We expect tenderers to have expertise in and knowledge of the following topics:
— energy information security issues, with particular focus on the electricity, oil and/or gas industry,
— ICS-SCADA security issues, e.g. OT security, IT/OT convergence, large scale scanning (like SHODAN), etc.,
— policy and regulatory issues related to the resilience of critical infrastructures and services at national and/or European level including activities related to CIIP and ICS-SCADA security,
— CIIP and cyber security strategy and policy at national and/or European level e.g. the European Critical Infrastructures Directive (2008/114/EC), the European Cyber security strategy,
— essential service (with particular focus on energy sector) operations and security practices and knowledge of the regulatory framework e.g. NIS Directive, the GDPR, the EU Telecoms Package,
— incident reporting and relevant incident reporting schemes in critical sectors, e.g. telecommunications (Article 13a of the telecom package),
— CIIP good practice guidelines and standards, e.g. ENISA good practice guides, CPNI’s good practice guidelines to industrial control systems security, ANSSI ICS security documents (“Classification Method and Key Measures” and “Detailed Measures”), IEC 62351, IEC 62443, ISO 27001, ISO 27002, ISO 27019, NERC CIP standards, ANSI/ISA 99, etc.,
— network and information security issues e.g. internet and web security, cryptography, testing, security management, etc.,
— infrastructure security and resilience of CIIP and energy related issues like Public Key Infrastructures (PKI) and core protocols.
Various specific contracts based on the annual ENISA work programme, specifically in the Energy Sector, will be launched periodically to the successful framework contractors based on the “Reopening of Competition” procedure. Depending on the needs of the Contracting Authority and budget availability, this overall budget could be increased by up to 50 % using a “negotiated procedure without prior publication of a Contract Notice”.