Over the past several years there have been a number of highly publicized cyberattacks on the oil and gas industry. In an industry that manages critical infrastructure needs, software application security has become absolutely essential and must be a top priority.

In the face of these security challenges, industry leaders, outside security analysts, consultants, and software experts have been calling for a comprehensive approach to cybersecurity in the oil and gas industry. Their message: Given the nature of the threats, companies must instill a bottom-up, company-wide security culture. This includes procedures and policies to let all firms in the sprawling, decentralized industry respond to and defend against agile enemies because any weak link in the overall supply chain can be a significant problem.

“Security is everybody’s responsibility in the company,” said Aaron Merrick, vice president of information technology at Apache Corp.

“I don’t want people on the network thinking, ‘Oh that’s somebody else’s job,’” he said. “It’s everybody’s job because it can’t be done without the participation and cooperation of everybody in the company that has access.”

A holistic approach to secure development

As companies in the oil and gas industry move to address their specific security concerns – to remain secure while still allowing business systems to function and be collaborative with outside consultants, vendors, and suppliers – they are looking for frameworks that will help them implement prescriptive process changes. Several have discovered that an existing software security development process known as the security development life cycle (SDL) can address many of these issues.

The SDL was developed by Microsoft to help the company build more secure software and has been honed and refined during the past 10 years. This approach is used by companies across all industries, from small software development firms to global enterprises. The SDL framework, guidance, and tools also are made available free of cost for anyone to use and can be adopted and adapted to meet the needs of organizations large and small.

Microsoft provides the SDL to customers and the industry to help create a more secure environment for everyone. The basics of the SDL are relatively easy to introduce and are designed to help developers whether they have security experience or not. The simplified SDL is a very accessible 17-page document designed to be a practical and actionable introduction to secure software development.

Significant return on investment

Using a comprehensive approach to developing more secure software can sometimes be perceived as an additional project cost – a development “tax,” in other words. However, it is important to realize that building security in from the project initiation can in fact cost significantly less than addressing vulnerabilities in software once it has been deployed in production. A 2011 study by the research firm Aberdeen Group found that companies that incorporate security throughout the development process rather than waiting until the end of the process to perform reviews and tests made four times the return on their annual investments in application security.

The same study estimates that the average cost of remediating an application security-related vulnerability is around US $300,000 per incident, but the average annual investment developers make in deploying a comprehensive approach to application security – including people, processes, and training – totals about $400,000. Add in the costs of potential downtime caused by a successful cyberattack, and it quickly becomes clear that investing in secure development is a smart business decision.

The industry is recognizing the usefulness of a process framework like the SDL for helping prioritize risk and guide secure development of applications. One of the key constructs of the SDL is threat modeling, which helps prioritize mitigations and resources. This concept is now being looked at broadly in the industry.

Flexible and adaptable

One of the SDL’s strengths is that it is a process-based approach that is flexible and designed to be incorporated into any organization’s product life cycle – even outside the software industry. The SDL has been successfully adapted and deployed at infrastructure companies such as MidAmerican Energy Co. and at Itron, a global technology company and builder of smart grid electricity and water meters.

At MidAmerican, executives held company-wide SDL training in response to attacks on company websites. Not only did the SDL-inspired security approach reduce the impact of attempted attacks, it also increased efficiency, including a 20% productivity gain resulting from less change during testing and fewer after-the-fact fixes to code.

Itron, a company with parallels to the oil and gas industry, adapted its utility meters – meant to live in the field for decades – to a rapidly changing cybersecurity environment. Its engineers adapted the SDL to the design of the smart meter, addressing issues such as how to prevent it from being broken into physically by securing seals and closures to how to protect its electrical systems and software.

Developing a common framework

Software security will continue to be critical to the safety and success of oil and gas companies in the future. It will be increasingly important that software developers, vendors, and purchasers have a common framework with which to define and describe how software development projects should include security requirements from the project initiation stage.

A recent publication from the International Standards Organization, ISO 27034-1, offers a “common language” that can be used to simplify and streamline the process of requiring secure development practices in software projects. This means that organizations looking to ensure that software they develop or procure has been developed with security in mind can specify that the development process is conformant with ISO 27034-1.

Microsoft is helping the industry minimize the number and severity of vulnerabilities found in software and services through the use of the SDL. The SDL now conforms to ISO 27034-1, making it easier for organizations to mandate conformity to the standard in their projects by adopting the SDL. For more information on the Microsoft SDL, visit . For more information on ISO27-34-1 and software security standards, download “The emergence of software security standards: ISO/IEC 27034-1:2011 and your organization,” a research report from Reavis Consulting Group LLC.