Determining how to apply cyber security requirements for new power delivery systems requires cyber security experts, power system engineers, and procurement organizations to work together with vendors to implement and maintain cyber security controls. Improper or incomplete implementation of controls, due to a lack of proper requirements and/or of a proper division of responsibilities between the utility and vendor, can often result in costly backfit to meet requirements.
The Electric Power Research Institute (EPRI) has a project underway to develop procurement guidance to address this problem. Project research has shown that a standard set of cyber security requirements with a standard set of procurement specifications is not feasible for the multitude of equipment types, vendors, and use cases that exist. Therefore, a methodology has been developed for determining the appropriate cyber security requirements for each use case, as informed by a number of factors.
This Technical Update report covers Phase 2 of an ongoing three-phase, cross-sector EPRI project. Phase 2 includes development of a methodology for procuring digital I&C and power delivery systems with the necessary cyber security controls. This document is focused on the Power Delivery & Utilization (PDU) Sector and is based upon EPRI Technical Update 1025824, which describes a procurement methodology for the Generation/Nuclear (GEN/NUC) Sector.
Phase 1 included a GEN/NUC benchmarking study that was conducted prior to proceeding with any new guidance. A follow-on Phase 3 project is planned, with completion in early 2013, to develop additional PDU guidance with sample procurement language, additional worked examples, and a complete mapping between major applicable regulations and guidelines.