Version.1
Scope of Work Document (SOW)
July 2015
LoRaWAN Network
23-Mar-2023
Classification: Internal Use
1. Purpose:
SABIC is looking for a vendor to provide a LoRaWAN gateway and network server (network
management platform) to connect IIoT sensors and manage the LoRaWAN network in support of the
Corporate Digitalization strategy.
The LoRaWAN network requires connecting all of the LoRaWAN IIoT sensors and operations in the edge
tier and platform tier, as shown in the three-tier architecture described by the Industrial Internet
Consortium.
The selected LoRaWAN network shall provide the LoRaWAN gateways and network server to manage and
connect current and future IIoT LoRaWAN sensors, which use LoRa Alliance and CITC connectivity
standards and frameworks, and wireless frequency to securely connect sensors and manage network
devices (gateways and sensors).
The requirement is to have a LoRaWAN network in compliance with SABIC’s internal infrastructure and
network segregation and Cybersecurity requirements.
Company Profile
LoRaWAN Network Technical Capabilities for the gateways and network server.
LoRaWAN Network Technical Considerations and Setup
Services Offering.
Timeline and Project Implementation Details.
Commercials
Vendor shall provide a well-crafted company profile with the information mentioned below (not limited to):
Company information
Highlight products and services
Unique strengths and track records
General idea about investors, business partners, and customers
Ownership and Management Team
Company History, mission statement and future goals
The offered platform shall possess the capabilities mentioned below (not limited to):
Topology: On-premise, cloud or hybrid topology dedicated instance capable of analyzing and storing
the IoT data. Explain how the solution handles the flow of information among the different sensors,
devices, gateways and servers.
Programming Languages and Application Development: What choices the platform makes in its
programming languages, how the platform implements its APIs, and how these choices impact the
IoT solution's capacity to implement adequate connectivity, security, and privacy.
Event Handling: Methods used to handle events in an IIoT solution and how the workload impacts
performance and security.
Application enablement and management: Features that enable business applications in any
deployment model to analyse data and accomplish IIoT-related business functions.
Device management: The ability to register, configure, and manage LoRaWAN devices,
including updating firmware, resetting devices, and monitoring their status and performance.
Network management: The ability to manage and monitor the LoRaWAN network, including
configuring gateways and sensors, setting up network policies, and monitoring network
performance.
Data management: The ability to manage and store data generated by LoRaWAN devices,
including real-time data, historical data, and device metadata.
Security management: The ability to provide secure communication between devices and the
LoRaWAN network, including managing authentication, encryption, and access control.
Application integration: The ability to integrate with other applications, such as on-premises /
cloud platforms (IIoT Platform, OSI PI) or analytics tools, to enable data analysis and
visualization.
Over-the-Air (OTA) updates: The ability to update firmware and software on LoRaWAN
devices remotely, without the need for physical access.
Device activation: The ability to activate and deactivate devices on the LoRaWAN network.
Geolocation: The ability to determine the location of LoRaWAN devices using various
methods, including Time of Flight (ToF), signal strength, and triangulation.
Analytics and reporting: The ability to analyse data generated by LoRaWAN devices and
generate reports, including performance reports, network utilization reports, and device health
reports.
Security: Describe what mechanisms are provided by the platform for administrators,
developers, and researchers to secure their IoT solutions in terms of confidentiality
(encryption and authentication), integrity, availability, and access control to prevent, detect
and correct breaches.
Vendor shall include consideration about system architecture, data, performance, scalability,
