The latest analyses of malware targeting automation systems, published in early June, are yet another reminder of the ability of such online threats to cause physical damage. While it is not new, this malware known as CrashOverride or Industroyer, has remained relatively unknown to the general public. It is thought to have made its debut in a cyber attack against a power grid in Ukraine in December 2016, causing an outage in Kiev lasting about an hour.
Remember the days when software developers did not worry about release deadlines? Neither do I. Brutal competition and innovation inevitably drives companies to add complex features to their products, without the luxury of extending product release deadlines. With a setup like this, it’s clear that companies are required to shorten their product time-to-market by making their R&D organizations more efficient - in order to be the first on the market while meeting and exceeding customer expectations. New processes, methodologies and automation play a significant role in this equation, but as the emphasis is traditionally on development and functional testing, it seems that security is not usually recognized as a critical factor for on-time product release.
Applying cybersecurity in your R&D is mostly a question of skills and culture, rather than technology; it’s quite hard to defend when you don’t understand the ways you may be attacked. No one can expect an architect, developer or a tester without up-to-date knowledge in the cybersecurity field to know the threats that his/her product will be facing once out on the market. Especially when the threat surface, exploitation techniques and hacking tools are developing all the time (because it’s a good business): https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#48ddeb6c3a91
So how can one design, implement and maintain products while taking cybersecurity and privacy into consideration from the very beginning? It’s not as hard as you may think.
You may be surprised to find out that security can be implemented everywhere in the development lifecycle. You might want to take a look at the Secure Development Lifecycle (SDL) or BSIMM.
There’re a bunch of tools out there (fuzzing, vulnerability scanning, etc.) that focus on validating your system’s integrity under different attack vectors and searching for vulnerabilities that can be utilized to penetrate your product. These tools are efficient at finding potential errors that may be used to infect your product. Test automation can also be adopted for security, as (good) cybersecurity experts themselves already have a lot of ready-made scripts that they run against applications/systems with minor modifications.
The human factor plays the biggest role in the architecture design. As I’ve mentioned earlier, knowing what you are up against enables you to design and develop your products accordingly. Consider adding privacy and cybersecurity experts to your team at least just to spar with your developers and architects. Threat modeling, Business- and Privacy impact analysis will help you to make decisions related to cybersecurity at the very earliest phases and throughout your development lifecycle. Additionally, developing feasible cybersecurity requirements for software development teams or special product security features will definitely help you in creating safe products.