Discovering vulnerabilities in control system human–machine interface software

As educators plan for curriculum enhancement and modifications to address the net-generation of software engineers, it will be important to communicate the necessity of considering software security engineering as applications are net-enabled. This paper presents a case study where commonly accepted software security engineering principles that have been published and employed for approximately 30 years, are not often seen in an important class of application software today. That class of software is commonly referred to as control system software or supervisory control and data acquisition (SCADA) software which is being used today within critical infrastructures and being net-enabled as it is modernized. This circumstance is driven by evolution and not intention. This paper details several vulnerabilities existing in a specific software application as a case study. These vulnerabilities are a result of not following widely-accepted secure software engineering practices which should have been considered by the software engineers developing the product studied. The applicability of these lessons to the classroom are also established with examples of how they are integrated into software engineering and computer science curricula.