S&C considers the security and privacy of our customer data to be core to our business values. We embed security within and across our products, systems, services, and support. S&C’s Senior Leadership team leads the company’s Cybersecurity Council, which oversees security governance across all business functions.
S&C’s Information Security program aligns our policies and processes with industry-recognized frameworks and best practices, including but not limited to:
- NIST Cybersecurity Framework (NIST CSF)
- North American Transmission Forum Supply Chain Questionnaire (NATF C-SCRM)
Our cybersecurity experts participate in the technical committees of various global standard-development organizations, such as the Institute of Electrical and Electronics Engineers (IEEE) and the International Electrotechnical Commission (IEC). S&C is also a member of the National Electrical Manufacturers Association (NEMA) and Electro Federation Canada (EFC), and the company participates in those organizations’ working groups to stay current with topics related to cybersecurity and data privacy.
S&C requires team members to complete annual cybersecurity and data-privacy awareness training. Additional role-specific training is provided, and S&C encourages team members to pursue external security certifications. S&C cybersecurity experts hold industry certifications such as CompTIA Security+, Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), GIAC Industrial Control System Professional (GICSP), and GIAC Certified Incident Handler (GCIH).
S&C’s product-development activities follow the S&C Security Development Lifecycle (SDL), which codifies industry-accepted best practices. The major components of the SDL are security risk analysis, threat modeling, code analysis and review, and vulnerability management. S&C applies the SDL to its new products, systems, services, software, and cloud solutions.
In accordance with the SDL, S&C takes the following actions during design, development, and testing of our products:
- A security risk analysis, based on S&C security requirements, is performed for every new project and for every significant change to an existing project.
- Automated code analysis and manual code reviews are performed regularly during development, guided by frameworks such as the Open Web Application Security Project (OWASP) Top 10.
- Third-party code, including open-source code, is automatically analyzed to identify and mitigate vulnerabilities.
- Hardening of operating systems is performed for embedded devices and cloud-based solutions.
- Network security and firewall rules are implemented and reviewed regularly.
- Testing by independent internal groups is performed before each product release.
S&C has a policy and a documented process for identifying and communicating vulnerabilities in our products to our customers. This process involves reviewing industry data, such as the Common Vulnerability Scoring System (CVSS) and National Vulnerability Database (NVD), for information regarding known vulnerabilities. S&C also conducts internal testing to identify vulnerabilities.
Supply Chain Risk Management
To ensure supply-chain integrity, S&C identifies, mitigates, and where possible eliminates potential security risks by regularly assessing, monitoring, and measuring our supplier cyber risk. Our Standard Terms and Conditions for component or service suppliers include comprehensive information-security and data-privacy sections that define suppliers’ required cybersecurity obligations. As the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards continue to expand and become more stringent, S&C enables our customers to comply with NERC CIP-013.
Protecting Customer Data
S&C holds all team members accountable for understanding and maintaining control over how customers’, S&C’s, and our suppliers’ data are managed, processed, stored, and destroyed. Our suppliers are required to agree to Terms and Conditions that include privacy clauses. We adhere to all six principles of data privacy outlined in the General Data Protection Regulation (GDPR) and other data protection regulations around the world, including:
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
- Data Minimization
- Storage Limitation
- Integrity and Confidentiality
For more information on S&C’s data privacy policies, please refer to our Privacy Statement.
Customers’ Role in Security
S&C has a deep and broad understanding of cybersecurity integration in our customer environments. We augment our product delivery and engineering services with secure network and system design, cybersecurity assessment and configuration, and risk management. S&C’s cybersecurity approach treats resilience as the enduring objective. We serve as the System Owner’s / Integrator’s Security Engineer to ensure holistic security not only of S&C products but also of all interconnections and third-party devices within receiving environments. We also provide standalone cybersecurity services.