1. IBM Sof tware Energy and Utilities
Rational
Rational
IBM Rational security
solutions for energy and
utility companies
Application security for risk reduction and regulatory
compliance for utilities building the smart grid
Energy and utility companies today are facing a combination of opportu-
Highlights nities and challenges. They must cope with the introduction of advanced
metering infrastructure (AMI), home area network devices (HAN), grid
● Help energy and utility companies test automation technologies, distributed generation and electric vehicles
software from multiple sources for
vulnerabilities (EVs), while maintaining their ability to deliver reliable, high-quality
power. Whether for residential or commercial and industrial (C&I)
● Help save time and money by eliminating
customers, energy and utility providers must find ways to maintain the
vulnerabilities as early as possible in the
software delivery life cycle (SDLC) stability and security of their existing systems while creating the next gen-
eration of more interactive—and therefore more vulnerable—solutions.
● Ease the burden of demonstrating NERC
CIP compliance for cyber vulnerability
IBM® Rational® software provides the tools to create these new
assessments applications while helping to minimize security risks.
Most energy and utility companies rely on software from a variety of
sources, which can make it difficult to stay on top of security issues.
These sources include:
● Internal development teams: Often tasked with complicated deliver-
ables and facing tight deadlines, internal teams are dealing with vast
numbers of critical requirements, which means security may not get the
attention it deserves. And some of the security thinking in development
is new, as traditionally, electric companies have not invested heavily in
large scale software development initiatives. Besides, system integrators
working with utilities often do not expose every detail of the underpin-
nings of the grid applications.

2. IBM Software Energy and Utilities
Rational
● Packaged application vendors: Commercial off the shelf call for even more frequent assessments, covering a much larger
(COTS) applications or “packaged apps” represent a signifi- portion of utility systems. Performing these assessments consis-
cant portion of many energy and utility companies’ infrastruc- tently and cost-effectively requires significant effort.
tures, but these applications have been created to meet the Automation can help alleviate that burden.
manufacturer’s standards rather than the energy and utility
industry’s standards. And getting ready for NIST
● External development teams: Outsourcing development Following years of work by members of industry, government,
enables providers to take advantage of a wider pool of expert- and academia, the National Institute for Standards
ise and potentially realize cost savings, but to get the results and Technology (NIST) released its “NISTIR 7628:
you need, you must provide detailed descriptions of expected Guidelines for Smart Grid Cyber Security,”2 version 1.0 in
secure development standards. September 2010 and included guidance to rid systems of
● Free and open source software: These offerings can be cost application-layer vulnerabilities and design issues, calling out
effective, but they’re developed by groups that may or may several by name, including:
not meet the regulations and standards that drive the utilities
looking to use them. ●Input and output validation
●Authorization vulnerabilities
Minimizing vulnerabilities ●Password and password management vulnerabilities
It would be ideal if all software used in your applications were ●Error handling
developed and tested in a secure software development life ●Cryptographic vulnerabilities and weaknesses
cycle (SDLC), but that is rarely the case. Furthermore, security ●Logging & auditing issues
requirements differ among industries, and no one set of best … and more
practices can apply to all of them. So as new smart grids are
being built out of billions of lines of software, it’s difficult to It’s uncertain how quickly these guidelines will become
know whether all of it has been rigorously examined from a part of utilities’ compliance regime, but as support for
security perspective. And unfortunately, hackers regularly NISTIR 7628 has been strong in the US, including among
demonstrate their ability to circumvent security controls by the state public utility commissions (PUCs) as well as interna-
finding and exploiting software vulnerabilities. tionally, it makes sense for utilities to begin preparations.
Demonstrating compliance with NERC Controlling development costs
regulations When the applications in question are the ones you’re building
The North American Electric Reliability Corporation (NERC) yourself, reducing vulnerabilities early in the life cycle may be
critical infrastructure protection (CIP) 007 regulation calls for one of the best ways to ensure security and reduce development
annual vulnerability assessments. It also states that energy and costs. Assessing applications during the development phase can
utility companies must provide “[d]ocumentation of the results be an ideal way to reduce opportunities for vulnerabilities and
of the assessment, the action plan to remediate or mitigate vul- to simplify the assessment and reporting process later on.
nerabilities identified in the assessment, and the execution status
of that action plan.”1 Upcoming versions of the CIPs will likely
2

3. IBM Software Energy and Utilities
Rational
Outsourced applications Preexisting applications Packaged applications Applications developed in-house
Applications
from disparate
sources
Outage management
application
Customer portal
System identity and access
management system
Meter data management
system
[
Vulnerability identification
IBM Rational
security
solutions
[
Vulnerability remediation
Assessed and
validated
applications
A solution from IBM Rational software vulnerabilities long before your software is exposed to the
IBM offers a combination of products and services that can help public. And you can save time by automating analysis, triage,
you enhance security while reducing your development costs: and vulnerability dispatch as part of your build process.
IBM Rational AppScan Standard Edition IBM Rational AppScan Enterprise Edition
Rapidly scan applications and web-facing systems for Enable enterprise report generation for senior manage-
vulnerabilities and configuration issues using IBM Rational ment, auditors and other key stakeholders. Improving
AppScan® Standard Edition software. If you’re buying or security is one thing; demonstrating that you’ve done what it
building a new customer portal, web application assessment takes is another. Automated reporting capabilities from Rational
capabilities from Rational software can help reduce the security AppScan Enterprise Edition software allow you to spend less
risks involved. time creating reports and more time on your applications,
systems and customers.
IBM Rational AppScan Source Edition
Analyze your source code during the early stages of the IBM Rational Professional Services
SDLC to catch vulnerabilities quickly. Rational AppScan Develop processes to address current and evolving NERC
Source Edition software enables you to identify and reduce compliance requirements. Rational security professionals can
help you design and develop a customized vulnerability action
plan that’s applicable for NERC and other standards.
3

