SOLICITATION NOTICE
B -- Special Studies and Analysis of Supervisory Control and Data Acquisition (SCADA) Systems Field Device Protection Profile Development
- Notice Date
- 8/4/2005
- Notice Type
- Solicitation Notice
- NAICS
- 541690
— Other Scientific and Technical Consulting Services
- Contracting Office
- Department of Commerce, National Institute of Standards and Technology (NIST), Acquisition Management Division, 100 Bureau Drive, Building 301, Room B129, Mail Stop 1640, Gaithersburg, MD, 20899-1640
- ZIP Code
- 20899-1640
- Solicitation Number
- SB1341-05-Q-0912
- Response Due
- 8/19/2005
- Archive Date
- 9/3/2005
- Small Business Set-Aside
- Total Small Business
- Description
- THIS IS A COMBINED SYNOPSIS/SOLICITATION FOR A COMMERCIAL SERVICE PREPARED IN ACCORDANCE WITH THE FORMAT IN FAR SUBPART 12.6, STREAMLINED PROCEDURES FOR EVALUATION AND SOLICITATION FOR COMMERCIAL ITEMS, AS SUPPLEMENTED WITH ADDITIONAL INFORMATION INCLUDED IN THIS NOTICE. SIMPLIFIED ACQUISITION PROCEDURES ARE UTILIZED IN THIS PROCUREMENT. THIS ANNOUNCEMENT CONSTITUTES THE ONLY SOLICITATION; QUOTATIONS ARE BEING REQUESTED, AND A WRITTEN SOLICITATION DOCUMENT WILL NOT BE ISSUED.

This solicitation is a Request for Quotation (RFQ). The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular (FAC) 2005-05. The associated North American Industrial Classification System (NAICS) code for this procurement is 541690 with a small business size standard of $6,000,000.00. This requirement is restricted to small businesses. The National Institute of Standards and Technology (NIST) has a requirement for professional services to perform Supervisory Control and Data Acquisition (SCADA) Systems Field Device Protection Profile Development. All interested offerors shall provide a quote for the following services:

A. BACKGROUND INFORMATION

The US Department of Commerce, National Institute of Standards and Technology (NIST), Intelligent Systems Division (ISD) of the Manufacturing Engineering Laboratory is working with the Information Technology Laboratory (ITL) to address the information security issues of computer control systems used in the industrial process control industries. Specifically, NIST is leading the Process Control Security Requirements Forum (PCSRF).

The PCSRF is a working group of users, vendors, and integrators in the industrial process control industry which is addressing the cyber security requirements for new industrial process control systems and components, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs). The 650 members of the PCSRF represent the critical infrastructures and related industrial process industries, including oil and gas, water, electric power, chemicals, pharmaceuticals, metals and mining, and pulp and paper. In order to define reasonable IT security requirements and weigh the costs and benefits of adding new security features, it is necessary to understand 1) the vulnerabilities, threats, and their associated risks for these systems, 2) the effectiveness of different security technologies and procedures, and 3) the performance impacts and other costs that result from implementing those technologies and procedures.

Real-time computer systems used in industrial process control applications have many characteristics that differ from traditional information processing systems used in business applications. Foremost among these is design for efficiency, time-critical response and safety. Security has generally not been a strong design driver and has therefore tended to be bypassed in favor of performance and safety.

Supervisory Control and Data Acquisition (SCADA) systems integrate data acquisition systems with data transmission systems and Human-Machine Interface (HMI) software in order to provide a centralized monitor and control system for numerous process inputs and outputs. SCADA systems are designed to collect information, transfer it back to a central computer, and display the information to the operator(s) graphically or textually, thereby allowing the operator to monitor and/or control an entire system from a central location in real time. Based on the sophistication and setup of the individual system, control of any individual system, operation, or task can be automatic, or it can be initiated by operator commands. SCADA systems consist of both hardware and software and are used to control dispersed assets where centralized data acquisition is as important as control, such as in the distribution operations of water supply systems, oil/gas pipelines, electrical systems and rail systems.

Typical hardware includes a Master Terminal Unit (MTU) placed at a central location, communications equipment (radio, telephone line, cable or satellite), and one or more geographically distributed remote stations consisting of either a Remote Terminal Unit (RTU), a Programmable Logic Controller (PLC) which controls actuators and/or monitors sensors, or an Intelligent Electronic Device (IED), such as a protective relay. These geographically distributed remote stations (RTUs, PLCs and IEDs) will be called "field devices" throughout the remainder of this document. The MTU stores and processes the information from field device inputs and outputs, while the field device controls the local process. The communications hardware allows the transfer of information and data back and forth between the MTU and the field devices. The software is programmed to tell the system what and when to monitor, what parameter ranges are acceptable, and what response to initiate should the parameters go outside acceptable values.

Most current SCADA field devices are highly insecure because encryption, authentication, and other security measures were not designed into the devices. An adversary could potentially exploit these insecurities by inserting false commands and responses, modifying legitimate communication, or altering field device behavior. Common vulnerabilities in SCADA field devices include (but are not limited to):
- IP-addressable using TCP/IP
- Authentication is usually weak or nonexistent
- Remote configuration capabilities and modem access
- FTP, Telnet, SNMP and HTML ports open to allow for remote configuration
- Configuration modes that are password-protected, but most passwords are sent in clear text
- Unencrypted communications with the SCADA MTU
- Configurations are not stored or backed up
- Embedded web servers
- Default OS security configurations
- System logs are neither collected nor examined

Security capabilities don't exist in SCADA field devices largely because appropriate security solutions are not available. Vendors have not had a business case for developing SCADA field devices with security capabilities. This is why there is a need for a SCADA Field Device Protection Profile (PP). Concise functional and assurance security requirements need to be specified for new SCADA field devices so that the requirements can get into the product design cycle and the vendors have specific security requirements to build to.

B. PURPOSE AND OBJECTIVES OF THE PROCUREMENT

The overall program objective is to reduce the vulnerability of industrial process control systems used in key industries of the Nation's Critical Infrastructure. This procurement is to acquire services to define the information security functional and assurance requirements for new SCADA field devices and to capture the requirements as a Protection Profile utilizing the Common Criteria. The SCADA Field Device PP shall be complete and capable of having a Security Target written against it and be capable of testing and evaluation, leading to certified products by accredited IT security test laboratories. These security requirements could be specified in procurement Requests for Proposals (RFPs) for new field devices used in SCADA systems. There is no intent to suggest or imply that the Government will enforce the adoption of these requirements.

C. CONTRACTOR REQUIREMENTS

The contractor shall perform all tasks listed below, utilizing the Common Criteria to develop a Protection Profile for new Field Devices used in SCADA systems. The SCADA Field Device PP must be complete and be capable of leading to certified products. The contractor must have specific knowledge of SCADA systems and their unique security requirements.

Task 1: Define the Target of Evaluation (TOE) for the Protection Profile

The contractor shall concisely define the Target of Evaluation (TOE) for the SCADA Field Device Protection Profile including, but not limited to, scope and physical and logical boundaries. Once the TOE is defined, it will be vetted by the PCSRF members for a period of 1 week. The contractor shall be responsible for addressing comments from the PCSRF and making modifications to the TOE description as required.

Deliverable: Completed TOE for the SCADA Field Device PP.

Task 2: Analyze Current SCADA Field Device Architectures, including Analyses of Threats, Vulnerabilities and Risk

The contractor shall analyze current SCADA field device architectures and equipment and characterize the threats, vulnerabilities and associated risks for these devices. Once the threats, vulnerabilities and risks are defined, they will be vetted by the PCSRF members for a period of 1 week. The contractor shall be responsible for addressing comments from the PCSRF and making modifications to the report as required. The contractor shall use this report to develop the Security Environment portion of the Protection Profile.

Deliverable: 5-10 page report that describes current SCADA field device architectures and equipment and characterizes the threats, vulnerabilities and associated risks for these devices.

Task 3: Develop the Security Objectives for the Protection Profile

The contractor shall develop the concise security objectives to address the security issues from Task 2. Once the security objectives have been defined, they will be vetted by the PCSRF members for a period of 1 week. The contractor shall be responsible for addressing comments from the PCSRF and making modifications to the security objectives as required. The contractor shall use the security objectives developed in Task 3 to develop the Security Objectives portion of the Protection Profile.

Deliverable: 5-10 page report describing the security objectives.

Task 4: Development of Information Security Functional and Assurance Requirements

The contractor shall develop specific security functional and assurance criteria for new SCADA field devices based upon information collected in Task 1, Task 2 and Task 3. These security functional and assurance requirements will be captured in the form of Common Criteria requirement statements. All assignments and selections within each Common Criteria requirement statement must be completed (assigned and/or selected). Once the security functional and assurance requirements have been defined, they will be vetted by the PCSRF members for a period of 2 weeks. The contractor shall be responsible for addressing comments from the PCSRF and making modifications to the security functional and assurance requirements as required. The security functional and assurance requirements must be complete and, when incorporated in the SCADA Field Device PP, be capable of having a Security Target written against it and be capable of testing and evaluation, leading to certified products by accredited IT security test laboratories. These security requirements could be specified in procurement Requests for Proposals (RFPs) for new field devices used in SCADA systems. There is no intent to suggest or imply that the Government will enforce the adoption of these requirements.

Deliverable: Document listing the specific security functional and assurance criteria for new SCADA field devices.

Task 5: Development of Rationale and Completion of the Protection Profile

The contractor shall develop the rationale demonstrating that all of the security objectives are addressed, that the specified requirements are sufficient to address the security needs, and that they are necessary and not redundant. The contractor shall then complete the SCADA Field Device PP using the material generated from Tasks 1-5. The SCADA Field Device PP shall be complete and capable of having a Security Target written against it and be capable of testing and evaluation, leading to certified products by accredited IT security test laboratories. These security requirements could be specified in procurement Requests for Proposals (RFPs) for new field devices used in SCADA systems. There is no intent to suggest or imply that the Government will enforce the adoption of these requirements. Once the SCADA Field Device PP has been completed, it will be vetted by the PCSRF members for a period of 30 days. The contractor shall be responsible for addressing comments from the PCSRF and making modifications to the SCADA Field Device PP as required.

Deliverable: Completed SCADA Field Device PP by March 30, 2006.

Task 6: Present the Field Device Protection Profile to the PCSRF Community

The contractor shall plan for and conduct 1 workshop, with NIST and the PCSRF, to brief the users, vendors and systems integrators in the industrial process control industry on use of the SCADA Field Device PP.

Deliverable: Workshop during the May/June 2006 timeframe.

Evaluation criteria for this procurement are:
- Technical approach and scope
- Past performance and experience of the Contractor

The period of performance for this contract is from the date of award until June 30, 2006.

D. GOVERNMENT RESPONSIBILITIES

Other than information provided by the PCSRF, no data, property, or equipment are anticipated to be provided by the Government for the work to be done in this procurement.

E. REPORTING REQUIREMENTS AND DELIVERABLES

The Contractor will be required to provide task deliverables as indicated below:
- Completed TOE for the SCADA Field Device PP as described in Section C, Task 1.
- 5-10 page report that describes current SCADA field device architectures and equipment and characterizes the threats, vulnerabilities and associated risks for these devices, as described in Section C, Task 2.
- 5-10 page report describing the security objectives, as described in Section C, Task 3.
- Document listing the specific security functional and assurance criteria for new SCADA field devices, as described in Section C, Task 4.
- Completed SCADA Field Device PP as described in Section C, Task 5, to be completed by March 30, 2006.
- Workshop with NIST and the PCSRF to brief the users, vendors and systems integrators in the industrial process control industry on use of the SCADA Field Device PP, as described in Section C, Task 6, during the May/June 2006 timeframe.

The contractor shall provide biweekly 1-page reports of hours charged and progress made. The contractor is expected to participate in toll-free conference calls, approximately 1 hour each month, and informally relate the status of their work. No travel is required except for the travel requirements specified in Task 6.

F. PROGRAM MANAGEMENT AND CONTROL REQUIREMENTS

Work will be performed under the technical guidance of the Contracting Officer's Technical Representative (COTR) and in collaboration with the PCSRF.

G. INSPECTION AND ACCEPTANCE CRITERIA

The COTR will review each deliverable to determine its acceptability or unacceptability, incorporating input from PCSRF participants. The submission of each deliverable will be approved or disapproved, and the contractor will be notified, within 30 days of receiving the deliverable. Deliverables that are deemed not to meet one or more requirements specified in this SOW will be rejected and the contractor will be required to correct the deficiencies at no additional cost to the government. Acceptance criteria include completeness and suitability for meeting PCSRF goals.

H. ATTACHMENTS

None.

Award will be made to the Offeror who submits the lowest-priced, technically acceptable proposal.

The following provisions and clauses apply to this acquisition. Provisions: 52.212-1, Instructions to Offerors-Commercial Items; and 52.212-3, Offeror Representations and Certifications-Commercial Items. Offerors must complete annual representations and certifications on-line at http://orca.bpn.gov in accordance with FAR 52.212-3, Offeror Representations and Certifications-Commercial Items. If paragraph (j) of the provision is applicable, a written submission is required. The following clauses apply to this acquisition: 52.204-7, Central Contractor Registration; 52.212-4, Contract Terms and Conditions, Commercial Items; 52.212-5, Contract Terms and Conditions Required to Implement Statutes or Executive Orders, Commercial Items, including subparagraphs: 52.222-3, Convict Labor; 52.222-19, Child Labor-Cooperation with Authorities and Remedies; 52.222-21, Prohibition of Segregated Facilities; 52.222-26, Equal Opportunity; 52.222-35, Equal Opportunity for Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans; 52.222-36, Affirmative Action for Workers with Disabilities; 52.222-37, Employment Reports on Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans; 52.225-3, Buy American Act-Free Trade Agreements-Israeli Trade Act; (ii) Alternate I of 52.225-3; 52.225-13, Restrictions on Certain Foreign Purchases; 52.232-33, Payment by Electronic Funds Transfer-Central Contractor Registration. The Department of Commerce Agency-Level Protest Procedures, Level above the Contracting Officer, are also incorporated. They can be downloaded at www.nist.gov/admin/od/contract/agency.htm. All clauses may be viewed at www.acqnet.gov.

All vendors shall submit the following: 1) An original and three (3) copies of a proposal which addresses the requested services; and 2) A completed copy of the provision at 52.212-3, Offeror Representations and Certifications-Commercial Items, which may be downloaded at www.acqnet.gov.

All proposals must be received not later than 3:30 PM local time on August 19, 2005 at the National Institute of Standards & Technology, Acquisition Management Division, 100 Bureau Drive, Building 301, Room B129, Mail Stop 1640, Gaithersburg, MD 20899-1640, Attn: Al Petto. Because of heightened security, FED-EX, UPS, or similar delivery methods are the preferred method of delivery of quotes. If quotes are hand delivered, delivery must be made on the actual due date through Gate A, and a 48 hour (excluding weekends and holidays) prior notice must be made to the Contracts Office at 301-975-6321. NIST is not responsible for late delivery due to the added security measures. In addition, offerors/quoters who do not provide 24-hour notification in order to coordinate entrance to the NIST campus must assume the risk of not being able to deliver offers/quotes on time. The Government is not responsible for the amount of time required to clear unannounced visitors, visitors without proper identification, and visitors without complete information that would allow delivery (i.e. point of contact, telephone POC, bldg., room number, etc.). If 24 hour notification was not provided, it is suggested that your company representative or your courier service arrive at NIST at least 90 minutes prior to the closing time in order to process entry to the campus through the visitor center and complete delivery. Notice must include the company name, name of the individual making the delivery, and the country of citizenship of the individual. For non-US citizens, the following additional information will be required: title, employer/sponsor, and address. Please ensure that the individual making the delivery brings photo identification, or they will be denied access to the facility. Faxed proposals will not be accepted.
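The rationale required in Task 5 (every objective addressed, requirements sufficient, necessary and not redundant) can be checked mechanically once the threat-to-objective and objective-to-requirement traceability tables from Tasks 2-4 exist. The following is an added example, not part of this notice or of any NIST deliverable; the threat, objective and requirement labels are constructed for illustration from the weaknesses listed in Section A and are not Common Criteria identifiers.

```python
"""Traceability check for a Protection Profile rationale (added example)."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed sample tables. Gaps are left in on purpose so the checker has
# something to report: T.NO_AUDIT maps to no objective, O.AUDIT is met by no
# requirement, R.AUDIT_GEN traces to no objective, and R.ADMIN_LOGIN_DUP
# duplicates R.ADMIN_LOGIN.
THREATS: Set[str] = {"T.FALSE_CMD", "T.MODIFY_COMMS", "T.REMOTE_CONFIG", "T.NO_AUDIT"}
OBJ_FOR_THREAT: Dict[str, Set[str]] = {
    "T.FALSE_CMD": {"O.AUTH_PEER", "O.INTEGRITY"},       # false commands/responses
    "T.MODIFY_COMMS": {"O.INTEGRITY", "O.CONFIDENTIALITY"},  # unencrypted MTU link
    "T.REMOTE_CONFIG": {"O.AUTH_ADMIN"},                 # open config services
    "T.NO_AUDIT": set(),                                 # logs not collected
}
REQ_FOR_OBJ: Dict[str, Set[str]] = {
    "O.AUTH_PEER": {"R.PEER_AUTH"},
    "O.INTEGRITY": {"R.MSG_MAC"},
    "O.CONFIDENTIALITY": {"R.LINK_ENCRYPT"},
    "O.AUTH_ADMIN": {"R.ADMIN_LOGIN", "R.ADMIN_LOGIN_DUP"},
    "O.AUDIT": set(),
}
REQUIREMENTS: Set[str] = {"R.PEER_AUTH", "R.MSG_MAC", "R.LINK_ENCRYPT",
                          "R.ADMIN_LOGIN", "R.ADMIN_LOGIN_DUP", "R.AUDIT_GEN"}


def check_rationale(threats: Set[str], obj_for_threat: Dict[str, Set[str]],
                    req_for_obj: Dict[str, Set[str]],
                    requirements: Set[str]) -> Dict[str, List]:
    """Return every gap that would make the PP rationale fail evaluation."""
    objectives = set(req_for_obj)
    referenced_objs = set().union(*obj_for_threat.values())
    traced_reqs = set().union(*req_for_obj.values())
    # Which objectives each requirement contributes to (inverse of req_for_obj).
    covers: Dict[str, Set[str]] = {}
    for obj, reqs in req_for_obj.items():
        for req in reqs:
            covers.setdefault(req, set()).add(obj)
    findings: Dict[str, List] = {
        # Sufficiency: every threat is countered by at least one objective...
        "uncovered_threats": sorted(t for t in threats if not obj_for_threat.get(t)),
        # ...and every objective is met by at least one requirement.
        "unmet_objectives": sorted(o for o in objectives if not req_for_obj.get(o)),
        # Necessity: nothing in the PP exists without a reason for being there.
        "objectives_without_threat": sorted(objectives - referenced_objs),
        "unnecessary_requirements": sorted(requirements - traced_reqs),
        # Consistency: the tables must not cite labels that were never defined.
        "undefined_objectives": sorted(referenced_objs - objectives),
        "undefined_requirements": sorted(traced_reqs - requirements),
        # Redundancy: two requirements that cover exactly the same objectives.
        "redundant_requirements": [(a, b) for a, b in combinations(sorted(covers), 2)
                                   if covers[a] == covers[b]],
    }
    return findings


def rationale_is_complete(findings: Dict[str, List]) -> bool:
    return not any(findings.values())


if __name__ == "__main__":
    for name, items in check_rationale(THREATS, OBJ_FOR_THREAT, REQ_FOR_OBJ, REQUIREMENTS).items():
        print(f"{name}: {items}")
```

Each non-empty finding is a row the rationale tables still have to justify before the PP can have a Security Target written against it.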
- Place of Performance
- Address: 100 Bureau Dr, Gaithersburg, MD
- Zip Code: 20899
- Country: USA
- Record
- SN00862170-W 20050806/050804211808 (fbodaily.com)