SOURCES SOUGHT
R -- Sources Sought for Examining Transformations in Cybersecurity States (TOCS) for Nuclear Applications
- Notice Date
- 12/20/2023 8:29:05 AM
- Notice Type
- Sources Sought
- NAICS
- 541690, Other Scientific and Technical Consulting Services
- Contracting Office
- NUCLEAR REGULATORY COMMISSION ROCKVILLE MD 20855 USA
- ZIP Code
- 20855
- Solicitation Number
- APP-24-RES-0027
- Response Due
- 1/16/2024 2:00:00 PM
- Archive Date
- 01/31/2024
- Point of Contact
- MITCHELL, JEFFREY R., Phone: 3014155074, PEREZ-ORTIZ, ARACELIS, Phone: 3014150085
- E-Mail Address
- Jeffrey.Mitchell@nrc.gov, Aracelis.Perez-Ortiz@nrc.gov
- Description
- Sources Sought for Examining Transformations in Cybersecurity States (TOCS) for Nuclear Applications

THE U.S. NUCLEAR REGULATORY COMMISSION (NRC) is issuing this Sources Sought Synopsis as a means of conducting market research, or as a market survey, to determine the availability of potential qualified vendors with the technical capability to provide all management, supervision, administration, and labor for the project titled "Examining Transformations of Cybersecurity States (TOCS) for Nuclear Applications."

BACKGROUND

Cyber attackers have become more aggressive and are developing targeted malware that leverages knowledge of the nuclear domain and of cyber-physical systems (CPS)[1]. The current perimeter-based security model, and the dominant use of static physical controls to address vulnerabilities, may need to be augmented to address these new threats. To mitigate the potential for successful cyber attacks, the nuclear industry may follow other industries and government entities by supplementing existing controls with cybersecurity defensive approaches that affect both the actual and the observed system states[i] relevant to a cyber attack. This research defines Transformations of Cybersecurity States (TOCS)[ii] as the family of such approaches. One well-known member of this family is moving target defense (MTD)[2].

TOCS approaches may affect an attacker's capability to perform an attack and a system's capability to withstand attacks. This research will examine the feasibility and utility of TOCS approaches for nuclear cybersecurity and address the technical and regulatory implications associated with the use of these technologies. The goal of the research is to prepare the NRC to regulate licensee TOCS approaches by developing basic knowledge and insights concerning the approaches and the potential consequences of their application to nuclear cybersecurity.

SPECIFIC ACTIVITIES

The NRC is seeking a vendor capable of performing research on TOCS approaches.
Tasks performed as part of this research include:
- capturing information about current and new TOCS technologies and applications through literature reviews and outreach to nuclear and cybersecurity stakeholders;
- identification and analysis of the TOCS technologies and approaches that may be suitable to the nuclear cybersecurity use case;
- development or identification of a nuclear-appropriate framework for considering the feasibility and utility of TOCS approaches (e.g., factors for consideration, pros, cons, metrics, and risk), and evaluation of each approach using the framework;
- development of insights, including identification of the TOCS approaches that are most beneficial to and most likely to be used by the industry, the regulatory gaps that must be closed to prepare the NRC to evaluate use of such applications, and the future research activities needed to advance NRC knowledge of TOCS;
- identification and implementation of potential testing approaches for TOCS applications in a nuclear-relevant setting; and
- production of one or more technical reports documenting the results of this project.
REQUIRED CAPABILITIES

The applying organization/vendor must have the following capabilities:
- Knowledge and understanding relevant to nuclear cybersecurity states
- Familiarity with basic nuclear power plant structures, systems, and components; states; performance; and operations
- Specific knowledge regarding applications of digital instrumentation and control and information technology to nuclear and other CPS
- Experience measuring and characterizing nuclear and other CPS relative to system and cybersecurity outcomes
- In-depth knowledge of a variety of cyber attacks and of their effects on nuclear and cyber-physical systems
- Detailed knowledge of how actual and observed cybersecurity states are changed by a given cyber attack
- Detailed knowledge of common countermeasures against such attacks and of how the countermeasures affect a system's actual and observed states
- Capability to understand general TOCS approaches and identify specific technologies applicable to each approach
- Capability to map existing research, approaches, and technologies to abstract TOCS categories
- Capability to apply knowledge of general TOCS approaches to the nuclear domain
- Understanding of nuclear industry defensive architectures and capabilities that affect actual and observed states
- Capability to evaluate and assess TOCS tools and technologies relevant to nuclear and CPS cybersecurity outcomes
- General understanding of NRC cybersecurity regulatory frameworks and activities
- Familiarity with NRC, other U.S. federal, and industry regulations and guidance relevant to nuclear cybersecurity
- Capability to analyze TOCS techniques and approaches relative to NRC cybersecurity regulatory frameworks and identify potential gaps
- Capability to represent, simulate, or emulate basic nuclear power plant cyber security systems, states, performance, and operations
- Capability to simulate various cyber attacks and countermeasures in nuclear power plants in order to assess various TOCS approaches
- Capability to integrate power plant systems and cyber systems representations into a composite system representation suitable for research, testing, and evaluation of cyber attacks and their consequences for plant systems
- Capability to represent, simulate, or emulate cyber attacks on the composite system representation and measure/evaluate the consequences of the attacks on the composite system
- Capability to develop abstract frameworks and/or models relevant to nuclear and CPS cybersecurity

The vendor must provide a team of personnel that as a whole possesses the following qualifications:
- Understanding of the nuclear power plant operational domain, including reactor systems, instrumentation and controls, normal and abnormal operating conditions, and other common commercial nuclear power plant structures, systems, and components
- Expertise in nuclear power plant cyber security programs, postures, requirements, and controls
- Expertise in nuclear power plant simulation
- Expertise in the research process and in applying new cybersecurity approaches to existing infrastructures
Services will be provided remotely to the NRC, located in Rockville, Maryland. The applicable North American Industry Classification System (NAICS) code assigned to this procurement is 541690.

THERE IS NO SOLICITATION AT THIS TIME. This request for sources and vendor information does not constitute a request for proposal; submission of any information in response to this market survey is purely voluntary; the Government assumes no financial responsibility for any costs incurred. The purpose of this announcement is to provide potential sources the opportunity to submit information regarding their capabilities to perform work for the NRC free of conflict of interest (COI). For information on NRC COI regulations, visit NRC Acquisition Regulation Subpart 2009.5 (http://www.nrc.gov/about-nrc/contracting/48cfr-ch20.html). All interested parties, including all categories of small businesses (small businesses, small disadvantaged businesses, 8(a) firms, women-owned small businesses, service-disabled veteran-owned small businesses, and HUBZone small businesses), are invited to submit a response.

The capabilities package submitted by a vendor should demonstrate the firm's ability, capability, and responsibility to perform the principal components of work listed above. The package should also include past performance/experience regarding projects of similar scope, listing the project title, a general description, the dollar value of the contract, and the name of the company, agency, or government entity for which the work was performed. Organizations responding to this market survey should keep in mind that only focused and pertinent information is requested. If significant subcontracting or teaming is anticipated in order to deliver technical capability, organizations should address the administrative and management structure of such arrangements. Submission of additional materials such as glossy brochures or videos is discouraged.
HOW TO RESPOND TO THIS SOURCES SOUGHT NOTICE

If your organization has the capability and capacity to perform, as a prime contractor, one or more of the services described in this notice, then please respond to this notice and provide written responses to the following. Please do not include any proprietary or otherwise sensitive information in the response, and do not submit a proposal. Proposals submitted in response to this notice will not be considered.
- Organization name, address, e-mail address, Web site address, and telephone number.
- What size is your organization with respect to the NAICS code identified in this notice (i.e., "small" or "other than small")?
- If your organization is a small business under the aforementioned NAICS code, what type of small business (i.e., small disadvantaged business, woman-owned small business, economically disadvantaged woman-owned small business, veteran-owned small business, service-disabled veteran-owned small business, 8(a), or HUBZone small business)? Specify all that apply.
- Separately and distinctly describe your organization's ability to meet the capabilities indicated in the Required Capabilities section above.
- Indicate whether your organization offers any of the required capabilities described in this notice on one or more of your company's own Federal Government contracts (i.e., a GSA Federal Supply Schedule contract or Government-wide Acquisition Contracts) that the NRC could order from and, if so, which services are offered. Also provide the contract number(s) and indicate what is currently available for ordering from each of those contracts.
- Is your organization currently performing, or has it in the past performed, the same or similar services as those listed above for any of the licensees regulated by the NRC? If so, which licensees? See http://www.nrc.gov/about-nrc/regulatory/licensing.html for more information on NRC licensing.
- Has your organization previously faced organizational conflict of interest issues with the NRC? If so, what were they and how were they mitigated or resolved?

Interested organizations responding to this Sources Sought Synopsis are encouraged to structure capability statements in the order of the areas of consideration noted above. All capability statements sent in response to this notice must be submitted electronically, via e-mail, to Jeffrey Mitchell at Jeffrey.Mitchell@nrc.gov, in either MS Word or Adobe Portable Document Format (PDF), by January 16, 2024, close of business.

DISCLAIMER AND NOTES: Any organization responding to this notice should ensure that its response is complete and sufficiently detailed to allow the Government to determine the organization's potential capability and capacity to perform the subject work. Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received or to provide feedback to respondents with respect to any information submitted. After a review of the responses received, a pre-solicitation synopsis and solicitation may be published on sam.gov. However, responses to this notice will not be considered adequate responses to a solicitation.

[1] Cyber-Physical Systems (CPS) are integrations of computation, networking, and physical processes (https://ptolemy.berkeley.edu/projects/cps/).

[2] MTD is a cybersecurity paradigm that proactively thwarts cyber attacks that rely on a static system by using dynamic system states. MTD enables polymorphism among system components while maintaining isomorphism of important system functionality (safety and security properties). It constantly (and unpredictably) changes a system to shift the attack surface and increase the cost to attackers.
[i] Successful cyber attacks at nuclear power facilities require the interaction of information technology (IT) and operational technology (OT) to negatively affect a safety, security, or emergency preparedness (SSEP) function. At a high level, the elements related to a successful cyber attack can be understood using a state-based viewpoint:
- (1) State: a system's state fully characterizes the system for a given purpose (multiple state viewpoints are possible); e.g., the attacker's cybersecurity state represents the set of system characteristics useful for, or related to, conducting a cyber attack.
- (2) Observed State: an observed state is obtained by measuring a system's state and depends on the methods of measurement and the information available for measurement; e.g., an external (attacker's) observed state may contain less information than an internal (plant operator's) observed state.
A successful attack may be related to elements of both (1) and (2). For example, elements might include the attacker's knowledge of the system, i.e., the attacker's cybersecurity observed state, and elements related to the system itself, i.e., the system's (actual) cybersecurity state, such as the system's attack surface and its resilience to attacks. Approaches that affect these elements may affect the overall potential for a successful cyber attack.

[ii] Transformations of Cybersecurity States (TOCS) are cybersecurity approaches that change system states and/or observed states and are polymorphic to attackers but isomorphic to system users and outcomes. TOCS approaches can be grouped into at least five areas:
- Moving Target Defense (MTD): (periodically or randomly) change system properties/states, deploy computer systems, and use diversity to affect the attacker's system knowledge.
- System State Obfuscation (SSO): introduce noise, randomness, or falsity into the information an attacker can gather about the system.
- Cyber Complexity Increase (CCI): establish heterogeneity among system elements, forcing an attacker to expend more effort to gain system knowledge and execute successful attacks.
- Cyber Hardness and Resilience by Design (CHRD): include "extra" design features that increase attack difficulty and mitigate the consequences of malicious operations, especially operations outside the design safety operational envelope.
- Key Cyber Information Protection (KCIP): identify key cyber-exploitable information and prevent an attacker from accessing that information.
These TOCS approaches may be grouped according to their state effects as follows:
- Affects actual system state: MTD, CCI, CHRD
- Affects observed system state: SSO, KCIP
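The distinction the endnotes draw between a system's actual state and an attacker's observed state, and the claim that a TOCS approach should be polymorphic to the attacker but isomorphic to legitimate users, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the NRC or from the research described in the notice. The port pool, the three service names, the one-shot scan model of the attacker, and the "decoy port" model of System State Obfuscation are all assumptions chosen for illustration only.

```python
"""Toy model of actual vs. observed cybersecurity state under two TOCS approaches (MTD and SSO).

Added illustration for this notice, not NRC or project code. Everything below is a
simplification: services are just name -> port bindings, an "attack" is a request to
a port, and the attacker works from a single scan snapshot (the observed state).
"""
import random
from dataclasses import dataclass

# Hypothetical pool of ports a service can be rebound into (assumption for the toy model).
PORT_POOL = list(range(20000, 20100))


@dataclass
class Plant:
    """Actual cybersecurity state of the toy plant: the port each exposed service listens on."""
    services: dict  # service name -> current port

    def resolve(self, name):
        """Authorised users look up the current binding, so their function is preserved (isomorphic)."""
        return self.services[name]

    def accept(self, name, port):
        """A request reaches the service only if it targets the port in the current actual state."""
        return self.services.get(name) == port


def mtd_shuffle(plant, rng):
    """Moving Target Defense: rebind every service to a fresh port.

    The actual state changes (polymorphic to an attacker holding an old scan) while the
    set of services and their behaviour stays the same.
    """
    new_ports = rng.sample(PORT_POOL, len(plant.services))
    plant.services = dict(zip(plant.services, new_ports))


def observe(plant, rng, decoy_fraction=0.0):
    """Attacker's observed state: a one-time scan snapshot of the plant.

    System State Obfuscation is modelled by answering a fraction of the probes with a
    decoy port, so the observed state diverges from the actual state even with no MTD.
    """
    observed = {}
    for name, port in plant.services.items():
        if rng.random() < decoy_fraction:
            observed[name] = rng.choice([p for p in PORT_POOL if p != port])
        else:
            observed[name] = port
    return observed


def run_campaign(rounds, mtd_period=0, decoy_fraction=0.0, seed=1):
    """Attacker scans once, then attacks every round from that (stale and/or false) observed state.

    Returns (attacker_hits, user_hits): requests that reached their target service for the
    attacker working from the observed state, and for a user resolving the actual state
    each round. mtd_period=0 disables shuffling; mtd_period=1 shuffles before every round.
    """
    rng = random.Random(seed)
    # Constructed sample actual state: three plant-side services on fixed ports.
    plant = Plant({"hmi": 20001, "historian": 20002, "eng_ws": 20003})
    observed = observe(plant, rng, decoy_fraction)
    attacker_hits = user_hits = 0
    for r in range(1, rounds + 1):
        if mtd_period and r % mtd_period == 0:
            mtd_shuffle(plant, rng)
        attacker_hits += sum(plant.accept(n, p) for n, p in observed.items())
        user_hits += sum(plant.accept(n, plant.resolve(n)) for n in plant.services)
    return attacker_hits, user_hits


if __name__ == "__main__":
    print("static plant, no TOCS:", run_campaign(10))
    print("MTD shuffle each round:", run_campaign(10, mtd_period=1))
    print("SSO, every probe answered with a decoy:", run_campaign(10, decoy_fraction=1.0))
```

With no TOCS the attacker's observed state equals the actual state and every request lands; with MTD the actual state drifts away from the stale observation, and with full SSO the observation was never correct, yet in every run the legitimate user's count is unchanged. That pair of numbers, attacker effectiveness against preserved user function, is the kind of metric the "framework for consideration" task above would need to define for each TOCS approach, and the toy makes visible the trade-off a real evaluation must price in: the MTD variant requires a trustworthy resolution path for users, and the SSO variant requires that decoys never mislead the plant's own operators or safety systems.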
- Web Link
- SAM.gov Permalink (https://sam.gov/opp/8945195140d148b288e655599801dd42/view)
- Record
- SN06918966-F 20231222/231220230049 (samdaily.us)
- Source
- SAM.gov Link to This Notice (may not be valid after Archive Date)