global basis
     4. Ensures the certification process is open, fair, credible, and robust
  16. Embedded Device
     • Special-purpose device running embedded software designed to directly monitor, control, or actuate an industrial process
     • Examples: Programmable Logic Controller (PLC), Distributed Control System (DCS) controller, Safety Logic Solver, Programmable Automation Controller (PAC), Intelligent Electronic Device (IED), Digital Protective Relay, Smart Motor Starter/Controller, SCADA Controller, Remote Terminal Unit (RTU), Turbine controller, Vibration monitoring controller
  17. ISASecure Embedded Device Certification
     • Integrated Threat Analysis (ITA): provides a common perspective on how threat scenarios can be sufficiently covered; documents the expected resistance of the system to potential threat agents and threat scenarios; clearly documents expected user measures versus inherent product protection measures
     • Software Development Security Assurance (SDSA): detects and avoids systematic design faults; the vendor's software development and maintenance processes are audited; ensures the organization follows a robust, secure software development process
     • Functional Security Assessment (FSA): detects implementation errors and omissions; a component's security functionality is audited against its derived requirements for its target security level; ensures the product has properly implemented the security functional requirements
     • Communications Robustness Testing (CRT): identifies vulnerabilities in networks and devices; a component's communication robustness is tested against communication robustness requirements; tests for vulnerabilities in the 4 layers of the OSI Reference Model
  18. ISASecure Levels
     Diagram of the three certification levels (Level 1, Level 2, Level 3), each built from Software Development Security Assessment, Functional Security Assessment, and Communication Robustness Testing.
  19. SDSA Reference Standards
     Reference standards for Software Development Security Assessment:
     • ISO/IEC 15408-1 through ISO/IEC 15408-3: Information technology — Security techniques — Evaluation criteria for IT security — Part 1 through Part 3
     • IEC 61508 Part 3: Functional safety of electrical/electronic/programmable electronic safety-related systems: Software Development
     • RTCA/DO-178B: Software Considerations in Airborne Systems and Equipment Certification
     • ISBN-13: 978-0735622142: The Security Development Lifecycle, M. Howard, S. Lipner, Microsoft Press (June 28, 2006)
     • OWASP CLASP: OWASP CLASP (Comprehensive, Lightweight Application Security Process)
  20. SDSA Phases
     1. Security Management Process
     2. Security Requirements Specification
     3. Software Architecture Design
     4. Security Risk Assessment (Threat Model)
     5. Detailed Software Design
     6. Document Security Guidelines
     7. Software Module Implementation & Verification
     8. Security Integration Testing
     9. Security Process Verification
     10. Security Response Planning
     11. Security Validation Testing
     12. Security Response Execution
  21. ISA 99 Work Products
  22. Proposed Organization (2011). Copyright © 2011 - ISA
  23. Summary
     • The industry needs to demand software security assurance
     • Suppliers can achieve this by incorporating security practices into their software development life cycle
     • ISASecure provides a mechanism to recognize products that have been developed following a secure process
  24. References
     • Build Security In
     • Data & Analysis Center for Software
     • ISASecure
     • Software Engineering Institute
     • Microsoft SDL Threat Modeling Tool ( pt/threatmodeling.aspx)