Application security for risk reduction and regulatory compliance for utilities building the smart grid
IBM Sof tware Energy and UtilitiesRationalRational IBM Rational security solutions for energy and utility companies Application security for risk reduction and regulatory compliance for utilities building the smart grid Energy and utility companies today are facing a combination of opportu- Highlights nities and challenges. They must cope with the introduction of advanced metering infrastructure (AMI), home area network devices (HAN), grid ● Help energy and utility companies test automation technologies, distributed generation and electric vehicles software from multiple sources for vulnerabilities (EVs), while maintaining their ability to deliver reliable, high-quality power. Whether for residential or commercial and industrial (C&I) ● Help save time and money by eliminating customers, energy and utility providers must ﬁnd ways to maintain the vulnerabilities as early as possible in the software delivery life cycle (SDLC) stability and security of their existing systems while creating the next gen- eration of more interactive—and therefore more vulnerable—solutions. ● Ease the burden of demonstrating NERC CIP compliance for cyber vulnerability IBM® Rational® software provides the tools to create these new assessments applications while helping to minimize security risks. Most energy and utility companies rely on software from a variety of sources, which can make it difficult to stay on top of security issues. These sources include: ● Internal development teams: Often tasked with complicated deliver- ables and facing tight deadlines, internal teams are dealing with vast numbers of critical requirements, which means security may not get the attention it deserves. And some of the security thinking in development is new, as traditionally, electric companies have not invested heavily in large scale software development initiatives. Besides, system integrators working with utilities often do not expose every detail of the underpin- nings of the grid applications.
IBM Software Energy and UtilitiesRational● Packaged application vendors: Commercial off the shelf call for even more frequent assessments, covering a much larger (COTS) applications or “packaged apps” represent a signiﬁ- portion of utility systems. Performing these assessments consis- cant portion of many energy and utility companies’ infrastruc- tently and cost-effectively requires signiﬁcant effort. tures, but these applications have been created to meet the Automation can help alleviate that burden. manufacturer’s standards rather than the energy and utility industry’s standards. And getting ready for NIST● External development teams: Outsourcing development Following years of work by members of industry, government, enables providers to take advantage of a wider pool of expert- and academia, the National Institute for Standards ise and potentially realize cost savings, but to get the results and Technology (NIST) released its “NISTIR 7628: you need, you must provide detailed descriptions of expected Guidelines for Smart Grid Cyber Security,”2 version 1.0 in secure development standards. September 2010 and included guidance to rid systems of● Free and open source software: These offerings can be cost application-layer vulnerabilities and design issues, calling out effective, but they’re developed by groups that may or may several by name, including: not meet the regulations and standards that drive the utilities looking to use them. ●Input and output validation ●Authorization vulnerabilitiesMinimizing vulnerabilities ●Password and password management vulnerabilitiesIt would be ideal if all software used in your applications were ●Error handlingdeveloped and tested in a secure software development life ●Cryptographic vulnerabilities and weaknessescycle (SDLC), but that is rarely the case. Furthermore, security ●Logging & auditing issuesrequirements differ among industries, and no one set of best … and morepractices can apply to all of them. So as new smart grids arebeing built out of billions of lines of software, it’s difficult to It’s uncertain how quickly these guidelines will becomeknow whether all of it has been rigorously examined from a part of utilities’ compliance regime, but as support forsecurity perspective. And unfortunately, hackers regularly NISTIR 7628 has been strong in the US, including amongdemonstrate their ability to circumvent security controls by the state public utility commissions (PUCs) as well as interna-ﬁnding and exploiting software vulnerabilities. tionally, it makes sense for utilities to begin preparations.Demonstrating compliance with NERC Controlling development costsregulations When the applications in question are the ones you’re buildingThe North American Electric Reliability Corporation (NERC) yourself, reducing vulnerabilities early in the life cycle may becritical infrastructure protection (CIP) 007 regulation calls for one of the best ways to ensure security and reduce developmentannual vulnerability assessments. It also states that energy and costs. Assessing applications during the development phase canutility companies must provide “[d]ocumentation of the results be an ideal way to reduce opportunities for vulnerabilities andof the assessment, the action plan to remediate or mitigate vul- to simplify the assessment and reporting process later on.nerabilities identiﬁed in the assessment, and the execution statusof that action plan.”1 Upcoming versions of the CIPs will likely 2