availability, and backhaul protocols and deployment and setup. Example of use case for chemical or
petrochemical industries.
2.4 NETWORK, JOIN AND APPLICATION SERVERS TECHNICAL CONSIDERATIONS & SETUP
Vendor shall include consideration about system architecture, data, performance, scalability,
availability, deployment and setup. Example of use case for chemical or petrochemical industries.
Vendor shall cover and include in their proposal the service requirements mentioned below:
Implementation support and operation, annual health check, on site engineers support.
User manuals, training presentations, and associated documentation.
High-Level & Low-Level Edge-To-Enterprise Architecture
Post-implementation evaluation and high-level plan for translation
Fully Functional and stable LoRaWAN Gateways
Fully Functional and stable Network Server
Any other valuable optional services (Add-ons).
2.7 COMMERCIALS
Vendor shall provide the following as part of their commercial proposal (not limited to):
Pricing structure
Platform licenses with all categories, levels, licenses details and with different options based on
size and volume.
Enterprise licenses (unlimited users)
3. Evaluation Criteria
A | Hardware | Answer
1 | Do you have ATEX certified Zone 1 LoRaWAN GW? |
2 | What is the expected time frame for supplying ATEX certified Zone 1 LoRaWAN GW? |
3 | What are the supported backhaul link protocols? Please list all supported protocols. |
4 | Can the GW be powered over Power over Ethernet (PoE)? |
5 | What is the estimated coverage radius for the GW? |
B | Network Server | Answer
6 | What is the network server application? |
7 | Does the network server application support on-premise or cloud deployment? |
8 | Does the network server support device management (GW & sensors)? |
9 | Does the network server support multi-tenancy installation? |
C | Experience | Answer
10 | Did you have any deployment of the GW in Saudi Arabia? |
11 | Did you have any GW deployment in the oil & gas / petrochemical industry? |
12 | Did you have any deployment of the Network server in Saudi Arabia? |
13 | Do you have any current physical presence in Saudi Arabia? |
14 | Do you have any partners in Saudi Arabia? |
4. Responsibility:
Vendor
Vendor is responsible to provide a fully working platform that covers supplying all required
items and licenses (including third parties license to use, if any). It is the responsibility of the
Vendor to have this clearly considered and indicated in the proposed solution.
Vendor to adhere to SABIC industrial practices and standards.
Vendor should cooperate with other third-party suppliers whose hardware or software solutions
SABIC might foresee the need to use as part of the IIoT Platform.
SABIC will
Provide details of Edge Tier and Enterprise Tier devices and applications relevant for IIoT
devices and platforms
Facilitate entrance access to SABIC facilities
Provide cyber security requirements
Review and approve the implementation final plan
Identify the pilot location and drive Proof of Concept to cover deployed sensor
Review and approve post-implementation evaluation
5. Standards:
SABIC Engineering Standards (SES)
RI114_LPWAN
LoRa Alliance
The Industrial Internet of Things Volume G1: Reference Architecture. Version 1.9. June 19th,
2019.
The Industrial Internet of Things Volume G5: Connectivity Framework. Version 1.0. February
28th, 2017.
IEEE 2413-2019. IEEE Standard for an Architectural Framework for the Internet of Things
(IoT). October 3rd, 2020
ISO/IEC 21823-1, Internet of things (IoT) – Interoperability for IoT systems – Part 1:
Framework, Edition 1.0, February 2019
ISO/IEC 21823-2, Internet of things (IoT) – Interoperability for IoT systems – Part 2: Transport
interoperability, Edition 1.0, April 2020
ISO/IEC 30161:2020 Internet of Things (IoT) — Requirements of IoT data exchange platform
for various IoT services
• Suppliers must comply with the National Products Mandatory List when sourcing
products stated on the list by filling up the attached National Products Mandatory
List Compliance Form. If the Supplier is found to be non- or partially-compliant, the
Supplier will be excluded from the Bid Evaluation.
• Failure to submit the LC documents will result in excluding the supplier from the
Bid Evaluation.
MSR ID | Requirement Description | Response and Evidence (if any)

