Securing software for the smart grid: Analyze early and often
With the proliferation of the smart grid, companies in the energy and utilities sectors will need strict cyber security measures enacted for software-based systems.
When delivering software-based systems for energy and utilities, it is vital to include cyber security assessment as part of systems analysis and architecture prior to building, integrating, and delivering the system. Applications slated for use in the smart grid should make use of a secure software development life cycle, ensuring faster customer acceptance and optimum return on investment.
Vulnerabilities introduced during the software development and delivery processes for smart grid systems can arise from a lack of oversight in cyber security evaluation, leading to poor software integration and overall system vulnerability. Reliability protections, data loss prevention, and privacy enforcement for energy customers provide a strong business case for enforcing strict cyber security policies. Standards applicable to software delivery include NISTIR 7628, Guidelines for Smart Grid Cyber Security, and PCI for credit card processing, among others. A viable software delivery process for companies in the energy and utilities sector must include these types of cyber security measures.
Standards versus regulations
Whereas standards describe best practices and are not enforceable by outside agencies, regulations such as those defined by the North American Electric Reliability Corporation (NERC) are enforced. NERC’s Critical Infrastructure Protection regulations are aimed at power suppliers and power generation and transmission operators, who are required to show compliance with all provisions of NERC pertaining to smart grid cyber security.
Industry framework standards such as IEC 61968 and 61970, collectively known as the Common Information Model, increase interoperability in the smart grid. They do so by standardizing the data headed to and from grid systems, including control centers, substations, and other devices.
Software challenges for energy and utility systems
Utility companies acquire software from multiple sources. Internal software delivery teams are inundated with operational and control requirements for the delivered system, and often omit security requirements in full or in part.
Furthermore, COTS or open-source applications are customarily used in complex systems affiliated with large IT and network systems. Energy companies frequently use software service providers and independent software vendors for developing and integrating the final system. Among the many benefits of outsourcing, lower total cost, larger pools of available experts, and shorter time to market are obvious. However, despite the number and diversity of teams involved in software assembly, there are no safety regulations imposed on independent software vendors, COTS products, or open-source components used in the delivered system (see Figure 1).
Defining security needs
From a security perspective, it is vital for a utility company to incorporate safety measures into the following elements:
- The various source code and binary software components comprising the final system
- The collaborative development process practiced by the extended team
- The enterprise structure through review and reengineering of the enterprise architecture and business process
Securing evolving software
The most logical place to start implementing security is in the evolving software slated for deployment. For an energy and utility company, this could be at the level of enterprise IT systems, smart grid network, or Web-facing portal.
Whether source code comes from internal development teams, external teams, or purchased applications, or is generated from models such as UML, analysis during the early stages of the software development life cycle is one way automated tools can identify and reduce vulnerabilities before software is released.
It is also important to show stakeholders which security measures are being implemented on a continuous basis. Automated reporting capabilities free software delivery teams from the manual chore of creating reports so they can spend more time on their applications, systems, and customers.
Finally, developing a business process to address NERC compliance requirements at various stages of an energy or utility company’s operation is essential for developing a security-conscious culture in the software delivery organization. Because security is a global initiative, it is beneficial to engage security professionals to help design and develop a customized vulnerability action plan applicable to NERC and other security standards that are observed internationally.
Integration optimizes smart grid benefits
Energy and utility companies continually face new security challenges. In the past, systems were isolated from security violations. But as the smart grid proliferates throughout an organization, its benefits, along with those of other advanced metering infrastructure projects, can be optimized by fully integrating and networking the enterprise IT with the organization’s operations, as well as by achieving true two-way communication paths to and from customers. This unprecedented access must be managed via new security controls and policies, the vast majority of which are implemented in software.
IBM Rational 847-425-5149 ibadr@us.ibm.com www.linkedin.com/groups/IBM-Rational-software-community-3823995?mostPopular=&gid=3823995 www.facebook.com/IBMRational @ibmrational www.ibm.com/software/rational
