Software security is a critical consideration for countless organizations today, and with good reason. In recent years, the ubiquity of software in general has grown tremendously, as virtually every business now operates largely on a software-based foundation. Consumers, too, rely on software security, as they trust more and more of their sensitive data to websites, apps and other digital channels.
Perhaps most significant of all, though, is the question of national security. Software plays a key role in many national systems, and any vulnerabilities in these areas can pose a severe threat.
That is why the recent news of software security flaws in programs used in power plants around the world is such cause for alarm, as this may put numerous countries' energy infrastructure at risk of a hostile takeover.
A serious flaw
The flaw was first discovered by Juan Vazquez and Julian Diaz, both researchers at security firm Rapid7, the BBC reported. The software in question is the Centum CS 3000, which is used by approximately 7,600 oil rigs, refineries and power plants around the world.
According to Vazquez, the discovery of this vulnerability came as a shock.
"We went from zero to total compromise," he said, according to the news source.
In recognition of the severity of this issue, the U.S. Department of Homeland Security's Computer Emergency Response Team issued an alert, warning affected organizations that a cyberattacker with relatively minimal skills may be able take advantage of the software bug and gain control of a target's computer system.
"If you are able to exploit the vulnerabilities we have identified you get control of the Human Interface Station," explained Diaz, the BBC reported. "If you have control of that station as an attacker you have the same level of control as someone standing on the plant floor wearing a security badge."
Yokogawa, the company that created the Centum CS 3000, issued a statement indicating that not all users of this software program need to apply patches immediately. However, the organization said that it is in the process of alerting affected customers and urging them to take the necessary steps to protect themselves against this flaw, the BBC reported. Since then, Yokogawa has issued a patch but “strongly suggests all customers to introduce appropriate security measures not only for the vulnerabilities identified but also to the overall systems.”
Speaking to the news source, Mark O'Neill, a spokesman for data management firm Axway, indicated that many organizations are struggling to adapt, even as more software bugs are discovered all the time. In some cases, he said, the primary problem is the age of the code being used, as well as the equipment that it runs. In such cases, firms often choose to invest in software "wrappers." These programs essentially surround and protect older, vulnerable code.
Such tactics may provide some reassurance, but they are likely not a long-term solution. Billy Rios, a security research with Qualys, told the BBC that serious security flaws such as the one affecting the Centum CS 3000 are becoming "more and more common."
"The security of software like iTunes is much more robust than the software supporting our critical infrastructure," said Rios, according to the news source.
New tools, new strategies
The prevalence and seriousness of these software security flaws suggest that a new approach is needed.
Specifically, firms in this and other fields may need to invest in high-end software security tools, such as comprehensive source code analysis solutions. These resources are invaluable for both identifying and resolving security issues before they evolve into full-blown vulnerabilities and thereby saving time, money and headaches.