SN

System/Section Description of Problem Action Owner Action Owner Status Closed Date Remarks
     A.3       SCS Trend Micro Anti-Virus license expires on 31OCT2019. Siemens SCS SIEMENS ready Awaiting new License. Currently used Hyosung License
All unwanted Old project backups, PC images and Miscellaneous files to be deleted from EPC-HMI and
     A.4       SCS Siemens SCS SIEMENS ready
HWS PCs.
     A.5       SCS For SCS Control desk cubicle MCBs legend sticker to be provided. NCC NCC ready

     A.6       SCS SCS control desk rear side flexible access shall be provided instead of tightened screw arrangement. NCC NCC ready

     A.7       SCS Control room temperature sensor stainless steel label shall be provided. NCC NCC ready
    A.10      SCS TPI shall be included on LV side for Archives, Real-time and Historical Trends. Siemens SCS SIEMENS ready
    A.12      SCS CAP: X201F TB shall be covered with transparent sheet to avoid electrocution. NCC NCC ready
    A.13      SCS CAP: A202 BCU stainless steel name shall be provided. NCC NCC ready
    A.14      SCS CAP: Space near cable entry glands shall be filled with fire sealant material. NCC NCC ready
    A.15      SCS All SCS Panels, Control Desk Cubicles and PC filters shall be cleaned. NCC NCC ready
    A.16      SCS Transfix & MOXA to be time synchronization with GPS. Siemens SCS/NCC SIEMENS/NCC ready
Laptop Testing shall be completed and project laptop (with all necessary license, software and Laptop purchasing is put on hold by KM. So Laptop testing is
    A.35      SCS Siemens SCS SIEMENS ready
applications) to be handed over to KM EST NA

    A.36      SCS SCS Software’s, including PCs OS (original CD/DVDs) with original license to be handed over to KM EST. Siemens SCS SIEMENS ready
Already handed over
    A.37      SCS Cyber security settings in PCs shall be completed with KM engineer Siemens SCS SIEMENS ready
    A.43      SCS RAP Tests shall be completed after KM cyber Security functional checks of firwall configuration. Siemens SCS SIEMENS ready RAP testing already completed as part of SAT
     B.1       SCADA PSA data shall be provided & to be implemented at NCC & DCC. NCC NCC ready
All documents submission to follow KM information classification guidelines with stamp. Siemens SCS/NCC
     B.3       SCADA SIEMENS/NCC ready
(confidential/internal/public)
Please make sure all SCS equipment’s Log configurations are done properly and as on date mandatory logs are
     B.4       SCADA available (Firewalls, switches, computers, windows, etc). As per MOI recommendation, minimum log retention is 13 Siemens SCS SIEMENS ready
months, contractor to confirm the same at site:Confirm logs shall not be tampered by anyone even by Administrator
To be checked with Ashpher/Dhaneesh
please confirm all the mitigations and solutions are completed in all systems for as on date threat
     B.5       SCADA notifications like Ransomware, patya etc..,. Detailed report including scan result & screen shots shall be Siemens SCS SIEMENS ready
available for verification.
Please confirm related MS patches are adopted & all as on date tested OS security patches are adopted in
     B.6       SCADA Siemens SCS SIEMENS ready
all SCS Systems.& confirm the continuity of patch updates up to warranty period.

All the system security measures done in the SCS system & startup shall be documented & included in the O& M
with detailed implementation and role back steps ,snapshots etc.., including windows shell restrictions, GPO
     B.7       SCADA Siemens SCS SIEMENS ready
Enforced with proper backup, Alt+f4 etc. keys restrictions, other user restrictions like protection users etc..Password
reset procedure document shall include all steps including “netplz” requirements.

PMR testing and completion is pending, to be completed & tested with consultant. PMR test signed test report shall
     B.8       SCADA Siemens SCS SIEMENS ready
be submitted.
Firewalls: 104 firewall, PMR Firewall etc.test for and traffic tests shall be completed.Testing shall be completed with
     B.9       SCADA Siemens SCS SIEMENS ready
consultant & Consultant signed test sheet shall be sent to KM prior inspection.

Antivirus License Expiry to be cross checked. AV to be renewed prior expiry date. Trend Micro Antivirus Latest
tested patterns shall be adopted & scanned up to warranty period.  Siemens recommendation documents for those
updates to be provided. Trend Micro Antivirus Latest tested patterns future availability to be clearly mentioned in
    B.10      SCADA O&M. -License validity to be cross checked.-Licenses must be registered under name of Kahramaa and submitted Siemens SCS SIEMENS ready
securely. -Licenses SHALL be renewed BEFORE End of Expiry date. -Trend micro used version EOL (End of Life)
to be checked & to be make sure the used product in site have more life time. For future AV License renewal
purchase, all the required information’s shall be submitted to KM.
To be Checked with Ashpher / PM
Administrator user account accessibility from EPC to other PC to be verified. Inbuilt windows admin account shall
    B.11      SCADA Siemens SCS SIEMENS ready
be defined password and disabled.

