Gas & Electricity Markets Authority (Ofgem)

RIIO-2 Cyber Security submissions review - Role 1

Incomplete applications: 18 (14 SME, 4 large)
Completed applications: 17 (14 SME, 3 large)
Important dates
Published Friday 25 October 2019
Deadline for asking questions Tuesday 29 October 2019 at 11:59pm GMT
Closing date for applications Friday 1 November 2019 at 11:59pm GMT

Overview
Specialist role Cyber security consultant
Summary of the work Review the submissions, visit the OES, facilitate workshops and ask pertinent questions about each submission in order to establish and confirm the OES's response. A key output is a decision paper for each assigned OES.
Able to develop and retain relationships with OES staff.
Latest start date Monday 25 November 2019
Expected contract length
Location London
Organisation the work is for Gas & Electricity Markets Authority (Ofgem)
Maximum day rate

About the work
Early market engagement
Who the specialist will work with The Specialist will work with other cyber security specialists reviewing the RIIO-2 OES submissions. The NIS Regulations impose new duties on Operators of Essential Services ("OES") and give the relevant Competent Authorities ("CAs") new powers and responsibilities to ensure OES meet those duties. Ofgem is joint CA with BEIS for the Downstream Gas and Electricity sectors in Great Britain.
What the specialist will work on 1. Industrial Cyber Security Specialist (x1 resource)
A recognised specialist in the field of industrial control systems security.
This resource will assist with and review the technical aspects of the OES submissions, ensure alignment with NIS requirements, provide guidance and industry best practice, and challenge where necessary.
The candidate needs experience in the industrial cyber security space, ideally in the energy sector, with a track record of successful project implementations and deployment of transformation programmes in this field.
This role will require a broad range of experience in bringing together people, processes & technology, attention to detail and senior stakeholder management.

Work setup
Address where the work will take place The majority of the reviews will take place on Ofgem's premises at 10 South Colonnade, Canary Wharf, London E14 4PU
Working arrangements The contract will be for a total of 50 input days starting in November 2019. The selected company/candidate must be available to commence this assignment in mid November 2019 and remain available until late January 2020.
Security clearance Staff visiting Ofgem's and OEM's premises shall hold at least BPSS (Baseline Personnel Security Standard) level security clearance. The Contractor is responsible for obtaining clearance for all Staff and shall bear all costs associated with the clearance process.

Additional information
Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • have 7 years' proven track record of leading the delivery of information security strategy in the industrial cyber security space, including policy and process development and implementation
  • have 7 years' proven track record of leading the delivery of information security programmes and projects dealing mainly with industrial control systems
  • Clear evidence of a track record of successful project engagements covering a minimum of 6 of the topics listed below:
  • a) Industrial cyber security strategy & architecture
  • b) Information security governance
  • c) Perimeter security and intrusion prevention & detection
  • d) Asset management
  • e) Defence in depth architecture
  • f) Knowledge of the energy sector
  • g) Industrial control systems controls & regulations (NIS, NERC-CIP, ISA/IEC 62443, NIST 800-53/8, etc.)
  • h) Security strategy & transformation
  • i) Information security risk management best practices
  • j) Network segmentation and Purdue Model
  • k) Data protection
  • l) Industrial health & safety requirements
  • m) Identity & access management
  • n) Change management
  • o) Malware & antivirus management
  • p) Information security processes & policies
  • q) Incident response
  • r) Cyber threat intelligence
  • s) Vulnerability management
  • t) System security
  • u) Security awareness and training
  • v) Security monitoring
  • w) Third party vendors & access management
  • x) Resilience and business continuity
Nice-to-have skills and experience
  • demonstrate knowledge of the energy sector through direct experience with energy stakeholders
  • demonstrate knowledge of agile working practices

How suppliers will be evaluated
How many specialists to evaluate 6
Cultural fit criteria
  • Be able to engender confidence with OES and Ofgem
  • Work well under pressure
  • Take responsibility for delivering successfully
  • Work well in a transforming environment
  • Work well in a team and autonomously
Additional assessment methods
  • Reference
  • Interview
  • Presentation
Evaluation weighting
  • Technical competence 50%
  • Cultural fit 20%
  • Price 30%

Questions asked by suppliers
1. We worked extensively within the PSN assessment regime. One common issue was a lack of a fixed assessment standard so that it is clear to all assessors what "good enough" looks like. Do you have an assessment standard that the OES need to meet or exceed? Yes, but it's expected that assessors will contribute and help to shape the final assessment standard approach.
2. Please can you confirm if there is an incumbent supplier in the post? No, this is a new requirement to provide support for this specific activity.
3. Please confirm if this assignment falls outside or inside IR35? This falls outside of IR35, as it's a requirement for consultants of a short-term nature for which we have no permanent staff need.
4. Please can you confirm the maximum all-in day rate (inc. VAT)? We expect to pay market rates for the right combination of skills/experience.
5. You have listed a large list of skills, requiring a minimum of 6.
However, each of the bullet points requires an answer and will be scored accordingly for the application.
Can you please confirm how the answers will be scored and if we will be marked down if candidates are not able to provide details on each of the skills?
We are looking for people with in-depth experience of 6 or more of the criteria, so we would expect some of the criteria to score at the low end. We will not exclude people with low scores in some, but high scores in others.
6. Please can you confirm the length of contract and maximum day rate The contract will run until 31 January with possible extension. We will pay market rates for the right combination of skills/experience.
7. Can you please indicate the budget/day rate range for this opportunity. We will pay market rates for the right combination of skills/experience.
8. Please can you confirm the contract duration? The contract will run until 31 January with possible extension.
9. What is the maximum budget for this task? We will pay market rates for the right combination of skills/experience.
10. Can the Authority confirm if they are working with an incumbent supplier? No, this is a new requirement to provide support for this specific activity.
11. Is there a current incumbent, and can you give any indication of the expected day rate? No, this is a new requirement to provide support for this specific activity. Market rate will be paid for the right skills/experience.