Procurement

Procurement comprises the processes used to monitor and improve the cybersecurity of devices, applications, and services as they are acquired and integrated into utility operations, together with the efforts needed to manage supply chain risk.

Procurement is the process by which a utility acquires devices, applications, or services that will be incorporated into its systems. Although sometimes thought of as simply purchasing, procurement is actually a multistage process that includes defining requirements, evaluating options for purchase, negotiating contracts, purchasing, and receiving the devices or applications or activating the service (Harris and Maymi 2016). Each of those stages is a point at which security requirements can be stated, verified, or lost.

Importance

The overall security of a utility depends to a large extent on the security of the individual devices, applications, and services within that utility. Technical controls such as network segmentation and monitoring can partly compensate for security gaps in these products, but the resulting system will never be as secure as one built from the ground up with secure components. Devices, applications, or services may be insecure because of mistakes made in designing or implementing their security features, or they may have been made insecure deliberately so that attackers can gain access to the systems in which they are installed.

Therefore, procurement has a critical role to play in cybersecurity. At the very least, a thorough procurement process gives the utility an opportunity to learn about the state of security of the products it is considering. In the best case, the utility can use procurement to select secure products while simultaneously signaling to vendors that cybersecurity is a product differentiator. If vendors hear that cybersecurity is a consideration in utility purchasing decisions, they will invest more resources in making future products secure.

Utilities should make cybersecurity a key consideration in every phase of procurement.

Intersections With Other Building Blocks

Organizational security policy should include directives to incorporate cybersecurity into the procurement process. These may include regulatory requirements for procurement that originate with the compliance building block (not shown in Figure 8). The directives should be followed by every utility worker involved in procurement: those doing requirements analysis for new device and application purchases, those issuing requests for proposals, those reviewing vendor proposals, those issuing purchase orders, and those in charge of receiving.

Figure 7. Information passed to the procurement building block

Processes and Actions

Security issues around procurement and supply chains have received a great deal of attention in recent years. A number of countries—including Russia, India, China, and the United States—have efforts underway to better address supply chain cybersecurity. Approaches vary widely, with some countries going so far as to restrict the use of foreign-made components or systems. However, electrical utilities in many countries may not have the option to buy locally if the devices and applications they need are made only overseas. In those cases, the utility must find a pragmatic approach to procurement and supply chain risk.

One source of actionable guidance on supply chain risk is the Utilities Telecom Council’s Cyber Supply Chain Risk Management for Utilities—Roadmap for Implementation (Bartol 2015). The following are highlights from that document (more details and in-depth explanations can be found there):

  • Identify suppliers, assess their risk, and prioritize them. This will require some effort, as a single utility may depend on hundreds of different suppliers, and each supplier may in turn incorporate parts and equipment from many sub-suppliers. Once the utility has identified its major suppliers and sub-suppliers, it can single out those that matter most for cybersecurity, either because of the nature of their products (for example, devices that sit in the control network) or because of the amount of access they will have to the utility’s systems during the business relationship. These critical suppliers and sub-suppliers carry the greatest potential risk and must receive the most attention during procurement.
  • Determine security requirements and how to monitor compliance with those requirements. Numerous policies and standards can serve as the basis for security requirements (for instance, the North American Electric Reliability Corporation Critical Infrastructure Protection standards or NIST publications such as SP 800-161). Utilities can ask suppliers to self-attest that they adhere to these policies and standards, or they can take a more rigorous approach and conduct site visits or tests of the suppliers’ products. The most rigorous approach involves third-party testing or certification. Self-attestation is the cheapest option but also the weakest, since it verifies only what the supplier is willing to claim; the level of verification should match the criticality assigned to the supplier in the previous step.
  • Prepare for the end of the supplier relationship. At some point, the utility may decide to switch suppliers for any number of reasons. The utility should have a plan in place to terminate the supplier’s access to utility systems when that access is no longer needed, which means knowing in advance every account, remote connection, and credential the supplier holds. The longer the supplier relationship lasts, the more such access tends to accumulate, and the more careful the utility must be when disengaging.

Another valuable resource, Cybersecurity Procurement Language for Energy Delivery Systems from the Energy Sector Control Systems Working Group (Goff, Glantz, and Massello 2014), provides contract language that addresses cybersecurity. The language covers topics such as access control, logging and auditing, malware detection, and the supplier’s secure development practices. Utilities can take this language and customize it for contracts issued to suppliers, ensuring that they have covered all aspects of security relevant to the product being procured and that the requirements are contractually binding rather than informal expectations.

The American Public Power Association and the National Rural Electric Cooperative Association recommend sending standard cybersecurity questionnaires to vendors as a way of vetting them, possibly during the request for proposals stage. The two associations list topics for these questions (e.g., the nature of access controls and information management security) but do not provide sample questions. Sample questions can, however, be obtained from consultant websites or adapted from other industries.

Essential Data

Utilities seeking to improve their procurement processes should collect the following information:

  • A list of critical systems within the utility, and the devices, applications, and services operating within them
  • A list of the vendors associated with those products and the period of time each vendor relationship is expected to continue
  • Alternates for critical products in case a supplier goes out of business or no longer makes or supports a critical product
  • An inventory of all suppliers or vendors that have access to the utility’s systems, the reason for that access, and how that access could be suspended if need be
  • Contact information at each vendor for reporting vulnerabilities in a product or reporting security-related incidents

Recommended Reading

American Public Power Association and National Rural Electric Cooperative Association. 2018. Managing Cyber Supply Chain Risk: Best Practices for Small Entities.

Bartol, Nadya. 2015. Cyber Supply Chain Risk Management for Utilities—Roadmap for Implementation. Utilities Telecom Council.

Goff, Ed, Cliff Glantz, and Rebecca Massello. 2014. “Cybersecurity Procurement Language for Energy Delivery Systems.” In Proceedings of the 9th Annual Cyber and Information Security Research Conference (CISR ’14), 77–79. Oak Ridge, Tennessee: ACM Press.

Whistic. “RFPs: Introducing Information Security & Cybersecurity Standards in RFPs.” Medium. January 16, 2019.

Additional Resources and References

Boyens, Jon M., Celia Paulsen, Rama Moorthy, and Nadya Bartol. 2015. Supply Chain Risk Management Practices for Federal Information Systems and Organizations. NIST SP 800-161. National Institute of Standards and Technology.

Haas, Jeremy, and Ryan Bergquist. “Five Questions to Ask About Third-Party Vendors and Cybersecurity.” SupplyChainBrain. November 19, 2019.

Harris, Shon, and Fernando Maymi. 2016. CISSP All-in-One Exam Guide, 7th ed. New York: McGraw-Hill Education.