Experts say energy network hacks could be avoided with code auditing

Fortify says energy network hacks can be avoided through the use of code auditing and analysis

26th March 09 - Commenting on the reported vulnerability of the energy and utility networks to external attacks by hackers, Fortify Software, the software security assurance experts, says that the custom code seen in many energy applications means that program code auditing and analysis is now a must for security.

"The problem facing IT managers within energy companies is that a lot of programs they use on their IT resources are either heavily customised or written from scratch, such as SCADA applications," said Rob Rachwald, Fortify's Director of Product Marketing.

"Because of this, the code auditing and review process must involve building security into the software from the ground level upwards. The problem is, however, that this is not a frequently used mantra in the energy industries, many of whom use modified Windows 98 and even DOS applications dating back several years," he added.

According to Rachwald, the process of integrating security within the program code of energy companies is not to build operational standards, but preventative ones.

Rachwald says that Fortify has been working with Cigital, a consulting firm specialising in software security, to develop the 'Building Security In Maturity Model (BSIMM),' a set of benchmarks for developing and growing an enterprise-wide software security programme.
The BSIMM programme, details of which were released in early March,says Rachwald, are highly applicable to the reported security worries surrounding the vulnerability of utility, and in particular, energy networks, since they create benchmarks where none existed previously.
Under BSIMM, he explained, Fortify and Cigital have developed a structured set of practices based on real-world data and which provides an insight on what successful organisations actually do to build security into their software.

It also, he says, gives developers an understanding of how to mitigate the business risk associated with insecure applications.

"The North American Electric Reliability Corporation - NERC - has also been working on required source code reviews. This is especially relevant given the trend to using open source programs as a baseline for energy company customised software," he said.

"Using the NERC approach to code auditing and reviewing is an excellent starting point on which to build a program audit process and a great step towards engendering a preventative mindset on the software development front," he added.

For more on the energy network security debate:

For more on Fortify Software:

Yvonne Eskenzi, Eskenzi PR