Secure Software (by Design): Is that possible? Part 1
Software security and software vulnerabilities have long featured in international media headlines. In the summer of 2010, the malware program “Stuxnet”, which was specially developed to attack industrial facilities, received attention and increased the call for heightened security precautions.
The discussion is rightly and increasingly focused on security-related “systems”: a combination of several components such as hardware, machines, humans and of course the software too. Only when these elements are adapted to one another in an overall concept is a secure application of modern IT and product technologies possible. As a manufacturer of professional software, we consider it to be one of our core tasks to contribute to the creation and further development of modern security concepts. International standards are also covering the issue of security and are making the “Security System”, which also includes modern software components, part of the requirements they set out. These in turn have a significant influence on the development and quality assurance processes employed by manufacturers. Examples of these regulatory requirements can be found in the following standards, among others, most of which are still drafts in the development stage:
- IEC 62443
- ISO 27019
- IEC 62351
- and many more
With all these regulated requirements, the question nevertheless remains:
How can zenon contribute to a secure IT / production system?
The increased networking of sites and production via the internet, and the resulting increased risk for applications, has for some time forced the developers of modern software to give greater consideration to security aspects in the software development process.
It is in widespread (off-the-shelf) software that weak points can sometimes have disastrous effects. A single security loophole can often allow several thousand installations to be targeted. With programs that are used for the control or monitoring of automation processes, such as zenon, we are talking about attack scenarios that make it possible to manipulate complete production processes. For malicious employees or external attackers (for example in cases of industrial espionage or organized crime), the industrial manufacturing environment is a welcome opportunity for attacks.
For COPA-DATA and the zenon Product Family, this has meant that the issue of “security in the design and creation of software” has already been a point of intensive consideration for many years. In our research and development we are often supported by external research institutions, universities and universities of applied sciences.
One of the basic findings from our many years of experience and numerous joint projects is that it is better to integrate security and quality from the start than to “add it on” afterwards. Quality assurance procedures such as reviews and having another person check somebody’s work should be a binding part of any production process.