Abstract
Critical infrastructure applications do not emerge fully formed, but generally rely on components and services from third-party vendors. This paper presents a brief survey on good practice for security requirements to be put on vendors delivering products and services to power Distribution System Operators and other critical infrastructure operators.