IBM Software Energy and UtilitiesRational Outsourced applications Preexisting applications Packaged applications Applications developed in-house Applications from disparate sources Outage management application Customer portal System identity and access management system Meter data management system [ Vulnerability identification IBM Rational security solutions [ Vulnerability remediation Assessed and validated applicationsA solution from IBM Rational software vulnerabilities long before your software is exposed to theIBM offers a combination of products and services that can help public. And you can save time by automating analysis, triage,you enhance security while reducing your development costs: and vulnerability dispatch as part of your build process.IBM Rational AppScan Standard Edition IBM Rational AppScan Enterprise EditionRapidly scan applications and web-facing systems for Enable enterprise report generation for senior manage-vulnerabilities and conﬁguration issues using IBM Rational ment, auditors and other key stakeholders. ImprovingAppScan® Standard Edition software. If you’re buying or security is one thing; demonstrating that you’ve done what itbuilding a new customer portal, web application assessment takes is another. Automated reporting capabilities from Rationalcapabilities from Rational software can help reduce the security AppScan Enterprise Edition software allow you to spend lessrisks involved. time creating reports and more time on your applications, systems and customers.IBM Rational AppScan Source EditionAnalyze your source code during the early stages of the IBM Rational Professional ServicesSDLC to catch vulnerabilities quickly. Rational AppScan Develop processes to address current and evolving NERCSource Edition software enables you to identify and reduce compliance requirements. Rational security professionals can help you design and develop a customized vulnerability action plan that’s applicable for NERC and other standards. 3
IBM Software Energy and UtilitiesRationalBest practices and maintaining a secure infrastructure, including knowledge ofUtilities have a few things to consider when launching an appli- threats and vulnerabilities, structural elements, and ongoing val-cation security program, and lessons learned in other industries idation. For application security with smart meters and othercan help guide their way. A few of these ﬁrst steps include: grid automation sensors generating unprecedented amounts of (often sensitive) data on a daily basis, while Rational AppScan● Know what applications you have via centralized asset discov- software family capabilities are central, other important and ery and management. related IBM tools and services include:● Put a starter policy in place that describes how your organiza- tion secures its SDLC. ● Rational development life-cycle tools for defect tracking and● Prioritize applications by business criticality and exposure, source code control, as well as tools to help you inventory and triage found vulnerabilities to remediate or mitigate the your applications and capture your security policy. most severe ones ﬁrst. ● IBM InfoSphere™ Optim™ software for data management● Include application security objectives and requirements in and IBM InfoSphere Guardium® software for data security. sourcing activities and decisions. ● IBM Tivoli® Identity and Access Management (IAM) solutions.Use cases ● IBM WebSphere® Data Power for web services security.Utilities in the US and elsewhere are beginning to understand ● IBM Proventia® network and application layer ﬁrewalls.that deploying and interconnecting software-centric systems is ● IBM Emergency Response Services (ERS).a risky proposition. And many have begun to address this issuevia implementation of new security policies, new employee Conclusiontraining and awareness initiatives, and the addition of select From a security perspective, energy and utility companies havetools to help automate security testing at key milestones. Here a lot on their plates these days. In the past, their systems wereare a few of the use cases: partially protected through isolation. But the beneﬁts of smart grid, AMI and grid automation projects can best be achieved● Using tools to identify and eliminate high severity vulnerabili- by fully integrating and networking IT with operations and ties in public-facing applications like new smart grid customer by achieving trusted, reliable and attack resilient two-way portals. communications paths to and from customers. This unprece-● Performing web and source code-level security assessments of dented access and connectivity must be managed via new AMI components. security controls and policies, a vast majority of which are● Smart meter vendors running pre-release security tests of implemented in software. their code. Security solutions from IBM Rational software can help energyAn important part of IBM’s “Secure by and utility companies better understand the security posture of their applications and other software assets to save valuable timeDesign” initiative and money, make better-informed decisions to manage compli-As part of its Solutions Architecture for Energy (SAFE) ance regulations and help protect themselves from attackers.software framework, and Secure by Design approach,IBM offers three primary components essential to creating 4