Employing secure coding practices into industrial applications: a case study


Industrial Control Systems (ICS) are the vital part of modern critical infrastructures. Recent attacks to ICS indicate that these systems have various types of vulnerabilities. A large number of vulnerabilities are due to secure coding problems in industrial applications. Several international and national organizations like: NIST, DHS, and US-CERT have provided extensive documentation on securing ICS; however proper details on securing software application for industrial setting were not presented. The notable point that makes securing a difficult task is the contradictions between security priorities in ICS and IT systems. In addition, none of the guidelines highlights the implications on modification of general IT security solutions to industrial settings. Moreover based on the best of our knowledge, steps to develop a successful real-world secure industrial application have not been reported. In this paper, the first attempts to employ secure coding best practices into a real world industrial application (Supervisory Control and Data Acquisition) called OpenSCADA is presented. Experiments indicate that resolving the vulnerabilities of OpenSCADA in addition to possible improvement in its availability, does not jeopardize other dimensions of security. In addition, all experiments are backed up with proper statistical tests to see whether or not, improvements are statistically significant.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2


  1. Cheminod M, Durante L, Valenzano A (2013) Review of security issues in industrial networks. IEEE Trans on Ind Inform 9:277–293

    Article  Google Scholar 

  2. Common Weakness Enumeration (CWE) http://cwe.mitre.org/. Accessed 23 February 2013.

  3. Department of Homeland Security (DHS) Report (2009) Recommended practice: improving industrial control systems cyber security with defense-in-depth strategies. Control Systems Security Program, National Cyber Security Division, USA Homeland Security

  4. ICS-CERT incident response summary report (2012) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). https://ics-cert.us-cert.gov/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf. Accessed 16 June 2013

  5. Khalili, A, Sami, A, Ghiasi, M, Moshtari, S, Salehi, S, Azimi, M (2014) Software engineering issues regarding securing ICS: an industrial case study. Proceedings of the 1st International Workshop on Modern Software Engineering Methods for Industrial Automation. Hyderabad, India, ACM 2014

  6. Kissel R et al. (2008) Security considerations in the system development life cycle. NIST Special Publication 800–64 Revision 2

  7. National Cyber Security Division (NCSD) (2009). Common cyber security vulnerabilities in Industrial Control Systems. https://ics-cert.uscert.gov/pdf/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf. Accessed 10 May 2013

  8. Seacord R C (2005) Secure coding in C and C++. Addison Wesley. 2005

  9. Stouffer K, Falco J and Kent K (2006) Guide to supervisory control and data acquisition (SCADA) and industrial control systems security, SP800-82, NIST

  10. Top 25 CWEs: 2011 CWE/SANS Top 25 Most Dangerous Software Errors (2011) http://cwe.mitre.org/top25/. Accessed 3 October 2013

Download references

Author information



Corresponding author

Correspondence to Ashkan Sami.

Additional information

Communicated by: Laurie Williams

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Khalili, A., Sami, A., Azimi, M. et al. Employing secure coding practices into industrial applications: a case study. Empir Software Eng 21, 4–16 (2016). https://doi.org/10.1007/s10664-014-9341-9

Download citation


  • Industrial control system
  • Secure coding
  • Memory leak
  • Availability
  • Time critical process