Smart-grid security could benefit from Microsoft's SDL framework
- By William Jackson
- May 16, 2012
A major vendor of energy system control and smart metering systems is adopting Microsoft’s Security Development Lifecycle framework to help ensure the security of the emerging Smart Grid.
Itron Inc., of Liberty Lake, Wash., began using the process in August in the development of a security management server for electrical systems and is using it in the design of smart meters now under development.
Microsoft’s head of Trustworthy Computing, Scott Charney, talked about the adoption of SDL May 16 at the Security Development Conference the company is hosting in Washington. Former presidential adviser Richard Clarke spoke about the need to incorporate secure development practices in the nation’s critical infrastructure in his opening keynote for the conference May 15.
Smart-grid tech outpacing security, in 'delicate dance with risk'
NIST fills some gaps in smart-grid standards
The conference is an effort to improve the level of security in IT software and hardware by building it in from the design phase and through the entire life cycle. Microsoft began formalizing this process in its Security Development Lifecycle eight years ago and has made the framework, which includes documentation, processes and tools, available for download. Elements of the SDL have been downloaded more than 940,000 times, according to the company.
“We are now at the point where the industry can sustain a conference of practitioners focused on making software more secure,” said Steve Lipner, partner director of program management in Microsoft’s Trustworthy Computing Group.
The Smart Grid is an emerging system for electric distribution and delivery that is expected to provide greater efficiency and enable the use of nontraditional energy sources such as solar and wind generation. Billions of dollars in American Recovery and Reinvestment Act grants are being invested in development of the technologies for the networked system, and parts of it are being incorporated today.
Smart meters are one of the most common elements of the new grid. Itron supplies advanced metering, data collection and software solutions to some 8,000 utilities around the world. Smart meters account for about one-third of the meters now installed in the United States, and this is expected to increase to 85 percent over the next decade. The design and approval process for the meters, which enable two-way communication between consumer and supplier with some remote controls, is 18 to 24 months. Once they are installed, they are likely to remain in service for a decade or more.
Because of the long life of these systems and the need to secure them, Itron decided it would be more cost-effective to build security into the systems during the development process.
Microsoft said Itron’s approach in using the SDL in smart meter design is similar to how Microsoft used it in designing its Xbox video game console, applying it to both hardware and software development.
Reviews of the security management server involved the line-by-line review of 375,000 lines of code with automated scanning tools. It identified 1,200 potential security issues, most of which were inconsequential and easily mitigated. The company considered five of them critical and fixed them on the spot, and it deemed another dozen or so moderate risks in need of further review.
William Jackson is freelance writer and the author of the CyberEye blog.