This document is exclusive property of Mundra Petrochem Limited. It is to be used only for the purpose which it is lent and must not be
copied or used in any way detrimental to the interest of this company and subject to return on demand.
Electronic documents, once printed, are uncontrolled and may become outdated. Page 1 of 22
MDRPL-QAC-000-EB-0012, Rev. 00, Date: 06.09.2022_Word Template for MDRPL Internal use
MUNDRA PETROCHEM LIMITED
Green PVC Project
Cyber Security Implementation Guidelines for Instrument Control Systems
Doc. No. MDRPL-INS-000-BD-0001
Rev. No. 00
Revision History
Sl. No. | Rev. No. | Date | Details of changes | Reason for Changes
Table of Contents
1. REFERENCE
2. INTRODUCTION
2.1 SITE LOCATION
2.2 PRELIMINARY BLOCK FLOW DIAGRAM OF COAL TO PVC
3. CYBER SECURITY IMPLEMENTATION PROCESS
4. ANNEXURE-1: FLOW CHART FOR APPLICABILITY OF CYBER SECURITY COMPLIANCE & MACHINE HARDENING CHECKLIST
5. ANNEXURE-2: CYBER SECURITY COMPLIANCE CHECKLIST
6. ANNEXURE-3: MACHINE HARDENING COMPLIANCE CHECKLIST
7. ANNEXURE-4: CYBER RA AND VAPT TESTING ACTIVITY LIST
1. References
Cyber Security Guidelines - Instrumentation: OEPMC-INS-0000-EC-00029
2. Introduction
M/s ADANI Group - Mundra Petrochem Limited (MPL) is setting up a Green PVC Complex. The ultimate capacity
will be 2,000,000 MTPA of PVC, built in a phased manner as two phases (Phase I and Phase II) of 1,000,000 MTPA
PVC each. Phase I of the Coal to PVC Complex will have an envisaged capacity of 1,000,000 MTPA PVC, with all
common utilities, offsites and associated warehouses for storage of raw material (coal, limestone & salt),
intermediate and finished product storage, the necessary switchyard for power supply to the plant, and other
infrastructure for the entire PVC Complex.
a) Site Location:
Satellite view for the proposed location for the Coal to PVC Project
The Mundra port and the proposed project site, as highlighted above, are fully owned by M/s Adani. The location is
unique in having better infrastructure and connectivity, which is favorable for importing and exporting raw
material and finished products, material and various equipment required for the plant, and has several other advantages.
The PVC Complex will be located near the villages of Tunda & Siracha, Taluka Mundra, District Kutch, in the State of Gujarat,
India.
The intent of this document is to provide the EPCM contractor with a guideline and a detailed activity list for implementing
Cyber Security in all the Instrument control systems in the different plants of the Green PVC Project.
A brief explanation of the Scope of EPCM for Cyber Security Implementation is given below.
Scope of EPCM:
To ensure that validation of the Machine Hardening checks is incorporated in the Cyber FAT/SAT procedure / document, and
also to ensure that these points are tested / checked during FAT / SAT.
1. Conceptualization Phase
2. Initial Design
3. Detailed Design
4. Factory / Site Acceptance test
Responsibility for execution of the first two phases is with the OEPMC contractor. The outcome of these activities will be
recorded and shared with the respective plant EPCM.
The respective plant EPCM contractor, along with the Control system vendor, is responsible for execution of the remaining
two phases. A standard tool (e.g. exSILentia Cyber) is to be used for carrying out these activities.
1. Design Stage -
To carry out the Detailed level Risk Assessment along with System vendors by reviewing the
System/Network architecture & Asset Inventory list in the Cyber PHA / Cyber SL tool, and to generate a report.
To prepare a Cyber Security Requirement Specification (CSRS) document as per the Detailed level RA.
To carry out Cyber Security Design workshops (along with System Vendors) for reviewing the Detailed level Cyber
RA report and the plan for its implementation.
To implement the mitigations suggested in the Detailed Level RA with the help of System Vendors.
2. Testing stage -
To support OEPMC in the preparation of guidelines for carrying out Vulnerability Assessment & Penetration Test
(VAPT) at FAT and SAT levels.
To review the Cyber FAT / SAT procedures prepared by System Vendors and to ensure inclusion of the VAPT
procedure / steps in the FAT/SAT Procedure.
To ensure involvement of a competent 3rd party ethical hacker for carrying out VAPT during FAT and SAT through
System Vendors.
To ensure preparation of the VAPT report and closure of open points / identified vulnerabilities through System
Vendors during FAT and SAT.
To arrange training for MPL engineers on Cyber Security implementation, VAPT test etc. with the help of the System
Vendor.
EPCM to refer to:
1. Annexure-1 - Flow Chart for Applicability of Cyber Security Compliance & Machine Hardening Check List.
2. Annexure-2 - Format for obtaining compliance from Control System vendors on implementation of Cyber
Security.
3. Annexure-3 - Format for obtaining compliance from Control System vendors on Machine Hardening
(Servers and Workstations).
4. Annexure-4 - For detailed activity list of Cyber Security implementation & Control System testing to be
performed by OEPMC, EPCM & System vendor.
Annexure - 1
Flow Chart for Applicability of Cyber Security Compliance & Machine Hardening Check List
Annexure – 2
Cyber Security Compliance Check Sheet
Table of Compliance
Compliance Remarks
Annexure – 3
Machine Hardening Compliance Checklist Document
4 USB ports blocked using registry (except for keyboard / mouse / dongle)?
5 All unused Ethernet switch ports to be disabled through hardware locks, and used
ports to be MAC bound.
11 Remove and uninstall all unnecessary programs and applications that are not
required for the intended functional purpose of the system, e.g. MS-Office, Adobe,
Internet, E-mail, TFTP, TELNET, Games, Favorites, Pictures, My Pictures, My
Music etc.
12 Approved 3rd party software list to be submitted to Adani (MPL), and the same should
be cross-checked on all the HMI stations.
13 Disable the unused ports and unnecessary services (DCOM ports and Windows
Services).
14 Disable vulnerable services like NetBIOS over TCP, printer sharing etc.
17 Ensure that OPC write is disabled (enabled for tags as per requirement).
18 The portable laptop used for carrying out PCN related activities shall be restricted
from connecting to an alternate network through Bluetooth / Wi-Fi / Ethernet / serial, e.g.
to download software or updates, while it is connected to the PCN network.
21 Latest patches and firmware of application software to be installed on all the PCs.
32 All software (OS and AS) licenses should be in Adani (MPL)'s name.
37 Time synchronization with a GPS / GPS-synced server to be implemented for PCN /
DMZ machines. All machines synced with NTP source(s).
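The checks below show how items 4, 11, 14 and 37 of this checklist can be verified on a Windows server or workstation and recorded in the Compliance / Remarks form the check sheets use. This is an added example, not part of the MPL guideline or of any vendor's tooling; it assumes item 4 is implemented by disabling the USBSTOR driver and that `w32tm` prints English output, and all function names are illustrative.

```powershell
# Added example: read-only audit of checklist items 4, 11, 14 and 37 on one host.
# Run from an elevated PowerShell session. Nothing on the machine is changed.

function New-Finding($Item, $Check, $Compliant, $Remarks) {
    [pscustomobject]@{ Item = $Item; Check = $Check; Compliance = $Compliant; Remarks = $Remarks }
}

function Test-UsbStorage {
    # Item 4 (assumed implementation): USBSTOR Start = 4 disables the USB
    # mass-storage driver. Keyboards, mice and HID dongles use other drivers.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    New-Finding 4 'USB storage blocked via registry' ($start -eq 4) "USBSTOR Start=$start"
}

function Test-LegacyClients {
    # Item 11: the TELNET and TFTP clients must not be installed.
    $bad = foreach ($name in 'TelnetClient', 'TFTP') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if (-not $f) { "$name (not queried)" }          # fail closed: no answer is not a pass
        elseif ($f.State -eq 'Enabled') { "$name (enabled)" }
    }
    New-Finding 11 'TELNET/TFTP clients removed' (-not $bad) ($bad -join ', ')
}

function Test-NetbiosOverTcp {
    # Item 14: TcpipNetbiosOptions 2 = disabled (0 = default/DHCP, 1 = enabled).
    $open = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    New-Finding 14 'NetBIOS over TCP/IP disabled' (-not $open) ($open.Description -join '; ')
}

function Test-PrinterSharing {
    # Item 14: no printer on the host may be shared.
    $shared = Get-CimInstance Win32_Printer -Filter 'Shared = TRUE' -ErrorAction SilentlyContinue
    New-Finding 14 'No shared printers' (-not $shared) ($shared.Name -join '; ')
}

function Test-TimeSource {
    # Item 37: the host must follow an NTP source, not its own clock.
    # This cannot tell whether that source is GPS-synced; check the server itself.
    $source = (& w32tm /query /source 2>&1 | Out-String).Trim()
    $ok = ($LASTEXITCODE -eq 0) -and
          ($source -notmatch 'Local CMOS Clock|Free-running System Clock|error')
    New-Finding 37 'Time synced to an NTP source' $ok $source
}

$report = @(Test-UsbStorage; Test-LegacyClients; Test-NetbiosOverTcp
            Test-PrinterSharing; Test-TimeSource)
$report | Format-Table -AutoSize -Wrap

# Open points to carry into the FAT/SAT punch list.
$report | Where-Object { -not $_.Compliance }
```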
Annexure – 4
Cyber RA and VAPT Testing Activity List
Instrument Control System (DCS/ESD/PLC/MCMS/CEMS/F&G etc.) Cyber Security Risk Assessment and Audit -- List of Activities / Scope of
Work
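Columns: Phase | Sr. No. | Activity | Perform by | Participation | Overall Responsibility | Prerequisites | Deliverable | Target Date | Remark

Sr. No. 1
  Activity: Scope of work (SoW) Prepare and Sign off
  Perform by: OEPMC/MPL
  Overall Responsibility: OEPMC
  Prerequisites: Independent activity
  Deliverable: Scope of Work
  Target Date: 9/5/2022

Sr. No. 2
  Activity: Risk Matrix Target Likelihood Corporate Risk Criteria
  Perform by: MPL-OT Team
  Participation: NA
  Overall Responsibility: MPL
  Prerequisites: Independent activity
  Deliverable: Project Risk Assessment Matrix
  Target Date: 9/10/2022

Sr. No. 3
  Activity: Creation of Project / BU Threat Profiling Reference Table including Likelihood of Initiation and Threat Strength and link to RAM likelihood
  Perform by: OEPMC
  Participation: MPL-OT & C&I team
  Overall Responsibility: OEPMC
  Prerequisites: Availability of CyberPHA Software
  Deliverable: Threat Profiling Reference Table
  Target Date: 30-09-22
  Remark: a) As listed in Cyber Risk Assessment tool from exida to be used. b) Workshop to be arranged by OEPMC to complete activity.

Sr. No. 4
  Activity: Guidelines document for complete cyber security life cycle to be prepared / updated for point 1, 2 and 3.
  Perform by: OEPMC
  Participation: MPL
  Overall Responsibility: OEPMC
  Deliverable: Project Cyber security Life cycle Guidelines
  Target Date: 15-10-22

Sr. No. 4.a
  Activity: Approval of Guideline Document
  Perform by: OEPMC
  Participation: MPL
  Overall Responsibility: MPL
  Deliverable: Project Cyber security Life cycle Guidelines
  Target Date: 30-10-22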
Sr. No. 5
  Activity: Preliminary Hazard review e.g. Major Hazards of the process
  Perform by: OEPMC
  Participation: MPL
  Overall Responsibility: OEPMC
  Prerequisites: QRA inputs from MPL Preliminary Risk Study report (EIA Report)
  Deliverable: Listing of Sitewide Preliminary Process Hazards, its relationship with Cyber Security.
  Target Date: 30-11-22
  Remark: This Hazard review can be generic at Complex Level/Plant Level and may not be dependent on the individual detailed plant wise HAZOP. QRA study performed by MPL for complex will be basis for the cyber security. Also add Consequential Business Loss data from MPL Project/Business Team. OEPMC to arrange meeting to discuss & finalize & release preliminary Hazard review report for Cyber security.

Sr. No. 6
  Activity: Prepare Preliminary System Architecture Diagrams, based on Project Cybersecurity Guidelines and Cybersecurity Standards (IEC 62443/NIST etc.) -- DCS/ESD/PLC/MCMS/CEMS/F&G etc.
  Perform by: OEPMC
  Participation: MPL
  Overall Responsibility: OEPMC
  Prerequisites: Availability of CyberPHA Software
  Deliverable: Preliminary / Typical System Architecture
  Target Date: 12/10/2022
  Remark: To be completed now based on control system architecture received by MPL from various vendors
Sr. No. 8
  Activity: Conducting High Level Risk assessment using Cyber PHA and Cyber SL tool and as per SoW table / Project OT Cyber Guideline documents. Updating System under Consideration
  Perform by: OEPMC
  Participation: MPL
  Overall Responsibility: OEPMC
  Prerequisites: Availability of CyberPHA Software
  Deliverable: High Level Cyber PHA report
  Target Date: 12/31/2022
  Remark: Input as Approved Architecture/ Network/ FO diagrams. Include findings in MR/TQ/TBE of applicable Control Systems

Sr. No. 9
  Activity: Update Preliminary / Typical Architecture, policies, and procedure for Cybersecurity (as and if required)
  Perform by: OEPMC
  Participation: MPL
  Overall Responsibility: OEPMC
  Deliverable: System Architecture, Cyber security Guidelines
  Target Date: 1/10/2023

Sr. No. 10
  Activity: Detailed System Architecture Diagrams, Inventory List, Dataflows of ICS Hardware/software and other network components (including all 3rd Party Connections)
  Perform by: EPCM / Control System Vendor
  Participation: OEPMC / MPL
  Overall Responsibility: OEPMC
  Prerequisites: Finalized System vendor. Availability of CyberPHA Software. EPCM PLC finalized
  Deliverable: Inventory List, System Logical (Network) Diagram (Including Zones & Conduits)
  Target Date: 2 Months from KOM date of respective EPCM
  Remark: System Vendor prepares all documents related to architecture/FDS etc.

Sr. No. 11
  Activity: HAZOP / SIL Study recommendations of each plant - review / study for inclusion in Cyber PHA / RA
  Perform by: EPCM
  Participation: MPL / OEPMC
  Overall Responsibility: OEPMC
  Prerequisites: Completion of SIL study for plant under assessment
  Deliverable: Fine tuning High Level Cyber PHA report
  Target Date: As per Project Schedule

Sr. No. 12
  Activity: Detailed Level Risk assessment using Cyber PHA and Cyber SL tool and as per SoW table/ Project OT Cyber Guideline documents
  Perform by: EPCM
  Participation: EPCM / MPL / System Vendors
  Overall Responsibility: OEPMC
  Prerequisites: Finalized System vendor. Availability of CyberPHA Software. EPCM PLC finalized
  Deliverable: Detailed Level Cyber PHA report, SL Assessment report and recommendations
  Target Date: Within 2 weeks from HAZOP/SIL

Sr. No. 13
  Activity: Cyber Security Design Workshop and Detailed Design Review with System Vendor
  Perform by: EPCM / Control System Vendor
  Participation: OEPMC / MPL
  Overall Responsibility: OEPMC
  Prerequisites: Finalized System vendor. Availability of CyberPHA Software. EPCM PLC finalized
  Deliverable: FDS & Cyber DDS
  Target Date: 4 weeks from System Vendor PO
Sr. No. 14
  Activity: Modify System Architecture and other control system documents. Implement the identified counter measures (Hardware). Updation in System Vendor documentation (FDS) and actual system configuration. Updating Network Architecture if required.
  Perform by: EPCM / Control System Vendor
  Participation: OEPMC / MPL
  Overall Responsibility: OEPMC
  Deliverable: FDS & Cyber DDS
  Target Date: 6 weeks from System Vendor PO

Sr. No. 15
  Activity: Preparation of Cyber Security Requirement Specifications (CSRS) Document.
  Perform by: EPCM
  Participation: OEPMC / MPL / System Vendor
  Overall Responsibility: OEPMC
  Prerequisites: Availability of CyberPHA Software.
  Deliverable: CSRS
  Target Date: 8 weeks from System Vendor PO
  Remark: Control System Vendor may be involved for inputs to CSRS during preparation of CSRS Document.

Sr. No. 16
  Activity: Preparation of VAPT Guidelines / Steps for carrying out VAPT during FAT and SAT
  Perform by: OEPMC / EPCM
  Participation: EPCM / System vendor / 3rd Party Ethical Hacker (Agency) / MPL
  Overall Responsibility: OEPMC
  Prerequisites: 3rd Party Ethical Hacker (Agency) by System vendor
  Deliverable: VAPT Guidelines
  Target Date: 12 weeks from System Vendor PO
  Remark: Review / approval by EPCM / MPL Teams. Inputs are required from MPL/EPCM for VAPT guidelines which shall be used for VAPT by System Vendor

Sr. No. 17
  Activity: Preparation of Detailed Cyber FAT and SAT Procedure including VAPT
  Perform by: Control System Vendor
  Participation: OEPMC / MPL
  Overall Responsibility: EPCM
  Prerequisites: Finalized System vendor & EPCM
  Deliverable: FAT/ SAT/ VAPT Procedures
  Remark: Review / approval by EPCM / MPL Teams

Sr. No. 18
  Activity: Cyber FAT and SAT Procedure review and comments
  Perform by: EPCM
  Participation: OEPMC / MPL
  Overall Responsibility: EPCM
  Prerequisites: Finalized System vendor
  Deliverable: FAT/ SAT/ VAPT Procedures

Sr. No. 19
  Activity: Updation of Cyber FAT and SAT procedure
  Perform by: Control System Vendor
  Participation: OEPMC / MPL
  Overall Responsibility: EPCM
  Prerequisites: Finalized System vendor
  Deliverable: FAT/ SAT/ VAPT Procedures

Sr. No. 20
  Activity: Conducting Cyber FAT, VAPT and preparation of VAPT report. Implementation of Control Measures as per VAPT report.
  Perform by: Control System Vendor / 3rd Party Ethical hacker (Agency)
  Participation: EPCM / OEPMC / MPL teams
  Overall Responsibility: EPCM
  Prerequisites: Finalized System vendor. Availability of 3rd party interface devices as available
  Deliverable: FAT/ SAT/ VAPT Report & Punch Point
  Target Date: TBA
  Remark: Cyber FAT, SAT and VAPT shall be conducted by 3rd Party (Ethical Hacker Community) hired by Main System Vendor
Notes:
a. Third Party conducting Cyber VAPT to consider minimum two visits per control system at vendor works & one visit at
site after installation of control system. Third party agency to be arranged by system vendor.
b. Vendor person working shall have active Certification (ISA/IEC/Exida/CISSP) to carry out cyber security checks.
c. Any observations/report made shall be kept confidential & shared with client only. NDA shall be signed by vendor.
d. The implementation of counter measures is the responsibility of the system vendor. In case a counter measure is not taken
during FAT/SAT, vendor shall visit again for verification.
e. System Vendors are to be assessed and certified according to the requirements of IEC 62443-2-4.
f. Respective EPCM to carry out Cyber RA by using standard tool e.g. exSILentia CYBER Version 4.12.4 and later.
g. Cyber PHA shall be performed by Control system supplier in presence of Owner / OE-PMC / EPCM.
h. Above SoW is minimum guidelines; OEPMC to include any other scope to comply with IEC62443 & Project
Specifications.
i. If any EPCM contractor is not competent to conduct and comply with the Cyber Security Requirement specified in MPL's
Engineering specifications then EPCM shall hire a competent 3rd party vendor approved by EPCM, OEPMC and Owner.
EPCM to provide a PTR of such activity performed in past project.
j. It is OEPMC's responsibility to implement the Cyber Security Requirement specified in MPL's
Engineering specifications during any stage of implementation. The OEPMC shall depute
competent and experienced person / Engineers to meet the project requirement.
OEPMC may also hire a 3rd party during project life cycle in case it is required, approved by owner.
k. The prospective 3rd party vendors for carrying out this activity are -
1. M/s Exida
2. M/s KPMG
Vendor may be selected based on their capability & PTR by EPCM / OEPMC.
Niladri Roy
Lokendra Atri
Manojkumar Patel
Keyur Vora