Threat Led Penetration Testing - Black Team
Descriptions
About the Contracting Authority
The UK Space Agency (UKSA) plays a major role in delivering the government's National Space Strategy. We support a thriving space sector in the UK, which generates an annual income of £16.5 billion and employs 47,000 people across the country. Our staff includes scientists, engineers, commercial experts, project managers and policy officials who help to:
1. catalyse investment to support projects that drive investment and generate contracts for the UK space sector
2. deliver missions and capabilities that meet public needs and advance our understanding of the Universe
3. champion the power of space to inspire people, offer greener, smarter solutions, and
4. support a sustainable future.
We are an executive agency of the Department for Science, Innovation and Technology (DSIT).
The Space, Security & Resilience Team promote a safe, sustainable and more secure space environment through international engagement and the development of national policy, plans and procedures to enable the delivery of space-based services and capabilities that are resilient to disruptive challenge.
The UK Space Agency is looking to procure, via an open tender exercise, a limited-scope assessment of the physical security posture of a number of companies.
The assessment will be undertaken through a real-world physical intrusion attempt in order to evaluate the organisation's ability to prevent, detect, and respond to this type of threat.
The intervention will identify vulnerabilities and provide recommendations for improvement.
1. Scope
The delivery organisation for this work may be required to gain 'unauthorised' access via gated control, guards, perimeter fencing, CCTV and/or a reception area (each company will differ).
This will involve access to a controlled building, floor or room identified to test the effectiveness of physical security measures, access management, and response protocols.
The UKSA will identify the companies required to be tested.
The delivery organisation will undertake conversations with a single point of contact in the identified companies in order to make all arrangements regarding the assessment and gain high level authorisation.
The method of access, i.e. social engineering tactics, mimicking of staff, use of false ID etc., is at the discretion of the delivery organisation.
Companies may be anywhere in the UK, including Scottish Islands.
2. Deliverables
• Regular meetings with the UKSA Space Security & Resilience Team: Timing to be determined in order to update on progress, risks and issues.
• Physical intrusion of a number of companies working in the Space domain: As detailed above.
• Assessment Report and remediation plan: A comprehensive report detailing the findings, including identified vulnerabilities, exploitation methods, and recommendations for remediation for the company tested.
• Executive Summary: A high-level summary of the assessment findings and recommendations for the UKSA.
3. Delivery
The successful delivery organisation should be able to supply timelines for:
Planning and Reconnaissance
• Meetings with stakeholders to define objectives and gather preliminary information.
• Develop a detailed plan outlining the scope, objectives, and methodologies to ensure all stakeholders are aligned and aware of the assessment process.
• Conduct OSINT and other reconnaissance activities.
Physical intrusion
• Physical access attempt to agreed areas.
Analysis, reporting and review
• Compile findings into a comprehensive assessment report and executive summary.
• Conduct debriefing sessions with stakeholders to review findings and discuss remediation strategies.
4. Other requirements
• Legal and Compliance Review: Ensure all activities comply with relevant laws, regulations, and company policies. Obtain necessary permissions and approvals before conducting assessments.
• Safety Measures: Implement safety measures to protect personnel and assets during the assessment. This includes physical safety protocols and cybersecurity measures.
• Contingency Planning: Develop contingency plans to address potential issues or disruptions during the assessment.
• Data Protection: Ensure all data collected during the assessment is securely stored and handled in accordance with data protection regulations and company policies.
• Post-Assessment Follow-Up: Offer a process for follow-up assessments and continuous monitoring to ensure identified vulnerabilities are addressed and security improvements are maintained (this is outside of the scope of this tender and would be at the cost of the tested company).
• Standards and guidelines: Although there are no security requirements imposed upon companies working in the space domain, tendering companies should be aware of NPSA physical security policies, standards and guidelines, in order to refer to the UK's Security Service's good practice in remediation recommendations.
5. Budget: £120,000 (including VAT)
CPV Codes
79700000 - Investigation and security services
Tender Lot Details
2 Tender Lots