    B.12      SCADA System security checklist hardening points to be cross verified, if any missing points to be corrected. Siemens SCS SIEMENS ready

    B.13      SCADA all Test reports and documents to be stored in EPC with proper restrictions Siemens SCS/NCC SIEMENS/NCC ready NCC to provide the latest scanned copy of test reports
Latest Revision of cyber security checklist to be used. Cyber security checklist settings & configuration &
    B.14      SCADA procedures for Windows 10 platform to be provided. All additional settings provided by SIEMENS like Wake on LAN, Siemens SCS SIEMENS ready
etc to be verified & added in the checklist as next sheet.
Recommended Application whitelisting to be done in all PC’s. to be cross verified with consultant and
    B.15      SCADA Siemens SCS SIEMENS ready
demonstrated to KM.
System services that is not related/required for SCS systems operation to be disabled in each PC
    B.16      SCADA (Unnecessary services running by default in system will consume more system resources). Document shall Siemens SCS SIEMENS ready
be kept in EPC mentioning the list of services required for SCS working To be checked with Dhaneesh
Please make sure, passwords information’s are not kept at Substation documents (hard copy). Please make sure all
    B.17      SCADA Siemens SCS SIEMENS ready
SCS passwords are as per KM prerequisite.
    B.18      SCADA Update the root Certificate to be disabled in all the PCs (Crypt32 error) Siemens SCS SIEMENS ready
- SIEMENS letter of confirmation shall be provided for confirming future Antivirus/OS tested pattern file updating
    B.19      SCADA method and how the tested patterns future availability to Kahramaa for SIEMENS provided SCS systems.(SIEMENS Siemens SCS SIEMENS ready
notification for security updates). To be Checked with Ashpher / PM
PMR/RAP/IEC 104 Firewall: please confirm the policy is defined as ““deny all, allow explicitly” method, only required
services, ports, IPs shall be allowed & To be One directional. Confirm it is source to destination IP specific.
    B.20      SCADA Siemens SCS SIEMENS ready
Contractor to Clarify necessity of any other services& port numbers if seen in the configuration… if it is not
necessary for services this shall be removed.
Please confirm all the recent User profile modifications (Engineer, protection engineer splitting etc..) are completed &
    B.21      SCADA Siemens SCS SIEMENS ready
verified. And all final submittals are submitted to KM.
Command prompt is disabled in admin user (SCS PC’s). as per checklist requirement the disabling cmd is required Cmd prompt is dsiabled as per check list. Enabled only for
    B.22      SCADA Siemens SCS SIEMENS ready
only for non-privileged user, please cross check & correct. EPC Administrator
    B.23      SCADA Default root sharing of C:,D:,E etc. drives noted , to be cross checked and corrected unwanted shares. Please clarify Siemens SCS SIEMENS ready
Mail from Dhaneesh to be used for clearing the Point
Firewall log server’s configuration to EPC to be properly configured. All critical, unauthorized access, error, etc.. logs
    B.24      SCADA Siemens SCS SIEMENS ready
shall be available & viewable.
Password resetting O&M manual shall include details of Windows and Applications password change procedures
    B.25      SCADA Siemens SCS SIEMENS ready
including “netplwiz” necessity while password change. Part of O&M Manual
MMC snap GPO Policy final settings done at SCS PC’s shall be saved, and provided along with backup submittal.
    B.26      SCADA Siemens SCS SIEMENS ready
(For easy restoring whenever after a roll out task) Steps of restoration shall be detailed. Shall be done during project backup handing over
    B.27      SCADA Necessary Logs availability in Windows, Switch, Firewall, AV etc. to be cross checked and confirmed Siemens SCS SIEMENS ready

Unrestricted
 Banner settings : Display a general notice warning in SCS devices, that the SCS system should only be
    B.28      SCADA accessed by authorized users; to be configured in all SCS system equipment’s like switches, Firewalls, PC Siemens SCS SIEMENS ready
etc. (to be discussed with Concerned KM department for Warning message data required.) Banner setting applied to SS, GW1 & GW2
Please confirm that all security features are configured in IEC 104 Firewalls. & Confirm that no latency in traffic NCC
    B.29      SCADA communication. (any ping timeout to be checked & resolved). Siemens SCS SIEMENS ready

    B.30      SCADA IEC 104 firewall testing Siemens SCS SIEMENS ready

Unrestricted