Section one: Contracting entity
one.1) Name and addresses
SCOTTISH HYDRO ELECTRIC TRANSMISSION PLC
Inveralmond House,200 Dunkeld Road
PERTH
PH13AQ
Contact
James Pike
Country
United Kingdom
Region code
UKM77 - Perth & Kinross and Stirling
Companies House
SC213461
Internet address(es)
Main address
https://www.ssen-transmission.co.uk/
one.3) Communication
Additional information can be obtained from the above-mentioned address
Tenders or requests to participate must be submitted electronically via
https://sse.app.jaggaer.com/esop/guest/go/opportunity/detail?opportunityId=386
one.6) Main activity
Other activity
IT Services
Section two: Object
two.1) Scope of the procurement
two.1.1) Title
SHET network segregation project and networking support services
Reference number
7647
two.1.2) Main CPV code
- 72700000 - Computer network services
two.1.3) Type of contract
Services
two.1.4) Short description
Scottish Hydro Electric Transmission seek a skilled provider of network and security consulting and project delivery services to design and deliver a major IT network and authentication re-structure.
The objective of the project is to further segregate SHET network zones from SSE corporate networking, enabling SHET to apply networking changes in a more agile way with less inter-group dependency. The projects span both IT and OT (operational technology).
This project will in 2025 define a costed strategy, architecture secure design, support model and execution plan for SHET to meet its desired network and security outcomes, with execution of the approved design to follow in 2026 as part of the RIIO-T3 regulatory period. On-site execution will take place across the territory of Scotland.
The supplier should be able to provide CREST certified penetration testing services
It is desirable that the supplier have the capability to provide IT managed services and project delivery services (for example but not limited to networking, infrastructure, cybersecurity specialisms) and professional services as this may be a future requirement.
The PIN estimate reflects a combination of initial project delivery, contingency, potential ad-hoc projects and support services, and is not a promise or guarantee that the estimate will be reached during the initial or renewal terms.
two.1.5) Estimated total value
Value excluding VAT: £60,000,000
two.1.6) Information about lots
This contract is divided into lots: No
two.2) Description
two.2.3) Place of performance
NUTS codes
- UK - United Kingdom
Main site or place of performance
Onsite delivery to take place across the geography of Scotland, any remote delivery services to be performed within the UK
two.2.4) Description of the procurement
The objective of the project is to further segregate SHET network zones from SSE corporate networking, enabling SHET to apply networking changes in a more agile way with less inter-group dependency, and where relevant limit personnel access to network segments. The projects span both IT and OT (operational technology); on-site execution will take place across the territory of Scotland.
Project 1 - 2025 (Part of RIIO-T2):
Provide costed strategy options to fulfil the programme outcome, this to include;
• 'To-be' estate architecture and security design (including Business Continuity and Disaster Recovery design)
• 'To be' support model
• 'To-be' Resource Plan, including skills matrix and recruitment plan.
• Detailed estate transition execution plan including, hypercare and Handover to Support approach
• Risk assessment, management and mitigation approach
• 'End-state' assessment approach of final estate post-transformation; creating report summarizing outcomes achieved/partially achieved, testing/pen-testing outcomes, residual management/activity required to retain acceptable risk level and manage emerging risk
The design phase to provide options that can be reviewed and agreed with by SHET:
o High Level Design Options with level of risk for acceptance
o Low Level Design Options with level of risk for acceptance
• The current network design is complex with a disparate combination of separate and shared services with other SSE businesses. It is important that the design for the "To-Be" solution minimises the risk to the business during the transformation from the current network architecture to the future model. Suppliers should appreciate transition will be undertaken in the context of a live operating environment.
• SHET may wish to see an approach where a supplier can deliver a scalable proof of concept of key assemblies in a reasonable time, to demonstrate and rigour-test a solution approach prior to mass-scale deployment
The estate transformation will include the following;
- Creating a new physically and logically separated Active Directory, directory scheme, configuration, and access control structure.
- Physical separation of network and server infrastructure; including:
o Servers (including data centres)
o Storage, backups
o Fibres (using existing fibre bundles/lines)
o Switches
o Routers
o SHET dedicated firewall appliances
o Wide Area Network communications between SCADA and remote sites
o Firewalls
- Physical separation in Purdue level 3, in RIIO-T3, such that Transmission OT systems are only accessible to Transmission staff and their approved suppliers.
- Separation of remote devices so they are ringfenced to only access a specific network zone.
