More Secure Software Needed for Utilities, NERC CSO Says

It took a malware attack with an unprecedented level of sophistication to make it happen, but officials in charge of the security of much of the country’s electrical grid have come to the conclusion that there is a need for more secure software and better security processes and procedures to prevent future attacks in the vein of Stuxnet.

Although the Stuxnet worm apparently didn’t infect any of the electric utilities in the United States, the top security official at the North American Electric Reliability Corporation said in an interview with SearchSecurity.com that there is a clear need for not just better procedures to respond to serious attacks on critical systems, but better software-development practices to produce more resilient applications. Mark Weatherford, the CSO of NERC, which helps oversee reliability for much of the U.S. electrical grid, said that Stuxnet demonstrated a need for more secure products for critical applications in the power industry.

“This is not an indictment on [the] control system industry; it’s an indictment on the IT business in general,” Weatherford told SearchSecurity’s Rob Westervelt. “We’re still seeing products that come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time.

“Companies who develop products and write code need to continue to mature their development processes to become more secure,” he said.

Weatherford said the Stuxnet attack served as a warning bell, spurring the creation of a so-called Tiger Team at NERC to respond rapidly to serious attacks and malware threats in the future. Most large enterprises and government agencies have similar incident-response teams that are pulled together to handle emerging attacks.

Stuxnet was the first large-scale attack to go after industrial-control systems, but given the huge reliance of most countries on computerized control systems in their utilities, it certainly will not be the last.