IBMIBM SSooffttwwaarreeRationaRationall

Energy and Utilities

IBM Rational securitysolutions for energy andutility companiesApplication security for risk reduction and regulatorycompliance for utilities building the smart grid

Highlights● Help energy and utility companies test

software from multiple sources for

vulnerabilities

● Help save time and money by eliminating

vulnerabilities as early as possible in the

software delivery life cycle (SDLC)

● Ease the burden of demonstrating NERC

CIP compliance for cyber vulnerability

assessments

Energy and utility companies today are facing a combination of opportu-nities and challenges. They must cope with the introduction of advancedmetering infrastructure (AMI), home area network devices (HAN), gridautomation technologies, distributed generation and electric vehicles(EVs), while maintaining their ability to deliver reliable, high-qualitypower. Whether for residential or commercial and industrial (C&I) customers, energy and utility providers must find ways to maintain thestability and security of their existing systems while creating the next gen-eration of more interactive—and therefore more vulnerable—solutions.IBM® Rational® software provides the tools to create these new applications while helping to minimize security risks.

Most energy and utility companies rely on software from a variety ofsources, which can make it difficult to stay on top of security issues.These sources include:

● Internal development teams: Often tasked with complicated deliver-ables and facing tight deadlines, internal teams are dealing with vastnumbers of critical requirements, which means security may not get theattention it deserves. And some of the security thinking in developmentis new, as traditionally, electric companies have not invested heavily inlarge scale software development initiatives. Besides, system integratorsworking with utilities often do not expose every detail of the underpin-nings of the grid applications.

2

IBM Software Energy and UtilitiesRationalIBM SoftwareRational

● Packaged application vendors: Commercial off the shelf(COTS) applications or “packaged apps” represent a signifi-cant portion of many energy and utility companies’ infrastruc-tures, but these applications have been created to meet themanufacturer’s standards rather than the energy and utilityindustry’s standards.

● External development teams: Outsourcing developmentenables providers to take advantage of a wider pool of expert-ise and potentially realize cost savings, but to get the resultsyou need, you must provide detailed descriptions of expectedsecure development standards.

● Free and open source software: These offerings can be costeffective, but they’re developed by groups that may or maynot meet the regulations and standards that drive the utilitieslooking to use them.

Minimizing vulnerabilitiesIt would be ideal if all software used in your applications weredeveloped and tested in a secure software development life cycle (SDLC), but that is rarely the case. Furthermore, securityrequirements differ among industries, and no one set of bestpractices can apply to all of them. So as new smart grids arebeing built out of billions of lines of software, it’s difficult toknow whether all of it has been rigorously examined from asecurity perspective. And unfortunately, hackers regularlydemonstrate their ability to circumvent security controls byfinding and exploiting software vulnerabilities.

Demonstrating compliance with NERCregulationsThe North American Electric Reliability Corporation (NERC)critical infrastructure protection (CIP) 007 regulation calls forannual vulnerability assessments. It also states that energy andutility companies must provide “[d]ocumentation of the resultsof the assessment, the action plan to remediate or mitigate vul-nerabilities identified in the assessment, and the execution statusof that action plan.”1 Upcoming versions of the CIPs will likely

call for even more frequent assessments, covering a much largerportion of utility systems. Performing these assessments consis-tently and cost-effectively requires significant effort.Automation can help alleviate that burden.

And getting ready for NISTFollowing years of work by members of industry, government,and academia, the National Institute for Standards and Technology (NIST) released its “NISTIR 7628: Guidelines for Smart Grid Cyber Security,”2 version 1.0 inSeptember 2010 and included guidance to rid systems of application-layer vulnerabilities and design issues, calling outseveral by name, including:

● Input and output validation● Authorization vulnerabilities● Password and password management vulnerabilities● Error handling● Cryptographic vulnerabilities and weaknesses● Logging & auditing issues… and more

It’s uncertain how quickly these guidelines will become part of utilities’ compliance regime, but as support for NISTIR 7628 has been strong in the US, including among the state public utility commissions (PUCs) as well as interna-tionally, it makes sense for utilities to begin preparations.

Controlling development costsWhen the applications in question are the ones you’re buildingyourself, reducing vulnerabilities early in the life cycle may beone of the best ways to ensure security and reduce developmentcosts. Assessing applications during the development phase canbe an ideal way to reduce opportunities for vulnerabilities andto simplify the assessment and reporting process later on.

3

IBM Software Energy and UtilitiesRationalIBM SoftwareRational

A solution from IBM Rational softwareIBM offers a combination of products and services that can helpyou enhance security while reducing your development costs:

IBM Rational AppScan Standard EditionRapidly scan applications and web-facing systems for vulnerabilities and configuration issues using IBM RationalAppScan® Standard Edition software. If you’re buying orbuilding a new customer portal, web application assessmentcapabilities from Rational software can help reduce the securityrisks involved.

IBM Rational AppScan Source EditionAnalyze your source code during the early stages of theSDLC to catch vulnerabilities quickly. Rational AppScanSource Edition software enables you to identify and reduce

vulnerabilities long before your software is exposed to the public. And you can save time by automating analysis, triage,and vulnerability dispatch as part of your build process.

IBM Rational AppScan Enterprise EditionEnable enterprise report generation for senior manage-ment, auditors and other key stakeholders. Improving security is one thing; demonstrating that you’ve done what ittakes is another. Automated reporting capabilities from RationalAppScan Enterprise Edition software allow you to spend lesstime creating reports and more time on your applications, systems and customers.

