
Overview

S&C considers the security and privacy of our customer, supplier, team member, and operational data to be core to our business values. We embed security within and across our products, systems, services, and support. S&C’s Senior Leadership team leads the company’s Corporate Cyber Council, which oversees security governance across all business functions.

As part of S&C’s commitment to continual improvement and information security, S&C has achieved certification for all non-production-related operations at our primary U.S. facilities against the ISO/IEC 27001:2022 information security management systems (ISMS) standard. S&C’s ISO 27001 Certificate reinforces our dedication to protecting sensitive information and ensuring robust security practices across our business and software development operations.

Supply Chain Risk Management

To protect supply-chain integrity, S&C identifies, mitigates, and where possible eliminates security risks by regularly assessing, monitoring, and measuring supplier cyber risk. Our Standard Terms and Conditions for component and service suppliers include information-security and data-privacy sections that define the cybersecurity obligations a supplier must meet. As the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards continue to expand and become more stringent, S&C supports our customers' compliance with NERC CIP-013, the CIP standard that covers supply chain risk management.

Product Security

S&C’s product-development activities follow the company’s Security Development Lifecycle (SDL), which codifies industry-accepted best practices. The major components of the SDL are security risk analysis, threat modeling, code analysis and review, and vulnerability management. S&C applies the SDL to all new products. In accordance with the SDL, S&C takes the following actions during design, development, and testing of our products:

  • Performs a security risk analysis, based on S&C security requirements, for every new project and for every significant change to an existing project

  • Regularly performs automated code analysis and manual code review during development, guided by industry-standard frameworks

  • Automatically analyzes third-party code, including open-source code, to identify and mitigate vulnerabilities

  • Performs industry-standard hardening of operating systems for embedded devices and systems

S&C has a policy and a documented process for identifying vulnerabilities in our products and communicating them to our customers. This process includes monitoring industry sources such as the National Vulnerability Database (NVD) for known vulnerabilities in the components we use, and rating the severity of each finding with the Common Vulnerability Scoring System (CVSS).
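The check at the heart of that process, as an added example that is not S&C's tooling or code: a component inventory (in the shape a software bill of materials would give) is matched against vulnerability records carrying NVD-style version bounds and a CVSS base score, and the hits are ranked by severity. It also illustrates the third-party code analysis step listed above. The inventory, the records, and their EXAMPLE-… identifiers are all constructed placeholders, not real components or CVEs.

```python
"""Component inventory vs. vulnerability-record matching.

Added example, not S&C's process or tooling. The inventory is a constructed
SBOM-style component list and the vulnerability records are constructed in
the shape of NVD CPE-match entries (versionStartIncluding,
versionEndExcluding, versionEndIncluding); the record IDs are placeholders,
not real CVE identifiers.
"""
from itertools import takewhile
from typing import Optional


def parse_version(version: str) -> tuple:
    """Turn "1.10.2" into (1, 10, 2) so components compare numerically.

    A plain string comparison gets this wrong: "1.10.2" < "1.9.9" as text.
    Non-numeric suffixes ("2rc1" -> 2) are ignored and trailing zeros are
    dropped, so "1.2" and "1.2.0" compare equal (simplifying assumption).
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_range(version: str, start_inc: Optional[str] = None,
                     end_exc: Optional[str] = None,
                     end_inc: Optional[str] = None) -> bool:
    """True if version lies inside the bounds an NVD-style match entry gives."""
    v = parse_version(version)
    if start_inc is not None and v < parse_version(start_inc):
        return False
    if end_exc is not None and v >= parse_version(end_exc):
        return False
    if end_inc is not None and v > parse_version(end_inc):
        return False
    return True


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def match_inventory(inventory, records):
    """Return one finding per (component, record) hit, highest CVSS first."""
    findings = []
    for comp in inventory:
        comp_key = (comp["vendor"].lower(), comp["product"].lower())
        for rec in records:
            m = rec["match"]
            if (m["vendor"].lower(), m["product"].lower()) != comp_key:
                continue
            if not version_in_range(comp["version"],
                                    m.get("versionStartIncluding"),
                                    m.get("versionEndExcluding"),
                                    m.get("versionEndIncluding")):
                continue
            findings.append({
                "id": rec["id"],
                "component": f'{comp["product"]} {comp["version"]}',
                "cvss": rec["cvss"],
                "severity": cvss_severity(rec["cvss"]),
            })
    findings.sort(key=lambda f: (-f["cvss"], f["id"]))
    return findings


# Constructed SBOM-style inventory (placeholder vendor and products).
INVENTORY = [
    {"vendor": "example", "product": "libfoo", "version": "2.4.1"},
    {"vendor": "example", "product": "libfoo", "version": "3.0.0"},
    {"vendor": "example", "product": "netd", "version": "1.10.2"},
    {"vendor": "example", "product": "zlibish", "version": "1.2.13"},
]

# Constructed NVD-like records; IDs are placeholders, not real CVEs.
VULN_RECORDS = [
    {"id": "EXAMPLE-2024-0001", "cvss": 9.8,
     "match": {"vendor": "example", "product": "libfoo",
               "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.5.0"}},
    {"id": "EXAMPLE-2024-0002", "cvss": 5.3,
     "match": {"vendor": "example", "product": "netd",
               "versionEndIncluding": "1.9.9"}},
    {"id": "EXAMPLE-2024-0003", "cvss": 7.5,
     "match": {"vendor": "example", "product": "netd",
               "versionStartIncluding": "1.10", "versionEndExcluding": "1.11"}},
]

if __name__ == "__main__":
    for f in match_inventory(INVENTORY, VULN_RECORDS):
        print(f'{f["severity"]:8} {f["cvss"]:4} {f["id"]} {f["component"]}')
```

Two points worth noting from the run: netd 1.10.2 is correctly judged newer than the 1.9.9 bound of the medium-severity record and inside the 1.10 to 1.11 window of the high-severity one, which a lexical string comparison would invert and silently miss; and the match relies on exact vendor/product identity, so in practice naming mismatches between an SBOM and the vulnerability source (the CPE-naming problem) are the other place such a check can go quiet.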

Protecting Customer Data

S&C holds all team members accountable for understanding and maintaining control over how customers', S&C's, and our suppliers' data are managed, processed, stored, and destroyed. Our suppliers are required to agree to Terms and Conditions that include privacy clauses. We adhere to the six data-processing principles set out in Article 5(1) of the General Data Protection Regulation (GDPR), and to the corresponding requirements of other data protection regulations around the world:

  • Lawfulness, Fairness, and Transparency
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality

For more information on S&C’s data privacy policies, please refer to our Privacy Statement.

Cybersecurity Services

S&C has a deep and broad understanding of how cybersecurity integrates into our customers' environments. We augment our product delivery and engineering services with secure network and system design, cybersecurity assessment and configuration, and risk management. S&C's approach to cybersecurity treats resilience as the enduring objective. We serve as the System Owner's or Integrator's Security Engineer, addressing the security not only of S&C products but of all interconnections and third-party devices in the receiving environment. We also provide standalone cybersecurity services.