After two days the group working on control system security identified two potential Priority Research Directions (PRD’s). These were written up in a one page quad chart, and now a smaller team is writing them up in the DoE format for funding consideration.

The organizers brought in a few speakers to get the group thinking; Steve Lipner, Microsoft’s Senior Director of Security Engineering Strategy and author of the Security Development Lifecycle, was one of the speakers. A lot of the information was from his books, but there were a couple of interesting nuggets.

• Microsoft uses a term called “Security Science” that describes their efforts to identify and remove new classes of vulnerabilities. Microsoft typically does not make this information public because some of their older architectures, such as Windows 2000, are often vulnerable to these new attack classes. They monitor the vulnerability research and hacking communities to see if these are found by others. Steve said some have, but many have not.
• Microsoft added fuzzing to their testing in the 2004/2005 time frame.

Microsoft is almost universally scorned in the security community, and the knee-jerk reaction to the mention of Microsoft in the control system community is almost always negative. However my feeling is that most control system applications and devices would be found to be far worse than Microsoft if even a fraction of the effort spent on exploiting Microsoft OS and applications was applied.

Why? Look at Microsoft’s Security Development Lifecycle and compare this to the integration of security into the development lifecycle of control system vendors. It took Microsoft getting bloodied in the late 90’s and early this decade to get serious. That has not happened yet in the control system community and many are naively thinking the bugs leading to vulnerabilities are not there.