Cybersecurity Procurement Language for Energy Delivery Systems (co-author)
This document provides baseline cybersecurity procurement language that is the consensus opinion of the document authors and was guided by input from voluntary reviewers representing the Acquirer, Integrator, and Supplier communities. It focuses on the cybersecurity of energy delivery systems (i.e., control systems) and does not attempt to specify or replace cybersecurity-based procurement language for acquisitions involving IT. Considerations for IT cybersecurity are outlined in many standards and guidance documents (e.g., the NIST 800 series of publications). Users of this document have the responsibility of ensuring that actions taken during the procurement process comply with current standards and regulations. In addition to the language included in this document, acquired products and services should conform to the applicable IT security standards and operations technology (OT) standards for energy delivery systems.
This document is designed to provide baseline cybersecurity procurement language for the following:
- Individual components of energy delivery systems (e.g., programmable logic controllers, digital relays, or remote terminal units).
- Individual energy delivery systems (e.g., a SCADA system, EMS, or DCS).
- Assembled or networked energy delivery systems (e.g., an electrical substation [transmission and distribution] or a natural gas pumping station).