An inside look at MidAmerican's 273-day quest to transform its process and culture on the way toward making its software more secure using Microsoft's Security Development Lifecycle (SDL).
Smart Grid continues to make progress. One of the most important areas under discussion is the notion of securing the Smart Grid. What does this really mean? How do we add tens of millions of Smart Meters and even more smart devices like thermostats or smart plugs without adding tens of millions of insecure endpoints to the Utility network? In fact, with all the discussion about Critical Infrastructure Protection such as NERC CIPS, how does a Utility go about figuring out what is the right balance of what should be done, and how do they build an orderly plan to execute against the “what”.
Microsoft has invested heavily in the Security Software Development Lifecycle. Products coming to market over the past few years reflect the significant scrutiny, process improvements, threat modeling, code assessments, and dynamic testing that embody the secure approaches to software development. The key to this approach is one that should be familiar to everyone in this industry, minimize the number of vulnerabilities but assume they will exist and engineer to minimize the consequences. The strength of this type of secure development process is recognized by NIST and is reflected in the NIST Regulation NISTIR 7628 (All three volumes of Guidelines for Smart Grid Cyber Security (NISTIR 7628) can be downloaded here.
The next question might be: How does a Utility move from an academic discussion of security, to establishing a comprehensive and practical program for Utility Enterprise wide Security? Perhaps the best way to understand this question is to look at the chronicles of the path taken by MidAmerican Energy Holdings Company . What started at the Berkshire Hathaway company as a response to a botnet attack grew to be one of the most comprehensive, best orchestrated, systematic enterprise wide security assessment and remediation programs anywhere in the industry. MidAmerican took the challenge seriously, looked at what were the best practices and tools available and then did the work that was necessary. Along the way, MidAmerican discovered very tangible financial results from the SDL driven software development productivity gains as well as concrete, auditable gains in security of their applications. You read about the MidAmerican experience by going here.
Everyone should take a few minutes to read of the MidAmerican Secure Development story. It is a fascinatingaccount of how to transform the software engineering culture of a Utility and how to do security right! – Larry Cochrane