4. IBM Software Energy and Utilities
Rational
Best practices and maintaining a secure infrastructure, including knowledge of
Utilities have a few things to consider when launching an appli- threats and vulnerabilities, structural elements, and ongoing val-
cation security program, and lessons learned in other industries idation. For application security with smart meters and other
can help guide their way. A few of these first steps include: grid automation sensors generating unprecedented amounts of
(often sensitive) data on a daily basis, while Rational AppScan
● Know what applications you have via centralized asset discov- software family capabilities are central, other important and
ery and management. related IBM tools and services include:
● Put a starter policy in place that describes how your organiza-
tion secures its SDLC. ● Rational development life-cycle tools for defect tracking and
● Prioritize applications by business criticality and exposure, source code control, as well as tools to help you inventory
and triage found vulnerabilities to remediate or mitigate the your applications and capture your security policy.
most severe ones first. ● IBM InfoSphere™ Optim™ software for data management
● Include application security objectives and requirements in and IBM InfoSphere Guardium® software for data security.
sourcing activities and decisions. ● IBM Tivoli® Identity and Access Management (IAM)
solutions.
Use cases ● IBM WebSphere® Data Power for web services security.
Utilities in the US and elsewhere are beginning to understand
● IBM Proventia® network and application layer firewalls.
that deploying and interconnecting software-centric systems is
● IBM Emergency Response Services (ERS).
a risky proposition. And many have begun to address this issue
via implementation of new security policies, new employee Conclusion
training and awareness initiatives, and the addition of select From a security perspective, energy and utility companies have
tools to help automate security testing at key milestones. Here a lot on their plates these days. In the past, their systems were
are a few of the use cases: partially protected through isolation. But the benefits of smart
grid, AMI and grid automation projects can best be achieved
● Using tools to identify and eliminate high severity vulnerabili- by fully integrating and networking IT with operations and
ties in public-facing applications like new smart grid customer by achieving trusted, reliable and attack resilient two-way
portals. communications paths to and from customers. This unprece-
● Performing web and source code-level security assessments of dented access and connectivity must be managed via new
AMI components. security controls and policies, a vast majority of which are
● Smart meter vendors running pre-release security tests of implemented in software.
their code.
Security solutions from IBM Rational software can help energy
An important part of IBM’s “Secure by and utility companies better understand the security posture of
their applications and other software assets to save valuable time
Design” initiative
and money, make better-informed decisions to manage compli-
As part of its Solutions Architecture for Energy (SAFE)
ance regulations and help protect themselves from attackers.
software framework, and Secure by Design approach,
IBM offers three primary components essential to creating
4

5. Notes

6. For more information
To learn more about security solutions for energy and utility
companies, contact your IBM representative or IBM Business
Partner, or visit: ibm.com/software/rational/offerings/
websecurity/?S_TACT=105AGX23&S_CMP=HP
© Copyright IBM Corporation 2011
Additionally, financing solutions from IBM Global Financing IBM Corporation
can enable effective cash management, protection from tech- Software Group
Route 100
nology obsolescence, improved total cost of ownership and Somers, NY 10589
return on investment. Also, our Global Asset Recovery Services U.S.A.
help address environmental concerns with new, more energy- Produced in the United States of America
efficient solutions. For more information on IBM Global March 2011
Financing, visit: ibm.com/financing All Rights Reserved
IBM, the IBM logo, ibm.com, and Rational are trademarks of International
Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the web at
“Copyright and trademark information” at ibm.com/legal/copytrade.shtml
Guardium is a registered trademark of Guardium, Inc., an IBM Company.
References in this publication to IBM products or services do not
imply that IBM intends to make them available in all countries in
which IBM operates.
The information contained in this documentation is provided for
informational purposes only. While efforts were made to verify the
completeness and accuracy of the information contained in this
documentation, it is provided “as is” without warranty of any kind,
express or implied. In addition, this information is based on IBM’s current
product plans and strategy, which are subject to change by IBM without
notice. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, this documentation or any other documentation.
Nothing contained in this documentation is intended to, nor shall have
the effect of, creating any warranties or representations from IBM (or its
suppliers or licensors), or altering the terms and conditions of the applicable
license agreement governing the use of IBM software.
IBM customers are responsible for ensuring their own compliance with
legal requirements. It is the customer’s sole responsibility to obtain advice of
competent legal counsel as to the identification and interpretation of any
relevant laws and regulatory requirements that may affect the customer’s
business and any actions the customer may need to take to comply with
such laws.
1
North American Electric Reliability Corporation,
Standard CIP-007-3—Cyber Security—Systems Security Management,
December 16, 2009, http://www.nerc.com/files/CIP-007-3.pdf
2
National Institute of Standards and Technology Interoperability Report
(NISTIR) 7628 - Guidelines for Smart Grid Cyber Security, Volume 3, August
2010, http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf
Please Recycle
RAS14050-USEN-02