A. PLANNING ACTIVITIES The Consultant, in collaboration with Lakeland Electric staff, shall carry out the following activities prior to the start of the on-site CVA: 1. Personnel & Training: For all individual involved with conducting the CVA, provide evidence in accordance with CIP-004-6 R2 - completed cyber security training, R3 - Personal Risk Assessment including a 7-years criminal background check and R4 - authorization and provisioning to access Control Center facilities and systems. 2. Kickoff Meeting: Schedule planning meeting with identified project participants. Obtain agreement on execution plans, monitoring requirements and exit plans for scheduled or forced terminations of the CVA scanning process. 3. Documentation Review: Review LAK’s documentation outlining security management practices, network diagrams and device configurations. 4. Personnel Interviews: Obtain a list of key individuals from LAK including 3rd parties who can provide the insight into the organization’s security processes, network structure and technical aspects of configurations. 5. Project Plan: Provide a detailed project plan outlining the assessment process, methodologies, and timeline. A. ASSESSMENT ACTIVITIES The Consultant shall perform a comprehensive CVA of the Energy Management System critical infrastructure environment that, at a minimum, shall include the following activities: 1. Cyber Vulnerability Assessment: Conduct an active CVA in a manner that is non-intrusive and does not adversely affect EMS operations. Identify any gaps or deficiencies related to compliance by evaluating the current systems to NERC CIP-10-4 R3. 2. Active Network Discovery: Identify all active assets within detected network range to determine if any are unauthorized. Verify that the discovered assets and their communication paths align with current documentation of the network infrastructure. 3. Vulnerability Scanning and Identification: Perform detailed vulnerability scans on in-scope hosts and services to identify potential cybersecurity vulnerabilities, risks, strengths, and best practices. Activities will include performing the following: a. Scan up to 200 hosts located between the primary and backup control center for known network vulnerabilities, as well as a representative sampling of no more than 3 of 9 Digi devices. These assets are distributed across 2 facilities situated 6 miles apart, with multiple virtual local area networks (VLANs) stretched across both sites. b. Identify, and document known vulnerabilities associated with services running on network-accessible ports. c. Evaluate the effectiveness of security controls used to detect and alert on malicious or unauthorized activities. d. Review hardware and software to ensure that the latest applicable updates and releases have been installed. 4. Network Port and Service Identification: Identify ports and services that are enabled on identified network hosts. This includes classifying each device and virtual machines, according to operating system, hardware vendor, physical network address and hostname. 5. Wireless Scanning: Review wireless network traffic to identify any unauthorized wireless signals and networks within the physical perimeter of a BES Cyber System. 6. Password Management: Verify that appropriate password controls are implemented and followed on all system devices for default accounts, shared accounts, and network management accounts, ensuring that no default passwords exist. 7. Personnel Interviews: Conduct interviews of key individuals with governance related to management of cyber security services. Note: Penetration testing is not permitted during the cyber vulnerability assessment.
