Greenville Utilities Commission (GUC) is requesting proposals from qualified firms to conduct comprehensive network security penetration testing services across all organizational networks, including corporate infrastructure and Supervisory Control and Data Acquisition (SCADA) systems serving electric, water, wastewater, and natural gas operations. Vendors must have demonstrated experience conducting security assessments on organizations with SCADA systems, with preference given to firms with utility industry background.
The scope encompasses external penetration testing on 22 external IP addresses, internal endpoint security testing on 510 internal IP accounts, and assessment of 195 IT servers running Windows and Linux operating systems. Vendors will conduct up to 10 hours of reconnaissance and Open Source Intelligence (OSINT) activities. Internal scope includes wireless security testing for both corporate and guest networks, endpoint security controls assessment, PII discovery attempts, and exploitation attempts against four identified SCADA networks using provided non-production HMI clients without impacting production systems. External scope includes remote access attempts to network devices and systems, unauthorized access attempts via credential compromise or exploits, and reconnaissance for credentials or proprietary documents.
Deliverables include a comprehensive penetration test report containing an executive summary, methodology description and standards adherence documentation, detailed findings with descriptions, rationale, remediation steps and impact analysis, recommendations categorized as industry best practices with sources or contractor opinions, prioritized findings with remediation suggestions, exploit and vulnerability descriptions, and vulnerability scan outputs. The contract period is anticipated to be multi-year, not exceeding three years total, with fixed pricing for the first year and options for annual extensions at same or negotiated rates.
Key deadlines include questions due by December 12, 2025, with answers provided by December 19, 2025. Proposal submission deadline is January 15, 2026 at 2:00 PM EST via email to haddocgc@guc.com. Screening completion is targeted for January 30, 2026, with contract execution expected on or about February 11, 2026. All work must be completed and invoiced by June 15, 2026, prior to the fiscal year end on June 30, 2026. The fixed-fee budget for this engagement is $45,000.00.