IDENTIFY

MSR-01 Policies for information security
Suppliers shall have policies for information security, approved by their management and
communicated to all the people with access to their information systems.

MSR-02 Inventory of Assets
SABIC and/or its Affiliate information, other Assets associated with SABIC and/or its Affiliate
information processing facilities managed by the Supplier shall be identified and an inventory of
these Assets shall be drawn up and maintained by the Supplier.

MSR-03 Self-assessments
Suppliers will perform, at minimum, a self-assessment of their operational resilience and
Cybersecurity practices in order to identify and appropriately manage potential risks. The
self-assessment shall include, at minimum, all the requirements included in this document.
The self-assessment must be repeated at yearly intervals (or when requested by SABIC and/or its
Affiliate(s)).
The Supplier shall develop plans and promptly take steps that are required to mitigate the risks
identified.

MSR-04 Audit reports
If the Supplier is subject to Cybersecurity audits, like ISO 27001, SOC 2 Audit and similar audits,
the certificates or the reports will be shared by the Supplier with SABIC and/or its Affiliate(s)
at the request of SABIC and/or its Affiliate(s).
The Supplier shall promptly rectify on their own any problem and/or deficiencies identified in the
audits. A remediation plan approved and executed by the Supplier at their own cost shall be in
place to correct the issues reported.

PROTECT

MSR-05 Access control management
Supplier shall have a defined, documented and enforced Access Management Policy for physical and
Logical access to networks, systems and applications in Supplier Environment that processes,
accesses, or stores SABIC and/or its Affiliate(s) information/data.
MSR-07 Information Backup
Backup copies of information, software and system images that process SABIC and/or its
Affiliate(s) information in the Supplier Environment or support services provided to SABIC will be
taken regularly in accordance with industry best practices.
Recovery testing of Backup media shall be conducted periodically to demonstrate that recovery
procedures are fast and effective and the data contained in media is readable after its recovery
from the Backup media.

MSR-08 Network controls
Networks in the Supplier Environment shall be managed and controlled to protect information in
systems and applications.
Network controls shall be deployed by means of Firewalls and other network security technologies
acting as network policy enforcement points.

MSR-10 Change management
Suppliers which process, access, or store SABIC and/or its Affiliate(s) information/data shall
have an established change management process in place for making changes to the information
systems used.
Changes and modifications to any connection or configuration between SABIC and the Supplier or
update/upgrade of the system/platform will be performed only after obtaining SABIC and/or its
Affiliate(s) prior written approval.

MSR-12 Media protection
Supplier shall protect both paper information and electronic information or any other media
storing SABIC and/or its Affiliate(s) information/data, by limiting access to information on those
media to the authorized System Users, and shall Sanitize or destroy information system media
before disposal or release for reuse.
MSR-13 Personnel security
Supplier shall apply preventive measures confirming the adequacy and integrity of their System
Users involved in the provision of goods and/or services to SABIC and/or its Affiliate(s). These
measures shall, at minimum, include the verification of their references and identity and the
employees' agreement for proper use of information systems.
The Supplier shall report all changes related to System Users with access to SABIC and/or its
Affiliate(s) information systems so that their access authorization can be updated by SABIC and/or
its Affiliate(s) accordingly.
The Supplier shall have formal procedures for off-boarding employees and contractors.
Off-boarding procedures must include the return of Assets, and removal of all associated access
rights.

MSR-16 Patching
Supplier technology Assets and systems must be regularly updated with the operating system (OS),
software and applications Patches provided by their manufacturer in accordance with industry best
practices.

MSR-17 Anti-Malware
Supplier technology Assets must be protected with Anti-Malware software. Updates must be applied
daily, and full system scans must be performed at least every two weeks. In case of virus/malware
detection, the virus/malware shall be eradicated promptly and the affected systems restored to a
clean status.
DETECT

MSR-18 Audit and accountability
Supplier shall create and maintain information system Audit Logs needed to allow the analysis,
investigation, and reporting of unauthorized, or inappropriate information system activity in the
Supplier Environment and ensure that the actions of individual information System Users can be
attributed to those System Users.

