
IT/OT Cybersecurity Assessment

K20s Kinetic Technologies · Dubai, UAE · 1 week ago · Senior

Skills

cybersecurity, information security, network security

About This Role

Skills

should have:

Cybersecurity vulnerability assessment

Network Penetration test

Scope

The chosen vendor will perform an extensive cybersecurity vulnerability assessment, including penetration testing and risk assessment. This will involve a thorough examination of the current cybersecurity posture of the information technology network and the Industrial Control System (DCS and SCADA) within the project company. The vendor will develop a plan for mitigating vulnerabilities and create a prioritized roadmap for enhancing the cybersecurity position of the system(s). Within 180 days of reporting the vulnerabilities, the vendor will conduct revalidation to confirm the closure of any issues.

Throughout the project, the consultant will utilize industry best practices, methodologies, and tools to ensure that the assessment is comprehensive and accurate, and that it offers the highest potential for risk reduction in accordance with NCA requirements.

Specifically, the scope of the penetration tests will cover Internet-facing services and their technical components, including infrastructure, websites, web applications, mobile apps, email, and remote access.

This exercise will be divided into the following phases:

Phase (One): Cybersecurity vulnerability assessment:

The work includes, but is not limited to, assessing the following:

IT & ICS security policies and procedures

Network infrastructure, including PCs, servers, routers, firewalls, and switches

System configuration, including installed applications.

Network, firewall and network security policies and access rules.

Current security programs, devices and measures in place, such as anti-virus, anti-malware, and intrusion detection and prevention

Wireless network components (if any exist)

ICS Internet connectivity.

ICS System Connectivity to corporate Network.

Time system and time synchronization across the plant.

Surveillance system (CCTV)

Susceptibility to advanced persistent threats (APTs) and viruses.

1. Network Penetration Test (Grey Box Test)

Conduct an external network penetration test on IT/ICS external connections. The penetration testing should help identify weaknesses that might be exploited by external attackers:

All ICS External Connections should be evaluated in terms of business advantages and security risks

External network-layer penetration testing is to be performed on the IP network range allocated to the company.

Consider future threats the Company may be exposed to through its application links on the Internet, such as man-in-the-middle attacks, malware attacks and man-in-the-browser attacks (including their variants), and recommend ways of minimizing them.

The vendor is to identify every vulnerable port/service/aspect in the network layer, communicate with the company and seek approval for exploitation.

If authorized, the vendor will perform the exploitation and leave evidence as agreed.

2. Application Penetration Test (Grey Box Test)

The awarded vendor is requested to conduct application-level penetration testing externally using a grey-box scenario.

A brief knowledge of applications will be provided (if required).

To cover all of the OWASP Top 10 vulnerabilities.

To perform an automated application security vulnerability test/check/scan using reputable scanners.

Risk assessment is to be performed using an approved risk assessment methodology.

The vendor is to identify every vulnerable service in the application layer, communicate with the company and seek approval for exploitation.

If authorized, the vendor will perform the exploitation and leave evidence as agreed.

Application-level source code review is specifically excluded from this scope.

Phase (Three): Revalidation Test

In this phase, the Vendor will verify the closure/mitigation of the reported vulnerabilities within 180 days of the final report.

This will include a one-time iteration of the rescan/verification of all findings identified in Phase 1 through Phase 3.

Deliverables

1. A written report documenting the following:

a. An executive summary detailing the ICS's cybersecurity position

b. A report outlining identified cybersecurity vulnerabilities and gaps

c. A recommended mitigation plan(s) including a prioritized road map of activities

d. An estimated range of the total costs to implement the recommended mitigation plan(s).

e. An itemized cost estimate for each proposed component, including all licensing, support, maintenance and hosting, and annual costs for subscription-based services.

f. The report should be delivered as a PowerPoint presentation as well as a comprehensive report in Word format.

g. Each finding should be supported by appropriate evidence such as screen captures, data, etc., and the tools used or method followed to arrive at the finding. Each finding should be classified by severity and provide the detailed implication and the testing procedure to follow after the issue is fixed.

h. Each finding should include the priority and criticality of the system based on CIA criteria (Criticality, Integrity and Availability).
