Question:
Hi

Could you share any insights and differences( if any), on going to market with a second request for EoI on OT VM

The May EoI issue appears same as April issue apart from some minor differences.



thank you.

Answered on 23/May/2025 11:26 AM:


Good morning,

Seqwater advises that there were minor updates to all three documents released to market (between 06184 April and 06191 May). We therefore advise respondents to thoroughly review the amended documentation prior to submitting a response to the EOI.

Kind regards

Question:
If possible, could you specify the list of OT devices for which you want to perform vulnerability management? so that we can bid on this tender accordingly.

Answered on 26/May/2025 09:10 AM:


Seqwater will not define the list of OT devices at this stage. As per 06191 EOI Part 1, Section C Scope and Specification:

“A network detection and response (NDR) method will be used for detection. Scanning and assessment should be non-intrusive for OT devices.”

Question:
n the Protocol sheet of the Excel spreadsheet, there are several entries that appear to be brand or vendor-specific DCS/PLC solutions rather than actual communication protocols. Could you please clarify the protocol requirements. Thanks

Answered on 26/May/2025 01:53 PM:


Network Detection and Response (NDR) solutions must be capable of recognising and analysing protocols that are specifically used in Industrial Control Systems (ICS). This capability is essential for adapting to the evolving landscape of technology and ensuring that products remain relevant and effective in the future. By effectively identifying these specialised protocols, organisations can enhance their security posture, mitigate risks associated with industrial environments, and ensure ongoing compliance with emerging industry standards.

Question:
Hi

Will SEQ Water accept EoI responses from organisations that are currently undergoing ISO27001 assessment and can provide written evidence along with an expected certification date from the certifying organisation.

regards

Answered on 27/May/2025 12:06 PM:


In relation to 06191 EOI Part 2, Section 10. Strength of Cyber Security and Quality Management Systems and/ or Internal Quality Assurance Processes, the Respondent is to demonstrate the strength of their cybersecurity (via assurance framework, standards, or certification) with one (1) of the listed cyber security activities.

• SOC2 Type2 (Service Organization Control 2)

• IRAP ((Information Security Registered Assessors Program – Australia))

• ISO27001 and Statement of applicability (SOA)

• NIST (National Institute of Standards and Technology) CSF Self-Assessment

• International Electrotechnical Commission (IEC) 62443 certificate.

Where a Respondent is undergoing certification, written evidence should be provided to demonstrate that the Respondent’s policies, procedures, and practices align with the requirements of the relevant standard/certification.

Question:
To ensure compatibility and to better scope our solution, could you please confirm the operating systems installed on the OT (Operational Technology) devices mentioned in the tender? Specifically, if the OT devices run on Windows or Linux-based systems, we would be able to support this requirement effectively and proceed accordingly with our proposal.

Answered on 27/May/2025 12:07 PM:


Seqwater will not define the list of O/S. As per 06191 EOI Part 1, Section C Scope of Works and Specification:

“A network detection and response (NDR) method will be used for detection. Scanning and assessment should be non-intrusive for OT devices.”

Question:
Hi


Are you able to advise the no. of OT devices or an estimate as opposed to a list of devices ?

regards

Answered on 27/May/2025 12:08 PM:


Seqwater will not define the list of devices. As per 06191 EOI Part 1, Section C Scope of Works and Specification:

“A network detection and response (NDR) method will be used for detection. Scanning and assessment should be non-intrusive for OT devices.”