Effective October 1, 2020, LADWP is required to comply with North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standard-013. Pursuant to the CIP-013 Standard and LADWP’s CIP-013 Supply Chain Cyber Security Risk Management Plan, LADWP must implement changes to its procurement process and prequalify vendors that participate in bidding opportunities for the procurement of cyber assets, equipment, software, or services supporting the Bulk Electric System.
A Bulk Electric System is defined as facilities and control systems necessary for operating an interconnected electric energy network including electrical generation, transmission, and interconnection systems and all associated software and equipment used to control and operate voltages of 100 kV or higher.
To be prequalified by LADWP, vendors are required to provide a cybersecurity risk profile information that will be evaluated by LADWP. This evaluation includes an assessment of the vendor’s organization, access control, technical controls, incident response, network security, and overall security posture.
All LADWP Invitation for Bids and Request for Proposals for the procurement of cyber assets, equipment, software, or services supporting the Bulk Electric System will be exclusively advertised to vendors that are on LADWP’s Prequalified List of Cyber Vendors.
Vendors that seek to be prequalified by LADWP shall review the document titled LADWP – New Regulation for Procurement of Cyber Assets and Services and submit a completed copy of the CIP-013 Vendor Risk Assessment Questionnaire to [email protected] for evaluation.
LADWP will manage all inherent and residual risks based on established practices and in accordance with the CIP-013 Supply Chain Cyber Security Risk Management Plan.
Intermountain Power Service Corporation (IPSC) utilizes LADWP’s Supply Chain Cyber Security Risk Management Plan and Prequalified Vendor List. For the procurement of computing systems and industrial control system hardware, software, and computing and networking services associated with BES operations from a vendor not covered through LADWP’s Prequalified Vendor List, IPSC utilizes a Supplemental Supply Chain Cyber Security Risk Management Procedure to mitigate cyber security risks to the reliable operation of the BES.