IBM Rational Professional ServicesDevelop processes to address current and evolving NERCcompliance requirements. Rational security professionals canhelp you design and develop a customized vulnerability actionplan that’s applicable for NERC and other standards.

Vulnerability identification

Vulnerability remediation

[

[

Outsourced applications Preexisting applications Packaged applications Applications developed in-house

System identity and access management system

Customer portal

Outage management applicationApplications

from disparatesources

IBM Rational security

solutions

Meter data managementsystem

Assessed andvalidated

applications

4

IBM Software Energy and UtilitiesRationalIBM SoftwareRational

Best practicesUtilities have a few things to consider when launching an appli-cation security program, and lessons learned in other industriescan help guide their way. A few of these first steps include:

● Know what applications you have via centralized asset discov-ery and management.

● Put a starter policy in place that describes how your organiza-tion secures its SDLC.

● Prioritize applications by business criticality and exposure,and triage found vulnerabilities to remediate or mitigate themost severe ones first.

● Include application security objectives and requirements insourcing activities and decisions.

Use casesUtilities in the US and elsewhere are beginning to understandthat deploying and interconnecting software-centric systems is a risky proposition. And many have begun to address this issuevia implementation of new security policies, new employeetraining and awareness initiatives, and the addition of selecttools to help automate security testing at key milestones. Hereare a few of the use cases:

● Using tools to identify and eliminate high severity vulnerabili-ties in public-facing applications like new smart grid customerportals.

● Performing web and source code-level security assessments ofAMI components.

● Smart meter vendors running pre-release security tests oftheir code.

An important part of IBM’s “Secure byDesign” initiativeAs part of its Solutions Architecture for Energy (SAFE) software framework, and Secure by Design approach, IBM offers three primary components essential to creating

and maintaining a secure infrastructure, including knowledge ofthreats and vulnerabilities, structural elements, and ongoing val-idation. For application security with smart meters and othergrid automation sensors generating unprecedented amounts of(often sensitive) data on a daily basis, while Rational AppScansoftware family capabilities are central, other important andrelated IBM tools and services include:

● Rational development life-cycle tools for defect tracking andsource code control, as well as tools to help you inventoryyour applications and capture your security policy.

● IBM InfoSphere™ Optim™ software for data managementand IBM InfoSphere Guardium® software for data security.

● IBM Tivoli® Identity and Access Management (IAM) solutions.

● IBM WebSphere® Data Power for web services security.● IBM Proventia® network and application layer firewalls.● IBM Emergency Response Services (ERS).

ConclusionFrom a security perspective, energy and utility companies havea lot on their plates these days. In the past, their systems werepartially protected through isolation. But the benefits of smartgrid, AMI and grid automation projects can best be achieved by fully integrating and networking IT with operations and by achieving trusted, reliable and attack resilient two-way communications paths to and from customers. This unprece-dented access and connectivity must be managed via new security controls and policies, a vast majority of which areimplemented in software.

Security solutions from IBM Rational software can help energyand utility companies better understand the security posture oftheir applications and other software assets to save valuable timeand money, make better-informed decisions to manage compli-ance regulations and help protect themselves from attackers.

Notes

Please Recycle

For more informationTo learn more about security solutions for energy and utilitycompanies, contact your IBM representative or IBM BusinessPartner, or visit: ibm.com/software/rational/offerings/

websecurity/?S_TACT=105AGX23&S_CMP=HP

Additionally, financing solutions from IBM Global Financingcan enable effective cash management, protection from tech-nology obsolescence, improved total cost of ownership andreturn on investment. Also, our Global Asset Recovery Serviceshelp address environmental concerns with new, more energy-efficient solutions. For more information on IBM GlobalFinancing, visit: ibm.com/financing

© Copyright IBM Corporation 2011

IBM CorporationSoftware GroupRoute 100Somers, NY 10589U.S.A.

Produced in the United States of AmericaMarch 2011All Rights Reserved

IBM, the IBM logo, ibm.com, and Rational are trademarks of InternationalBusiness Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or othercompanies. A current list of IBM trademarks is available on the web at“Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Guardium is a registered trademark of Guardium, Inc., an IBM Company.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

The information contained in this documentation is provided forinformational purposes only. While efforts were made to verify thecompleteness and accuracy of the information contained in thisdocumentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s currentproduct plans and strategy, which are subject to change by IBM withoutnotice. IBM shall not be responsible for any damages arising out of the useof, or otherwise related to, this documentation or any other documentation.Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or itssuppliers or licensors), or altering the terms and conditions of the applicablelicense agreement governing the use of IBM software.

IBM customers are responsible for ensuring their own compliance withlegal requirements. It is the customer’s sole responsibility to obtain advice ofcompetent legal counsel as to the identification and interpretation of anyrelevant laws and regulatory requirements that may affect the customer’sbusiness and any actions the customer may need to take to comply withsuch laws.

1 North American Electric Reliability Corporation, Standard CIP-007-3—Cyber Security—Systems Security Management, December 16, 2009, http://www.nerc.com/files/CIP-007-3.pdf

2 National Institute of Standards and Technology Interoperability Report(NISTIR) 7628 - Guidelines for Smart Grid Cyber Security, Volume 3, August2010, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf

RAS14050-USEN-02