The Energy Sector Control Systems Working Group and the Pacific Northwest National Laboratory are leading an effort to promote cybersecurity by design through procurement language tailored to the specific needs of the energy sector. With support from the U.S. Department of Energy’s Office of Electricity Delivery & Energy Reliability and in coordination with the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team, this effort will build on existing procurement guidance to help stakeholders clearly communicate expectations and requirements.
Energy sector stakeholders will be engaged throughout this effort in order to ensure that all perspectives are included in the procurement language. We are reaching out to you in order to collect some initial information that will be used to guide this effort.
Would you be willing to take a few minutes and respond to the following questions, either via email or a follow-up phone call? We ask that all responses be submitted no later than Wednesday, June 19th. Reponses or questions can be sent to ieRoadmapNews@energetics.com.
· Are you aware of cybersecurity-focused procurement language guidance for energy delivery systems? For example:
- Department of Homeland Security Cyber Security Procurement Language for Control Systems (2009)
- EPRI’s Cyber Security Procurement Methodology (2012) or EPRI’s Cyber Security Procurement Methodology for Power Delivery Systems (2012).
- Werkgroep Instrument Beoorderling (WIB): Process Control Domain Security Requirements for Vendors (2010).
- SA/IEC-62443-2-4 : Security for Industrial Automation and Control Systems: Certification of IACS Supplier Policies
· Have you used any of these or other cybersecurity guidance products in developing procurement language or responding to procurement requests?
- Which guidance product(s) or standard(s) have you used? Why?
- For which types of technology solutions was this guidance applicable?
- Which guidance products have you refrained from using? Why?
· What are the most useful elements of the guidance documents you have used and how could they be improved?
- What portions of the guidance do you find most applicable? How do you use these?
- What would you like to see added or changed in the guidance?
- What were your challenges implementing the guidance?
· If you have used multiple guidance documents, have you identified any significant differences or contradictions among them? What are some key examples?
· Are you willing to discuss your procurement experience with our project team? If so, please let us know when it would be convenient to call you.
· Are you interested in being a reviewer of the energy sector cybersecurity procurement language guidance document?
Please do not hesitate to contact us if you have any questions. We appreciate the time you are taking to review this email, and help us through this process.
Ed Goff, CISSP
Enterprise Architect - IT&T Security
Duke Energy