
Green PVC Project
MUNDRA PETROCHEM LIMITED

Cyber Security Implementation Guidelines for Instrument Control Systems

Doc. No. MDRPL-INS-000-BD-0001
Rev. No. 00

Rev. No. | Date | Status Code | Status Description | Prepared By | Checked By | Approved By | AC Code
00 | 06.10.2022 | IFD | Issued for Design | Vijay Kulkarni | Keyur Vora | Keyur Vora |

This document is exclusive property of Mundra Petrochem Limited. It is to be used only for the purpose which it is lent and must not be
copied or used in any way detrimental to the interest of this company and subject to return on demand.

Electronic documents, once printed, are uncontrolled and may become outdated. Page 1 of 22

MDRPL-QAC-000-EB-0012, Rev. 00, Date: 06.09.2022_Word Template for MDRPL Internal use

Revision History

Sl. No. | Rev. No. | Date | Details of changes | Reason for Changes


Table of Contents

1. REFERENCE
2. INTRODUCTION
2.1 SITE LOCATION
2.2 PRELIMINARY BLOCK FLOW DIAGRAM OF COAL TO PVC
3. CYBER SECURITY IMPLEMENTATION PROCESS
4. ANNEXURE-1: FLOW CHART FOR APPLICABILITY OF CYBER SECURITY COMPLIANCE & MACHINE HARDENING CHECKLIST
5. ANNEXURE-2: CYBER SECURITY COMPLIANCE CHECKLIST
6. ANNEXURE-3: MACHINE HARDENING COMPLIANCE CHECKLIST
7. ANNEXURE-4: CYBER RA AND VAPT TESTING ACTIVITY LIST


1. References
Cyber Security Guidelines - Instrumentation: OEPMC-INS-0000-EC-00029

2. Introduction
M/s ADANI Group - Mundra Petrochem Limited (MPL) is setting up a Green PVC Complex. The ultimate capacity
will be 2,000,000 MTPA of PVC, built in a phased manner in two phases (Phase I & II) of 1,000,000 MTPA PVC
each. Phase I of the Coal to PVC Complex has an envisaged capacity of 1,000,000 MTPA PVC, with all common
utilities, off-sites and associated warehouses for storage of raw material (coal, limestone & salt),
intermediate and finished product storage, the necessary switchyard for power supply to the plant, and other
infrastructure for the entire PVC Complex.

a) Site Location:
Satellite view for the proposed location for the Coal to PVC Project

Tentative plot area availability: Total Area Available: 690 Acres.

Pocket 1: 392 Acres

Pocket 3: 183 Acres

The Mundra port and the proposed project site, as highlighted above, are fully owned by M/s Adani. The location is
unique in its infrastructure and connectivity, which favour the import and export of raw material, finished products,
and the material and equipment required for the plant, among several other advantages. The PVC Complex will be
located near the villages Tunda & Siracha, Taluka Mundra, District Kutch, in the State of Gujarat, India.


b) Preliminary Block Flow Diagram of Coal to PVC Plant

The intent of this document is to provide the EPCM contractor with guidelines and a detailed activity list for
implementing cyber security in all the instrument control systems in the different plants of the Green PVC Project.


3. Cyber Security Implementation Process


The EPCM contractor is to implement cyber security in all the instrument control systems as per MPL's Cyber Security
Guidelines document (OEPMC-INS-0000-EC-00029).

A brief explanation of the EPCM's scope for cyber security implementation is given below.

Scope of EPCM:

A. Cyber Security Compliance & Machine (Workstation/Server) Hardening


To ensure compliance from each system vendor with MPL's Cyber Security Compliance check sheet and Machine
Hardening check sheet attached in Annexure-1.

To ensure that validation of the Machine Hardening checks is incorporated in the Cyber FAT/SAT procedure / document,
and that these points are tested / checked during FAT / SAT.

B. Cyber Security Risk Assessment & testing


These activities are distributed into four phases –

1. Conceptualization Phase
2. Initial Design
3. Detailed Design
4. Factory / Site Acceptance test

Responsibility for executing the first two phases lies with the OEPMC contractor. The outcome of these activities will
be recorded and shared with the respective plant EPCM.

The respective plant EPCM contractor, along with the control system vendor, is responsible for executing the
activities of the remaining two phases. A standard tool (e.g. exSILentia Cyber) is to be used for carrying out these
activities.

1. Design Stage

To carry out a Detailed Level Risk Assessment along with the System Vendors by reviewing the system / network
architecture and the asset inventory list in the Cyber PHA / Cyber SL tool, and to generate a report.

To prepare a Cyber Security Requirement Specification (CSRS) document as per the Detailed Level RA.

To carry out Cyber Security Design workshops (along with the System Vendors) to review the Detailed Level Cyber
RA report and the plan for its implementation.

To implement the mitigations suggested in the Detailed Level RA with the help of the System Vendors.

2. Testing Stage

To support OEPMC in preparing guidelines for carrying out Vulnerability Assessment & Penetration Testing
(VAPT) at FAT and SAT levels.

To review the Cyber FAT / SAT procedures prepared by the System Vendors and to ensure that the VAPT
procedure / steps are included in the FAT / SAT procedure.

To ensure, through the System Vendors, the involvement of a competent third-party ethical hacker for carrying out
VAPT during FAT and SAT.

To ensure, through the System Vendors, preparation of the VAPT report and closure of open points / identified
vulnerabilities during FAT and SAT.


To arrange training for MPL engineers on cyber security implementation, VAPT testing, etc. with the help of the
System Vendor.

EPCM to refer to:

1. Annexure-1 - Flow Chart for Applicability of Cyber Security Compliance & Machine Hardening Check List.

2. Annexure-2 - Format for obtaining compliance from Control System vendors on implementation of Cyber
Security.

3. Annexure-3 - Format for obtaining compliance from Control System vendors on Machine Hardening
(Servers and Workstations).

4. Annexure-4 - For detailed activity list of Cyber Security implementation & Control System testing to be
performed by OEPMC, EPCM & System vendor.


Annexure - 1

Flow Chart for Applicability of Cyber Security Compliance & Machine Hardening Check List

Instrument Control System


Annexure – 2
Cyber Security Compliance Check Sheet

Company - Mundra Petrochem Ltd.

Project - Green PVC

Document Name - Cyber Security Compliance Checklist Document

Document Number - MDRPL-INS-000-EC-0001

Vendor / Supplier Name -

Table of Compliance

Sr. No. | Clause No | Section | Compliance (YES / Partially / No / Not Applicable / Noted) | Remarks
1 | 11 | Does the Bidder have competent, experienced and certified (GICSP) Instrument Control System (ICS) Cyber Security professionals in its team? | |
2 | 12 | Are the hardware and software components supplied by the Bidder certified under ISA Secure, IEC 62443 or GE Achilles certification? | |
3 | 13, 13.1 and 13.2 | Is the Bidder capable of conducting a Cyber Security Risk Assessment of the offered system with the help of a standard tool, e.g. the Exida CyberPHAx tool? | |
4 | 14 | Is the Bidder ready to prepare a Cyber Security Requirements Specification (CSRS) document for the offered Control System? | |
5 | 15 | Is the Bidder capable of having a Vulnerability Assessment test (VAPT) of the proposed system carried out by a third party during FAT/SAT, e.g. with the Nessus tool? Additionally, Bidder to confirm implementation of all the mitigations related to applicable vulnerabilities as published by the Control System OEM. | |


6 | 16 | Is the Bidder ready to prepare a Manufacturer Cyber Security Manual? | |
7 | 17 | Is the proposed system designed as per the approved CSRS (Cyber Security Requirement Specifications) document? | |
8 | 18 | Is the Bidder capable of carrying out Security Level Verification for each FR (Functional Requirement) with the help of a special tool, e.g. CyberSL by exida? | |
9 | 20, 20.1 & 20.2 | Is the proposed system being designed considering the defense-in-depth concept, e.g. implementation of various mitigations to prevent cyber attacks? | |
10 | 21, 21.1, 21.2 & 21.3 | Are Network Segmentation and Segregation considered in designing the proposed system architecture? E.g. the Control Network and HMI Network are separated, firewalls are used between the HMI and IT networks, a DMZ is created for non-control system nodes, etc. | |
11 | 22 & 22.1 | Are (dual) firewalls considered between the OT (HMI) network and the IT network? The firewalls are to be configured as per the MPL Cyber Security Guideline document; please confirm. | |
12 | 23, 23.1 to 23.13 | Does the Bidder comply with the guideline document for the usage of the following communication protocols: DNS, HTTP, FTP/TFTP, Telnet, DHCP, SSH, SMTP, SNMP, MODBUS TCP/IP, DCOM, NAT, OPC, etc.? | |
13 | 24 | Does the Bidder agree to provide redundancy in the various Cyber Security nodes: OS / AV Patching Server, Backup Recovery Server, NAS (Network Access Storage), Application Whitelisting Server (AWL), Network Management Server (NMS), SIEM, Domain Controller, etc.? | |
14 | 25 | Does the Bidder comply with the Password & User Management guidelines mentioned in the MPL Cyber Security Document? | |


15 | 26 | Does the Bidder confirm configuration of the System Hardening parameters as mentioned in the MPL Cyber Security Guidelines Document and Sheet 2 of this document? | |
16 | 27 | Does the Bidder comply with implementation of User Roles, Authentication and Authorization in the proposed system as mentioned in the MPL Cyber Security Guideline document? | |
17 | 27.1 | Does the Bidder comply with configuration of the Windows System Event Audit Policy Settings in the HMI nodes (OS/ES) of the proposed system as mentioned in the MPL Cyber Security Guideline document? | |
18 | 28 | Does the Bidder comply with configuration of the Domain Controller server considered in the proposed network architecture, as mentioned in the MPL Cyber Security Guideline document? | |
19 | 29 | Does the Bidder comply with implementing the measures to ensure Data Integrity and Loss Prevention as mentioned in the MPL Cyber Security Guideline document? 1. Restricting access to unauthorized users. 2. Denying read/write access to all portable devices trying to connect to the System Network / HMI. 3. Implementation of redundancy at hard disk level (RAID 1 / RAID 5). Implementation of physical access control. | |
20 | 30 | Is the Bidder proposing a Data Loss Prevention (DLP) solution to avoid data loss incidents? | |
21 | 31 | What sort of Anti-Virus Management system (signature updating at regular intervals) is the Bidder proposing? Refer to the MPL Cyber Security Guideline document for more details. | |


22 | 32 | What sort of Windows patch management system (WSUS) is the Bidder proposing? Refer to the MPL Cyber Security Guideline document for more details. | |
23 | 33 & 33.1 | Is the Bidder complying with the guidelines mentioned in the MPL Cyber Security Guideline document for the wireless devices considered in the proposed package? | |
24 | 34 | Is the Bidder implementing the Application Whitelisting system (AWL server & client) for the proposed nodes (OS/ES)? Refer to the MPL Cyber Security Guideline document for more details. | |
25 | 35 | Is the Bidder providing a Modbus firewall for each third-party MODBUS communication interface? | |
26 | 36 | Is the Bidder complying with the following measures for GPS connectivity? 1) A system receiving time from GPS should verify the time change against the allowable set time change, and if the required time change is larger it shall reject the time change. 2) The system should be connected to redundant GPS if time-critical functions are implemented. 3) The system shall not be connected to the internet to fetch the time synchronization signal. | |


27 | 37 | Is the Bidder complying with the following points when using a Vulnerability Assessment Tool? a) The software shall be proven and well accepted by the industry and shall have the owner's approval. b) Only nodes of the ICS network and DMZ network are to be scanned. c) Any ICS equipment in the IT enterprise network shall be scanned. d) Scanning shall be done offline or online without affecting the ICS network and its performance. e) A proper risk assessment shall be prepared before doing the scanning. f) Software scanning consumes resources, which can impact system performance, so when to use this software shall be analyzed carefully. Preference is to scan in FAT, SAT, before start-up and during opportunity for steady state operation. | |
28 | 38 | Is the Bidder supplying Intrusion Detection / Prevention Systems (IPS/IDS) for the network firewalls and a Host Intrusion Prevention System for each HMI (OS/ES) node? | |
29 | 39 | Is the Bidder supplying an Event Log and Monitoring (SIEM) system for collection and monitoring of system events / logs as mentioned in the Cyber Security Guideline document (OEPMCINS-0000-EC-00029_000_00_Cyber Security Guidelines-Instrumentation)? | |


30 | 40 | Does the Bidder comply with the requirements mentioned in the Cyber Security Guideline document for Secure Remote Connection of the Control System? 1. The Control System shall be connected through a dedicated firewall to the outside network (IT LAN). 2. Remote connection shall be given as and when required. 3. The procedure for establishing the connection shall be as mentioned in the MPL Cyber Security Guideline document. | |
31 | 41 & 41.1 | Is the Bidder proposing a redundant Backup and Recovery solution (Server and NAS) for storage of all backups? Refer to the MPL Cyber Security Guideline document for more details. | |
32 | 42 & 42.1 | Is the Bidder complying with the following points when using its configuration laptops / PCs? 1. Vendor's laptops or other portable tools for ICS programming, configuration, troubleshooting, etc. are not recommended. A dedicated programming laptop / PC shall be used. 2. These laptops / PCs shall also follow the system hardening and password policy as mentioned in the MPL Cyber Security Guideline document. | |
33 | 43 | Is the Bidder complying with the Supplier Management process for the usage of hardware / software supplied by sub-vendors or available commercially off the shelf? The Bidder shall have a quality control and validation process in place, and in addition exhaustive testing, including a vulnerability scanning process, implemented for these items. | |
34 | 44 | Is the Bidder arranging training for each phase of the "cyber security lifecycle" for the owner's members by certified trainers as per IEC 62443? | |


35 | 45 | Has the Bidder considered a Cyber Security FAT (CFAT) of the proposed system as mentioned in the MPL Cyber Security Guideline document? | |
36 | 46 | Has the Bidder considered a Cyber Security SAT (CSAT) of the proposed system as mentioned in the MPL Cyber Security Guideline document? | |
37 | NA | In case a Remote FAT of the control system is done, how will the Bidder comply with the Cyber Security Guidelines and the IEC 62443 standard? Bidder to elaborate. | |
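
The time-change check asked for in Sr. No. 26 (clause 36) above, as an added Python example that is not part of the MPL document: a clock accepts a GPS correction only when it lies within an allowable step, and otherwise tries the redundant receiver before holding its own time. The class name, the 2-second limit and the primary-then-secondary order are assumptions; all timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class GuardedClock:
    """Local clock that rejects GPS corrections larger than an allowed step."""
    now: datetime
    max_step: timedelta  # "allowable set time change" (value is an assumption)
    rejected: List[Tuple[str, float]] = field(default_factory=list)

    def apply_gps_time(self, primary: Optional[datetime],
                       secondary: Optional[datetime] = None) -> str:
        """Return which source was accepted, or "rejected" if none was.

        A rejected correction leaves self.now untouched and is recorded
        (source, requested step in seconds) so it can be raised as an event.
        """
        for source, candidate in (("primary", primary), ("secondary", secondary)):
            if candidate is None:          # receiver has no fix / is offline
                continue
            step = candidate - self.now
            if abs(step) <= self.max_step:
                self.now = candidate
                return source
            self.rejected.append((source, step.total_seconds()))
        return "rejected"


def demo() -> Tuple[List[str], GuardedClock]:
    """Three constructed updates: normal, faulty primary, both receivers off."""
    t0 = datetime(2022, 10, 6, 12, 0, 0, tzinfo=timezone.utc)
    clock = GuardedClock(now=t0, max_step=timedelta(seconds=2))
    results = []
    # 1. Both receivers agree with the local clock to within the limit.
    results.append(clock.apply_gps_time(t0 + timedelta(milliseconds=400),
                                        t0 + timedelta(milliseconds=380)))
    # 2. Primary asks for a +1 h jump; the redundant receiver is still sane.
    results.append(clock.apply_gps_time(clock.now + timedelta(hours=1),
                                        clock.now + timedelta(milliseconds=500)))
    # 3. Both receivers ask for large jumps; the clock keeps its own time.
    results.append(clock.apply_gps_time(clock.now + timedelta(hours=1),
                                        clock.now - timedelta(minutes=5)))
    return results, clock


if __name__ == "__main__":
    outcome, clk = demo()
    print(outcome)
    print(clk.rejected)
```

During FAT/SAT the same three cases (in-limit correction, one receiver out of limit, both out of limit) make a compact test script for this clause.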


Annexure – 3
Machine Hardening Compliance Checklist Document

Company - Mundra Petrochem Ltd.

Project - Green PVC

Document Name – Machine Hardening Compliance Checklist Document

Document Number - MDRPL-INS-000-EC-0001

Vendor / Supplier Name -

MACHINE (PC/SERVER) HARDENING PARAMETERS

SN | PARAMETER DETAILS | COMPLIANCE BY VENDOR | REMARKS
1 | Disable all guest accounts and default passwords. | |
2 | CD/DVD/USB ports locking using software. | |
3 | USB ports locking using hardware locks. | |
4 | USB ports blocked using registry (except for keyboard / mouse / dongle)? | |
5 | All unused Ethernet switch ports to be disabled through hardware locks and used ports to be MAC bound. | |
6 | Disable unused LAN ports? | |
7 | Password protection for BIOS. | |
8 | Auto run disabling. | |
9 | Scheduler disabling wherever it is not being used. | |
10 | Implementation of HIPS (Host Intrusion Prevention Software). | |
11 | Remove and uninstall all the unnecessary programs and applications that are not required for the intended functional purpose of the system, e.g. MS-Office, Adobe, Internet, E-mail, TFTP, TELNET, Games, favorites, pictures, My Pictures, My Music, etc. | |
12 | Approved 3rd party software list to be submitted to Adani (MPL), and the same should be cross-checked on all the HMI stations. | |
13 | Disable the unused ports and unnecessary services (DCOM ports and Windows services). | |
14 | Disable vulnerable services like NetBIOS over TCP, printer sharing, etc. | |
15 | Unused / unwanted file sharing shall be disabled. | |
16 | Remote desktop services shall be disabled in all critical machines. | |


17 | Ensure that OPC write is disabled (enabled for tags as per requirement). | |
18 | The portable laptop used for carrying out PCN-related activities shall be restricted from connecting to an alternate network through Bluetooth / Wi-Fi / Ethernet / serial, e.g. to download software or updates, while being connected to the PCN network. | |
19 | Tested and certified antivirus to be installed in all the PCs. | |
20 | Tested and certified OS patches to be regularly updated in all the PCs. | |
21 | Latest patches and firmware of application software to be installed on all the PCs. | |
22 | Disabling of hibernation of PC. | |
23 | Disabling of screen saver and power saver mode. | |
24 | Disabling of Fast User Switching option in OS. | |
25 | Windows auto lock functionality is enabled in ES (< 3 min). | |
26 | Install whitelisting and put it in control mode (Status Active). | |
27 | Complex passwords are configured as per Adani (MPL) policy. | |
28 | Account lockout to be set after 10 attempts and for 30 min. | |
29 | Windows Audit Policy to be enabled for user logging info. | |
30 | Windows desktop to be locked; Task Bar and Shutdown button to be disabled in operator login. | |
31 | Different OS users to be defined for Instrument Engineer, Instrument Manager and Panel Operator logins, other than Administrator and other mandatory logins. | |
32 | All software (OS and AS) licenses should be in the name of Adani (MPL). | |
33 | Windows Firewall should be enabled and the exception list to be provided to Adani (MPL). | |
34 | Disable IPv6 on all Windows hosts and network devices, as IPv6 addresses and protocol are not used. | |
35 | Windows log size and time settings to be set to sufficiently high limits (minimum 512 MB size and 90 days' time). | |
36 | Disabled 'Alt+Ctrl+Del' for operator stations? | |
37 | Time synchronization with a GPS / GPS-synced server to be implemented for PCN / DMZ machines. All machines synced with NTP source(s). | |
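
Three of the parameters above carry numeric limits that can be checked from command output collected on a workstation during FAT/SAT. The following added Python example (not part of the MPL document) audits items 25, 28 and 35 against text in the output format of `net accounts`, `wevtutil gl Security` and `reg query`. The sample outputs are constructed, mapping item 25 to the `InactivityTimeoutSecs` policy value is an assumption, and the 90-day retention half of item 35 is not checked here.

```python
import re
from typing import Dict, List, Optional

# Constructed evidence in the format printed by the real Windows commands.
NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              12
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""
WEVTUTIL_SECURITY = """\
name: Security
enabled: true
type: Admin
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
"""
REG_QUERY_SYSTEM = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    InactivityTimeoutSecs    REG_DWORD    0x78
"""

MIN_LOG_BYTES = 512 * 1024 * 1024   # item 35: minimum 512 MB
MAX_LOCK_SECS = 3 * 60              # item 25: auto lock in less than 3 min


def parse_net_accounts(text: str) -> Dict[str, str]:
    """Map each 'Setting:   value' line of `net accounts` to its value."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(\S.*)$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings


def parse_max_log_size(text: str) -> Optional[int]:
    """Return maxSize (bytes) from `wevtutil gl <log>` output, if present."""
    m = re.search(r"^\s*maxSize:\s*(\d+)\s*$", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def parse_inactivity_timeout(text: str) -> Optional[int]:
    """Return InactivityTimeoutSecs from `reg query` output, if present."""
    m = re.search(r"InactivityTimeoutSecs\s+REG_DWORD\s+0x([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None


def audit(net_accounts: str, wevtutil: str, reg_query: str) -> List[dict]:
    """Check the collected evidence against checklist items 25, 28 and 35."""
    findings: List[dict] = []

    def record(item: int, setting: str, actual, ok: bool) -> None:
        findings.append({"item": item, "setting": setting,
                         "actual": actual, "ok": ok})

    acc = parse_net_accounts(net_accounts)
    # Item 28: lockout after 10 attempts, for 30 min. "Never" or a missing
    # line fails; any other value is flagged for review against the checklist.
    threshold = acc.get("Lockout threshold")
    record(28, "Lockout threshold", threshold, threshold == "10")
    duration = acc.get("Lockout duration (minutes)")
    record(28, "Lockout duration (minutes)", duration, duration == "30")

    size = parse_max_log_size(wevtutil)
    record(35, "Security log maxSize (bytes)", size,
           size is not None and size >= MIN_LOG_BYTES)

    secs = parse_inactivity_timeout(reg_query)   # 0 means the lock is off
    record(25, "InactivityTimeoutSecs", secs,
           secs is not None and 0 < secs < MAX_LOCK_SECS)
    return findings


if __name__ == "__main__":
    for f in audit(NET_ACCOUNTS, WEVTUTIL_SECURITY, REG_QUERY_SYSTEM):
        print("PASS" if f["ok"] else "FAIL", f["item"], f["setting"], f["actual"])
```

Missing evidence is reported as a failure rather than skipped, so a node where a command was not run cannot pass by omission.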


Annexure – 4
Cyber RA and VAPT Testing Activity List
Instrument Control System (DCS/ESD/PLC/MCMS/CEMS/F&G etc.) Cyber Security Risk Assessment and Audit -- List of Activities / Scope of
Work
Phase | Sr. No. | Activity | Perform by | Participation | Overall Responsibility | Prerequisites | Deliverable | Target Date | Remark
 | 1 | Scope of work (SoW) Prepare and Sign off | OEPMC/MPL | | OEPMC | Independent activity | Scope of Work | 9/5/2022 |
 | 2 | Risk Matrix Target Likelihood Corporate Risk Criteria | MPL-OT Team | NA | MPL | Independent activity | Project Risk Assessment Matrix | 9/10/2022 |
 | 3 | Creation of Project / BU Threat Profiling Reference Table including Likelihood of Initiation and Threat Strength and link to RAM likelihood | OEPMC | MPL-OT & C&I team | OEPMC | Availability of CyberPHA Software | Threat Profiling Reference Table | 30-09-22 | a) As listed in Cyber Risk Assessment tool from exida to be used b) Workshop to be arranged by OEPMC to complete activity
 | 4 | Guidelines document for complete cyber security life cycle to be Prepared / updated for point 1, 2 and 3. | OEPMC | MPL | OEPMC | | Project Cyber security Life cycle Guidelines | 15-10-22 |
 | 4.a | Approval of Guideline Document | OEPMC | MPL | MPL | | Project Cyber security Life cycle Guidelines | 30-10-22 |


 | 5 | Preliminary Hazard review e.g. Major Hazards of the process | OEPMC | MPL | OEPMC | QRA inputs from MPL Preliminary Risk Study report (EIA Report) | Listing of Sitewide Preliminary Process Hazards, its relationship with Cyber Security. | 30-11-22 | This Hazard review can be generic at Complex Level/Plant Level and may not be dependent on the individual detailed plant wise HAZOP. QRA study performed by MPL for complex will be basis for the cyber security. Also add Consequential Business Loss data from MPL Project/ Business Team. OEPMC to arrange meeting to discuss & finalize & release preliminary Hazard review report for Cyber security.
 | 6 | Prepare Preliminary System Architecture Diagrams, based on Project Cybersecurity Guidelines and Cybersecurity Standards (IEC 62443/NIST etc.) -- DCS/ESD/PLC/MCMS/CEMS/F&G etc. | OEPMC | MPL | OEPMC | Availability of CyberPHA Software | Preliminary / Typical System Architecture | 12/10/2022 | To be completed now based on control system architecture received by MPL from various vendors
 | 7 | Conducting Cyber Security workshop for the whole Project and Identifying System under Consideration. Spread awareness about the cyber security, Cyber RA, Methodology of RA, Risks associated with each plant etc. | OEPMC | MPL | OEPMC | Availability of CyberPHA Software | Terms of Reference for Cyber RA Workshop, Cyber RA workshop sheet | 12/20/2022 |


8 | Conducting High Level Risk assessment using Cyber PHA and Cyber SL tool and as per SoW table / Project OT Cyber Guideline documents. Updating System under Consideration | OEPMC | MPL | OEPMC | Availability of CyberPHA Software | High Level Cyber PHA report | 12/31/2022 | Input as Approved Architecture/ Network/ FO diagrams. Include findings in MR/TQ/TBE of applicable Control Systems
9 | Update Preliminary / Typical Architecture, policies, and procedure for Cybersecurity (as and if required) | OEPMC | MPL | OEPMC | | System Architecture, Cyber security Guidelines | 1/10/2023
10 | Detailed System Architecture Diagrams, Inventory List, Dataflows of ICS Hardware/software and other network components (including all 3rd Party Connections) | EPCM / Control System Vendor | OEPMC / MPL | OEPMC | Finalized System vendor. Availability of CyberPHA Software. EPCM PLC finalized | Inventory List, System Logical (Network) Diagram (Including Zones & Conduits) | 2 Months from KOM date of respective EPCM | System Vendor prepares all documents related to architecture/FDS etc.

11 | HAZOP / SIL Study recommendations of each plant - review / study for inclusion in Cyber PHA / RA | EPCM | MPL / OEPMC | OEPMC | Completion of SIL study for plant under assessment | Fine tuning High Level Cyber PHA report | As per Project Schedule
12 | Detailed Level Risk assessment using Cyber PHA and Cyber SL tool and as per SoW table/ Project OT Cyber Guideline documents | EPCM | EPCM / MPL / System Vendors | OEPMC | Finalized System vendor. Availability of CyberPHA Software. EPCM PLC finalized | Detailed Level Cyber PHA report, SL Assessment report and recommendations | Within 2 weeks from HAZOP/SIL

13 | Cyber Security Design Workshop and Detailed Design Review with System Vendor | EPCM / Control System Vendor | OEPMC / MPL | OEPMC | Finalized System vendor. Availability of CyberPHA Software. EPCM PLC finalized | FDS & Cyber DDS | 4 weeks from System Vendor PO

14 | Modify System Architecture and other control system documents. Implement the identified counter measures (Hardware). Updation in System Vendor documentation (FDS) and actual system configuration. Updating Network Architecture if required. | EPCM / Control System Vendor | OEPMC / MPL | OEPMC | | FDS & Cyber DDS | 6 weeks from System Vendor PO
15 | Preparation of Cyber Security Requirement Specifications (CSRS) Document. | EPCM | OEPMC / MPL / System Vendor | OEPMC | Availability of CyberPHA Software. | CSRS | 8 weeks from System Vendor PO | Control System Vendor may be involved for inputs to CSRS during preparation of CSRS Document.
16 | Preparation of VAPT Guidelines / Steps for carrying out VAPT during FAT and SAT | OEPMC / EPCM | EPCM / System vendor/ 3rd Party Ethical Hacker (Agency) / MPL | OEPMC | 3rd Party Ethical Hacker (Agency) by System vendor | VAPT Guidelines | 12 weeks from System Vendor PO | Review / approval by EPCM/ MPL Teams. Inputs are required from MPL/EPCM for VAPT guidelines which shall be used for VAPT by System Vendor

17 | Preparation of Detailed Cyber FAT and SAT Procedure including VAPT | Control System Vendor | OEPMC / MPL | EPCM | Finalized System vendor & EPCM | FAT/ SAT/ VAPT Procedures | | Review / approval by EPCM/ MPL Teams
18 | Cyber FAT and SAT Procedure review and comments | EPCM | OEPMC / MPL | EPCM | Finalized System vendor | FAT/ SAT/ VAPT Procedures
19 | Updation of Cyber FAT and SAT procedure | Control System Vendor | OEPMC / MPL | EPCM | Finalized System vendor | FAT/ SAT/ VAPT Procedures
20 | Conducting Cyber FAT, VAPT and preparation of VAPT report. Implementation of Control Measures as per VAPT report. | Control System Vendor / 3rd Party Ethical hacker (Agency) | EPCM / OEPMC / MPL teams | EPCM | Finalized System vendor. Availability of 3rd party interface devices as available | FAT/ SAT/ VAPT Report & Punch Point | TBA | Cyber FAT, SAT and VAPT shall be conducted by 3rd Party (Ethical Hacker Community) hired by Main System Vendor

Notes:
a. Third Party Conducting Cyber VAPT to consider minimum two visits per control system @ vendor works & one visit at site after installation of control system. Third party agency to be arranged by system vendor.
b. Vendor person working shall have active Certification (ISA/IEC/Exida/CISSP) to carry out cyber security checks.
c. Any observations/report made shall be kept confidential & shared with client only. NDA shall be signed by vendor.
d. The implementation of counter measures is the responsibility of system vendor. In case a counter measure is not taken during FAT/SAT, vendor shall visit again for verification.
e. System Vendors are to be assessed and certified according to the requirements of IEC 62443-2-4.
f. Respective EPCM to carry out Cyber RA by using standard tool e.g. exSILentia CYBER Version 4.12.4 and later.
g. Cyber PHA shall be performed by Control system supplier in presence of Owner / OE-PMC / EPCM.
h. Above SoW is minimum guidelines; OEPMC to include any other scope to comply with IEC 62443 & Project Specifications.
i. If any EPCM contractor is not competent to conduct and comply with Cyber Security Requirement specified in MPL's Engineering specifications then EPCM shall hire competent 3rd party vendor approved by EPCM, OEPMC and Owner. EPCM to provide a PTR of such activity performed in past project.
j. It is OEPMC's responsibility to implement Cyber Security Requirement specified in MPL's Engineering specifications during any stage of implementation. The OEPMC shall depute competent and experienced person / Engineers to meet the project requirement. OEPMC may also hire 3rd party during project life cycle in case it is required, approved by owner.
k. The prospective 3rd party vendors for carrying out this activity are -
   1. M/s Exida
   2. M/s KPMG
   3. M/s Honeywell etc.
   Vendor may be selected based on their capability & PTR by EPCM / OEPMC.

MPL Adani OT Cyber Team tkIS

Niladri Roy

Lokendra Atri

Vijay Kulkarni Gyanendra Kumar Rajanish Lokhande

Manojkumar Patel

Keyur Vora
