The recent news of major, relentless cyber attacks on the State Department, White House, and Pentagon, as well as South Korean targets, sadly demonstrates why so much time, money and effort is being spent on ensuring that critical infrastructure, particularly that of the utility grid, is protected and secure.

The lesson couldn’t be more stark as you consider that, as utility companies try to make the grid smarter by adding more devices, sensors, monitors and communication equipment, they will open new doors into the grid’s information network and create more vulnerabilities. 

There’s no question it’s a new day in utility security concerns. In the past, utility companies were lulled into a false sense of security. Legacy control systems were originally designed to be electrically disconnected from the Internet so that security implementations would be minimal, if they were considered at all.

Surely, this is no longer the case. The Obama administration and North American Electric Reliability Corporation are aggressively studying system vulnerabilities and what utilities need to do to protect their critical infrastructure.

Microsoft has established a unique approach to the development of security measures because of our extensive experience as the target of those who continuously look for vulnerabilities. As a result, Microsoft has taken the approach that security should not be just a bolt-on afterthought for its software solutions. We have endeavored to build a whole new class of products with security as a key area of focus and established a complete methodology for developing secure software, including design, coding, and test practices. The slogan we’ve developed along the way is “Secure by Design, Secure by Development, Secure by Deployment.”

We believe that building security into products during each progressive step of the development process is more effective than addressing security after the fact. Utilities that are required to demonstrate exacting security prowess will come to appreciate this inside-out approach.

While all new products from Microsoft must make their way through this process, it has become very clear that intruders have moved from targeting Microsoft code to attacking partner applications as well. Thus, to fully protect a company’s critical infrastructure, it is imperative that all deployed software adhere to good security practices.

To help our partners understand this security approach, we’ve recently posted on our Web site “The Microsoft Security Development Lifecycle: Key Resources for Software Development.” The SDL process is part of Microsoft’s continuing effort to enable a more secure and trustworthy computing ecosystem, and the paper provides an in-depth description of the Microsoft SDL methodology and requirements.

It’s our hope you will benefit from understanding the Security Development Lifecycle as a result of reading this paper. As usual, should you need more information, please don’t hesitate to contact us. – Larry Cochrane, Worldwide Utilities Industry Technology Strategist/Architect