A - Scope of Works

OT Cybersecurity Assessment & Vulnerability Test

At Sui Gas Field


1. Introduction

Pakistan Petroleum Limited (PPL) invites qualified and experienced cybersecurity firms to submit
bids for conducting an OT/ICS cybersecurity assessment and vulnerability test at our Sui Gas
Field. This initiative aims to enhance the security and resilience of our industrial control systems
(Critical infrastructure) against potential cybersecurity threats.

2. Project Background

The Sui Purification Plant (SPP) and Sui Gas Compression Station (SFGCS) of Sui Gas Field operate
various critical systems, including DCS, SIS, SCADA, PLCs, HMIs, UCPs and the industrial network
infrastructure. Ensuring the cybersecurity of these systems is crucial to maintaining safe and
efficient operations. This project will identify vulnerabilities, assess our current cybersecurity
posture, and provide actionable recommendations to mitigate risks.

3. Scope of Work (SOW)

The scope of work for the cybersecurity assessment and vulnerability test includes, but is not
limited to:

1. Assessment of Current OT Cybersecurity Posture:


The first activity in the assessment phase shall be to identify and characterize the system
under consideration (SuC). This involves examining system inventories, architecture
diagrams and other important documentation to be used as reference points. Other
key activities are as follows.

a. Review and evaluation of existing OT/ICS cybersecurity measures.
b. Identification of vulnerabilities and security gaps (Gap Analysis).
c. Assessment of compliance with relevant industry standards and regulations, such as
ISA/IEC 62443 for the OT infrastructure and ISO 27001 / ISO 27002 for the IT infrastructure.
d. Assessment of the effectiveness of existing security controls in the OT environment,
including access controls, monitoring, and the incident response procedure.
e. No previous audit or vulnerability analysis reports are available.
f. Bidder to quote and use the Cyber Security Evaluation Tool (CSET) for this purpose.

2. Discovery of OT Asset & Configuration:


a. Full OT asset discovery (asset inventory) with network ID / IP addresses.
b. Create a comprehensive inventory of all OT assets within the scope of the assessment,
including hardware, software, firmware and network devices.
c. Bidder to use asset discovery software tools which are ISA/IEC 62443 compliant and
support the existing IACS.
d. Software tool(s) must be the professional version and industrially proven for such critical
infrastructure.

3. Vulnerability Assessment & Testing


a. Conduct vulnerability assessment and testing (active and passive) on the OT/ICS network
and associated systems.
b. Analyze the potential impact of known and newly identified vulnerabilities on operations
(Threat Analysis).
c. Evaluate the risks associated with each identified threat and vulnerability and determine
the likelihood of each event occurring (Risk Assessment).
d. Bidder to indicate separate software tools for the active scan and the passive scan; both
must be industrially proven and support the existing IACS and multi-OEM products.
e. For the passive scan, the tool is only connected to a mirror (SPAN) port on which the
traffic of all environments to be analyzed is reflected, so the environment is analyzed
entirely passively, without the tool transmitting into the IACS network.
f. Bidder to offer a non-intrusive vulnerability assessment that observes network traffic in
near real time without disruption or harm to the critical infrastructure. It should also
support detection and response efforts by providing the ability to conduct deep packet
and traffic analysis.
g. Any activity which could impact the availability or integrity of the IACS during the
assessment and testing shall first be discussed with and approved by PPL.
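The passive, mirror-port approach described in items 2 and 3 above (asset discovery from observed traffic, with deep packet analysis and nothing transmitted into the IACS) is illustrated below as an added example; it is not part of this ITB and not any bidder's or tool vendor's code. The frames, MAC and IP addresses and the ICS port table are constructed for the illustration; the parser handles IPv4 over Ethernet only and decodes Modbus/TCP function codes, flagging write operations as the kind of event a passive sensor feeds to detection and response.

```python
"""Passive OT asset discovery from mirrored (SPAN) traffic.

Added example, not part of the ITB.  Frames are assumed to arrive exactly as
a port-mirror session would deliver them; the sample frames below are
constructed inline so the script runs offline.  The code only reads frames
and never transmits, which is what makes the approach safe on SIS/DCS segments.
"""
import struct
from collections import defaultdict

# Well-known ICS/management service ports (assumption: used only as a protocol hint)
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)", 20000: "DNP3",
             44818: "EtherNet/IP", 161: "SNMP"}
# Modbus function codes that change process state (coil/register writes)
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip, l4, sport, dport, payload), or None if not IPv4 TCP/UDP."""
    if len(frame) < 34:                      # Ethernet (14) + minimal IPv4 (20)
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:                  # IPv4 only in this example
        return None
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    proto = frame[23]                        # IPv4 protocol field (offset 9 in the IP header)
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:         # TCP: honour the data offset to find the payload
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        return src_mac, dst_mac, src_ip, dst_ip, "tcp", sport, dport, l4[data_off:]
    if proto == 17 and len(l4) >= 8:         # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return src_mac, dst_mac, src_ip, dst_ip, "udp", sport, dport, l4[8:]
    return None


def modbus_function(payload):
    """Function code of a Modbus/TCP ADU (MBAP header + PDU), or None if the payload is not one."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, _unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:   # MBAP protocol id is always 0
        return None
    return payload[7] & 0x7F                           # mask the exception-response bit


def build_inventory(frames):
    """Walk mirrored frames and return (per-IP asset records, list of write findings)."""
    assets = defaultdict(lambda: {"mac": None, "services": set(), "talks_to": set()})
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, dst_mac, src_ip, dst_ip, _l4, _sport, dport, payload = parsed
        assets[src_ip]["mac"] = src_mac.hex(":")
        assets[dst_ip]["mac"] = dst_mac.hex(":")
        assets[src_ip]["talks_to"].add(dst_ip)
        if dport in ICS_PORTS:               # the responder on a known port is a server of that protocol
            assets[dst_ip]["services"].add(ICS_PORTS[dport])
            if dport == 502:
                fc = modbus_function(payload)
                if fc in MODBUS_WRITE_FC:    # a write from an unexpected host is a detection event
                    findings.append(f"Modbus write (FC {fc}) from {src_ip} to {dst_ip}")
    return dict(assets), findings


def make_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample traffic; checksums left zero)."""
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def modbus_adu(function_code, body):
    """Wrap a Modbus PDU in an MBAP header (transaction 1, unit id 1)."""
    pdu = bytes([function_code]) + body
    return struct.pack("!HHHB", 1, 0, len(pdu) + 1, 1) + pdu


# Constructed sample: an HMI reading a PLC, an engineering station writing to it, and a runt frame.
HMI, PLC, ENG = "10.10.1.10", "10.10.1.20", "10.10.1.30"          # assumed addresses
MAC_HMI, MAC_PLC, MAC_ENG = (bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                             bytes.fromhex("020000000003"))       # locally administered, not real OUIs
SAMPLE_FRAMES = [
    make_tcp_frame(MAC_HMI, MAC_PLC, HMI, PLC, 50123, 502, modbus_adu(3, b"\x00\x00\x00\x0a")),  # read regs
    make_tcp_frame(MAC_ENG, MAC_PLC, ENG, PLC, 50124, 502, modbus_adu(6, b"\x00\x10\x00\x01")),  # write reg
    make_tcp_frame(MAC_ENG, MAC_PLC, ENG, PLC, 50125, 102),                                        # S7 session
    b"\x00" * 20,                                                                                  # runt, ignored
]

if __name__ == "__main__":
    inventory, alerts = build_inventory(SAMPLE_FRAMES)
    for ip, rec in sorted(inventory.items()):
        print(ip, rec["mac"], sorted(rec["services"]), sorted(rec["talks_to"]))
    for alert in alerts:
        print("FINDING:", alert)
```

Connected to a SPAN session, the same logic would read frames from a capture interface instead of SAMPLE_FRAMES. Because it only reads, it cannot cause the denial-of-service conditions that active scanning can, which is why this ITB separates the two approaches and requires separate tools for each.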

4. Reporting and Recommendations:

a. Provide a detailed report of findings, including identified vulnerabilities and their
potential impacts.
b. Prioritize vulnerabilities based on risk assessment.
c. Offer recommendations for mitigating identified risks and improving overall
cybersecurity posture in accordance with ISA/IEC 62443.
d. Suggest best practices for OT/ICS cybersecurity.
e. Propose strategies for ongoing monitoring and incident response.
f. Bidder's recommendation to implement a continuous program to detect new threats
and vulnerabilities in the OT environment and to ensure that the security posture
remains effective over time, in accordance with ISA/IEC 62443.
g. Bidder's recommendation, with cost, for a software solution (including any 3rd-party software
and remote access) for managing, securing and reporting that enables ISA/IEC 62443
and NERC CIP compliance, asset discovery and network visualization, vulnerability
assessment, and anomaly and threat detection.
5. Participation of Local Rep of OEM

Network scanning may inadvertently cause denial of service (DoS) and downtime to
devices or industrial processes. An active approach can be useful for deeper vulnerability
identification against known issues; however, PPL does not have standby/redundant
servers or workstations on the IACS network on which to test in a lab environment. PPL
will therefore engage the OEMs' local representatives for critical equipment or devices to handle
any untoward situation during the active vulnerability test, especially for the SIS, DCS, GTG and
TUCO. The bidder's site visit plan must therefore be aligned with the OEM local representatives'
visit to Sui Gas Field, and the bidder's collaboration with them during these activities is highly desired.

6. Assessment & Testing Tools, Software and Methodology

Bidder to use industrially proven vulnerability assessment software tools on the DCS, SIS, HMI
and PLC networks.
a. For the passive scan, Dragos, Claroty or Nozomi Networks with the Nessus platform,
or equivalent, is to be used to apply the ISA/IEC 62443 standards, provided the tool supports
and is proven on the existing IACS under test.
b. The Cyber Security Evaluation Tool (CSET) is to be used, which provides a systematic,
disciplined and repeatable approach for evaluating an organization's security posture.
c. A detailed methodology for the OT cybersecurity assessment and vulnerability test is to
be submitted with the bid.
d. Vulnerability assessment and testing tool(s) should be OEM certified and support the existing
ICS/OT systems and devices.
e. The software tool must have a full asset discovery feature.
f. Bidder shall explicitly identify in their bid the 3rd-party OT cybersecurity
assessment and testing tools (active and passive separately).
g. The software should possess AI-driven detection and incident management features.
h. Bidder to conduct the OT cybersecurity assessment and vulnerability test using the
professional version of the software.

7. Field Visit (Pre-bid & Post PO)

Bidder may conduct pre-bid visit to site at their own cost to study & assess the scope of
works. Bid should include post PO site visits plan along with schedule of activities. PPL
will arrange travelling from Karachi to Sui Gas Field & back and boarding & lodging at
Sui Field.

8. Project Timeline
o Bidder to submit a project timeline with their bid, which includes but is not limited to the post-
PO kick-off meeting, site visit, assessment report of the current security posture,
network scanning, vulnerability assessment and test report, threat analysis report, risk
assessment report based on the vulnerability test, recommendations for online monitoring
and detection, strategies, incident response plan, etc.

9. Deliverables

The successful bidder will be required to deliver the following:

a. An up-to-date asset inventory database.


b. Comprehensive assessment report detailing findings and identified vulnerabilities.
c. Vulnerability test (Passive & Active) results and analysis.
d. Risk assessment based on vulnerability test (active & passive) in conformity to ISA/IEC
62443.
e. Prioritized list of recommendations for risk mitigation.
f. Zone & conduit network diagram.
g. Developing / establishing OT Cybersecurity Framework (Policies & Procedures and
Governance) for Sui Field (SPP & KFGCS).
h. Developing NIST CSF Framework for Sui Gas Field (SPP & KFGCS).
i. Recommendation to implement a continuous program to detect new threats and
vulnerabilities in the OT environment and to ensure that the security posture remains
effective over time.
j. Comprehensive discovery report of OT assets and configurations.
k. List of hardware and software (IDS, DPI, NGFW, data diode, etc.) with complete
specifications which are recommended for the cybersecurity of the IACS. Any
recommended device should preferably be at least ISA/IEC 62443 Security Level 2 (SL 2) compliant.

10. Bidder Qualifications

Bidders must meet the following qualifications:

a) Proven experience in conducting OT/ICS cybersecurity assessments and vulnerability
tests.
b) Demonstrated knowledge of industrial control systems and related cybersecurity
challenges.
c) Ability to provide references from at least five similar projects completed within the
past five years.
d) Compliance with all relevant certifications and industry standards.
e) The vulnerability test is to be performed by an experienced and qualified engineer, who must
be an ISA/IEC 62443 Cybersecurity Expert holding all four ISA/IEC 62443
certificates (IC32, IC33, IC34, IC37).
f) Bidder must possess a minimum of 5 years' practical experience in managing firewalls,
IDS/IPS, SIEM (Security Information and Event Management), data diodes and DMZs, and in
conducting vulnerability assessment and testing, threat modelling and cybersecurity risk
assessment of OT/IACS systems.
g) Bidder must be a Managed Security Service Provider (MSSP) for OT/critical
infrastructure.
h) Five years' experience in industrial control systems/IACS.

11. Proposal Submission Requirements

Interested bidders are required to submit a proposal that includes:

a) Company profile and relevant experience.
b) Detailed methodology and approach for the assessment and testing.
c) Timeline for project completion.
d) Cost breakdown and total bid price.
e) References from previous clients.
f) Any additional information that demonstrates the bidder's capability to successfully
complete the project.
g) The OT cybersecurity solutions provider must be ISA/IEC 62443 certified (IEC 62443-4-1:2018).
h) A list of similar projects (at least 5) undertaken and successfully implemented in the oil and
gas industry, power plants or chemical plants during the last 5 years is required.
i) After sales support set up in Pakistan.
j) Compliance / Deviations in the Scope of Works / ITB to be submitted with the bid.

12. Scanning as a Service under SLA

As an alternative to scope Sr. # 16, the bidder is to separately quote, as an option, for
"Scanning as a Service" under an SLA, performed at Sui Gas Field by the successful bidder on a
stipulated schedule/interval, without supplying the OT cybersecurity assessment and testing
software tools to PPL. This includes assessment and testing reports and recommendations. The
scope and methodology will be the same as stipulated in this ITB document.

13. After Sales Support


a. Bidder to confirm an after-sales support set-up in Pakistan, provide details and supporting
documents, and confirm its availability at short notice.
b. Detailed company profile, including staff strength and detailed CVs of the employees who will
work on this project, as required by this RFQ / ITB document.

14. Confidentiality & Non-Disclosure Agreement (NDA)


This Invitation to Bid (ITB) contains material that is confidential. The recipient shall not
disclose any of the information contained in this ITB without prior written approval from
Pakistan Petroleum Limited (PPL). PPL specifically requires the recipient not to disclose the
contents of this document, or the fact that this ITB has been issued, to any party
other than a representative of PPL.
If the recipient breaches this confidentiality requirement, they will be excluded from the
bidding process.
Furthermore, the vendor shall sign a Confidentiality Compliance Document / Non-
Disclosure Agreement and ensure that the consultants provided to work under this contract
adhere to its terms. The consultant will also be responsible for ensuring that all permanent and
sub-contract consultants abide by the Non-Disclosure Agreement between PPL and the
selected bidder.

15. Online Monitoring, Detection & Reporting

For the online monitoring, detection and reporting of the OT/ICS critical networks (minimum
three nodes per plant, scalable), the following hardware and software are to be supplied, installed
and commissioned at Sui Gas Field (SFGCS and SPP plants). Bidder to quote this separately as
an option.

a. RUGGEDCOM fully managed compact Ethernet Layer 2 switch (minimum 3 units).
b. OT cybersecurity assessment and testing software tool(s), OEM compliant and industrially
proven.
c. Server / workstation with secure web access from PPL Head Office for monitoring of data and
reports.
d. All supplied software for the OT cybersecurity assessment and vulnerability tests must
be the professional version and licensed to Pakistan Petroleum Limited (unlimited
validity).
e. Bidder to offer separate quotes for the software items on the basis of either a perpetual
license or an annual subscription.

16. Evaluation Criteria

Proposals will be evaluated based on the following criteria:

a) Experience and qualifications of the bidder as stipulated in Sr # 10 and 11 of the ITB.
b) Understanding of the project scope and methodology.
c) Full compliance with the scope of works given in the ITB documents.
d) Proposed timeline and ability to meet deadlines.
e) Cost-effectiveness of the bid.
f) References and past performance as stipulated in Sr # 10 and 11 of the ITB.
g) Submission of compliance / deviations from the Scope of Works / ITB.

Annexure A – Non-Disclosure Agreement
