Abstract
Industrial Control Systems (ICS) are the vital part of modern critical infrastructures. Recent attacks to ICS indicate that these systems have various types of vulnerabilities. A large number of vulnerabilities are due to secure coding problems in industrial applications. Several international and national organizations like: NIST, DHS, and US-CERT have provided extensive documentation on securing ICS; however proper details on securing software application for industrial setting were not presented. The notable point that makes securing a difficult task is the contradictions between security priorities in ICS and IT systems. In addition, none of the guidelines highlights the implications on modification of general IT security solutions to industrial settings. Moreover based on the best of our knowledge, steps to develop a successful real-world secure industrial application have not been reported. In this paper, the first attempts to employ secure coding best practices into a real world industrial application (Supervisory Control and Data Acquisition) called OpenSCADA is presented. Experiments indicate that resolving the vulnerabilities of OpenSCADA in addition to possible improvement in its availability, does not jeopardize other dimensions of security. In addition, all experiments are backed up with proper statistical tests to see whether or not, improvements are statistically significant.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Cheminod M, Durante L, Valenzano A (2013) Review of security issues in industrial networks. IEEE Trans on Ind Inform 9:277–293
Common Weakness Enumeration (CWE) http://cwe.mitre.org/. Accessed 23 February 2013.
Department of Homeland Security (DHS) Report (2009) Recommended practice: improving industrial control systems cyber security with defense-in-depth strategies. Control Systems Security Program, National Cyber Security Division, USA Homeland Security
ICS-CERT incident response summary report (2012) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). https://ics-cert.us-cert.gov/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf. Accessed 16 June 2013
Khalili, A, Sami, A, Ghiasi, M, Moshtari, S, Salehi, S, Azimi, M (2014) Software engineering issues regarding securing ICS: an industrial case study. Proceedings of the 1st International Workshop on Modern Software Engineering Methods for Industrial Automation. Hyderabad, India, ACM 2014
Kissel R et al. (2008) Security considerations in the system development life cycle. NIST Special Publication 800–64 Revision 2
National Cyber Security Division (NCSD) (2009). Common cyber security vulnerabilities in Industrial Control Systems. https://ics-cert.uscert.gov/pdf/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf. Accessed 10 May 2013
Seacord R C (2005) Secure coding in C and C++. Addison Wesley. 2005
Stouffer K, Falco J and Kent K (2006) Guide to supervisory control and data acquisition (SCADA) and industrial control systems security, SP800-82, NIST
Top 25 CWEs: 2011 CWE/SANS Top 25 Most Dangerous Software Errors (2011) http://cwe.mitre.org/top25/. Accessed 3 October 2013
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by: Laurie Williams
Rights and permissions
About this article
Cite this article
Khalili, A., Sami, A., Azimi, M. et al. Employing secure coding practices into industrial applications: a case study. Empir Software Eng 21, 4–16 (2016). https://doi.org/10.1007/s10664-014-9341-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10664-014-9341-9