EnerNex assisted Tampa Electric Company (TECO) in developing a series of deliverables to improve customer confidence and security conformance with industry regulation and best practices through TECO's product security. EnerNex began the effort by conducting an assessment of TECO's current security architecture for Energy Planner and related applications.
EnerNex leveraged our unique experience and expertise in power systems, Smart Grid, regulations, standards and information security to identify the path necessary for improving TECO's security posture in the company's suite of products. The deliverables identified gaps in the current Energy IP version and provided recommended remediation steps for the next version of Energy IP and applications. EnerNex's assessment helped TECO establish traceability for system security decisions, including establishing completeness of coverage and justification for selected security technologies deployed in the TECO solution. The purpose of this effort is to integrate security into the product Systems Development Lifecycle (SDLC), including security requirements, security design and offerings, request for quote (RFQ) response language, and secure customer installation guidelines, enabling TECO to build robust security solutions and practices into the goods and services they provide for their customers.
EnerNex assessed key aspects of TECO's Energy IP security architecture within the SDLC. Findings were documented for review. Key industry requirements sources were considered in the review of TECO's product security in the Systems Development Lifecycle:
- Security Requirements Assessment: This step involved interviewing key TECO personnel to understand the TECO architecture, including the underlying platform, the application, and how the system interfaces with other systems. The TECO resources required were: Platform Architect, Applications Architect, and Security Engineer. The goal was to identify requirements and potential gaps in the current architecture mapped against current industry practice.
  - Review System Architecture
  - Review Product Security and Privacy Requirements
  - Alignment with best security practices (e.g., NISTIR 7628)
  - Alignment with industry security standards (e.g., CIM, OpenHAN, IEC 62351)
  - Alignment with industry security regulation and laws (e.g., NERC CIP)
- Design – Identify Key Security Technologies: This step identified TECO's key security technology offerings provided for their customers and also provided traceability to the security requirements identified in step 1. Providing this information to TECO customers will equip them to meet compliance audits.
- Acquisition – RFQ Language: Based on the analysis performed in previous steps, EnerNex provided the language necessary to respond to RFQs.