Sharing the responsibility for a secure critical infrastructure

?The critical infrastructure assets that protect our public safety and modern societal functions have become increasingly interconnected through IT networks. A compromise of the systems that run, for example, a nation’s energy distribution, banking and finance, air traffic controls or transportation could have crippling and widespread effects on an entire country. Recent attacks on the Kuwaiti Stock Exchange and natural gas pipeline companies show that critical infrastructure systems are being successfully targeted and exposing vulnerabilities in the economy, public safety and national security.

A recent report by Good Harbor Consulting, Confronting Cyber Risk in Critical Infrastructure, explores the role of cyber risk in critical infrastructure and how leaders can work together to defend national assets. With more at stake than ever before, it is crucial for application developers and vendors to begin taking responsibility for these networks – and shift the approach from one focused on providers utilizing primarily defensive technologies like firewalls, antivirus and intrusion detection systems to one where application developers and vendors begin with building security into their coding and development processes.

Implementing a systemic change such as this is a huge and complex undertaking, though, and the task can seem overwhelming to many organizations. To those unsure where to begin, my advice is start with your people.

Ten years ago, in the midst of a “perfect storm” of explosive growth in home PC use and a rise in malicious software, Microsoft saw a critical need to develop more secure code. In response, Bill Gates issued a now-famous memo that effectively froze Microsoft’s software and application development – imagine a manufacturing giant like General Motors shutting down its factories – while its Trustworthy Computing team created the concepts that ultimately became the Security Development Lifecycle (SDL) and developers and testers completed mandatory security training. SDL renewed Microsoft’s commitment to security, privacy, reliability and business integrity, and has been built into every company process since.

Not many organizations can completely halt operations in order to address security risks; in fact, it would be impossible for any national defense agency to do so. In this case I recommend starting with your highest priority: training your development team to identify and mitigate vulnerabilities, starting with the legacy systems at the highest risk. Or, if you’re early in the process of system development, making sure that your developers know how to write and design secure code upfront, which will lead to significant long-term benefits in time and cost savings.

The Microsoft SDL is an example of a strategic approach to application security that begins with training your team on basic security principles and also provides them with a holistic view of the secure development lifecycle – from risk assessment and program design through development, testing and distribution. The Government of India believes the issue of proactive application security is so vital that it has incorporated the concept into the next draft five-year economic plan for the country.

We hope that that incorporating security into the application development lifecycle will continue to grow, particularly in the systems used to protect public safety, and that vendors will continue to recognize their crucial role in defending our critical infrastructure assets.

Have a comment or opinion on this post or a question for the author? Let me know @MicrosoftPSNS or email us at