Thursday, June 13, 2019

Vendors vs. Suppliers
In the NERC CIPC Supply Chain Working Group, we’ve had an ongoing discussion about vendors vs. suppliers. It started when someone from a prominent power industry supplier pointed out that his CEO hated it when his company was called a vendor. “Vendors sell hot dogs” was his CEO’s memorable statement. The company now officially refers to itself as a supplier. This person requested that the SCWG stop using the term vendor and refer to any provider of BES Cyber Systems or services as a supplier.

However, he didn’t get very far in his argument. The first time we had the discussion, I pointed out that, while “vendor” isn’t a defined term in the NERC Glossary, it is used everywhere in CIP-013, and definitely in the majority of articles and papers written about CIP-013, to designate entities that provide BCS components to NERC entities. It would be very hard for the SCWG to single-handedly try to change this.[i]

At the SCWG’s meeting last week, held the day before the CIPC meeting started in Orlando, the subject came up again. Once again, there was very little support for trying to change the usage (and in response to the same statement that vendors sell hot dogs, I pointed out – a little meanly, I now admit – that I thought of crack dealers as suppliers, not vendors).

However, during that discussion, my good friend John Work of the Western Area Power Administration emailed me (he was listening to the webcast of the discussion, being unable to get to Orlando for it) that there was a good case to be made for using both terms: A supplier is the manufacturer of the hardware or the developer of the software, while the vendor is the organization that sells it.

I admit that at first I didn’t see that this distinction was going to make a difference, but this week, in the course of working with a client on their CIP-013 methodology, I began to realize it can be very helpful to use both terms, in the way John suggested.

The reason for this becomes evident when you think about having a contract with a vendor (in the original all-inclusive sense), and inserting cybersecurity provisions into it. If the organization both develops and sells the product, in my opinion it doesn’t matter what you call them – your contract is with the organization.

But what about the case where one organization manufactures or develops the product and another sells it? Big companies like Cisco, Microsoft and SEL develop or manufacture their products, but they don’t sell them; a dealer does that. So while your organization certainly has a contract with the dealer, is that really useful as a tool for implementing supply chain cyber risk management mitigations? Of course not; you really would need a contract with Cisco, Microsoft or SEL[ii]. But good luck getting one!

In such cases, using contract language to mitigate risks by requiring certain vendor security practices is simply impossible. You will need to admit that, while all of these companies have very good security practices now (and in fact Edna Conway of Cisco almost single-handedly invented the field of supply chain cyber security risk management), and they will all certainly try to address the concerns of the power industry with specific position papers describing their controls, in the end there is no utility that’s big enough to force one of these companies to do something it really doesn’t want to do. Ultimately, if a utility thinks that, for example, Cisco’s cyber risk controls are woefully insufficient for mitigating the risks that Cisco faces, it will need to either find another vendor or simply accept these risks (which BTW is allowed in CIP-013, while it’s still strictly verboten in the other CIP standards). There’s no other choice.

And now you may see what I just saw in the last day or two: It can really help if you distinguish suppliers from vendors. If your contract is with the vendor (e.g. the Cisco dealer), it simply isn’t going to be a vehicle for mitigating much supply chain cyber risk, although it’s certainly necessary for other reasons. It’s only if your contract is with the supplier (or if the supplier is also the vendor) that you will be able to use it to mitigate a lot of supply chain cyber risk.

Of course, whether you distinguish vendors from suppliers, call them all vendors (as CIP-013 does now), or call them all suppliers (as the CEO of the industry supplier wanted; BTW, that company sells direct to utilities, so it is both a supplier and a vendor in John’s nomenclature), there is no compliance implication. You can call them anything you want in your compliance documentation, since “vendor” isn’t a NERC Glossary term. But I think it’s very helpful to distinguish vendors from suppliers as you develop your supply chain cyber risk management plan, because you will probably need to take different actions in the two cases.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.


[i] The CIP-013 drafting team originally drafted a definition, but they withdrew this after it – I assume – received a lot of negative comments on the first ballot. After that, the term was defined in one of the notorious blue boxes in the later CIP-013 versions. A lot of people had the impression that these boxes were actually part of the standard (and it may have influenced how they voted), since they were found in the middle of the requirements. However, NERC – which was at the time going through one of its periodic identity crises, this time regarding what kinds of “guidance” they could provide – ended up declaring that the items in the blue boxes weren’t officially part of the standard. They were moved to another area (not officially a part of the standard) when CIP-013 was approved by NERC and submitted to FERC for their approval.

[ii] Even a pure dealer will be the subject of some supply chain risk – for example, they may not take proper measures to secure the product before shipment, and it could be tampered with en route; that risk needs to be mitigated, using contract language or another means. And if the dealer also installs the product, there’s a lot of risk to mitigate (which of course is also covered by CIP-013, since risks of installation need to be mitigated just as much as pure procurement risks).
