Employing secure coding practices into industrial applications: a case study
Industrial Control Systems (ICS) are the vital part of modern critical infrastructures. Recent attacks to ICS indicate that these systems have various types of vulnerabilities. A large number of vulnerabilities are due to secure coding problems in industrial applications. Several international and national organizations like: NIST, DHS, and US-CERT have provided extensive documentation on securing ICS; however proper details on securing software application for industrial setting were not presented. The notable point that makes securing a difficult task is the contradictions between security priorities in ICS and IT systems. In addition, none of the guidelines highlights the implications on modification of general IT security solutions to industrial settings. Moreover based on the best of our knowledge, steps to develop a successful real-world secure industrial application have not been reported. In this paper, the first attempts to employ secure coding best practices into a real world industrial application (Supervisory Control and Data Acquisition) called OpenSCADA is presented. Experiments indicate that resolving the vulnerabilities of OpenSCADA in addition to possible improvement in its availability, does not jeopardize other dimensions of security. In addition, all experiments are backed up with proper statistical tests to see whether or not, improvements are statistically significant.
KeywordsIndustrial control system SCADA Secure coding Memory leak Availability Time critical process
- Common Weakness Enumeration (CWE) http://cwe.mitre.org/. Accessed 23 February 2013.
- Department of Homeland Security (DHS) Report (2009) Recommended practice: improving industrial control systems cyber security with defense-in-depth strategies. Control Systems Security Program, National Cyber Security Division, USA Homeland SecurityGoogle Scholar
- ICS-CERT incident response summary report (2012) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). https://ics-cert.us-cert.gov/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf. Accessed 16 June 2013
- Khalili, A, Sami, A, Ghiasi, M, Moshtari, S, Salehi, S, Azimi, M (2014) Software engineering issues regarding securing ICS: an industrial case study. Proceedings of the 1st International Workshop on Modern Software Engineering Methods for Industrial Automation. Hyderabad, India, ACM 2014Google Scholar
- Kissel R et al. (2008) Security considerations in the system development life cycle. NIST Special Publication 800–64 Revision 2Google Scholar
- National Cyber Security Division (NCSD) (2009). Common cyber security vulnerabilities in Industrial Control Systems. https://ics-cert.uscert.gov/pdf/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf. Accessed 10 May 2013
- Seacord R C (2005) Secure coding in C and C++. Addison Wesley. 2005Google Scholar
- Stouffer K, Falco J and Kent K (2006) Guide to supervisory control and data acquisition (SCADA) and industrial control systems security, SP800-82, NISTGoogle Scholar
- Top 25 CWEs: 2011 CWE/SANS Top 25 Most Dangerous Software Errors (2011) http://cwe.mitre.org/top25/. Accessed 3 October 2013