Application security for risk reduction and regulatory compliance for utilities building the smart grid
IBM Software
Energy and Utilities
Rational

IBM Rational security solutions for energy and utility companies

Highlights
● Help energy and utility companies test software from multiple sources for vulnerabilities
● Help save time and money by eliminating vulnerabilities as early as possible in the software delivery life cycle (SDLC)
● Ease the burden of demonstrating NERC CIP compliance for cyber vulnerability assessments

Energy and utility companies today are facing a combination of opportunities and challenges. They must cope with the introduction of advanced metering infrastructure (AMI), home area network (HAN) devices, grid automation technologies, distributed generation and electric vehicles (EVs), while maintaining their ability to deliver reliable, high-quality power. Whether for residential or commercial and industrial (C&I) customers, energy and utility providers must find ways to maintain the stability and security of their existing systems while creating the next generation of more interactive—and therefore more vulnerable—solutions.

IBM® Rational® software provides the tools to create these new applications while helping to minimize security risks.

Most energy and utility companies rely on software from a variety of sources, which can make it difficult to stay on top of security issues. These sources include:

● Internal development teams: Often tasked with complicated deliverables and facing tight deadlines, internal teams are dealing with vast numbers of critical requirements, which means security may not get the attention it deserves. And some of the security thinking in development is new, as traditionally, electric companies have not invested heavily in large-scale software development initiatives. Besides, system integrators working with utilities often do not expose every detail of the underpinnings of the grid applications.
● Packaged application vendors: Commercial off-the-shelf (COTS) applications or “packaged apps” represent a significant portion of many energy and utility companies’ infrastructures, but these applications have been created to meet the manufacturer’s standards rather than the energy and utility industry’s standards.

● External development teams: Outsourcing development enables providers to take advantage of a wider pool of expertise and potentially realize cost savings, but to get the results you need, you must provide detailed descriptions of expected secure development standards.

● Free and open source software: These offerings can be cost effective, but they’re developed by groups that may or may not meet the regulations and standards that drive the utilities looking to use them.

Minimizing vulnerabilities
It would be ideal if all software used in your applications were developed and tested in a secure software development life cycle (SDLC), but that is rarely the case. Furthermore, security requirements differ among industries, and no one set of best practices can apply to all of them. So as new smart grids are being built out of billions of lines of software, it’s difficult to know whether all of it has been rigorously examined from a security perspective. And unfortunately, hackers regularly demonstrate their ability to circumvent security controls by finding and exploiting software vulnerabilities.

Demonstrating compliance with NERC regulations
The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) 007 regulation calls for annual vulnerability assessments. It also states that energy and utility companies must provide “[d]ocumentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.”1 Upcoming versions of the CIPs will likely call for even more frequent assessments, covering a much larger portion of utility systems. Performing these assessments consistently and cost-effectively requires significant effort. Automation can help alleviate that burden.

And getting ready for NIST
Following years of work by members of industry, government and academia, the National Institute of Standards and Technology (NIST) released its “NISTIR 7628: Guidelines for Smart Grid Cyber Security,”2 version 1.0 in September 2010 and included guidance to rid systems of application-layer vulnerabilities and design issues, calling out several by name, including:

● Input and output validation
● Authorization vulnerabilities
● Password and password management vulnerabilities
● Error handling
● Cryptographic vulnerabilities and weaknesses
● Logging & auditing issues
… and more

It’s uncertain how quickly these guidelines will become part of utilities’ compliance regime, but as support for NISTIR 7628 has been strong in the US, including among the state public utility commissions (PUCs) as well as internationally, it makes sense for utilities to begin preparations.

Controlling development costs
When the applications in question are the ones you’re building yourself, reducing vulnerabilities early in the life cycle may be one of the best ways to ensure security and reduce development costs. Assessing applications during the development phase can be an ideal way to reduce opportunities for vulnerabilities and to simplify the assessment and reporting process later on.
[Figure: applications from disparate sources (outsourced applications, preexisting applications, packaged applications, applications developed in-house; for example an outage management application, a customer portal, an identity and access management system and a meter data management system) pass through IBM Rational security solutions (vulnerability identification, vulnerability remediation) and emerge as assessed and validated applications.]

A solution from IBM Rational software
IBM offers a combination of products and services that can help you enhance security while reducing your development costs:

IBM Rational AppScan Standard Edition
Rapidly scan applications and web-facing systems for vulnerabilities and configuration issues using IBM Rational AppScan® Standard Edition software. If you’re buying or building a new customer portal, web application assessment capabilities from Rational software can help reduce the security risks involved.

IBM Rational AppScan Source Edition
Analyze your source code during the early stages of the SDLC to catch vulnerabilities quickly. Rational AppScan Source Edition software enables you to identify and reduce vulnerabilities long before your software is exposed to the public. And you can save time by automating analysis, triage and vulnerability dispatch as part of your build process.

IBM Rational AppScan Enterprise Edition
Enable enterprise report generation for senior management, auditors and other key stakeholders. Improving security is one thing; demonstrating that you’ve done what it takes is another. Automated reporting capabilities from Rational AppScan Enterprise Edition software allow you to spend less time creating reports and more time on your applications, systems and customers.

IBM Rational Professional Services
Develop processes to address current and evolving NERC compliance requirements. Rational security professionals can help you design and develop a customized vulnerability action plan that’s applicable for NERC and other standards.
Best practices
Utilities have a few things to consider when launching an application security program, and lessons learned in other industries can help guide their way. A few of these first steps include:

● Know what applications you have via centralized asset discovery and management.
● Put a starter policy in place that describes how your organization secures its SDLC.
● Prioritize applications by business criticality and exposure, and triage found vulnerabilities to remediate or mitigate the most severe ones first.
● Include application security objectives and requirements in sourcing activities and decisions.

Use cases
Utilities in the US and elsewhere are beginning to understand that deploying and interconnecting software-centric systems is a risky proposition. And many have begun to address this issue via implementation of new security policies, new employee training and awareness initiatives, and the addition of select tools to help automate security testing at key milestones. Here are a few of the use cases:

● Using tools to identify and eliminate high-severity vulnerabilities in public-facing applications like new smart grid customer portals.
● Performing web and source code-level security assessments of AMI components.
● Smart meter vendors running pre-release security tests of their code.

An important part of IBM’s “Secure by Design” initiative
As part of its Solutions Architecture for Energy (SAFE) framework and Secure by Design approach, IBM offers three primary components essential to creating and maintaining a secure infrastructure, including knowledge of threats and vulnerabilities, structural elements, and ongoing validation. For application security with smart meters and other grid automation sensors generating unprecedented amounts of (often sensitive) data on a daily basis, while Rational AppScan software family capabilities are central, other important and related IBM tools and services include:

● Rational development life-cycle tools for defect tracking and source code control, as well as tools to help you inventory your applications and capture your security policy.
● IBM InfoSphere™ Optim™ software for data management and IBM InfoSphere Guardium® software for data security.
● IBM Tivoli® Identity and Access Management (IAM) solutions.
● IBM WebSphere® DataPower for web services security.
● IBM Proventia® network and application layer firewalls.
● IBM Emergency Response Services (ERS).

Conclusion
From a security perspective, energy and utility companies have a lot on their plates these days. In the past, their systems were partially protected through isolation. But the benefits of smart grid, AMI and grid automation projects can best be achieved by fully integrating and networking IT with operations and by achieving trusted, reliable and attack-resilient two-way communications paths to and from customers. This unprecedented access and connectivity must be managed via new security controls and policies, a vast majority of which are implemented in software.

Security solutions from IBM Rational software can help energy and utility companies better understand the security posture of their applications and other software assets to save valuable time and money, make better-informed decisions to manage compliance regulations and help protect themselves from
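The triage step in the best-practices list above (prioritize applications by business criticality and exposure, then remediate or mitigate the most severe findings first) and the NERC CIP-007 documentation requirement quoted earlier (results, action plan, execution status) can be carried through as one small workflow. The code below is an added illustration, not IBM's or Rational AppScan's code; the scoring weights, application names, file locations and findings are constructed assumptions, and any real program would take the weights from its own policy.

```python
"""Vulnerability triage and action-plan records for an application security program.

Added example (not IBM's code): ranks scanner findings by application business
criticality and exposure, and keeps the remediate/mitigate action and execution
status that an annual assessment report needs. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Weights are assumptions chosen for illustration, not values from any standard.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"public": 3, "partner": 2, "internal": 1}
VALID_STATUS = {"open", "remediated", "mitigated"}


@dataclass(frozen=True)
class Application:
    name: str
    criticality: int  # business criticality, 1 (low) to 5 (high)
    exposure: str     # "public" (internet-facing), "partner" or "internal"

    def __post_init__(self):
        if not 1 <= self.criticality <= 5:
            raise ValueError(f"criticality out of range for {self.name}")
        if self.exposure not in EXPOSURE_WEIGHT:
            raise ValueError(f"unknown exposure {self.exposure!r}")


@dataclass
class Finding:
    app: Application
    category: str          # vulnerability class, e.g. a NISTIR 7628 category name
    severity: str          # scanner severity: "high", "medium" or "low"
    location: str          # where the issue was found (constructed path)
    status: str = "open"   # "open", "remediated" or "mitigated"
    action: str = ""       # planned remediation or mitigation

    def __post_init__(self):
        if self.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.status not in VALID_STATUS:
            raise ValueError(f"unknown status {self.status!r}")


def priority(f: Finding) -> int:
    """Higher score = fix first: severity x exposure x business criticality."""
    return SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.app.exposure] * f.app.criticality


def triage(findings: List[Finding]) -> List[Finding]:
    """Order findings so the most severe, most exposed, most critical come first."""
    return sorted(findings, key=priority, reverse=True)


def action_plan(findings: List[Finding]) -> List[Dict[str, object]]:
    """One record per finding: the result, the planned action and its status."""
    return [
        {
            "rank": i,
            "application": f.app.name,
            "category": f.category,
            "severity": f.severity,
            "priority": priority(f),
            "location": f.location,
            "action": f.action or "TBD",
            "status": f.status,
        }
        for i, f in enumerate(triage(findings), start=1)
    ]


def execution_status(findings: List[Finding]) -> Dict[str, int]:
    """Counts by status: the 'execution status of the action plan' figure."""
    counts = {s: 0 for s in sorted(VALID_STATUS)}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample: three applications and four scanner findings.
PORTAL = Application("Customer portal", criticality=4, exposure="public")
MDM = Application("Meter data management", criticality=5, exposure="internal")
OMS = Application("Outage management", criticality=5, exposure="internal")

SAMPLE_FINDINGS = [
    Finding(MDM, "Cryptographic vulnerabilities and weaknesses", "high",
            "mdm/export.py:88", action="Replace homegrown cipher with vetted library"),
    Finding(PORTAL, "Authorization vulnerabilities", "medium",
            "portal/billing.py:210", action="Enforce account ownership check"),
    Finding(PORTAL, "Input and output validation", "high",
            "portal/meter_lookup.py:42", action="Parameterize query, validate meter id",
            status="remediated"),
    Finding(OMS, "Logging & auditing issues", "low",
            "oms/crew_dispatch.py:17", action="Add audit log on dispatch changes",
            status="mitigated"),
]

if __name__ == "__main__":
    for row in action_plan(SAMPLE_FINDINGS):
        print(f"{row['rank']}. [{row['priority']:>2}] {row['application']}: "
              f"{row['category']} ({row['severity']}) -> {row['status']}")
    print(execution_status(SAMPLE_FINDINGS))
```

With the constructed data, the public-facing portal's high-severity input validation finding ranks first (score 36) even though the internal meter data management system has the higher business criticality, because exposure multiplies in; the low-severity logging issue on an internal system ranks last. The status counts give the execution-status line of the report, and unknown severities, exposures or status values are rejected so the plan cannot silently carry unscored entries.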
Notes
For more information
To learn more about security solutions for energy and utility companies, contact your IBM representative or IBM Business Partner, or visit:

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit:

© Copyright IBM Corporation 2011
IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
March 2011
All Rights Reserved

IBM, the IBM logo, and Rational are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at

Guardium is a registered trademark of Guardium, Inc., an IBM Company.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws.

1 North American Electric Reliability Corporation, Standard CIP-007-3—Cyber Security—Systems Security Management, December 16, 2009.
2 National Institute of Standards and Technology Interoperability Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security, Volume 3, August 2010.

RAS14050-USEN-02