clauses should be clear and not over-inclusive.

They should
impose responsibilities not just on the receiver of confidential
data but also on the source of confidential data. That goes for
cybercrime as well. It is not fair to place all risk for cybercrime
on the company gaining access when the facility owner does not
have even the most minimal protections of its own in place. In
the case of maintenance and monitoring arrangements, it is wise
to have a separate contract or work order in place that spells out
the rules—including the establishment of clear distinctions, for
instance, between responding to a routine service request and
implementing the upgrade of a system.

Indemnity: Indemnity and indemnification are words that

keep lawyers fully employed because they can be so difficult
to understand. Please pay attention to them! The difference
between a thoughtlessly-worded (and often too-hastily accepted)
indemnity clause and a balanced indemnity clause can be the
difference between a third-party claim covered by insurance and
one that renders your company insolvent.

Incorporation of “standard”: When looking for greater certainty

in managing risk, consider incorporating automation standards in
your proposals, purchase orders and other contract documents as
a respected measuring stick for performance. Standards can be a
double-edged sword, however. Do not incorporate standards that
you have no intention of understanding—and following.

Waiver of consequential damages: Perhaps the most important

crucial clause for control system integrators and other automation
companies on the “provider side” is a “waiver of consequential
damages.” This is the part of the contract that says
that whatever else happens, the automation provider will not be

2021 I Practical Guide for Remote Access to Plant Equipment 38