May 07, 2014
Cybersecurity in procuring energy systems

For several years, the federal government has been working with industry to write guidance documents and provide models to assist the U.S. energy sector in creating and refining a “culture of security.”  The latest product is called Cybersecurity Language in the Procurement of Energy Delivery Systems.

The intent of this guidance is to provide baseline cybersecurity language to owners, operators, integrators, and suppliers for use during the procurement of the sensors and actuators used for monitoring and controlling energy delivery processes; the computer-based systems that analyze and store data; and the communication pathways and networks that interconnect the various computer systems.  Specific components to be acquired include supervisory control and data acquisition (SCADA) systems and programmable logic controllers. 

“Including cybersecurity in the procurement process can ensure that those purchasing and supplying energy delivery systems consider cybersecurity starting from the design phase of system development,” according to the guidance.  “This further ensures that cybersecurity is implemented throughout the testing, manufacturing, delivery, installation, and support phases of the product life cycle, improving overall reliability and reducing cybersecurity risks.”

The document was prepared with federal funding by the Energy Sector Control Systems Working Group, Pacific Northwest National Laboratory, and Energetics Incorporated.

Intended readership

The document is intended for use by:

  • Acquirers seeking to incorporate cybersecurity into the procurement of energy delivery systems or components.  Requests or specifications may be issued by the acquirer through requests for proposals (RFPs) or requests for information (RFIs).
  • Acquirers seeking to evaluate the cybersecurity maturity of energy delivery systems or components offered by suppliers and integrators.
  • Suppliers and integrators designing or manufacturing systems, components, and services that will meet cybersecurity features requested by acquirers (or, in some cases, integrators).
  • Acquirers, integrators, and suppliers negotiating procurement contracts that outline cybersecurity features and responsibilities for each party involved in the procurement.

Example language

One example of the type of language included in the document covers unused and unnecessary software and services in energy delivery systems and components.  If left enabled, these elements can serve as entry points for attackers, especially if they are not monitored.  The document addresses this issue with the following procurement language:

“The Supplier shall remove all software components that are not required for the operation and/or maintenance of the procured product. If removal is not technically feasible, then the Supplier shall disable software not required for the operation and/or maintenance of the procured product. This removal shall not impede the primary function of the procured product. If software that is not required cannot be removed or disabled, the Supplier shall document a specific explanation and provide risk mitigating recommendations and/or specific technical justification. The Supplier shall provide documentation on what is removed and/or disabled.”
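The clause above only works if the acquirer can verify it at acceptance. The script below is an added illustration of such a check and is not part of the guidance document: it parses a Linux `ss -tlnp` listing captured from a delivered device, compares every listening service with the baseline agreed in the contract, and reports what the supplier must still remove, disable, or justify. The listener output, the port baseline, the process names and the documented exception are all constructed for this example.

```python
"""Acceptance check for the "remove or disable unnecessary software" clause.

Added example, not from the guidance document.  Everything below (the
`ss -tlnp` capture, the required-service baseline, the documented
exception) is constructed for illustration and does not describe any real
device or product.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port process")

# Constructed `ss -tlnp` output from a hypothetical delivered RTU/HMI box.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:502          0.0.0.0:*          users:(("modbusd",pid=1101,fd=6))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=640,fd=4))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=955,fd=5))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=701,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Services the acquirer's specification says the product needs in order to
# operate or be maintained (hypothetical baseline from the contract).
REQUIRED = {
    ("tcp", 502): "modbusd",   # process-control traffic
    ("tcp", 22): "sshd",       # remote maintenance access
}

# Services the supplier could not remove and has documented with a
# justification and a mitigation, as the clause requires (hypothetical).
DOCUMENTED_EXCEPTIONS = {
    ("tcp", 80): "httpd: vendor diagnostic page the firmware cannot drop; "
                 "restricted to the maintenance VLAN by the device ACL",
}

_PROC_RE = re.compile(r'"([^"]+)"')


def parse_ss_listeners(text):
    """Turn `ss -tlnp` output into Listener tuples; the header line is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:22" too
        m = _PROC_RE.search(fields[5])
        process = m.group(1) if m else "?"
        listeners.append(Listener("tcp", addr, int(port), process))
    return listeners


def audit_listeners(listeners, required, exceptions):
    """Classify each listening (proto, port) against the baseline.

    Returns a dict keyed by (proto, port) with the value 'required',
    'documented', or 'noncompliant'.  A required port served by an
    unexpected process is also flagged: a substituted daemon is not what
    was specified.
    """
    verdicts = {}
    for l in listeners:
        key = (l.proto, l.port)
        if key in required:
            verdicts[key] = "required" if l.process == required[key] else "noncompliant"
        elif key in exceptions:
            verdicts[key] = "documented"
        else:
            verdicts[key] = "noncompliant"
    return verdicts


def noncompliant_ports(verdicts):
    """Ports the supplier must remove, disable, or justify before acceptance."""
    return sorted(port for (_, port), v in verdicts.items() if v == "noncompliant")


def missing_required(listeners, required):
    """Required services that are not listening at all (also a finding)."""
    present = {(l.proto, l.port) for l in listeners}
    return sorted(port for (_, port) in required if (_, port) not in present)


if __name__ == "__main__":
    found = parse_ss_listeners(SAMPLE_SS_OUTPUT)
    result = audit_listeners(found, REQUIRED, DOCUMENTED_EXCEPTIONS)
    for (proto, port), verdict in sorted(result.items()):
        print(f"{proto}/{port:<5} {verdict}")
    print("must remove/disable/justify:", noncompliant_ports(result))
    print("required but absent:", missing_required(found, REQUIRED))
```

On the constructed capture, telnet (23) and FTP (21) come back as non-compliant, the web server (80) is accepted only because a written justification and mitigation exist, and both Modbus and SSH match the specified daemons. The same comparison can be run against a package inventory (`rpm -qa`, `dpkg -l`) to cover installed-but-not-running software, which the clause also requires the supplier to document.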

IT not addressed

Again, the document focuses on energy delivery systems; it is not intended to cover cybersecurity-based procurement language for information technology (IT).
In addition, while the document covers the major security issues related to procurement, the authors emphasize that the examples provided are not intended to be inserted (or attached) directly or verbatim into a procurement contract. 

“Specific language that is appropriate for the applicable procurements should be negotiated by the acquirer and supplier based on the system, component, or service and the intended application of the energy delivery system in accordance with the cybersecurity risk tolerance of the acquirer,” state the authors. 
