Insight

Cybersecurity & The Digital Transformation: Key Considerations for Vendor Agreements in the Energy Industry

December 21, 2023

The energy industry faces unique challenges when it comes to cybersecurity and working with vendors on digital transformation projects. Energy is one of the “critical infrastructure sectors” identified in Presidential Policy Directive 21, and with good reason. Cyberattacks on our nation’s energy sector harm not only the energy companies themselves – a reduction in stable energy supply can impact the broader welfare, economic activity, and security of the country.

Energy companies also face a complicated matrix of industry-specific regulations that vary by the type of energy produced. Additionally, state law tort claims can be extremely complex and expensive, with a strict standard of care based on continuous energy service (so any interruption in service can imply a breach of duty of care). Because of this increased liability, energy companies must take proactive steps to bolster their cybersecurity, while also keeping pace with the unprecedented digital transformation sweeping the industry.

Energy Vendors and Cybersecurity Regulations

Though energy companies can increase their resources internally to combat cyberattacks, there is a heightened concern regarding the cyber risks created by outside vendors. As mentioned above, regulation of the US energy depends on the type of energy produced. Since the statutory regime is set up based on industry sub-segments, the energy industry is primarily regulated on a fuel-type basis. This chart provides a general overview of those distinctions.

 

Energy Type

Vendor Regulatory Regime

Nuclear

Regulation by the Nuclear Regulatory Commission (NRC); highly restrictive of vendors providing software and hardware within the plant boundaries.

Bulk-power electric transmission and non-nuclear generation

Regulation by the Federal Energy Regulatory Commission through the North American Electric Reliability Corporation (NERC); very specific set of supply chain requirements for procurements affecting critical operational technology assets.

Electric and gas distribution

State-regulated; not generally heavy cyber regulation.

Designated critical pipeline systems (hazardous liquid, natural gas, liquefied natural gas)

Transportation Security Administration (TSA) regulation for broad range of operational and information technology assets on transmission and distribution systems implicating procurements

 

For electric companies, which are mostly state regulated, there are often explicit supply chain requirements and reliability standards. The oil and gas industry, on the other hand is regulated by a number of federal agencies, including the Bureau of Land Management, the Federal Energy Regulatory Commission, and TSA, among others, with relatively new cybersecurity regulations that are still evolving. While the oil and gas industry is not subject to federal supply chain cybersecurity regulations, the TSA has signaled that vendor management programs may come under more scrutiny in future rules.

When procuring or transitioning vendors, energy companies should assess cybersecurity risks upfront and develop arrangements that include provisions for incident notification, response coordination, disclosure of vulnerabilities, verification of software integrity and authenticity, and how to handle vendor-initiated remote access. Vendors should also take note of the increasing role that regulations will play in securing critical infrastructure. Indeed, the Biden administration’s National Cybersecurity Strategy recognized that voluntary cybersecurity measures are a thing of the past and directed agencies to use “existing authorities to set necessary cybersecurity requirements in critical sectors.” Given the strict liability these companies face under current regulations, and the prospect of future regulations, all negotiations with vendors should focus on risk-sharing.

Similarly, cybersecurity professionals at energy companies should recognize that regulations are here to stay and take a diversity of approaches to cybersecurity preparedness, both to mitigate the shock of new regulatory requirements and avoid public incidents. Industry experts should keep an ear to the ground and work with regulators, who have broad responsibilities and often limited resources, on developing new rules.

Key Considerations When Contracting for Your Digital Transformation

Artificial Intelligence. Blockchain. Cloud Computing. The Internet of Things. The digital transformation currently taking place will bring massive change to the energy industry, as outdated technologies are replaced and upgraded with more integrated systems. Energy companies that take a proactive approach to their own digital transformation will reap the benefits of this paradigm shift, including optimized operations, increased operational lifetime, enhanced customer experience, and reduced costs through the use predictive analytics and real-time supply and demand forecasting.

Most energy companies will need to rely on a fleet of outside vendors for much of this technological transformation. When procuring such products and services, there are several key considerations companies should keep in mind. First, it is important to have a sense of the overall methodology or plan for the project in question. Digital transformation projects are often complex and time-consuming endeavors, so it’s helpful to have a clear sense of the project’s full timeline and ultimate goals. Energy companies should also make sure they have all the required documentation, as well as an understanding of any intellectual property or other data issues, well-defined processes around change control, and plans for post-deployment and handling worst-case scenarios.

A crucial aspect of the project timeline development is the use of performance incentives and success indicators, such as overall project objectives and critical deliverables. Energy companies contracting with vendors should consider using milestone dates with clearly defined completion/acceptance criteria that are tied to payments. Milestone plans help keep projects on track and can provide for remediation if certain targets aren’t met. They can also be used for ongoing services to ensure proper maintenance and record keeping, customer satisfaction, and multi-vendor collaboration on cybersecurity.

Key Takeaways

  • Digital transformation is rapidly changing the type and severity of cybersecurity risks to the energy industry. Furthermore, vendor contracts with energy companies carry unique cybersecurity challenges, due to a complex array of regulations at the state and federal level.
  • As regulators are increasingly focused on cybersecurity risks, including those related to the supply chain, energy companies working with outside vendors should implement best practices and conduct proactive agency outreach to mitigate the shock of new regulations.
  • When contracting for digital transformation solutions, energy companies should consider using “milestones” in project methodology to track success and provide built-in contractual remedies for delayed performance.