The latest analyses of malware targeting automation systems, published in early June, are yet another reminder of the ability of such online threats to cause physical damage. While it is not new, this malware known as CrashOverride or Industroyer, has remained relatively unknown to the general public. It is thought to have made its debut in a cyber attack against a power grid in Ukraine in December 2016, causing an outage in Kiev lasting about an hour.
How to adopt cybersecurity in R&D and why?
October 8, 2017 at 11:30
Remember the days when software developers did not worry about release deadlines? Neither do I. Brutal competition and innovation inevitably drives companies to add complex features to their products, without the luxury of extending product release deadlines. With a setup like this, it’s clear that companies are required to shorten their product time-to-market by making their R&D organizations more efficient - in order to be the first on the market while meeting and exceeding customer expectations. New processes, methodologies and automation play a significant role in this equation, but as the emphasis is traditionally on development and functional testing, it seems that security is not usually recognized as a critical factor for on-time product release.
Typically, security assessments are done at the last stage of a product development phase. As most critical security issues are often related to bad architectural decisions (from a security perspective), it could take only one vulnerability to mix up your go-to-market deadlines, which of course is bad news for you and a good one for your competition. Some companies tend to ‘go live’ before fixing the issues, and plan to patch their product before anyone can exploit them. Quite a dangerous game if you consider consequences such as product recalls, lawsuits and other not-so-great results like share price drops. http://www.cityam.com/228714/talktalk-share-price-plunges-twice-as-deep-as-sony-carphone-warehouse-barclays-and-ebay-after-cyber-attacks
Applying cybersecurity in your R&D is mostly a question of skills and culture, rather than technology; it’s quite hard to defend when you don’t understand the ways you may be attacked. No one can expect an architect, developer or a tester without up-to-date knowledge in the cybersecurity field to know the threats that his/her product will be facing once out on the market. Especially when the threat surface, exploitation techniques and hacking tools are developing all the time (because it’s a good business): https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#48ddeb6c3a91
So how can one design, implement and maintain products while taking cybersecurity and privacy into consideration from the very beginning? It’s not as hard as you may think.
Processes
You may be surprised to find out that security can be implemented everywhere in the development lifecycle. You might want to take a look at the Secure Development Lifecycle (SDL) or BSIMM.
Tools
There’re a bunch of tools out there (fuzzing, vulnerability scanning, etc.) that focus on validating your system’s integrity under different attack vectors and searching for vulnerabilities that can be utilized to penetrate your product. These tools are efficient at finding potential errors that may be used to infect your product. Test automation can also be adopted for security, as (good) cybersecurity experts themselves already have a lot of ready-made scripts that they run against applications/systems with minor modifications.
People
The human factor plays the biggest role in the architecture design. As I’ve mentioned earlier, knowing what you are up against enables you to design and develop your products accordingly. Consider adding privacy and cybersecurity experts to your team at least just to spar with your developers and architects. Threat modeling, Business- and Privacy impact analysis will help you to make decisions related to cybersecurity at the very earliest phases and throughout your development lifecycle. Additionally, developing feasible cybersecurity requirements for software development teams or special product security features will definitely help you in creating safe products.