RESPOND

MSR-19 Incident response
Supplier shall have an incident handling process for information systems in the Supplier
Environment, which includes the preparation to detect, analyze, contain, recover and respond to
incidents.
Anti-Malware: Software that is designed to detect, and remove, block, or contain various forms of
malicious software.
Affiliate: In relation to a party, any individual or entity that at any time controls, is
controlled by, or is under common control with, such party, provided that references to SABIC’s
Affiliate shall be limited to any person that is controlled by SABIC and/or Saudi Aramco.
For the purpose of this definition, an entity or person “controls” another person, and
that other person is “controlled” by it, when, either directly or indirectly through one or
more other “controlled” entities, it:
(a) holds a majority of the voting rights in the other person;
(b) is a member or shareholder of the other person and has the right to appoint or
remove a majority of that other person’s board of directors or equivalent managing
body;
(c) is a member or shareholder of the other person and, pursuant to an agreement
with other shareholders or members, is able to hold or direct a majority of the voting
rights in the other person; or
(d) has the right to exercise a dominant influence over the other person pursuant to its
constitutional documents or otherwise pursuant to a Contract.
Asset: Anything that has value to an organization, including but not limited to, another
organization, person, computing device, information technology (IT) system, IT
network, IT circuit, software, virtual computing platform, and related hardware.
Backup: A backup, or data backup is a copy of computer data taken and stored elsewhere so
that it may be used to restore the original after a data loss event.
Cybersecurity Acceptable Use: It is a policy stipulating constraints and practices that a System
User must agree to for access to a corporate network, the internet or other resources. It states
what a System User can and cannot do when using computers and computing resources.
Cybersecurity Assessment: Assessment conducted by SABIC to ensure that the Supplier is in full
compliance with the Supplier Minimum Cybersecurity Requirements included in this document and any
Contract.
Firewall: Hardware and/or software technology that protects network resources from
unauthorized access. A firewall permits or denies computer traffic between networks
with different security levels based upon a set of rules and other criteria.
Logical access: Providing an authorized System User the ability to access one or more computer
system resources such as a workstation, network, application, or database through
automated tools. A Logical access control system requires validation of an individual’s
identity through some mechanism such as a personal identification number,
smartcard, username and password, biometric, or other token.
Multi-Factor Authentication: Method of authenticating a system user whereby at least two factors
are verified. These factors include something the System User has (such as a smart card or
dongle), something the System User knows (such as a password, passphrase, or PIN),
or something the System User has or does (such as fingerprints and other biometric
elements).
Purchase Order: The document, including any attachments thereto, issued by Purchaser to order
goods and/or services from Supplier.
Sanitize: The action of permanently removing all data and/or licensed software, through
overwriting or degaussing methods, from an Asset before that Asset is disposed,
loaned, destroyed, donated, transferred, or surplused.
Saudi Aramco: Saudi Arabian Oil Company, a joint stock company incorporated under the laws of the
Kingdom of Saudi Arabia, having its head office located at P.O. Box 5000, Dhahran,
31311, Kingdom of Saudi Arabia, registered with the Commercial Register under
number 2052101150, and having a share capital of 60,000,000,000 Saudi Riyals fully
paid.
SAUDI BASIC INDUSTRIES CORPORATION (SABIC): SAUDI BASIC INDUSTRIES CORPORATION, a joint stock
company incorporated under the laws of the Kingdom of Saudi Arabia, having its head office located
at P.O. Box 5101, Riyadh, 11422, Kingdom of Saudi Arabia, registered with the Commercial Register
of Riyadh on 14 Muharram 1397H corresponding to 4 January 1977 under number
1010010813, and having a share capital of 30,000,000,000 Saudi Riyals fully paid.
SOC: SOC is an acronym that now stands for System and Organization Controls (previously
Service Organization Controls) and is a standard of organization’s controls to help
ensure the security, availability, processing integrity, confidentiality and privacy of their
customers data. The SOC control standards were created and overseen by the
American Institute of Certified Public Accountants (AICPA).
Social Engineering: A manipulation technique that exploits human error to gain private
information, access, or valuables. In cybercrime, these “human hacking” scams tend to lure
unsuspecting System Users into exposing data, spreading malware infections, or
giving access to restricted systems.
Supplier: The legal entity specified in the relevant Purchase Contract as supplying Party.
System Users: Supplier employees, contractors and others who have access to the Supplier
information systems.