Irv Badr: Managing Risk: Safety and Security Compliance

Uploaded by energytech2015, posted 13-Apr-2017

Page 1: Irv Badr: Managing Risk Safety and Security Compliance

© 2015 IBM Corporation

IBM Analytics – Continuous Engineering

Managing Risk: Safety and Security Compliance

Irv Badr, Industry Architect, IBM Continuous Engineering, IoT, [email protected]

Page 2: Agenda

• Energy and Utility Sector Security Trends, Drivers and Impacts
• IBM Approach and Benefits
• Defining Safety Compliance
• Nature of Safety (and security) standards
• Design Compliance and its automation?
• Client Success Stories

Page 3: Continuous Engineering and Predictive Analytics close the product development loop

(Diagram of the loop between Engineering, Manufacturing and Operations. Labels: Requirements; Market Needs; Social Sentiment; Testing and Compliance; Device Telematics Data; Learn; Predictive Analytics; Design Models; Engineering Maintenance and Operations; Continuous Engineering; Regulatory Reporting; Warranty & Repair Data.)

Page 4: Energy and utility organizations are at the forefront of attacks

Utilities are among the most targeted verticals
• Attackers include organized cyber-crime, hacktivists, nation-states and exploit researchers

New vulnerabilities are being discovered
• Security testing through injecting invalid, unexpected or random data (fuzzing) has uncovered dozens of vulnerabilities in critical infrastructure systems
• Exploits can be carried out through physical access to networks or through techniques such as brute-force password attacks against Internet-connected devices and phishing

Regulations provide guidance but do not protect against these recent exploits
• NERC CIP focuses on IP communications, overlooking the real vulnerabilities that are present
• NIST CSF is process-based and voluntary
• ENISA Smart Grid Security Recommendations
• ENISA Protecting Industrial Control Systems

Page 5: Current trends are heightening the focus on utility security

Grow the business
• Customer relationships
• Advanced metering and smart grid optimization and efficiency

Protect the business
• Customer data (usage data, credit records, etc.)
• Intellectual property
• Internal/IT operations

Comply with regulations
• NERC CIP
• NIST CSF
• ENISA

Secure the grid
• Protect control systems and SCADA in generation, transmission and distribution
• OT security
• Defend AMI/smart meter networks and devices

Supporting pillars: Compliance Management, Security Risk Management and Secure Infrastructure, spanning People, Technology, Information and Process.

The integration of physical security and cyber security is critical.

Page 6: Energy and utilities attacks – impact scenarios

The balance of risk for energy and utility organizations is unique. Cyber attacks can cause:

Reliability impacts: a potential brownout/blackout of a large geographical area, or one concentrated at an area on which other critical infrastructures depend for power (water treatment plants, transportation centers, etc.).

Safety impacts: potential harm to utility personnel and/or customers, e.g. re-energizing systems where maintenance crews are deployed, or exploding transformers with hazardous waste.

Reputation impacts: exposure of sensitive customer data (e.g., usage info, government ID information, credit card details, etc.) through extraction of such data, including union employee healthcare information.

Productivity impacts: risks to utilities' capacity, delivery and overall ability to provide a consistent product/service to their customer base.

Page 7: A view of a transformed security environment

Area                           Current Environment              Transformed Environment
Security Model                 Defense in Depth                 Rapid Detection + Rapid Response
Security Operations            Steady State and Reactive        Elastic and Agile
Governance, Risk & Compliance  IT and Compliance Focused        Enterprise Risk Management
Functional Domains             IT, OT, Telecom, Physical Silos  Converged
Security Analysis              Manual and Fragmented            Analytics and Intelligence

Page 8: Reduce risks through greater visibility

Security intelligence is BIG DATA: develop greater visibility via security intelligence and big data analytics.

Page 9: DONG Energy identifies and understands risks in its smart grid DMS/SCADA design and architecture with a threat review

Country: Denmark
Security area: SCADA Threat and Risk Assessment review

Client requirements:
A Threat and Risk Assessment review was conducted for a Danish energy company's new Smart Grid DMS (Distribution Management System)/SCADA design and architecture. The purpose of the assessment was to identify and understand the transformational DMS architecture risks through a "Threat Based" architectural review.

Solution:
The engagement included review and assessment through interviews, observations, documentation reviews, industry best practices and a cross-business threat analysis and change workshop.

Key deliverables included: Threat Matrix Heat Map, DMS Threat and Impact Assessment, DMS Design Considerations, DMS Security Roadmap

Benefits:
• Identified gaps in the architectural design arising from unanticipated threats
• The road map allows prioritizing quick wins and security investment by risk
• Greater understanding of risk exposure across business units from cyber threats

Page 10: What the analysts are saying about IBM

Gartner – Global Managed Security Services Providers (MSSPs)

Strengths: IBM uses self-developed technology for data collection, correlation, log query and reporting, and ticketing/workflow.

IBM has four North American SOCs, two in Europe, two in Asia/Pacific, and two in other regions.

IBM's advanced analytics and targeted attack detection capabilities are embedded in its MSS and hosted SIEM offerings, and are supported by IBM and third-party technology deployed by customers.

Gartner customers often include IBM in competitive MSS evaluations, and IBM has high visibility in North American, Asia/Pacific, and European markets.

IBM's MSS capabilities include support for a customer-deployed SIEM (from IBM and others) that is integrated into its standard MSS offerings.

IBM is a large, stable provider of security services and products with global delivery capabilities.

The Bottom Line: Enterprises with global service delivery requirements, and those with strategic relationships with IBM, should consider IBM for MSSs.

Page 11: What the analysts are saying about IBM

2014 Gartner Magic Quadrant for SIEM: LINK

IBM Security QRadar is in the SIEM Leadership Quadrant for the sixth straight year.

IBM Security QRadar SIEM is #1 on "Ability to Execute" (the Y-axis) AND on "Completeness of Vision" (the X-axis).

Ability to Execute is an assessment of overall viability, product service, customer experience, market responsiveness, product track record, sales execution, operations, and marketing execution.

Completeness of Vision is a rating of product strategy, innovation, market understanding, geographic strategy, and other factors.

IBM Press Release: LINK

IBM Internal and BP Use Only

Page 12: Learn more – select publications

• Download the Cyber Security Intelligence Index for Energy and Utilities
• Read the white paper: Responding to—and recovering from—sophisticated security attacks
• Read the white paper: How mature is your cyber-security risk management?
• Download the white paper: Best practices for cyber security in the electric power sector

Page 13: Managing Security and Safety through CONTINUOUS ENGINEERING

Page 14: Safety is accounted for during System Development

65% of incidents involving process control systems occur during the specification, design, installation and commissioning phases of the product implementation.

Source: Schneider Electric

Page 15: Challenges We Face in the Power Industry (e.g. Nuclear)

Key drivers for Nuclear Energy Regulatory and Compliance Projects: Ensuring Compliance; Environmental Safety and Security; Radioactive Waste; Environmental Impact; the impact on water resources, aquatic habitats, and wildlife.

• Protect confidentiality, integrity, privacy, and assurance of utility systems.
• Protect the public in the event of a serious reactor accident.
• Assure a regulatory environment for the continued safe and efficient operation of nuclear plants.
• Provide the governance, oversight, and support to assure corporate and site regulatory and emergency preparedness activities meet corporate needs and regulatory requirements.

Page 16: 10 of the top issues with requirements

1. Requirements grow and change at rates in excess of 1 percent per calendar month.

2. Few applications include greater than 80 percent of user requirements in the first release.

3. Some requirements are dangerous or “toxic” and should not be included.

4. Some applications are overstuffed with extraneous features no one asked for.

5. Most software applications are riddled with security vulnerabilities.

6. Errors in requirements and design cause many high-severity bugs.

7. Effective methods such as requirement and design inspections are seldom used.

8. Standard, reusable requirements and designs are not widely available.

9. Mining legacy applications for “lost” business requirements seldom occurs.

10. The volume of paper documents may be too large for human understanding.

Packaged applications create certain issues.

Source: Software Engineering Best Practices: Lessons from Successful Projects in the Top Companies, by Capers Jones

Page 17: Most enterprises have an inadequate compliance platform

Compliance documents are held in spreadsheets and word processors or in document management systems, and it takes costly manual effort to aggregate and analyze them for completeness and redundancy.

Inadequate tools:
• Insufficient access controls
• Do not support distributed teams
• Cannot analyze the content of the documents
• Information is not linked and offers no traceability

Page 18: Information Traceability – "Chaos to Order"

From non-integrated project data (autonomous Word/Excel documents with related and dependent information between them) to documents that are imported, structured, linked and traced at statement level, to produce reports of managed information.

Page 19: Requirements have multiple dimensions

Detailed requirements cover more than just software.

Requirements areas: Functional; Safety; Procedural; Technical Specs; Business; Contractual.

Examples of what they cover: Pumps, Valves, Hardware; Level-1, Level-2, …; Security, Cooling, …; I&C, Software, ….

Requirements Management: Traceability, Impact, Dependency.

Page 20: Impact Analysis: studied before changes are made

10 CFR Part 72 – related to Nuclear Cyber Security. NEI is the industry trade group that interpreted and proposed a response to the CFR.

Site-specific interpretation is determined by technical SMEs in each utility and varies from site to site.

Page 21: Asset inventory showing which system(s) use the assets ("where used")

A given asset can "touch" multiple critical systems. A critical "system" is typically composed of multiple Critical Digital Assets (CDAs).
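As an added example (not from the presentation), the "where used" lookup of page 21 and the pre-change impact analysis of page 20 over a small CDA inventory; the inventory, asset ids and system names are constructed placeholders:

```python
"""Where-used lookup and change impact analysis over a CDA inventory.

Added example, not from the presentation. INVENTORY is constructed:
asset ids, system names and sites are placeholders, not real plant data.
"""
from collections import defaultdict

# Each Critical Digital Asset (CDA) lists the critical systems it "touches".
# One asset may serve several systems; a system is composed of several CDAs.
INVENTORY = {
    "PLC-AFW-01":  {"site": "Unit 1", "systems": {"Auxiliary Feedwater", "Plant Computer"}},
    "HMI-CR-07":   {"site": "Unit 1", "systems": {"Auxiliary Feedwater", "Reactor Protection"}},
    "HIST-SRV-02": {"site": "Unit 1", "systems": {"Plant Computer"}},
    "NET-SW-11":   {"site": "Unit 1", "systems": {"Auxiliary Feedwater", "Plant Computer", "Reactor Protection"}},
    "SENSOR-T-33": {"site": "Unit 2", "systems": {"Reactor Protection"}},
}


def where_used(inventory, asset):
    """Critical systems that depend on one asset, sorted for stable reports."""
    return sorted(inventory[asset]["systems"])


def system_members(inventory):
    """Invert the inventory: critical system -> the CDAs that compose it."""
    members = defaultdict(set)
    for asset, record in inventory.items():
        for system in record["systems"]:
            members[system].add(asset)
    return {system: sorted(assets) for system, assets in members.items()}


def impact_of_change(inventory, changed_assets):
    """Impact analysis run before a change is approved.

    Reports every critical system reached by the changed assets, the changed
    assets shared by more than one critical system (each owning system must
    review the change), and systems whose entire CDA set is inside the change
    (no untouched member remains for comparison or fallback).
    """
    changed = set(changed_assets)
    unknown = sorted(changed - set(inventory))
    if unknown:
        raise KeyError(f"assets not in inventory: {unknown}")
    affected = set()
    for asset in changed:
        affected |= inventory[asset]["systems"]
    members = system_members(inventory)
    return {
        "affected_systems": sorted(affected),
        "shared_assets": sorted(a for a in changed if len(inventory[a]["systems"]) > 1),
        "systems_fully_in_scope": sorted(s for s in affected if set(members[s]) <= changed),
    }


if __name__ == "__main__":
    print("where used:", where_used(INVENTORY, "NET-SW-11"))
    print(impact_of_change(INVENTORY, ["PLC-AFW-01", "HIST-SRV-02", "NET-SW-11"]))
```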

Page 22: Cause and Mitigation – Reactor Auxiliary Feedwater Inspection Guide

Page 23: Customer example – US Department of Energy (DOE) Yucca Mountain Repository

Requirements in ~20 areas managed with DOORS, including Emergency Mgt., Safety and Health, and Safeguards & Security.

The program used Rational's DOORS product to develop an extensive requirements database to track and manage an extremely broad range of program and regulatory requirements ranging from US CFRs to Contract Requirements.

Page 24: Auto-generation of safety-relevant reports

Fault Source Matrix, Fault Detection Matrix, Fault-Requirement Matrix, Hazard Analysis…

• Traceability improves the ability to enforce safety
• Safety metadata guides downstream engineering work

Page 25: Agile Project Planning Requirements

Developing a control system, for example Intelligent Electric Devices (IED).

Planning flow (diagram): Incoming Business Dev Actions → Project/product Milestone & Backlog → Release Milestone and Backlog/Plan → Component/Iteration Plan.

• Incoming Business Dev Actions: Dev Actions in support of Business Requirements and the IEC 61508 standard and guideline.
• Project/product Milestone & Backlog: the prioritized set of Epics supporting Business requirements that need to be addressed and/or not scheduled for
• Release Milestone and Backlog/Plan: the set of Epics which are scheduled for a different major release.
• Component/Iteration Plan: specific Stories and Tasks to implement the planned Epics.

Diagram items: Dev Action → Epic A; Epic B (Story 1, Story 2, Story 3); Epic C – top-level safety function (Story 4); Epic D (Story 5, tagged #technical).

Page 26: RM tool imports IEC 61508 requirement guidelines

Link each requirement guideline to the techniques/measures that we should follow.

Page 27: Traceability from requirements to software requirements implementation state

Page 28: Linking from each requirement guideline to the techniques/measures and System Integrity level (SILs)

Page 29: Linking from each requirement guideline from IEC 61508-2 to the techniques/measures and System Integrity level (SILs) in part 7
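Added example (not the presentation's tooling) of the guideline-to-technique linking described on pages 26 to 29: trace links from requirement guidelines to part 7 techniques/measures are checked for coverage at a target SIL. Guideline ids, technique names and their per-SIL grades are constructed placeholders standing in for the standard's tables; only the grade vocabulary (HR, R, -, NR) is taken from IEC 61508.

```python
"""Check that every traced requirement guideline is backed by a technique
rated acceptably at the target SIL.

Added example, not the presentation's tooling. Guideline ids, technique
names and grades are constructed placeholders; the real tables are in the
standard. Grade vocabulary: HR = highly recommended, R = recommended,
"-" = no recommendation for or against, NR = not recommended.
"""

# Constructed technique catalogue: technique -> recommendation grade per SIL.
TECHNIQUES = {
    "T-A": {1: "R", 2: "R", 3: "HR", 4: "HR"},
    "T-B": {1: "-", 2: "R", 3: "R", 4: "HR"},
    "T-C": {1: "R", 2: "R", 3: "NR", 4: "NR"},
}

# Constructed trace links: guideline id -> techniques the project claims to apply.
TRACE = {
    "G-1": ["T-A"],
    "G-2": ["T-C"],
    "G-3": [],
    "G-4": ["T-B", "T-C"],
}

ACCEPTABLE = {"HR", "R"}


def classify(linked, techniques, sil):
    """Coverage status of one guideline at the given SIL.

    unlinked         no technique traced at all
    not-recommended  a linked technique is NR at this SIL (needs justification)
    covered          at least one linked technique is R or HR at this SIL
    weak             techniques are linked but none is recommended at this SIL
    """
    if not linked:
        return "unlinked"
    grades = [techniques[t][sil] for t in linked]
    if "NR" in grades:
        return "not-recommended"
    if ACCEPTABLE & set(grades):
        return "covered"
    return "weak"


def evaluate(trace, techniques, sil):
    """Map every guideline id to its coverage status at the target SIL."""
    if sil not in (1, 2, 3, 4):
        raise ValueError("SIL must be 1..4")
    return {gid: classify(linked, techniques, sil) for gid, linked in trace.items()}


def gaps(trace, techniques, sil):
    """Guidelines that block a SIL claim until they are fixed or justified."""
    report = evaluate(trace, techniques, sil)
    return sorted(gid for gid, status in report.items() if status != "covered")


if __name__ == "__main__":
    for sil in (1, 3):
        print(f"SIL {sil}: {evaluate(TRACE, TECHNIQUES, sil)} gaps={gaps(TRACE, TECHNIQUES, sil)}")
```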

Page 30: Text based approaches introduce risk into the project

Requirements Methods (Capers 2010)

Method                              Requirements Completeness   Requirements Defects per Function Point
Dynamic Modeling                    97%                         0.10
Quality Functional Deployment       96%                         0.25
Requirements Inspections            95%                         0.10
Use Cases                           80%                         0.80
Energy Legacy Applications          70%                         0.20
Prototyping                         62%                         0.55
Information Requirements Gathering  57%                         1.00
Normal Text Documents               50%                         1.10

Page 31: IBM Rational Recognized As A Leader in ALM

The Forrester Wave™: Application Life-cycle Management* – Link to report

Report Highlights
• Highest scores among all vendors for "Current Offering & Strategy"
• "Not only has IBM continued development of its strong suite of products, but it has also stitched them together in a more coherent way."
• "[IBM] has also made clearer the use cases it supports ... such as Agile teams and embedded software development"

*Forrester Research Inc, October 23, 2012. Forrester Research, The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Page 32: DESIGN COMPLIANCE

Page 33: Creating Architectural (e.g. SOA) Safety View in UML/SysML

Page 34: Safety-Critical Profile in UML

• UML can be extended to model metadata beyond its standard usage, for example:
  • UML Profile for Schedulability, Performance and Time (SPT)
  • Model Analysis of Real-Time Systems (MARTE)
  • Systems Modeling Language (SysML)
  • UML Profile for DoDAF and MoDAF (UPDM)
• A safety critical profile can be developed that provides:
  • FTA diagrams
  • FMEA and fault views
  • Hazard analysis table view

Page 35: Model-Based Safety Analysis

Link to requirements; link to manifestors; link to extenuators; link to detectors.

Page 36: Design Standard: CIM – application and data integration and analysis

• IEC CIM v13 – Combined 61968 and 61970 models
• IEC CIM Model Transformation Plug-in (Harvested from AEP)
• EPRI Intelligrid Use Cases (Partial)

Innovation for a smarter planet

Page 37: IBM Solutions for Systems and Software Engineering (SSE)

QUALITY MANAGEMENT – Achieve "quality by design" with an integrated, automated testing process: Rational Quality Manager

ARCHITECTURE & DESIGN – Use modeling to validate requirements, architecture and design throughout the development process: Rational Rhapsody

REQUIREMENTS MANAGEMENT – Manage all system requirements with full traceability across the lifecycle: Rational DOORS

COLLABORATION, PLANNING & CHANGE MANAGEMENT – Collaborate across diverse engineering disciplines and development teams: Rational Team Concert

Open Services for Lifecycle Collaboration

Page 38: Deployment for Development: Dong Energy

(Diagram) Dong Energy applications: CIM Control, CIM Monitoring, T&D System, Control System, Monitoring System. IBM side: IBM Modeling Solutions, WebSphere Servers, Rational Development Solutions:
• WebSphere Application Server
• WebSphere Message Broker
• RAD
• ILOG JRules

Page 40: Additional References

− https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_%20Jan-April2014.pdf
− http://www.reuters.com/article/2014/05/21/us-usa-cybercrime-infrastructure-idUSBREA4J10D20140521
− http://leblog.gdfsuez-dolcevita.fr/2014/03/13/alerte-securite-attention-au-phishing/
− https://threatpost.com/shodan-search-engine-project-enumerates-internet-facing-critical-infrastructure-devices-010913/77385
− http://www.shodanhq.com
− http://scadastrangelove.org
− http://www.digitalbond.com/tools/basecamp/
− http://blogs.computerworld.com/cybercrime-and-hacking/23402/hackers-exploit-scada-holes-take-full-control-critical-infrastructure

Page 41: Questions?

Page 42: Building a smarter planet

© 2012 IBM Corporation

© Copyright IBM Corporation 2011. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

www.ibm.com/software