ICS/OT security RFPs differ significantly from IT security RFPs due to the focus on maintaining operational uptime and physical safety. Traditional IT security tools can disrupt or even damage sensitive industrial equipment. The need to support legacy systems and obscure, vendor-specific protocols adds another layer of complexity. Furthermore, compliance requirements such as NERC CIP and industry-specific regulations necessitate specialized expertise and capabilities.
How to write an RFP for ICS and OT
Requirements, questions, and evaluation criteria specific to ICS and OT procurement
Securing Industrial Control Systems (ICS) and Operational Technology (OT) requires a specialized approach. RFPs in this category are crucial for addressing the unique performance, safety, and reliability requirements distinct from traditional IT environments, ensuring the protection of critical infrastructure and physical processes.
What makes ICS and OT RFPs different
- Passive asset discovery to avoid disrupting sensitive systems
- Deep packet inspection (DPI) for industrial protocols
- Risk-based vulnerability management tailored to OT environments
- Integration with existing SIEM/SOAR platforms
RFP vs RFI vs RFQ
Here's when to use each document type when procuring ICS and OT software.
RFI
Request for Information. Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.
RFP
Request for Proposal. Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.
RFQ
Request for Quote. Use when requirements are fixed and you just need final pricing. Often used after an RFP when you're ready to negotiate with finalists.
For ICS/OT security, an RFI helps understand the landscape of available solutions and vendor specializations. An RFP is essential for detailed technical and commercial evaluation, considering the high stakes and potential for catastrophic consequences. RFQs are less applicable due to the complexity and customization required.
Technical requirements checklist
Use this checklist when defining your RFP scope.
Asset Discovery and Inventory
- Passive network discovery capabilities
- Identification of OT assets (PLCs, HMIs, etc.)
- Detailed asset information (make, model, firmware)
- Automatic inventory updates
Protocol Support
- Support for industrial protocols (Modbus, DNP3, Profibus)
- Deep packet inspection (DPI) for protocol analysis
- Protocol-specific anomaly detection
- Custom protocol support capabilities
Vulnerability Management
- Risk-based vulnerability prioritization
- OT-specific vulnerability database
- Integration with vulnerability scanning tools
- Remediation guidance for OT vulnerabilities
Threat Detection and Response
- Behavioral anomaly detection
- OT-specific threat intelligence feeds
- Incident response playbooks for OT attacks
- Integration with SIEM/SOAR platforms
Secure Remote Access
- Granular access control policies
- Multi-factor authentication
- Session recording and auditing
- Just-in-time access provisioning
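As an added illustration of the passive discovery and protocol-specific anomaly detection items in the checklist above (example code written for this guide, not from any vendor product): the parser below reads already-captured Modbus/TCP request bytes, builds an asset inventory keyed by target IP and unit ID, and flags state-changing write functions from hosts outside a hypothetical engineering-workstation allowlist. The sample frames, IP addresses and allowlist are constructed.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state (standard public function codes)
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}

@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int

def parse_modbus_tcp(src, dst, payload):
    """Parse one Modbus/TCP request from captured TCP payload bytes.
    Passive: nothing is sent to the device, only the capture is read."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    # MBAP header: transaction id, protocol id (always 0), length, unit id
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"non-Modbus protocol id {proto_id}")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload")
    return ModbusRequest(src, dst, unit_id, payload[7])

def inventory_and_alerts(captured, engineering_hosts):
    """Build {(dst_ip, unit_id): {function codes seen}} and a list of alerts."""
    assets, alerts = {}, []
    for src, dst, payload in captured:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as err:
            alerts.append(f"malformed Modbus from {src}: {err}")
            continue
        assets.setdefault((dst, req.unit_id), set()).add(req.function)
        if req.function in WRITE_FUNCS and src not in engineering_hosts:
            alerts.append(f"write FC {req.function} to {dst} unit {req.unit_id} "
                          f"from unapproved host {src}")
    return assets, alerts

# Constructed sample capture: (src ip, dst ip, Modbus/TCP payload)
CAPTURE = [
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0001000000060103000A0002")),  # FC3 read
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0002000000060106000A0001")),  # FC6 write, EWS
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("0003000000060106000A0000")),  # FC6 write, unknown
    ("10.0.1.99", "10.0.2.6", bytes.fromhex("00040001000601030000000A")),  # bad protocol id
]
ENGINEERING_HOSTS = {"10.0.1.10"}  # hypothetical allowlist of hosts permitted to write

def analyze_capture():
    return inventory_and_alerts(CAPTURE, ENGINEERING_HOSTS)
```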
Questions to include in your RFP
Architecture and Deployment
- Describe your solution's architecture and deployment options (on-premise, cloud, hybrid). Understanding the architecture is vital for ensuring compatibility with the existing infrastructure.
- How does your solution minimize impact on OT network performance and availability? Minimizing latency is crucial in OT environments to avoid disrupting critical processes.
- Explain your solution's scalability to accommodate future growth and expansion of the OT environment. Scalability ensures the solution can adapt to evolving needs without requiring significant overhauls.
- Detail your solution's data storage and retention policies. Data retention policies affect compliance and forensic investigation capabilities.
Asset Discovery and Inventory
- Describe your passive asset discovery capabilities, including supported protocols and device types. Passive discovery ensures minimal disruption to sensitive OT systems.
- How does your solution identify and classify assets without active scanning? Active scanning can cause legacy devices to crash.
- What level of detail is provided for each asset (e.g., make, model, firmware, serial number)? Detailed asset information is essential for effective vulnerability management.
- How does your solution handle unknown or custom devices and protocols? OT environments often include unique and proprietary devices.
Threat Detection and Response
- Describe your behavioral anomaly detection capabilities for OT environments. Behavioral analysis can identify subtle deviations indicative of cyberattacks or equipment failures.
- How does your solution leverage OT-specific threat intelligence to detect and prevent attacks? OT-specific threat intelligence is critical for identifying targeted industrial malware.
- Detail your incident response playbooks and procedures for OT security incidents. Prepared incident response plans are essential for minimizing downtime and damage.
- How does your solution integrate with existing SIEM/SOAR platforms for centralized security management? Integration streamlines incident response and improves collaboration between IT and OT teams.
Vulnerability Management
- Describe your risk-based vulnerability management approach for OT assets. Prioritization based on operational criticality prevents alert fatigue and focuses on the most critical risks.
- How does your solution identify and prioritize vulnerabilities that are exploitable in an industrial context? Many IT vulnerabilities are not relevant or exploitable in OT environments.
- Detail your remediation guidance for OT vulnerabilities, including compensating controls. Compensating controls provide temporary protection when patching is not possible.
- How do you handle vulnerabilities in legacy systems that cannot be patched? Many OT systems are too old to receive security updates.
Secure Remote Access
- Describe your secure remote access capabilities for vendors and remote employees. Secure remote access is essential for enabling remote support without compromising security.
- How does your solution provide granular access control and session monitoring? Granular control limits the scope of access and prevents unauthorized activities.
- Detail your multi-factor authentication and session recording features. MFA adds an extra layer of security, and session recording provides an audit trail.
- How does your solution integrate with existing identity and access management (IAM) systems? Integration streamlines user management and enforces consistent access policies.
Compliance and Reporting
- How does your solution help us comply with industry-specific regulations (e.g., NERC CIP, NIS2, TSA Pipeline Security Directives)? Compliance is often a legal requirement and essential for maintaining operational licenses.
- Detail your automated reporting capabilities for compliance audits. Automated reporting reduces the burden of compliance and ensures accurate documentation.
- Can your solution map its findings to industry standards and provide recommendations for remediation? Mapping to standards simplifies audit preparation and provides actionable guidance.
- Describe your solution's support for data privacy and security requirements. Data privacy is increasingly important in industrial environments.
Compliance and security requirements
Depending on your industry, you may need to require proof of these certifications and standards.
NERC CIP
Required for North American electric utilities. If applicable, request evidence of NERC CIP compliance and audit reports.
NIS2 Directive
Required for critical infrastructure in the European Union. If applicable, request documentation outlining adherence to NIS2 requirements.
IEC 62443
Required for industrial automation and control systems. If applicable, request certification or attestation of conformity to IEC 62443 standards.
TSA Pipeline Security Directives
Required for US oil and gas pipelines. If applicable, request information on compliance with TSA security directives.
Evaluation criteria
Here is the suggested weighting for ICS and OT RFPs.
- Increase the weight if the vendor is primarily an IT security company.
- Increase the weight if a complex integration landscape exists.
Red flags to watch
- IT-First Pedigree: A vendor primarily focused on IT security with a new OT module may lack the necessary protocol depth and safety mindset.
- Reliance on Active Scanning: Vendors that insist on active scanning as the primary method pose a risk to industrial uptime.
- Opaque Pricing: Usage-based fees that scale with data volume can lead to massive cost overruns as industrial data scales.
- Lack of OT Threat Research: Vendors that rely solely on public IT threat feeds will miss highly targeted industrial malware.
- Weak Financials: A vendor with high burn rates or a history of frequent acquisitions may be unstable given the long-term commitment required.
Key metrics to request
Ask vendors to provide benchmarks from similar customers.
Mean Time to Detect (MTTD)
Minimizes the time an attacker can remain hidden in the network.
Mean Time to Contain (MTTC)
Prevents a minor infection from spreading to critical production zones.
Asset Coverage Rate
Ensures no "dark" corners of the factory exist for attackers to hide.
False Positive Rate
Prevents "alert fatigue" and ensures operators trust the system.
Implementation Timeline for Similar Customers
Helps set realistic expectations and identify potential delays.