This opportunity is closed for applications

The deadline was Monday 3 August 2020
Nuclear Decommissioning Authority (NDA)

NDA Cyber Range Proof of Concept

15 incomplete applications (11 SME, 4 large)

14 completed applications (4 SME, 10 large)

Important dates

Published
Monday 20 July 2020
Deadline for asking questions
Monday 27 July 2020 at 11:59pm GMT
Closing date for applications
Monday 3 August 2020 at 11:59pm GMT

Overview

Summary of the work
Demonstration of the use of a reconfigurable, easy to operate, object-library based cyber range (with SQEP, i.e. suitably qualified and experienced personnel, support) to accurately emulate various NDA IT and OT systems, and subsequently to conduct assurance tasks and simulated attack exercises so that longer-term requirements and CONOPS can be captured.
Latest start date
Monday 7 September 2020
Expected contract length
6 months, with an option for up to a 1 year extension
Location
North West England
Organisation the work is for
Nuclear Decommissioning Authority (NDA)
Budget range

About the work

Why the work is being done
The NDA is 3 years into a Cyber Security and Resilience Programme (CSRP), which is implementing change across all of its 8 businesses.
A key component of CSRP is the establishment of a Cyber Security Centre of Excellence (CSCoE), which will:
• Support security operations capability across the NDA businesses through the provision of a system emulation / digital twinning capability,
• Conduct assurance and vulnerability evaluations on Information Technology (IT) and Operational Technology (OT) systems through analysis of virtualised and physically connected systems,
• Host business, enterprise and sector cyber exercises,
• Act as the focal point for academic research and information sharing.
Problem to be solved
The longer term requirements of the CSCoE cannot be adequately developed without capability demonstration and user interaction. Therefore, CSRP requires a cyber range capability that can enable each of the roles of the CSCoE to be demonstrated through emulation of multiple NDA topologies containing IT and OT components. The cyber range needs to be able to operate within the information and physical security requirements of the NDA (which includes options for locating the cyber range on NDA premises).
Who the users are and what they need to do
The lead for this work within the NDA is the CSRP Programme Manager. The delivery manager and person responsible for tasking of the cyber range is the Cyber Range Project Manager. The delivery manager is also responsible for capturing outputs and translating them into a longer-term requirement set. In order to develop the requirements, the delivery manager needs to run demonstrations, exercises and system trials with various NDA stakeholders (CISOs and security staff) to prove the concept of a reconfigurable cyber range, demonstrate its value, capture its CONOPS and collect evidence to underpin a business case.
Early market engagement
Any work that’s already been done
The NDA has previously employed skilled resource to develop a cyber range, located at the Energus site in Workington. It has been configured to be representative of an NDA network, but is not rapidly reconfigurable. This range has been used to de-risk CSCoE work and in particular has been used as part of a national level exercise (in conjunction with BEIS). The hardware is available for use in this project if necessary. The Energus site is the preferred site for the cyber range associated with this contract.
Existing team
The supplier will work as part of the CSRP team, which is made up of a combination of NDA staff, contractors and other suppliers that are responsible for CSRP related services (such as Incident Response, Threat Intelligence and Assurance/Testing). The supplier may encounter other suppliers as they engage with NDA businesses, who have their own support teams and security services in place.
Current phase
Discovery

Work setup

Address where the work will take place
Whitehaven, Cumbria and
Workington, Cumbria.
Some meetings may take place at NDA sites including Warrington, Cheshire
Working arrangements
Whilst Covid restrictions limit contact in the near term (allowing the supplier to work remotely during early phases), the intent is for the cyber range to be located in Workington from January 2021 at the latest and for remote access/interaction to take place with stakeholders that cannot attend the Workington site.
The supplier PM and key personnel will be expected to be routinely available, with daily stand-ups by conference call. Online communication is inevitable given the geographic spread of NDA sites.
Security clearance
SC minimum (or equivalent) and personnel may need to go through NDA clearance checks

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Technical capability to replicate/emulate mixed IT and OT topologies in a virtualised cyber range environment
  • Technical capability to run traffic simulation based scenarios for cyber attack/vulnerability analysis (based on the MITRE ATT&CK framework)
  • Technical capability to create libraries of relevant configurations and scenarios for rapid re-configuration and running of simulation events
  • Functionality that limits the specialist skills requirements of cyber range users
  • Knowledge and experience of the deployment and employment of security controls and security management tools
  • Ability to design, prepare and deliver trials, demonstrations and exercises on a cyber range
  • Ability to identify, communicate and rapidly collate information for use on the cyber range
Nice-to-have skills and experience
  • Experience in NDA/ONR environment
  • Predefined library of relevant range components, attack scripts, security controls and configurations
  • Library of relevant exercises and mission rehearsal events
  • Ability to conduct multi-site (remote access) exercises and analyses
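The essential skill of building libraries of configurations and scenarios for rapid re-configuration, together with the nice-to-have predefined library of range components and attack scripts, comes down to keeping the object library and the scenario library consistent with each other. As an added illustration (not code from the NDA, the listing, or any supplier), the Python below models a minimal object library and scenario library with constructed sample entries and checks that every scenario references only objects that exist, uses well-formed MITRE ATT&CK technique IDs, declares at least one tactic, and reports which objects must be physically connected because they cannot be virtualised. The object names, field names, sample scenarios and technique/tactic labels are assumptions chosen for illustration, not NDA topologies.

```python
"""Consistency check for a cyber-range object library and scenario library.

Added example. Assumptions (not from the NDA listing): the object library is
a dict of named range objects (hosts, PLCs, firewalls); each scenario lists
the objects it uses, the ATT&CK technique IDs its traffic emulates, and the
tactics it covers. Sample data below is constructed for illustration.
"""
import re

# ATT&CK technique IDs: 'T' + four digits, optionally '.NNN' for a sub-technique.
# The ICS matrix uses the same T#### form, so one pattern covers both.
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed object library: name -> attributes. 'physical' marks objects
# that cannot be virtualised and must be cabled in (as the listing allows for OT).
OBJECT_LIBRARY = {
    "it-dc01":  {"kind": "host",     "os": "windows-server", "segment": "it"},
    "it-ws01":  {"kind": "host",     "os": "windows-10",     "segment": "it"},
    "ot-eng01": {"kind": "host",     "os": "windows-10",     "segment": "ot"},
    "ot-plc01": {"kind": "plc",      "physical": True,       "segment": "ot"},
    "fw-itot":  {"kind": "firewall", "segment": "boundary"},
}

# Constructed scenario library. The third entry is deliberately broken.
SCENARIOS = [
    {
        "name": "phish-to-engineering-station",
        "objects": ["it-ws01", "it-dc01", "fw-itot", "ot-eng01"],
        "techniques": ["T1566.001", "T1078", "T1021.001"],
        "tactics": ["initial-access", "defense-evasion", "lateral-movement"],
    },
    {
        "name": "plc-unauthorised-command",
        "objects": ["ot-eng01", "ot-plc01"],
        "techniques": ["T0855"],
        "tactics": ["impair-process-control"],
    },
    {
        "name": "broken-reference",
        "objects": ["ot-hmi01"],            # not in the object library
        "techniques": ["T15", "T1059.003"],  # first ID is malformed
        "tactics": ["execution"],
    },
]


def validate_scenario(scenario, library):
    """Return a list of problems found in one scenario (empty means valid)."""
    problems = []
    for obj in scenario.get("objects", []):
        if obj not in library:
            problems.append(f"{scenario['name']}: unknown object '{obj}'")
    for tid in scenario.get("techniques", []):
        if not TECHNIQUE_RE.match(tid):
            problems.append(f"{scenario['name']}: malformed technique id '{tid}'")
    if not scenario.get("tactics"):
        problems.append(f"{scenario['name']}: no tactics declared")
    return problems


def validate_library(scenarios, library):
    """Validate every scenario against the object library; return all problems."""
    problems = []
    for scenario in scenarios:
        problems.extend(validate_scenario(scenario, library))
    return problems


def physical_objects(scenario, library):
    """Objects a scenario needs that must be physically connected to the range."""
    return sorted(o for o in scenario["objects"] if library.get(o, {}).get("physical"))


def technique_coverage(scenarios, library):
    """Map technique id -> scenario names, counting only scenarios that validate."""
    coverage = {}
    for scenario in scenarios:
        if validate_scenario(scenario, library):
            continue  # a broken scenario cannot be relied on to exercise anything
        for tid in scenario["techniques"]:
            coverage.setdefault(tid, []).append(scenario["name"])
    return coverage


if __name__ == "__main__":
    for problem in validate_library(SCENARIOS, OBJECT_LIBRARY):
        print("PROBLEM:", problem)
    for scenario in SCENARIOS:
        print(scenario["name"], "needs physical:", physical_objects(scenario, OBJECT_LIBRARY))
    print("technique coverage:", technique_coverage(SCENARIOS, OBJECT_LIBRARY))
```

Run as a script it lists the two defects in the broken scenario, shows that only the PLC scenario requires a physically connected device, and reports ATT&CK coverage from the scenarios that pass validation. Excluding invalid scenarios from the coverage figure is the point: a library that claims a technique is covered by a scenario that cannot actually be instantiated gives a false picture of what the range can demonstrate.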

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
5
Proposal criteria
  • Ability to meet timeframe
  • Maturity and suitability of technical solution
  • Experience in relation to IT/OT topologies
  • Examples of similar, successful projects
  • Approach to project and task management
  • Value for money (including transparency of costs)
Cultural fit criteria
  • Ability to work as part of CSRP team
  • Agility in approach and management of tasks
  • Focus on the outcome of the work, not the specifics of their technical capability
  • Willingness to share wider knowledge and experience of supplier
  • Willingness to take risk and responsibility
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Presentation
Evaluation weighting

Technical competence

60%

Cultural fit

20%

Price

20%

Questions asked by suppliers

1. NDA normally have a requirement that the suppliers that they work with have Cyber Essentials. Is this a requirement at this point or for down selected suppliers to have?
NDA would draw supplier attention to the security clearance requirements and the start date. If suppliers are proposing to prepare project content and reports on their own information systems (rather than assuming they will be issued NDA IT, which carries a time risk) then they will be required to have CE+ (or an accredited equivalent), based on the assumption that reports are likely to be classified and caveated Official Sensitive. Submissions should also indicate how security is achieved for their cyber range, given that it will be representative of (and contain configurations of) live systems.
2. What is the budget for the activity?
NDA has chosen not to advertise its budget in the supplier opportunity. It would be helpful if proposals contain costs for use of the cyber range for 6 months, costs of the core team to run and maintain the range and rates for additional staff that may be required to support the individual activities as advertised.
3. Please can you confirm the specification and volume of available hardware?
36 HP Z440 workstations (32 GB RAM, 2 x 256 GB SSD, Windows 10 Pro, VMware Workstation 12 Pro).
Range devices sit on a 12-core 1000BASE-SX connection.
Range infrastructure:
• Cisco UCS (6 x Cisco B200-M4/M5 blades), scalable to 8
• 1.28 TB usable RAM across the VMware cluster
• 232.5 GHz usable CPU across the VMware cluster
• Connection to a dual-controller HPE Nimble CS1000 via 10GBASE-SX backplane (7 TB raw, 6.2 TB usable)
• Cisco Nexus 5548P L3 core, 10 GbE
• Cisco 2960X access, 1 Gb to desk
• VMware ESXi 6.5 Standard
• Isolated FTTP at 50 Mbps to 100 Mbps bearer
• Cisco 5525 CheckPoint firewall
• Remote access for up to 30 users
• LogRhythm All-In-One XM4500 SIEM
4. Can you confirm what software is already available on the existing hardware?
See answer to previous question regarding available hardware
5. Can you confirm what remote connectivity/remote access is already available?
Remote access from the current Energus facility is available, see technical description provided to previous question.
6. Can we include diagrams in conjunction with our response?
Yes, diagrams and screenshots are encouraged
7. Can we include diagrams in conjunction with our response?
Yes, diagrams and screenshots are encouraged
8. What is the scale and scope of the desired environment/number of VMs?
The requirement provides the scope (mixed IT and OT environments using virtualised and physically connected systems). The NDA does not intend to stipulate the number of VMs or other measures of scale. Open source information regarding the role and function of the NDA and its businesses is deemed sufficient for suppliers to demonstrate the suitability of their cyber range solutions in accordance with the need for ‘digital twinning’. Detail of the VM capacity of off-the-shelf supplier systems (and evidence as to why such capacity is or has proven to be sufficient elsewhere) would be welcome information in the proposal. https://www.gov.uk/government/organisations/nuclear-decommissioning-authority/about#ndas-estate
9. Are NDA looking for the Supplier to take on Ownership / Management of the current Customer Hardware & Software ? And, If so, is the Cisco Server and Switch hardware under a Service contract currently?
No. To clarify the requirement, the opportunity is for the delivery of a cyber range separate to the one previously used. Reference to Energus is regarding 'work that's already been done'. The current hardware is available for use ‘if necessary’ but the NDA anticipates an off-the-shelf system being provided in order to meet the full features as described.
10. Is the Cisco 5525 listed an ASA, as the description doesn’t align with a Checkpoint Model?
Apologies for the confusion, it is actually a Cisco ASA 5516 (not 5525) for the range currently installed at Energus.
11. Is the listed VMware software under an ongoing service agreement?
Hardware and software can be assumed to be supported by NDA for the duration of this contract. It is worth reiterating, however, that the opportunity offers the hardware 'if necessary'. The contract is not for ongoing maintenance and use of the current range as it does not support the features required.
12. Can you confirm that the questions and answers related to providing costs and diagrams do not apply at this stage but are relevant to the second stage when a costed proposal is required? Please confirm you are only expecting the 100 word response to the skill section.
This opportunity does not deviate from the standard DOS process and constraints of the application formats. Costs etc will follow in the next stage. It was intended to provide all suppliers with information of what would be required if they were to submit an application and be successfully down-selected.
13. What do you envisage the outcome of this initial Discovery phase of work to be and how would you measure success?
We envisage the outcome to be sufficient evidence to underpin an investment plan for longer term capability (to be written by the NDA team). Success will be measured by having been able to conduct a sufficient number of demonstrations/activities across IT and OT, based on sufficiently representative architectures, using a wide range of functions/features (eg traffic generation and attack scenarios) to be able to judge the full utility of a cyber range.
14. How many end users will be catered for i.e. Red team, Blue Team, observers, etc.? What are the first deliverables – a CONOPs, and evidence for inclusion within a wider business case to develop the range? Will the range be purely virtual or does the end OT equipment need to be physically present? Can open source security assessment tools be used, i.e. security onion, volatility, FTK, Wireshark etc or does it have to be commercial security assessment tools only? What attack scenarios are we trying to emulate? Where is the threat intel coming from?
End user numbers and type will depend on the role in which the range is being used. The NDA will be using this discovery to inform longer term requirements and seeks to benefit from supplier experience in similar environments. Deliverables - reports from activities as evidence. Virtualisation - where OT cannot be virtualised there should be the ability to connect it. Open source tools - yes, but the solution should be appropriate for open source and ‘commercial’ tools. Attack scenarios (see essential skills and experience) should be appropriate for NDA sector. Threat intel is being provided under a separate workstream.
15. Will the customer accept a response from an industrial team, not just a single supplier? Will the customer allow additional team members to be added to the supplier team after contract award, or during the procurement process? For purposes of clarity, does the customer expect us to submit a price, not a cost? Is the customer expecting a firm price or a Rough Order Magnitude (ROM) quote? Will the range be used for regulator demonstrations i.e. Level 1 exercising and exercising of duty holders and 3rd parties such as NDA, ONR, NCSC, BEIS?
Team or single supplier - DOS eligibility rules apply; NDA would agree to a subcontracting or consortium arrangement as long as all parties have delivery roles and the opportunity isn't being subcontracted in its entirety. Additional members - yes, if in accordance with DOS rules. Cost/Price - it should read price. Pricing - firm price, based on the breakdown previously stated: range price + support team price for the duration, rate cards for additional staff if required. Regulator demonstration - exercising is only one of the activities for which the range will be used (see roles). Regulator involvement/awareness in each activity is TBC.
16. Is there a project beyond the 18 months that this aligns with? Does the NDA foresee a continued service offering after the 18 months? Will suppliers who bid for the initial 6 months project be allowed to deliver the full technical solution/service offering? Will other European National SC vetting or equivalent be acceptable for this project? Will the NDA issue an ITT or ITN for the subsequent assessment after this initial RFI/PQQ stage with a pricing matrix so we can cost against a work breakdown structure?
Contract 6 months with option for additional 12. Project alignment (funding) - subject to justification and normal Govt funding plan risks. Continued service foreseen after 6 months. Initial supplier allowed to bid for full offering - yes, appropriate measures in place for open competition. Vetting - non UK SC equivalents considered depending on role, subject to acceptable information control measures being in place with risk of delays having vetting checked by NDA before they start. Assessment - NDA will provide information to assist pricing, but won't be a full WBS or ITT in line with purpose and guidelines of DOS.
17. In the spirit of wanting to provide the NDA with the best possible proposal and due to COVID 19 and travel restrictions, would it be possible to have a minimum of 1 weeks extension granted for the submission of this return. This is also due to some of our staff returning from furlough and annual leave? Are you completely wedded to the hardware that you have cited in the opportunity?
Extension - no, as this stage of the competition just requires sufficient information for us to be able to downselect 5 suppliers to be further assessed. Hardware - referring back to the requirement, the NDA requires a cyber range and current hardware could be used 'if necessary'. By 'if necessary' the NDA anticipates that suppliers are providing a cyber range to replace/act as an alternative to the current range.
18. Does bidding, or winning/delivering this Consultancy opportunity with the NDA preclude competing for future NDA & Subsidiary (i.e. Sellafield) tenders for delivery of Asset Management services/solutions?
Strictly speaking this is not a consultancy opportunity, it is an outcomes based contract for the delivery of a technical capability with support. Asset Management services/solutions is outside the scope of this opportunity.
19. What does SC equivalence mean? E.g. will a NATO secret work? Would it include 5-eyes?
Non-UK SC holders can work on the project but cannot be exposed to nationally caveated information.
20. Are all elements to be fully emulated and virtualised? ICS components/PLCs/HMI/networking/switches/workstations/engineering stations? What level of emulation is required? Full hardware emulation with real firmware extracted from physical devices, or partial emulation of expected responses to inputs? Will NDA be expecting staff support, or will NDA supply staff?
Requirement is for a cyber range that over the length of the contract will allow a number of digital twins of live NDA systems (IT and OT) to be quickly created in a virtualised environment, such that they act and behave in the same way as the live system but virtualised. Where systems cannot be virtualised (eg OT) they may be physically connected. The range requires traffic generation for this behaviour to be representative of a live system. NDA will expect range support and possibly additional staff to help with range based activities. NDA staff and stakeholders will be the users.