The Consultant shall perform a comprehensive CVA of the Energy Management System critical infrastructure environment that, at a minimum, shall include the following activities: 1. Cyber Vulnerability Assessment: Conduct an active CVA in a manner that is non-intrusive and does not adversely affect EMS operations. Penetration testing is not allowed. Identify any gaps or deficiencies related to compliance by evaluating the current systems to NERC CIP-10-4 R3. 2. Active Network Discovery: Identify all active assets within detected network range to determine if any are unauthorized. Verify that the discovered assets and their communication paths align with current documentation of the network infrastructure using Nmap or other similar discovery tools. 3. Vulnerability Scanning and Identification: Perform detailed vulnerability scans on in-scope cyber assets and services to identify potential cybersecurity vulnerabilities, risks, strengths, and best practices. Activities will include performing the following: a. Perform an active scan of up to 250 cyber assets located between the primary and backup control centers for known network vulnerabilities, as well as a representative sampling of no more than 3 of 9 Digi serial to IP converters. These assets are distributed across 2 facilities situated 6 miles apart, with multiple virtual local area networks (9-VLANs) stretched across both sites. All LAK assets are located on premises, no assets are located in the cloud...
