Conference: POWID Symposium

CYBER SECURITY PROCUREMENT METHODOLOGY FOR DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS


Abstract

Cyber security standards have been produced as a result of continual threats to business and process control networks. In recent years, electric utilities have established cyber security programs to ensure compliance with the critical infrastructure protection (CIP) standards requirements of the North American Electric Reliability Corporation (NERC), Nuclear Regulatory Commission (NRC) Regulatory Guide 5.71, and related requirements in the international community. Determining how to apply cyber security requirements for new I&C systems requires cyber security experts, I&C engineers, and procurement organizations to work together with vendors to implement and maintain cyber security controls. Improper or incomplete implementation of controls, due to a lack of proper requirements and/or of a clear division of responsibilities between the utility and the vendor, can often result in costly backfit to meet the requirements. This paper reports on phases 2 and 3 of an ongoing EPRI cross-sector project to develop a methodology and several worked examples (application of the methodology in a sample procurement) for procuring digital I&C systems with the necessary cyber security controls. The methodology facilitates addressing cyber security related issues early in the lifecycle of an I&C system so that they fit within and support the other key requirements. This is especially useful in the procurement phase, so that utilities and vendors have a common understanding of cyber security requirements and capabilities. The methodology is based on understanding the cyber security requirements for the system and defining the boundary between those that are the responsibility of the utility and those that are the responsibility of the vendor.
