Security practitioners are increasingly bent on better code security, as Microsoft SDL, BSIMM and Rugged demonstrate. Here's how it became Priority 1 for one of the nation's largest energy providers.

MidAmerican Energy Company is the largest utility in Iowa, strategically located in the middle of several major markets in the Midwest, providing service to more than 725,000 electric customers and more than 707,000 natural gas customers in a 10,600 square-mile area from Sioux Falls, S.D., to the Quad Cities area of Iowa and Illinois. This makes it a tempting target for an attacker bent on striking a blow to critical infrastructure.

Under the direction of John Kerber, manager of information protection, MidAmerican did an extensive review of its security procedures and found that its spread-out network had to be tightened up, particularly when it came to Internet access. Since the company owns other utilities across the globe [including PacifiCorp, which provides power to a large swath of the West coast], there were too many Internet access points that could be targeted.

More importantly, though, the company found its biggest problem in the code that makes up its myriad applications for everything from power distribution to online billing services. “Last May we had an incident where one of our web pages was exploited through an SQL injection flaw,” Kerber said. “It was a wake-up call that we had vulnerabilities people could find out about.”

In tackling the problem from the beginning of the app development process, MidAmerican is following a growing trend in the infosec community that relies less on bolt-on defenses and more on code security. The code security trend includes the Rugged software movement, BSIMM (the Building Security In Maturity Model) and Microsoft’s Security Development Lifecycle (SDL).
A far-flung network

Owned by Berkshire Hathaway, MidAmerican itself has 17,000 employees and is latched into a very spread-out, decentralized network that includes the IT assets of PacifiCorp and those of companies in the U.K., Philippines and elsewhere. It quickly became apparent to Kerber that a network like that had to be reined in. “Spread-out networks present a lot of challenges in terms of making sure everyone is on the same page,” he said.

One of his first actions was to help craft IT policies at the holdings-company level that could be implemented by all the subsidiaries. Getting standards in place to implement the policies was a slow process, filtering down through the ranks. “We’ve identified procedures in each of the organizations and are working to modify them all for consistency,” Kerber said.

A tighter Internet pipeline

Next, Kerber put controls in place to funnel connections between operating units and the Internet. “It all goes through Des Moines and the Pacific region,” he said. “With only two Internet connection points we’re able to do a lot of filtering. E-mail runs from here and Portland. We have facilities in the Philippines and e-mail goes through here as well. It makes control of it all much easier.”

Nobody gets Internet connectivity without passing through several clearance points first, Kerber said. Any traffic to the control systems is one-way out, for the collection of data needed for power generation and billing department needs.

The code security problem

MidAmerican hosts most of the holding company websites while PacifiCorp hosts the rest. The sites include many applications that control operations in finance, HR and customer services. Vulnerabilities here led to an extensive code review and development refresh.

After the SQL injection attacks, Kerber found that the quality-assurance procedures needed work. QA was being done from a functional but not a security standpoint, he said.
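To make the gap between functional and security-oriented QA concrete, here is an added example (not MidAmerican's or Fortify's code): two versions of a billing-page account lookup in Python with sqlite3, one splicing input into the SQL text and one binding it as a parameter, plus a functional check that both pass and a security check that only the parameterized version passes. The table, sample rows and function names are constructed for the example.

```python
"""Added example: why a functional-only QA pass misses an SQL injection flaw.
Schema, data and function names are constructed, not from the article."""
import sqlite3


def make_db():
    # Constructed sample data: an in-memory customer table standing in
    # for the backend of an online-billing lookup page.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (account TEXT, name TEXT, balance REAL)")
    con.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                    [("A-1001", "Alice", 42.50), ("A-1002", "Bob", 17.25)])
    return con


def lookup_concat(con, account):
    # 'Before' form: user input is spliced into the SQL text. A functional
    # test with a well-formed account number passes and never sees the flaw.
    sql = "SELECT account, name, balance FROM customer WHERE account = '%s'" % account
    return con.execute(sql).fetchall()


def lookup_param(con, account):
    # Hardened form: the value travels as a bound parameter, so quote
    # characters in the input cannot change the statement's structure.
    sql = "SELECT account, name, balance FROM customer WHERE account = ?"
    return con.execute(sql, (account,)).fetchall()


def functional_qa(lookup):
    # What the article describes QA as doing: confirm that a valid input
    # returns the right row. Both implementations pass this check.
    con = make_db()
    rows = lookup(con, "A-1001")
    return len(rows) == 1 and rows[0][1] == "Alice"


def security_qa(lookup):
    # The missing check: input that is not a real account number must return
    # nothing. A quote-bearing value exposes the concatenating version, which
    # returns every row instead of none.
    con = make_db()
    rows = lookup(con, "' OR '1'='1")
    return len(rows) == 0
```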
And so the CIO tasked him with drawing up an application security program. Kerber’s team decided to base their program on the OWASP standard and Security Development Lifecycle.

The code security solution

“We sent staff to an OWASP conference and they came back excited and full of ideas,” Kerber said. “They said they needed a tool to scan all our code.”

They needed that tool fast. A third-quarter 2009 deadline to secure all the applications was bearing down on them and manually reviewing thousands of lines of code wasn’t going to cut it. In the fall of 2008, the search was on for a vendor to help expedite the process. They settled on Fortify Software, a vendor used by the likes of Oracle, which embarked on its own code security review and security assurance program a few years ago.

“Fortify met all the criteria we needed,” Kerber said. “They scanned every app language we used. And it’s a tool developers can use to do their own quality assurance assessments. They scanned 900,000 lines of code in the first month of using the tool. We went from almost 15,000 high-level flaws to below 100. We cut the medium-level flaws in half.”

Cross-site scripting vanished off the company’s Top-5 list of vulnerabilities. Some SQL injection flaws remain, but the number is way down, Kerber said.

But something more important has happened as a result of the security improvements, Kerber said. “The more significant thing is that our developers are smarter,” he said.
“Security is more a part of the code from the beginning.”