S&C considers the security and privacy of our customer data to be core to our business values. Security is embedded within and across S&C’s products, systems, services, and supports. We have a variety of programs, policies, and procedures in place built to leading industry cybersecurity frameworks and best practices. S&C’s information security program includes but is not limited to data-handling procedures and classification standards. Standards include appropriate controls around data use, storage, retention, monitoring, secure destruction, and segmentation of both electronic and paper records.
Governance and Standards
S&C’s Cybersecurity Council oversees security governance across all business functions and is led by S&C’s President and CEO. A network of security architects, analysts, managers, and administrators embedded across the organization supports security activities related to product development, manufacturing, and enterprise security. S&C’s information security program aligns our policies and processes with industry-recognized frameworks and best practices, including but not limited to:
- NIST Cybersecurity Framework (NIST CSF)
- North American Transmission Forum Supply Chain Questionnaire (NATF C-SCRM)
Our cybersecurity subject matter experts participate in technical committees of global standard development organizations, such as the Institute of Electrical and Electronics Engineers (IEEE) and the International Electrotechnical Commission (IEC). S&C is a member of the National Electrical Manufacturers Association (NEMA) and Electro Federation Canada (EFC), and the company actively participates in the NEMA Cybersecurity Council and the EFC Committee on Cybersecurity of IIoT devices to stay current with topics related to cybersecurity and data privacy.
S&C’s systems are managed by specialized global operations teams whose responsibilities include producing operational specifications and performing maintenance, security updates, vulnerability management, backup, logging, monitoring, and management of events and incidents. The teams also perform periodic reviews of network and application security, including proper separation of duties for system administration.
S&C has a strict protocol for deploying updates for our cloud-based or on-premises systems that defines a formal test, development, and acceptance process prior to approving systems for production. Resiliency, business continuity, and disaster recovery are enabled with the deployment of distributed services within cloud-based systems and physical data centers across multiple geographical areas.
S&C’s product-development activities follow the S&C Security Development Lifecycle (SDL), which codifies industry-accepted best practices. The major components of the SDL are security risk analysis, threat modeling, code analysis and review, and vulnerability management. S&C applies the SDL to its new products, systems, services, software, and cloud solutions.
In accordance with the SDL, S&C takes the following actions during design, development, and testing of our products:
- A security risk analysis, based on S&C security requirements, is performed for every new project and for every significant change to an existing project.
- Automated code analysis and manual code reviews are regularly performed during development, guided by frameworks such as the Open Web Application Security Project (OWASP) Top 10.
- Third-party code, including open-source code, is automatically analyzed to identify and mitigate vulnerabilities.
- Hardening of operating systems is performed for embedded devices and cloud-based solutions.
- Network security and firewall rules are implemented and reviewed regularly.
- Testing by independent internal groups is performed before each product release.
S&C has a policy and a documented process for identifying and communicating vulnerabilities in our products to our customers. This process involves reviewing industry data, such as the Common Vulnerability Scoring System (CVSS) and National Vulnerability Database (NVD), for information regarding known vulnerabilities. S&C also conducts internal testing to identify vulnerabilities.
Supply Chain Security
To ensure supply chain integrity, S&C identifies, mitigates, and where possible eliminates potential security risks. We regularly assess, monitor, and measure our suppliers for product integrity, shipping, and data security. Our standard Terms and Conditions for component or service suppliers include comprehensive information-security and data-privacy sections that define suppliers’ required cybersecurity obligations. While the NERC CIP standards continue to expand and become more stringent, S&C enables our customers to be compliant with NERC CIP-013-1, “Cybersecurity — Supply Chain Risk Management.”
Training & Awareness
S&C holds its team members accountable to specific policies involving information security, communications, and network security. In addition, S&C requires team members to complete annual cybersecurity and data-privacy awareness training. Additional role-specific training is provided, and S&C encourages team members to pursue external security certifications. S&C security experts hold industry certifications, such as Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and GIAC Certified Incident Handler (GCIH). S&C also incorporates cybersecurity awareness and best practices into its internal communications and events to reinforce to S&C team members the value of cybersecurity in S&C’s business operations.
Data Security & Privacy
S&C holds all team members accountable for understanding and maintaining control over how customers’, S&C’s, and our suppliers’ data are managed, processed, stored, and destroyed. Our suppliers are required to agree with Terms and Conditions that include privacy clauses. We adhere to all six principles of data privacy outlined in the General Data Protection Regulation (GDPR) and other data protection regulations around the world, including:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimization
- Storage Limitation
- Integrity and Confidentiality
For more information on S&C’s data privacy policies, please refer to our Privacy Statement.
Customers’ Role in Security
In this hyperconnected world, cybersecurity is a collective responsibility: internal and external threats are accelerated by a rapidly evolving digital landscape, and risk exposure increases every day. We therefore actively work with customers and suppliers to create end-to-end security solutions. S&C views appropriate evaluation of risks and proper care in installation, maintenance, and operations as essential. We work with our customers to ensure S&C-approved updates and patches are securely delivered and authenticated. We provide instructions in our product manuals regarding secure configuration of our products. Finally, we work with customers to remedy any suspected vulnerability or data breach.
Security Incident Response
S&C assigns responsibilities and establishes procedures to respond to suspected security events. We assess each suspected security event against a set of criteria to determine whether it qualifies as a security incident. When security incidents occur, mitigation measures are taken immediately to enable an effective resolution. Lessons-learned activities are conducted regularly to improve and enhance security measures.