
Managing security throughout development

Friday, November 8, 2013

A "holistic" approach to security in application development - managing security throughout the software development process, rather than just at the end - can make a big difference to your security

By Tim Rains, director, Trustworthy Computing Group, Microsoft

A holistic approach to software development - incorporating security throughout the development process, rather than waiting until the end - can help mitigate many of the software application security risks that oil and gas companies face.

To assist, Microsoft has put together a free application security development process called the "Security Development Lifecycle".


According to a 2011 study by security firm McAfee, the average cost of 24 hours downtime in the oil and gas industry due to cyberattacks is around $8.4m.

Another 2011 study by research firm Aberdeen Group estimates that the average cost of remediating an application security-related vulnerability is around $300,000 per incident, but the average annual investment developers make in deploying a comprehensive approach to application security, including people, processes and training, totals about $400,000.

The study found that companies that incorporate security throughout the development process, rather than waiting until the end of the process to perform reviews and tests, made four times the return on their annual investments in application security.

Corporations can lose millions of dollars in sensitive data, or worse, control over parts of their networks, by simply opening a malicious email attachment.

Still vulnerable

Major portions of the oil and gas industry remain vulnerable to cyberattacks, ranging from state-sponsored corporate espionage to so-called "hacktivists" seeking to make political statements through their choice of target.

In May 2012, the U.S. Department of Homeland Security confirmed an ongoing campaign of attacks from state-sponsored actors against oil pipeline companies extending through the first half of that year. Companies' systems were invaded and proprietary information was stolen.

In July 2012, Wired magazine reported that the "hacktivist" group Anonymous published some 1,000 email addresses for accounts belonging to energy firms, as well as hashed and unencrypted passwords.

In August 2012, a limited number of oil and gas companies in the Gulf region were put on the front page following an apparent spate of Trojan malware infections.


In this evolving threat landscape, companies can easily find themselves outgunned, said Paul Williams, executive director of security services at White Badger Group, who has experience advising clients in the oil and gas industry.

"When you're talking about economic espionage from a foreign intelligence agency, it might be thousands attacking forty guys who know what they're doing on the defence side," Mr Williams said.

In the face of these daunting security challenges, industry leaders, outside security analysts, consultants and software experts have been calling for a comprehensive approach to cybersecurity in the oil and gas industry. Their message: given the nature of the threats, companies must install a bottom-up, company-wide security culture.

This includes procedures and policies to let all firms in the sprawling, decentralized industry respond to and defend against agile enemies, because any weak link in the overall supply chain can be a significant problem.


"Security is everybody's responsibility in the company," said Aaron Merrick, vice president of information technology at Apache Corporation.

"I don't want people on the network thinking, 'Oh, that's somebody else's job,'" he said. "It's everybody's job because it can't be done without the participation and cooperation of everybody in the company that has access."

But ultimately, Mr Merrick believes security is an iterative process that will continue to rely on time-tested security skills such as the ability to locate and address dangers and to learn from security breaches if they do occur.

Apache Corporation uses a modified security framework that considers everything from physical to logical access to application security to data protection to data continuity, Mr Merrick said. The company also expects its key suppliers to address security concerns in a logical, holistic manner.

Mr Merrick expects to see more cooperation and standardization across the industry, with the possibility of federated authentication systems to help companies know what is safe and what is not when transferring data.

It is important to be able to identify real threats amidst the buzz and the hype, Mr Merrick said, citing one prominent example in Illinois, where a pump failure at a water plant in 2011, first reported to be caused by hackers, was later revealed to be a false alarm.

"You can never be satisfied that you know everything, or that will be your Achilles heel," he said. "Anything out there that has been exploited is just teaching us the lesson that we don't know what will be exploited in the future."

Open architecture

The oil and gas industry has unique needs that set it apart from other infrastructure, such as the nuclear power industry, where regulation is much tighter and protocols are more closed.

"In oil and gas the culture is very open. You have a lot more work done by consultants, vendors and suppliers," said Jonathan Pollet, founder and principal of Red Tiger Security, a data security consultancy with extensive experience in the oil and gas industry.

Increasingly, the applications companies use to conduct day-to-day business and control business processes in the field are becoming the major points of attack because that is where valuable data is stored.

Few companies have complete control over the application lifecycle, Mr Pollet said. Therefore, building transparency into security processes is a challenge.

Companies tend to develop unique approaches to security. That makes it tricky for best practices to flow through such a large infrastructure, which can make each company more vulnerable rather than less. "It only takes one weak link in the chain to take down the system," he said.

More and more, oil and gas companies are becoming integrators for a wide range of services and technologies they purchase to help them deliver their final product, said Alan Hasling, an account technology strategist for Microsoft who works with the oil and gas industry.

Mr Hasling cites the example of the compression process used to pressurize and transport natural gas. In previous years, a company might have bought a gas compressor and done the job in-house, but companies now are more likely to purchase a compression service, Mr Hasling said.

Practical steps

Mr Pollet said there are practical steps he would advise any company to take in order to make itself more secure.

First off, he said companies must identify key assets and then do threat modelling on how to protect those assets.

Examples might include doing secure application development differently or dividing their network control assets into different sectors so breaches can be localized.

Companies must also determine how they securely manage outside access to their data systems and, after their systems are protected, how they will be continuously monitored.

This kind of integrated, disciplined approach to security needs to be built, Mr Pollet said, into the basics of system architecture and development practices. That includes access to secure infrastructure, rudimentary network security and the updating of software.

The next obvious steps are integrating these basic procedures into more sophisticated software security challenges, Mr Pollet said, which include managing access to directories, developing strong passwords and, finally, securing the actual deployed applications through better development practices.

Microsoft's SDL

Microsoft offers a free security development process called the Security Development Lifecycle, or SDL, to help address both software security and broader infrastructure design, incorporating security into applications from conception to release and beyond.

This approach can be used in companies of every size and in every industry, from small software development firms to global enterprises.

The Simplified SDL is a 17-page document designed as an accessible way to help managers create a long-term framework for building secure software.

The SDL is general enough that it can be adapted to a wide range of security environments, but rigorous enough to meet exacting standards in the most security-sensitive industries.

One of the key constructs of the SDL is threat modelling, which helps prioritize mitigations and resources. This concept is now being looked at broadly in the industry.

"I believe we shouldn't even approve a project without doing threat modelling first," said one security executive from a major oil field services company who requested anonymity due to the sensitive nature of the strategic infrastructure the executive supervises. "If there is a project, security should be part of the project lifecycle; that is very clear."

"I still see a lot of projects where security is an afterthought," the executive said. "People need to understand that security needs to be part of the process from the beginning."

Some companies don't use the SDL in its entirety. Incremental application of SDL processes leads to incremental improvements in security. It's not an all-or-nothing equation.

SDL is a process-based approach that is flexible and designed to be incorporated into any organization's product lifecycle - even outside the software industry.

The SDL has been successfully adapted and deployed at infrastructure companies such as Iowa-based MidAmerican Energy Co. and at Itron, a global technology company and builder of smart grid electricity and water meters based in Liberty Lake, Washington.

At MidAmerican, executives held company-wide SDL training in response to attacks on company websites. Not only did the SDL-inspired security approach reduce the impact of attempted attacks, it also increased efficiency, including a 20 per cent productivity gain resulting from less change during testing and fewer after-the-fact fixes to code.

Itron, a company whose business has explicit parallels to the oil and gas industry, applied the SDL to its utility meters, which are meant to live in the field for decades.

Its engineers adapted the SDL to the design of the smart meter, from how to prevent it from being broken into physically - securing seals and closures - to how to protect its electrical systems and software.