The prospective supplier should ensure that their proposed design recommendation has been thoroughly reviewed by their internal design authority and will be required to seek design approval from SHET's own design authority.
Project 2 - 2026 (Part of RIIO-T3):
EXECUTE the agreed costed strategy option; including:
• Delivery of estate transformation (including on-site work pan-Scotland)
• Solution testing including functional, pen-testing, BCDR testing (where appropriate)
• Project management of suppliers own resources, feed into SHET project, programme and design governance. Actively manage risk and mitigate service impact during transition.
• Service Transition including SCADA Centre and Sub-stations
• Post-implementation hyper-care
• Final outcomes and testing report
Other services
The supplier should be able to provide CREST certified penetration testing services
It is desirable that the supplier have the capability to provide IT managed services and project delivery services (for example but not limited to networking, infrastructure, cybersecurity specialisms) and professional services as this may be a future requirement.
The PIN estimate reflects a combination of initial project delivery, contingency, potential ad-hoc projects and support services, and is not a promise or guarantee that the estimate will be reached during the initial or renewal terms.
two.2.5) Award criteria
Price is not the only award criterion and all criteria are stated only in the procurement documents
two.2.6) Estimated value
Value excluding VAT: £60,000,000
two.2.7) Duration of the contract, framework agreement or dynamic purchasing system
Duration in months
96
This contract is subject to renewal
Yes
Description of renewals
Total term of 8 years reflects a top end estimate, including initial project delivery (timescale to be confirmed through detailed planning with successful tenderer) plus option for ongoing services subject to SHET agreeing such services with the successful tenderer
two.3) Estimated date of publication of contract notice
19 August 2024
Section three. Legal, economic, financial and technical information
three.1) Conditions for participation
three.1.1) Suitability to pursue the professional activity, including requirements relating to enrolment on professional or trade registers
List and brief description of conditions
Prospective suppliers should be able to commit that they have reasonable procedures in place for the prevention of modern slavery, human trafficking, financial crime and bribery
Prospective suppliers should be able to commit to revealing the identity of any third party subcontractors or solutions upon which their delivery of services would be dependent. SHET may require the right to undertake business probity, financial, cybersecurity and other compliance reviews of subcontractors.
Prospective suppliers may be required to sign a Non-Disclosure-Agreement before security sensitive content is shared with them
Other or additional conditions of participation may be set out in the final tender documents.
three.1.2) Economic and financial standing
List and brief description of selection criteria
Prospective suppliers must have a minimum turnover of £50m p.a.
The financial standing of a prospective supplier must give SHET reasonable confidence that they can successfully fund the services for the duration and accept reasonable liability in line with the level of risk their project presents to SHET.
Other/additional requirements may be set out in the final tender documents.
three.1.3) Technical and professional ability
List and brief description of selection criteria
Prospective suppliers should be able to evidence strong knowledge and experience in the delivery of similar projects, including multiple secure network implementations/re-structures at similar scale
Prospective suppliers should be familiar with major brands of OT and IT equipment
Additional requirements may be set out in the final tender documents.
Minimum level(s) of standards possibly required
Prospective suppliers will be required to be accredited to SOC2 or ISO27001 level (or recognized equivalent)
Prospective suppliers should be able to provide personnel based in the UK (during delivery) who have been through enhanced background vetting or carry current security clearance (SC or above). The same vetting expectation may be required for subcontractors of the supplier who work on the delivery
Prospective suppliers should be knowledgeable in NIST standard SP800-53
Penetration test personnel provided should be CREST accredited.
Additional requirements may be set out in the final tender documents.
three.2) Conditions related to the contract
three.2.3) Information about staff responsible for the performance of the contract
Obligation to indicate the names and professional qualifications of the staff assigned to performing the contract
Section four. Procedure
four.1) Description
four.1.3) Information about a framework agreement or a dynamic purchasing system
The procurement involves the establishment of a framework agreement
Framework agreement with a single operator
four.1.8) Information about the Government Procurement Agreement (GPA)
The procurement is covered by the Government Procurement Agreement: No
four.2) Administrative information
four.2.4) Languages in which tenders or requests to participate may be submitted
English
Section six. Complementary information
six.2) Information about electronic workflows
Electronic ordering will be used
Electronic invoicing will be accepted
Electronic payment will be used
six.4) Procedures for review
six.4.1) Review body
SSE Plc.
Perth, Scotland
Country
United Kingdom