STATE-OWNED ELECTRICITY GRID operator EirGrid wants to enlist an external cybersecurity team to bolster its systems against cyber-attacks.
The operator has issued a call for tenders for a service provider with up to 15 people in roles such as security auditors, penetration testers and consultants as well as an account manager.
EirGrid already has a security team, but the new contractors will be tasked with assessing vulnerabilities and potential risks in its systems and infrastructure.
“Driven by the ongoing development of our information security framework and business transformation programmes, EirGrid’s Information Security function has established a security testing and a security risk assessments reporting regime,” it said in the tender documents.
The successful bidder for the contract – which is estimated to be worth €640,000 – will carry out security audits and reviews and devise remediation plans for the electricity operator.
This initiative will require checks on physical servers, databases and various networks that contribute to EirGrid’s operations and its running of power systems around the country.
EirGrid said in its tender request that it has a preference for candidates with security testing experience in SCADA (supervisory control and data acquisition) and ICS (industrial control systems) infrastructures.
These terms refer to the various systems used in the energy supply industry for operating electricity networks.
Security researchers have demonstrated how these control systems can be compromised.
An infamous recent example involved an attack on Ukraine’s power grid, where poorly secured login protocols for its SCADA network allowed hackers to enter the network, take control of circuit breakers and shut down substations. Commentators were quick to point the finger at Russia-affiliated hackers.
There is now greater pressure on infrastructure operators to strengthen their cybersecurity processes.
The EU’s Network and Information Security directive, which was transposed into Irish law last year, requires certain bodies and companies, known as operators of essential services (OES) in sectors like energy, transport and health services, to meet strict new cybersecurity obligations.
EirGrid said in its documents that it is “essential” that prospective applicants provide at least one example of a previous contract where they delivered services to an OES.
The tender contract is due to be awarded in June and will run for three years initially.