DoD software assurance for electric sector security?


By Andy Bochman


Behold the electric sector software supply chain. It includes:


· The code that comes with the systems you procure: IT, OT, mobile, smart meters, etc.

· The code that your developers buy or borrow and use as part of their software development lifecycle (SDLC)

· The code developed, bought or borrowed by integrators you've hired

· The code your personnel download in the form of patches

· Other code that's crept in through the cracks, including code you didn't intend to procure, like the malware you've detected and removed

· ... and the malware resident on your systems that you don't know about yet


The U.S. Department of Defense has been thinking about this for a long time, and Congress recently codified a pretty robust response to it in the National Defense Authorization Act (NDAA) for fiscal year 2013, which sets software assurance requirements for the software DoD procures and develops.


Would this help remove vulnerabilities and substantially bolster security in our sector? You bet. Could it ever come to pass? That I don't know. But let's watch how it works in DoD, learn some lessons, and see what we can use.


Here's the article in NextGov on this. Hat tip to my federal colleague, Tim F., for shooting this my way.


Andy Bochman is author of the Smart Grid Security Blog and an Energy Security Lead for IBM's Rational division, where the focus is on securing the software that runs the smart grid. Andy is a contributor to industry and national security working groups on energy security and cyber security. He lives in Boston, is an active member of the MIT Energy Club, and is the founder of the Smart Grid Security and DOD Energy Blogs.

