Scottish Water has gone to market for a cybersecurity partner, publishing a new £50 million contract for the role, which will include delivering what it describes as "complex transformative cybersecurity projects."
As well as a wide range of technical improvements, responsibilites will include to "continuously inform Scottish Water's internal awareness and coaching strategy and to provide materials to support this" and "attend Scottish Water strategy and design governance boards and be the key source of cybersecurity advice" the tender says.
The Scottish Water cybersecurity contract comes as utility CIOs become increasingly alarmed at the operational disruptions that they are seeing in other critical national infrastructure after cybersecurity incidents.
(See, for example a wave of opportunistic attacks on European oil terminals in early 2022.)
Scottish Water provides over a billion litres of fresh water daily to millions of customers. It operates 231 water treatment works and oversees 30,400 miles of water pipes and 33,300 miles of sewer pipes.
The Scottish Water cybersecurity contract will be for a three-year initial term, with three further one-year extension options. It expects to invite just three providers to bid; a number that perhaps coincidentally matches the number of its existing key IT service providers: Atos, Capgemini and Microsoft partner CompanyNet.
Requests to participate need to be submitted by February 10, 2022.
Scottish Water cybersecurity contract: What the utility is seeking
Perhaps needless to say, the company is not looking for a minnow but a substantial partner. It needs someone to take on what it described in a contract notice – published late January 12 – as a comprehensive blend of “both traditional managed detection and response services (MDR) and managed security services (MSS).”
The provider will take the lead on “proactive assessment and prevention of cybersecurity risk”, “response and management of cyber-security emergencies”, and “deliver complex transformative cybersecurity projects.”
Extensive experience in utilities, particularly water are a must, as is the ability to provide Advanced Threat Centre (ATC) services from a Security Operations Centre (SOC) located onshore within the UK.
Follow The Stack on LinkedIn for access to events
Scottish Water wants expert competency in, among other areas:
- Managed Detection Response (MDR) services
- Software defined networking (SD-WAN)
- Network Segregation and intrusion detection
- Identity and access management solutions
- IT and OT Convergence
- Security of IoT Devices and Programmable Logic Controllers
- Next-gen firewall appliances
- Microsoft E5 security products and wider Microsoft security product portfolio
- Advanced Threat Protection tools
- Threat-intelligence services
- Secure network access to remote sites
- Secure remote access services
- NIS – working knowledge and consultancy.
The preferred partner will "working collaboratively with Scottish Water... be delivering security improvement projects to enhance security capabilities, optimise costs and add value in addition to bringing or developing new innovative technologies to address the convergence of IT and OT security" the tender notice said.
Scottish Water's last annual report shows that its Audit and Risk Committee had -- perhaps unsurprisingly -- "requested specific reports on cyber security and NIS compliance" during the last year and that the company had reviewed and tested "detailed disaster recovery plans" and participated in cyber incident exercises.
The Scottish Water cybersecurity contract comes after the parent company of South Staffs Water and Cambridge Water, was hit by the CL0P ransomware group in July 2022; an attack that caused concern at the highest levels of government and triggered a "nationally coordinated response" according to the NCSC.
The group claimed it had got access to 5TB of data, SCADA systems and systems that control "chemicals in water", showing screenshots that suggested it had obtained access to the controls for the Clean-In-Place (CIP) system which introduces chemicals into pipes and other systems to disinfectant them.
No disruption to operational systems was caused by that attack however.
Gartner expects spending on information security and risk management to hit $188.3 billion in 2023.