Discovering vulnerabilities in control system human-machine interface software

Authors:
Robert Wesley McGrew;Rayford B. Vaughn
Affiliations:
Department of Computer Science and Engineering, Critical Infrastructure Protection Center, Mississippi State University, Butler Hall, Box 9637, Mississippi 39762, United States;Department of Computer Science and Engineering, Critical Infrastructure Protection Center, Mississippi State University, Butler Hall, Box 9637, Mississippi 39762, United States
Venue:
Journal of Systems and Software
Year:
2009

Citing 5
Cited 3

Application of security tot he computing science classroom

Proceedings of the thirty-first SIGCSE technical symposium on Computer science education
Integration of computer security into the software engineering and computer science programs

Journal of Systems and Software - Special issue on software engineering education and training for the next millennium
An empirical study of industrial security-engineering practices

Journal of Systems and Software
Software Engineering and Security Engineering - An Argument for Merger

CSEET '99 Proceedings of the 12th Conference on Software Engineering Education and Training
A Report on Industrial Transfer of Software Engineering to the Classroom Environment

CSEET '00 Proceedings of the 13th Conference on Software Engineering Education & Training

A testbed for SCADA control system cybersecurity research and pedagogy

Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research
Development & expansion of an industrial control system security laboratory and an international research collaboration

Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop
Advances in the protection of critical infrastructure by improvement in industrial control system security

AISC '13 Proceedings of the Eleventh Australasian Information Security Conference - Volume 138

Quantified Score

Hi-index	0.00

Visualization

Abstract

As educators plan for curriculum enhancement and modifications to address the net-generation of software engineers, it will be important to communicate the necessity of considering software security engineering as applications are net-enabled. This paper presents a case study where commonly accepted software security engineering principles that have been published and employed for approximately 30 years, are not often seen in an important class of application software today. That class of software is commonly referred to as control system software or supervisory control and data acquisition (SCADA) software which is being used today within critical infrastructures and being net-enabled as it is modernized. This circumstance is driven by evolution and not intention. This paper details several vulnerabilities existing in a specific software application as a case study. These vulnerabilities are a result of not following widely-accepted secure software engineering practices which should have been considered by the software engineers developing the product studied. The applicability of these lessons to the classroom are also established with examples of how they are integrated into software engineering and computer science curricula.