Code Security: MidAmerican Energy's top priority after SQL injection attacks
Security practitioners are increasingly bent on better code security, as Microsoft SDL, BSIMM and Rugged demonstrate. Here's how it became Priority 1 for one of the nation's largest energy providers.
By Bill Brenner , Senior Editor
May 21, 2010 — CSO —
MidAmerican Energy Company is the largest utility in Iowa, strategically located in the middle of several major markets in the Midwest, providing service to more than 725,000 electric customers and more than 707,000 natural gas customers in a 10,600 square-mile area from Sioux Falls, S.D., to the Quad Cities area of Iowa and Illinois. This makes it a tempting target for an attacker bent on striking a blow to critical infrastructure.
Under the direction of John Kerber, manager of information protection, MidAmerican did an extensive review of its security procedures and found that its spread-out network had to be tightened up, particularly when it came to Internet access. Since the company owns other utilities across the globe [including PacifiCorp, which provides power to a large swath of the West coast], there were too many Internet access points that could be targeted. More importantly, though, the company found its biggest problem in the code that makes up its myriad applications for everything from power distribution to online billing services.
"Last May we had an incident where one of our web pages was exploited through an SQL injection flaw," Kerber said. "It was a wake-up call that we had vulnerabilities people could find out about."
In tackling the problem from the beginning of the app development process, MidAmerican is following a growing trend in the infosec community that relies less on bolt-on defenses and more on code security.
A far-flung network
Owned by Berkshire Hathaway, MidAmerican itself has 17,000 employees and is latched into a very spread-out, decentralized network that includes the IT assets of PacifiCorp and those of companies in the U.K., Philippines and elsewhere.
It quickly became apparent to Kerber that a network like that had to be reined in.
"Spread-out networks present a lot of challenges in terms of making sure everyone is on the same page," he said.
One of his first actions was to help craft IT policies at the holdings-company level that could be implemented by all the subsidiaries. Getting standards in place to implement the policies was a slow process, filtering down through the ranks. "We've identified procedures in each of the organizations and are working to modify them all for consistency," Kerber said.
A tighter Internet pipeline
Next, Kerber put controls in place to funnel connections between operating units and the Internet. "It all goes through Des Moines and the Pacific region," he said. "With only two Internet connection points we're able to do a lot of filtering. E-mail runs from here and Portland. We have facilities in the Philippines and e-mail goes through here as well. It makes control of it all much easier."