Invitation to Tender: Provision of consultancy services for the ‘Mitigation of security risks arising from internet-connected devices’.

19 December 2018

The Security Sub Committee (SSC) are inviting security vendors to tender for the provision of consultancy services for the ‘Mitigation of security risks arising from internet-connected devices’.

The Security Sub-Committee (SSC), a Smart Energy Code (SEC) Panel Sub-Committee, is required by the SEC to carry out reviews of the Security Risk Assessment to identify any new or changed risks to the End-to-End Smart Metering System (SEC Section G7.19 (b)). The SSC is also required to maintain the Security Requirements to identify the security controls that are appropriate to mitigate security risks (SEC Section G7.19 (c)). The SSC has recently undertaken a comprehensive review of the Security Risk Assessment and considers that one particular risk that arises from internet-connected devices requires external security and technical expertise to identify security controls to mitigate the risks. Therefore, the SSC are looking to appoint a provider who can identify appropriate security risk mitigations to enable the SSC to meet the obligations in SEC Section G7.19, in line with a scope and approach for the assignment to be approved by the SSC.

The consultancy provider will need to conduct research and collaborate with experts in the field of internet-connected devices, Internet of Things (IoT) and penetration testing in order to identify, assess and calibrate the current and future potential security risks to the End-to-End Smart Metering System arising from internet-connected Type 1 and/or Type 2 Devices. After sufficient research and identification of risks has been completed, they will provide a recommendation to the SSC for risk mitigation options including pros and cons, costs and timeframes. Following a decision on suitable risk mitigation options, the consultancy provider will develop implementation plans.

It is essential that the consultancy provider has experience with the HMG IS1/IS2 methodology and the ISO/IEC 27005 guidance on risk assessment. It is desirable that the consultancy provider can demonstrate a credible and extensive track record of working within the cyber security specialism as a Lead or Senior Practitioner in a CCSC accredited organisation.

To simplify the exchange of information regarding this Invitation to Tender (ITT), please advise the SECAS team as soon as possible if you wish to participate in this tender, along with contact details for a single point of contact. All queries should be submitted via email to the SECAS team no later than 5pm on 4 January 2019.

Responses to this ITT must be emailed to the SECAS team by 5pm, 18 January 2019 in accordance with the provisions of the attached ITT.

SECAS Team details:
PH: +44 020 7090 7755
