24 Etender Document

The Maharashtra State Electricity Transmission Company Ltd. is seeking bids for a two-year cyber security audit of its IT and OT systems at MSLDC Airoli and ALDC Ambazari, to be conducted by a CERT-IN empanelled auditor. The tender includes detailed instructions, eligibility criteria, and a comprehensive scope of work focused on security compliance, vulnerability assessments, and system administration. Bidders must submit their proposals online, adhering to specified terms and conditions, including payment of EMD and tender fees.

Uploaded by

nitin Paunikar

MAHARASHTRA STATE ELECTRICITY TRANSMISSION CO. LTD.

STATE LOAD DESPATCH CENTRE Airoli

SRM Re-Tender for

Cyber security audit (onsite) of the IT & OT systems hosted at MSLDC Airoli & ALDC
Ambazari, through CERT-IN empanelled Cyber Security Auditor for the period of Two Years.

E-Tender RFX No. 7000030210

Office of the Chief Engineer

Maharashtra State Load Dispatch Centre,

Thane – Belapur Road, P.O. Airoli,

Navi Mumbai – 400708

1
MAHARASHTRA STATE ELECTRICITY TRANSMISSION COMPANY LTD.
Maharashtra State Load Dispatch Centre, Airoli
INDEX

Sr. No. Particular Page No.

1. Cover Page 1
2. Index 2
3. General Instructions to the Bidder 3
4. General Terms and Conditions 4
5. Scope of Works 6
6. Submission of Bid 17
7. Special Terms and Conditions 20
8. Terms and Conditions 22
9. Annexure ‘A’ – System/Equipment details 28
10. Annexure ‘B’ – Asset Summary Details 43
11. Annexure ‘C’ – VAPT Checklist 44
12. Annexure ‘D’ – Reference Price Schedule 54
13. Annexure ‘E’ – Undertaking 55
14. Annexure ‘F’ – Non-Disclosure Agreement 57

2
MAHARASHTRA STATE TRANSMISSION CO. LTD.
Maharashtra State Load Dispatch Centre, Airoli.

GENERAL INSTRUCTIONS TO THE BIDDER

Re -Tender RFX No. 7000030210

Dear Sir/s,
Please offer your lowest rates for cyber security audit (onsite) of the IT & OT systems hosted at
MSLDC Airoli & ALDC Ambazari, through a CERT-IN empanelled Cyber Security Auditor for the period of
Two Years. The Scope of Work and the terms and conditions of the contract should be studied before submission
of the online bid. Bids should be submitted well in advance rather than waiting until the last date. MSETCL will
not be responsible for non-submission of a Bid due to any website related problems. The Technical/Commercial
bids will be opened as per the schedule mentioned in the tender notice. Intending Bidders or their representatives may
join online for the bid opening.

Thanking you,

Yours faithfully,

Sd/-
(Mahesh Bhagwat)
Chief Engineer
MSETCL,MSLDC, Airoli.

3
GENERAL TERMS & CONDITIONS

1. Bidder must be registered for E- tendering process.


2. The e-tender is to be submitted online on website https://srmetender.mahatransco.in/
3. The e-tender documents are not transferable. Changes in the name and address of any kind will not be
entertained.
4. The e-tenders fee paid against the particular e-tenders shall not be refunded / transferred or
adjusted at all.
5. The Tender Documents can be downloaded online from aforesaid website within the aforesaid date
& time
6. The bidder should submit their bids online well in advance within the aforesaid date & time.
Scanned copies of the EMD & tender fee receipts should be submitted online along with the technical
bid.
7. The EMD amount and tender fees should be paid online only. Bid without E.M.D. & Tender fee
will not be considered. Request for paying EMD while opening the tender will not be
considered.
8. Firm/Bidder has to pay EMD, irrespective of whether the SRM System asks for the same or not, in the following
cases:
i. If the SSI / NSIC Certificate does not indicate the Material/Service required against the present tender.
ii. If Turnover or manufacturing capacity exceeds the limit indicated in the SSI / NSIC
Certificate specified by the concerned authority to avail the benefit of EMD exemption.
If the required EMD is not paid by the bidder, the offer is liable for rejection.

As per MSETCL circular no.10812 Dt.10/10/2018, the registration certificate submitted by
micro & small enterprises should be valid on the date of submission of the bid, and its validity
should be certified by a Chartered Accountant in practice.

9. Earnest money deposited will be refunded online through the SRM System after approval from the competent
Authority. EMD will be credited to the bank account maintained by the bidder in the vendor Profile in the SRM
system.
10. Bidders are requested to ensure that the bank details, i.e. Account No., IFSC Code, Account Holder Name,
Bank Name and Bank Address, are correctly maintained in the SRM System, and to update the same if required.
It may be noted that:
a. In case bank details are not maintained by the bidders in their SRM Vendor profile, EMD
will not be refunded online and MSETCL will not be responsible for the delay.

b. MSETCL will not be responsible for any financial implications in case incorrect bank
details are maintained by the bidders as it is the sole liability of the bidder to maintain correct
bank details to facilitate online refund of EMD.

11. The EMD is liable to be forfeited under the following conditions:


(a) The bidder refuses to accept the order placed during the bid validity period.

(b) Bidder fails to pay prescribed Security Deposit against the order placed within the prescribed
period.

12. MSETCL will not be responsible for non-submission of Bid due to any Website related problems.

13. The undersigned reserves the right to cancel any or all the tenders at any stage without
assigning any reason.
14. The SRM e-tenders will not be accepted after the due date & time of submission.
15. The SRM e-tender fee paid against the particular SRM e-tenders shall not be refunded /
transferred or adjusted at all.
16. Partial or incomplete bid in any respect will be rejected.
17. If the tenderer/bidder finds any ambiguity in the specification and document, or is in
doubt as to the true meaning of any part, the Bidder shall at once make a request in
writing for an interpretation/clarification to The Chief Engineer (MSLDC) two (2)
days prior to the Pre-Bid Meeting on email [email protected]. The
interpretation/clarification shall be discussed in detail in the Pre-Bid Meeting.
MSLDC will then issue the interpretation/clarification as it may think fit, in writing,
within seven (07) days from the date of the Pre-Bid Meeting. All such interpretations and
clarifications shall form a part of the bidding document and shall accompany the
bidder's proposal. Verbal clarification and information given by the MSLDC or its
employee(s) or representative(s) shall not in any way be binding on the MSLDC.
18. If the date of opening happens to be a holiday, it will stand extended to the next working
day with no change in timings.

19. ELIGIBILITY FOR BIDDING:


(a) All registered vendors of MSETCL whose registration on SRM e-tendering is valid
on the date of submission of the bid can participate in the subject tender. The bidder shall
invariably declare the name of the manufacturer of the equipment offered and shall also
indicate its country of origin (mandatory in case of imported items).

(b) For bidders from a country that shares a land border with India, the following
restrictions shall be applicable (as per order Public Procurement no. 1 dt. 23.7.2020
from MoF, GOI, with subsequent clarifications and latest amendments):
i) Any bidder from a country which shares a land border with India will be eligible
to bid in this tender only if the bidder is registered with the competent authority as
indicated in Annexure-I (Competent Authority and Procedure for registration) of
order Public Procurement no. 1 dt. 23.7.2020 from Ministry of Finance,
Government of India.
ii) The term “Bidder from a country which shares a land border with India” means:
a) An entity incorporated, established or registered in such a country; or
b) A subsidiary of an entity incorporated, established or registered in such a
country; or
c) An entity substantially controlled through entities incorporated, established or
registered in such a country; or
d) An entity whose beneficial owner is situated in such a country; or
e) An Indian (or other) agent of such an entity; or
f) A natural person who is a citizen of such a country; or
g) A consortium or joint venture where any member of the consortium or joint
venture falls under any of the above.
iii) The registration of the bidder from Competent Authority should be valid at the
time of submission of bids and at the time of acceptance of bids. If the bidder was
validly registered at the time of acceptance / placement of order, registration shall
not be a relevant consideration during contract execution.
iv) The bidder shall furnish documentary evidence of valid registration obtained
from the issuing competent authority and submit the following certificate on their
letterhead, duly sealed and signed, along with their offer:
“I the undersigned have read the clause regarding restrictions on procurement from
a bidder of a country which shares a land border with India; I certify that
(name of bidder) incorporated on with
its registered office at , participating in the
subject tender, is not from such a country or, if from such a country, has been
registered with the competent authority. I hereby certify that
(name of bidder) fulfills all requirements in this regard and is eligible to be
considered.”
Offer received without the above prescribed certificate shall be liable for rejection.
Further, if the certificate submitted by a bidder is found to be false, it would be a
ground for rejection of offer / immediate termination and further legal action in
accordance with law.
Scope of Work for Cyber Security Audit.

1) Introduction
MSLDC intends to engage a CERT-In empanelled Cyber Security Auditor for a period of two years, for
performing a cyber security audit of the IT and OT systems of SLDC Airoli and ALDC Ambazari, Nagpur.

➢ Locations for Audit:


a. MSLDC Airoli, Navi Mumbai
b. ALDC, Ambazari, Nagpur

2) Scope Of Work

The Scope of work for Cyber Security Audit would be as per the Guidelines of CERT-IN and CEA
(Cyber Security in Power Sector) Guidelines, 2021 and Information Security Policy of the
organisation (including the applicable controls from NCIIPC control Guidelines) and would be under
the following broad categories but is not limited to:

A. SECURITY AND COMPLIANCE AUDIT OF IT and OT INFRASTRUCTURE FROM
INFORMATION/CYBER SECURITY POINT OF VIEW
i) Review of IT and OT infrastructure from the point of view of Information /Cyber Security
ii) System Administration
iii) Business Continuity Plan, Disaster Recovery Plan/Procedure and Risk Assessment
iv) Special emphasis shall be given to the Implementation audit, configuration audit and
change management audit of the ICT and findings of the same should be made part of
audit report submission.
v) Auditors shall examine in detail whether a whitelisting approach has been implemented
by the entity or not. Whitelisting means blocking all connections (inbound and
outbound) with proper ACL implementation, following the whitelist approach that
allows only known good IPs / ports / calls / applications / services / protocols etc. This shall
be examined, and any discrepancy shall be categorically documented in the findings.

B. VAPT OF THE IT & OT SYSTEMS


i) Vulnerability Assessment and Penetration Testing (VA & PT) of IT and OT
Applications. (In case of OT applications VA will be performed)
ii) VA & PT of Network Devices, Security devices, Endpoints.
iii) Configuration Audit.
iv) Re-Scan.
v) Vulnerability Assessment and Penetration Testing reporting

Detailed description of the Scope of work is as under:

A. SECURITY AND COMPLIANCE AUDIT OF IT and OT INFRASTRUCTURE FROM
INFORMATION/CYBER SECURITY POINT OF VIEW

Auditor shall perform the security audit as per the Guidelines issued by the Ministry of Electronics &
Information Technology (MeitY) / CEA / CERT-In, Govt. of India, and provide recommendations to
MSLDC, so as to ensure integrity, confidentiality and availability of information and resources.
Security & compliance Audit of IT Infrastructure is to be performed twice a year and for
OT Systems once a year during the contract period, as per the schedule given by
MSLDC.

The detailed scope of work includes the following:

1) Review of IT and OT infrastructure from Information/Cyber Security point of view. (List
attached as Annexure ‘B’)

I. Review of the Current Security Architecture and Security Technology/solution of the
organization.
II. Verification of technical, physical and administrative controls to ensure that information and
information processing infrastructure are secured in the organization.
III. Review of Secure Configuration Documents adopting best practices as per the latest ISO-27001
standards and NCIIPC/CEA guidelines issued from time to time, for Web applications, Databases, Security
Devices, Network Devices, Desktops, Laptops, Mobile devices, user accounts etc.
IV. The bidder would identify network and design architectural weaknesses in terms of security,
performance, scalability, etc.
V. Review of ISMS policy and its implementation.
VI. Review of compliance of previous audit reports
VII. Review of cyber incidents that occurred or were reported by security agencies (NCIIPC / CERT-In /
CEA etc.) in the last 01 year.
VIII. Review of whitelisting approach.
IX. Review of Information/ Cyber Security Incident management system.
X. Conduct Cyber Security risk assessment considering latest cyber-attacks.
XI. Auditor shall check the current adequacy of the cyber security controls based on the risk
assessed.
XII. The bidder shall provide recommendations to increase the effectiveness of the security controls
XIII. Network architecture review: This will include the network architecture review of the LAN,
topology classification and various security aspects. The auditor shall analyze the network security controls,
which includes a study of the logical locations of security components such as the firewall, proxy server, local
server, security solutions etc. The Auditor will review the Network Security Architecture along
with recommendations.
XIV. Network Performance Analysis: The Audit team shall be required to conduct Network
Performance Analysis to evaluate bottlenecks, protocol utilization, broadcasting and
network errors, identify their remedial solutions and recommend implementation of the same to
mitigate the identified errors. The methodology to evaluate the performance of the network should
contain the following steps: study the scope of the Network Architecture & components; determine the
boundary of analysis; estimate the scan process (based on the complexity of the target network
and hosts); scan the targeted network and hosts (based on the defined requirements); collect the
scan results and analyze them for bottlenecks, protocol utilization, configuration errors etc.; and
submit assessment reports with suggestions and recommendations for an error-free network.
XV. Network Architecture Audit: Network Architecture Audit should be carried out for security
and performance, which includes the following:
• Review the appropriate segregation of the network into various trusted zones.
• Review the traffic flow in the network.
• Review the route path and table audit.
• Review of routing protocols and security controls therein.
• Review the security measures at the entry and exit points of the network.
• Obtaining information about the architecture and address scheme of the network.
• Checking redundancy and Load Balancing as per the requirement.
• Routing Protocol Analysis.
• Analyze protocols used and traffic generated and means to optimize traffic.
• Analysis of load balancing mechanism.
• Analysis of latency in traffic across various links.
• Review logical access to business critical applications, OS, database, network, physical
access.
• Review of security of network services.

2) System Administration

The study must provide a detailed report on the following administrative mechanisms:
I. Network Administration.
II. Maintaining details of updated version of each firmware/software, their certification,
expiration/End of Life/Support (EOL) etc.
III. Asset Management
IV. Ensure that critical assets declared as CII are covered under the purview of the audit.
V. Anti-virus and Patch management process.
Review of anti-virus and patch management should comprise the following at both network
and end points:
Policy and procedure for Virus management and patch management.
Review of Antivirus (AV) and patch management process as per the sampling
methodology defined.
Schedule of AV updates and patch updates.
Security controls of AV server and patch update servers.
AV updates status reports, auditing and logging.
Review of AV log review records.
Review of controls against malware.
Other controls as applicable.
VI. Backup management
Review of the backup management process should be conducted as per the sampling methodology
and should comprise the following:
Policies and procedures for backup management.
Review access control, physical security and integrity of backup data and its storage.
Review of backup restoration procedure checks.
Adherence to the policies and procedures.
Other controls as applicable.
VII. Linux/Windows System administration
The security controls review for the Operating System should comprise the following:
Access Management.
User and group privileges.
System and user policies.
Remote access policies.
Logging mechanism.
Domain architecture and trust relationships.
Share permissions and definitions.
Service packs and hot-fixes.
Registry settings, including registry security permissions.
Whitelisting approach for services, ports and Applications
Account lockout
Password policy on OS
Audit settings
VIII. Database administration (as applicable).
The security controls review for the database should comprise the following:
Password Policy.
Database views.
Auditing, logging and monitoring.
DBMS configuration.
User Access Management
Backup and Recovery.
Database Files and Directories Permissions.
Database Access control, authentication, account privileges.
Unnecessary services.
Remote login settings.
Database Patching and updates.
Data encryption
Data retention
IX. Hardware/ Software Configuration
Verify that all the IT and OT systems are hardened to perform only the minimum
desired services and operate on the least privilege principle.
Review the list of installed authorized software / applications in the end point systems
/ servers.
Implementation of OS hardening settings.
Identify insecure configuration, if any and document.

3) Business Continuity Plan, Disaster Recovery Plan/Procedure and Risk Assessment.

OT System shall be audited with respect to each critical activity of utility business for Business
Continuity Plan (BCP) and Disaster Recovery (DR) aspects.
I. Documentation for Business Continuity Plan (BCP) and Disaster Recovery (DR) Plan.
II. Review of existing BCP and DR plan.
III. The consultant will help to prepare the BCP & DR as per latest industry standards & audit.
IV. Implementation of BCP and DRP.
V. User awareness level.
VI. Test plans and drills.
VII. Risk assessment.
VIII. Verify, review and evaluate information security continuity.
IX. Auditor shall also carefully examine the readiness of the organization and effectiveness of
existing security controls at the ground level to deal with the ransomware attacks. Auditor
shall examine the effectiveness of people, process and technologies to deal with such attack
considering both DC and DR have been impacted.

If the utility decides to follow the sample-based approach, following criteria must be adopted by
the auditor while performing cyber security audit:

a) For all critical assets (as defined in CEA guidelines): 100 % samples shall be analyzed.
b) For not so critical assets: more than 25 % and the selection should be based on relative
importance.

Deliverables:

a) Security and Compliance audit report

b) Report of status of white listing approach adopted by entity

c) Compliance status against NCIIPC control guidelines.

The report should cover all the sections described above, point-wise and with evidence.
Auditor shall provide a walkthrough of the report delivered, which will be attended by the concerned
agencies handling the application/equipment.

B. VAPT OF THE IT & OT Systems, NETWORK & SECURITY DEVICES, Endpoints and Configuration
Audit.

VAPT/VA/Configuration Review is to be carried out for the systems / application / equipment as per the
Annexure-‘A’.

1) VULNERABILITY ASSESSMENT & PENETRATION TESTING (VA/PT).

VAPT & Configuration Audit for IT Systems are to be performed twice a year and VA &
Configuration Audit for OT Systems once a year during the contract period, as per the
schedule given by MSLDC.

The audit team is required to identify and understand the existing vulnerabilities, review existing
security controls and ensure compliance with security standards. Accordingly, the audit team is
required to submit a report containing recommendations and corrective actions for patching up the
identified vulnerabilities. The audit team may ask organization for previous VAPT reports including
threat analysis reports shared by organizations for re-validation.

The bidder should adhere to applicable laws, rules, regulations and guidelines prescribed by various
regulatory, statutory and government authorities during the execution of the test.

VAPT/VA/Configuration Review is to be carried out as per the Scope of Work for the systems /
equipment specified in Annexure ‘A’. Frequency of the activity shall be as specified in Annexure ‘A’.

Vendor shall use only legal / valid software/ licensed tools for delivering any of the services as
mentioned in the Scope of work. MSLDC shall not bear any cost for the tools used for these
services. MSLDC would not be responsible for any use, either direct or indirect, of illegal software
by the bidder.

Network Vulnerability Assessment (VA): The auditor will conduct Vulnerability Assessment (VA)
against the complete Servers and network infrastructure components to identify services in use and
potential vulnerabilities present. (List attached as Annexure ‘B’)

MSLDC requirements under VA are


• Provide accurate network discovery details.
• Identify network risks and prioritize issues.
• Enable network-wide efficient remediation.

a. Configuration of all Network Equipment installed at SLDC and ALDC should be verified for
any Security threats, which include the following:
• Smurf and SYN Flood.
• DoS Attacks.
• Protection against well-known viruses and malware such as rootkits, Slammer and Trojans etc.
• Communication Controls.
• TCP Ports.
• Firewall/ACLs (Access Control Lists) / Firewall Rules.
• Whether LAN Access policies are well defined.
• Whether the redundant power supplies are connected to different power sources.
• Port Scan.
• Checking of VLAN architecture and Security measures.
• Server Security Policies.
• Misconfiguration related to access lists, account settings.
• Validate the key registry settings & group policies/local policies.
• A scanner should be run to check and verify that only application-specific ports are open.
• Unpatched holes in the operating system of critical and important Servers, especially
Proxy Servers, Database Servers, DNS Servers, DHCP servers and AD policies.
• Does the Server setup conduct proper authentication to suit the risk associated with its
access?
• Observe, analyze and assess the operations being performed from desktop systems. Analyze
the vulnerability scanning report.
• Check for network systems connected to unauthorized networks / the internet.
• Detailed report on findings with suggestions and recommendations, etc.

b. The assessment should check for various categories of threat to the network, such as:
• Unauthorized access into the network and the extent of such access possible.
• Unauthorized modifications to the network and the traffic flowing over the network.
• Extent of information disclosure from the network.
• Spoofing of identity over the network.
• Possibility of denial of service.
• Possible threats from malicious code (viruses and worms).
• Effectiveness of the Virus Control system.
• Use of other media: Floppies/CD/USB ports.
• Control over network points.
• Can visitors plug in laptops/devices?
• Control over access.
• Possibility of traffic route poisoning.
• Configuration issues related to access lists, account settings.
• Whether the IOS version is the latest and has not been the subject of Security Advisories etc.

c. Validate following services for security, effectiveness and efficiency on all Network devices
• IP directed broadcasts
• Incoming packets at the router sourced with invalid addresses
• TCP small services
• UDP small services
• All source routing
• All web services running on router.
• Which standardized SNMP community strings are used

• Logging & Auditing
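As an added illustration of how the service checks in (c) above can be automated, the following Python script (not part of the tender, and not MSLDC's or any auditor's tooling) audits an exported IOS-style running configuration for directed broadcasts, missing spoofed-source (uRPF) checks, TCP/UDP small services, source routing, a web server on the router, default or read-write SNMP community strings and absent logging. The two configuration texts, the hostname and the community strings are constructed samples; the command strings matched (`service tcp-small-servers`, `ip source-route`, `ip http server`, `ip directed-broadcast`, `ip verify unicast source reachable-via`, `snmp-server community`, `logging`) are standard IOS syntax, but the script is a plain pattern matcher and is an assumption about the export format rather than a vendor benchmark.

```python
"""Automated check of the network-device service list in (c): IP directed
broadcasts, spoofed-source ingress (uRPF), TCP/UDP small services, source
routing, web services on the router, SNMP community strings and logging.
Input is an IOS-style running configuration as plain text."""
import re

# Constructed sample: a deliberately weak edge-router configuration.
WEAK_CONFIG = """\
hostname edge-rtr-01
service tcp-small-servers
service udp-small-servers
ip source-route
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community s3cr3tRW RW
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
 ip verify unicast source reachable-via rx
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
"""

# Constructed sample: the same router after remediation.
HARDENED_CONFIG = """\
hostname edge-rtr-01
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
no ip http secure-server
snmp-server community Kq8vL2zPx RO
logging host 192.0.2.50
logging buffered 64000
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 ip verify unicast source reachable-via rx
"""

# Well-known default community strings that should never appear in production.
DEFAULT_COMMUNITIES = {"public", "private"}

# Global commands that enable a service the checklist says must be validated.
RISKY_GLOBALS = {
    "service tcp-small-servers": "TCP small services enabled",
    "service udp-small-servers": "UDP small services enabled",
    "ip source-route": "IP source routing enabled",
    "ip http server": "web service running on router",
}


def parse_interfaces(config):
    """Return {interface_name: [indented sub-commands]} for each interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return interfaces


def audit_config(config):
    """Return a list of (issue, where) findings; an empty list means every check passed."""
    findings = []
    top_level = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]

    for cmd, issue in RISKY_GLOBALS.items():
        if cmd in top_level:  # exact match, so "no ip source-route" does not trip it
            findings.append((issue, cmd))

    for line in top_level:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", line)
        if m:
            community, mode = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("default SNMP community string", line))
            if mode == "RW":
                findings.append(("read-write SNMP community", line))

    if not any(l.startswith("logging ") for l in top_level):
        findings.append(("no logging configured", "global"))

    for name, subcmds in parse_interfaces(config).items():
        if "ip directed-broadcast" in subcmds:
            findings.append(("IP directed broadcasts enabled", name))
        if not any(s.startswith("ip verify unicast") for s in subcmds):
            findings.append(("no uRPF check against invalid source addresses", name))
    return findings


if __name__ == "__main__":
    for issue, where in audit_config(WEAK_CONFIG):
        print(f"{where}: {issue}")
```

Run against the weak sample the script reports ten findings (four risky global services, the default `public` community, the read-write community, missing logging, directed broadcasts on Gi0/0 and missing uRPF on Gi0/0 and Gi0/2); the hardened sample produces none. A real engagement would extend `RISKY_GLOBALS` from the vendor hardening guide the auditee has adopted and feed the output into the evidence section of the VA report.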

Penetration Testing:

Penetration Testing (PT) shall be done through all possible ingress and egress points/segments within the IT
network (both internal and external) of the entity. Attempts shall be made to exploit the identified vulnerabilities,
evaluate the impact of the exploitation and attempt to escalate privileges. The following shall also be evaluated:

a) Evaluate the organization's ability to detect and respond to an attack.
b) Attempt to cover tracks and maintain access.
c) Evaluate the potential for data exfiltration.
d) IT-OT integration traversal of attack from

Note: During the penetration testing activity, adequate precaution should be taken so as to ensure that NO
damage is done to the systems in any sense.

• Attempt to guess passwords using password cracking tools.
• Search for back door traps in the application.
• Attempt to overload the system using DDoS & DoS.
• Check for commonly known holes in software like browsers and email applications.
• Check for common vulnerabilities like IP Spoofing, Buffer overflows, session hijacks,
account spoofing, frame spoofing, caching of web pages, cross site scripting, SQL
injection etc.
• Secured Server authentication procedures.
• Review logical access to OS, database, network; physical access control.
• Review logical access to MSLDC's web applications, OS, database, network; physical access control.
• Program change management.
• Check for vulnerabilities that could be exploited for website defacement & unauthorized
modification of the internet website.
• Analysis of the findings and Guidance for Resolution of the same.
• Known attacks against particular versions of frameworks.
• Access control for critical applications.

Detailed Checks to be Done during VAPT are noted at Annexure ‘C’

Evaluation & Submission of Preliminary Reports of findings:

• Document the security gaps, i.e. vulnerabilities, security flaws, loopholes, threats etc. observed during
the course of the VAPT activity as per the scope of work.
• Document recommendations and solutions for addressing these security gaps and categorize the
identified security gaps based on their criticality.
• Chart a roadmap for the MSLDC to ensure compliance and address these security gaps.

Deliverables:

Vulnerability Assessment & Penetration Testing Report with recommendations for
mitigation of risks. The report should cover all the sections described above, point-wise and with
evidence. Auditor shall provide a walkthrough of the report delivered, which will be attended by the
concerned agencies handling the application/equipment.

2) CONFIGURATION AUDIT OF SERVERS, NETWORK DEVICES & SECURITY DEVICES

The configuration Audit of servers, network devices, and security devices (List attached as
Annexure ‘B’) shall be carried out based on the best practices as per the ISO-27001 standard for IT
infrastructure, 62443 for OT and NCIIPC/CEA guidelines issued from time to time. The audit team shall audit
the Information Systems for Physical, Administrative and Logical Policies & Procedures and other
relevant controls and suggest additional controls for mitigation of risk. The audit team shall be
required to study and analyze the Servers' and Network Devices' roles and their configuration to evaluate
the loopholes in the configuration, if any. The Audit team shall submit a configuration report with
recommendations.

❖ CONFIGURATION AUDIT OF FIREWALLS

Review the configuration parameters and rule base of the firewall(s), which includes the following
controls:

• Placement of firewall within the network.
• Policies and rule sets.
• Authentication, Authorization and accounting.
• Auditing, logging, monitoring, alerting mechanism.
• Password control and security controls for administrative / management interfaces.
• Configuration to defy commonly known security attacks.
• Configuration of access control and priority of traffic flow.
• Allowed inbound and outbound services.
• Service proxies, circuit-level gateways, and packet filters.
• Surrounding firewall security issues.
• Domain name services.
• Router protection and participation in firewall functionality.
• VPN configuration and encryption.
• Updated version of OS / patches.
• Unnecessary services and Ports.
• Geo-Fencing Implementation and its efficacy check through practical testing.
• Change Management Policy in place and being followed for configuration / rule set
changes etc.
• Redundant unused rules.
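The items on allowed inbound/outbound services and redundant unused rules are the ones most amenable to automation during a rule-base review. As an added example, not part of the tender and not MSLDC's or any auditor's tooling, the following Python snippet models an ordered first-match rule base and reports rules that are redundant (fully covered by an earlier rule with the same action), shadowed (fully covered by an earlier rule with the opposite action, so they never fire) or over-broad any-to-any allows. The `Rule` class, the rule names R1 to R6 and all addresses are constructed for illustration; a real firewall export would first need to be parsed into this shape, which is an assumption this snippet does not cover.

```python
"""Rule-base review for an ordered, first-match firewall policy: flags rules
that are redundant (an earlier rule with the same action already matches all
their traffic), shadowed (an earlier rule with the opposite action hides them)
and over-broad any-to-any allows.  The rule set below is constructed."""
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    ports: tuple  # inclusive (low, high) destination port range; ANY_PORTS if not port-based


def _net(cidr):
    """Turn "any" or a CIDR string into an ip_network for containment tests."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])


def review_rulebase(rules):
    """Return findings as (kind, rule_name, earlier_rule_name_or_None), in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break  # first-match: the first covering rule is the one that fires
        if (rule.action == "allow" and rule.src == "any" and rule.dst == "any"
                and rule.proto == "any" and rule.ports == ANY_PORTS):
            findings.append(("any-any allow", rule.name, None))
    return findings


# Constructed sample rule base (documentation and private address ranges only).
SAMPLE_RULES = [
    Rule("R1", "allow", "10.10.0.0/16", "10.20.0.0/24", "tcp", (443, 443)),
    Rule("R2", "allow", "10.10.5.0/24", "10.20.0.10/32", "tcp", (443, 443)),  # already allowed by R1
    Rule("R3", "deny", "10.10.0.0/16", "10.20.0.0/24", "tcp", (22, 22)),
    Rule("R4", "allow", "10.10.7.0/24", "10.20.0.5/32", "tcp", (22, 22)),     # never reached: R3 fires first
    Rule("R5", "allow", "any", "any", "any", ANY_PORTS),                      # catch-all allow
    Rule("R6", "allow", "192.0.2.0/24", "10.20.0.0/24", "udp", (161, 161)),   # dead: R5 sits above it
]

if __name__ == "__main__":
    for kind, name, earlier in review_rulebase(SAMPLE_RULES):
        print(f"{name}: {kind}" + (f" (by {earlier})" if earlier else ""))
```

On the sample, R2 and R6 are reported as redundant, R4 as shadowed by the deny in R3, and R5 as an any-any allow. A shadowed allow is worth a separate finding from a redundant one: the administrator who wrote R4 believed SSH to that host was permitted, and the audit evidence should say that it is not.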

❖ CONFIGURATION AUDIT OF ROUTERS, Managed Switches

Review the configuration of routers based on the following security controls:

• User authentication and password management.
• Authentication, authorization and account settings.
• Security settings on different management interfaces (physical and logical).
• SNMP configuration.
• Use of logging and monitoring.
• Configuration to defy common security attacks like IP spoofing, ICMP redirects.
• Delegation of privileged use in accordance with job function.
• Routing protocols configured and appropriate security settings.
• Review of access lists for different network segments (to different outside networks).
• Remote login settings.
• Updated version of IOS / patches.
• Unnecessary services and Ports.
• Change Management Policy in place and being followed for configuration changes etc.
• Physical accessibility due to locations.

➢ Desktop Review
Review of desktops (both connected to the network and standalone) should comprise the following:
• Policy and procedure for desktop management
• Review of desktop controls
• Review of configuration for all workstations
• Review of desktop use policy
• Clear desk and clear screen policy
• Other controls as applicable

Deliverables: Configuration Audit Report with recommendations for mitigation of risks. The report should
cover all the sections described above, point-wise and with evidence. Auditor shall provide a
walkthrough of the report delivered, which will be attended by the concerned agencies handling the
application/equipment.

Note:

VAPT & Configuration Audit for IT Systems to be performed twice in the year and VA &
Configuration Audit for OT Systems to be performed once in a year during contract period as per the
schedule given by MSLDC.

3) RE-SCAN
Rescan is a verification process to confirm whether all vulnerabilities found during the audit have been
fixed. The Audit team shall verify that all the vulnerabilities which were discovered during the audit
have been patched successfully. If recommendations for Risk Mitigation/Removal could not be
implemented as suggested, alternate solutions are to be provided.

Deliverables:
The security auditor, after the completion of the work, shall issue the "Security audit clearance
certificate" stating that all the vulnerabilities found/identified during the security audit have been
closed/fixed/accepted.

4) Cyber Security Audit & Vulnerability Assessment Analysis Report format:

The VAPT Report should contain the following (but not limited to) :-
a. Identification of auditee (Address & contact information).
b. Dates and Locations of VAPT
c. Terms of reference.
d. Standards followed.
e. Summary of audit findings including identification tests, tools used and results of tests performed
(like vulnerability assessment, penetration testing, application security assessment, website
assessment, etc.)
• Tools used and methodology employed.
• Positive security aspects identified.
• List of vulnerabilities identified.
• Description of vulnerability.
• Risk rating or severity of vulnerability (Method for assessing the risk score will be shared
with auditee)
• Category of Risk: Very High/High/Medium/Low
• Test cases used for assessing the vulnerabilities.
• Illustration of the test cases.
• Applicable screenshots.
• Impact
• Associated systems names along with categories viz. CII/PS, non-CII etc
• Timeline for closure of Vulnerabilities/findings

f. Analysis of vulnerabilities and issues of concern.


g. Recommendations for corrective action / compensatory actions.
h. Personnel involved in the audit.
i. Any presence of malware
j. Network access controls, authentication mechanisms, encryption. Same for wireless (if applicable).
k. VPN applicability, strength, management policy with key rotation
l. Encryption of data at rest and transit
m. Prioritization of criticalities
n. Third party security controls
o. Inventory updated management including disposal procedures

The bidder may further provide any other required information as per the approach adopted by them and
which they feel is relevant to the audit process. All the gaps, deficiencies and vulnerabilities observed shall be
thoroughly discussed with MSLDC before finalization of the report.

All the VAPT reports submitted should be signed by a technically qualified person, who shall take
ownership of the document and is responsible and accountable for the document/report submitted to
MSLDC.

3) SERVICE LEVEL AGREEMENT (SLA)


The audit contract will be of two years and the contractor will have to perform audit as per given
below schedule:
Sr no. / Activity / Deliverables / Timelines

01. Pre-Audit
    Deliverables: 01. Soft copy of Audit Plan detailing the methodology of audit, which should include the escalation matrix. 02. SOP, structure, and contents of final deliverable for each type of audit report.
    Timeline: 07 days from date of issue of PO

02. Security & Compliance Audit of IT and OT Infrastructure
    Deliverables: 1. Security and Compliance audit report. 2. Report of status of whitelisting approach adopted by entity. 3. Compliance status against NCIIPC control guidelines.
    Timeline: 30 days from the date of intimation by MSLDC

03. VAPT of the IT & OT Systems, Network & Security Devices, Endpoints and Configuration Audit
    Deliverables: 01. Vulnerability Assessment & Penetration Testing Report. 02. Configuration Audit Report.
    Timeline: 30 days from the date of intimation by MSLDC

04. Walkthrough of deliverables @Sr. No 02 & 03
    Deliverables: Walkthrough Attendance Report
    Timeline: 10 days from the date of intimation by MSLDC

05. Re-Scan
    Deliverables: Security audit clearance certificate
    Timeline: 15 days from the date of intimation by MSLDC

The penalties for any non-compliance are defined under the Section Terms and Conditions.

Sd/-
(Mahesh Bhagwat)
Chief Engineer
MSETCL,MSLDC,Airoli.

Submission of bid

Offer must be submitted online on the MSETCL e-Tender portal https://srmetender.mahatransco.in/

If the tenderer/bidder finds any ambiguity in the specification and document or is in doubt as to the
true meaning of any part, the Bidder shall at once make a request in writing for an interpretation/
clarification to The Chief Engineer (MSLDC) two (2) days prior to the Pre-Bid Meeting on email
[email protected]. The interpretation/clarification shall be discussed in detail in the Pre-
Bid Meeting. MSLDC will then issue such interpretation/clarification as it may think fit in writing,
within seven (7) days from the date of the Pre-Bid Meeting. All such interpretations and clarifications
shall form a part of the bidding document and shall accompany the bidder's proposal. Verbal
clarification and information given by MSLDC or its employee(s) or representative(s) shall
not in any way be binding on MSLDC.
Bids must be in two parts, i.e. Part-I (Technical) and Part-II (Commercial Bid).

Technical bid

Under Technical bid, the bidder should upload the Following digitally signed documents: -

1. Certificate of Incorporation.
2. PAN registration certificate.
3. GST registration certificate.
4. Constitution of bidder’s firm (Partnership deed, Articles of Association, MOA etc.) if
applicable. However, JV (Joint Venture) is not allowed.
5. The bidder should be CERT-In empaneled Information Security Auditors for the last
FIVE years (from the date of issue of RFP) and should continue to remain empaneled
during the term of contract/ agreement. Bidder shall submit Proof of CERT-In
empanelment for the last FIVE years from the date of issue of RFP.
6. Valid ISO 27001:2013 certification as on the date of bid submission.

7. Experience: The Bidder should have experience of successfully completed similar works
during the last Five years ending on the last day of the month previous to the one in which the E-
Tender is invited, being either of the following:

a. “Three similar completed works costing not less than the amount equal to 30%
of estimated cost.”
OR
b. “Two similar completed works costing not less than the amount equal to 40%
of estimated cost.”
OR
c. “One similar completed work costing not less than the amount equal to 70%
of estimated cost.”

For experience purpose, amount pertaining to similar nature of work will only be considered instead
of complete Work Order Value.

Note - Similar works means Cyber Security Audit / VAPT of the IT / OT systems.

A copy of the work order & work completion certificate to that effect from the concerned organization is
required to be uploaded at the time of submission of the tender.

Note: Bids from consortium/Joint venture shall not be accepted. Joint venture/Consortium
experience shall not be considered. Experience of only the bidding entity as a prime contractor
shall be considered. A work executed by a bidder for their in-house or capital use or project of
their Sister concern/Group Company shall not be considered as experience for the purpose of
meeting requirement of experience criteria.

8. Bidder should have more than 100 employees on their payroll. Out of which at least 15
employees should have cyber security certification CEH / OSCP / CISA / CISSP / ISO
27001. Bidder should submit the undertaking as per the Annexure ‘E’ – Undertaking from
Bidder.

9. A written power of attorney authorizing the signatory of the bid to commit the bidder, if applicable.

10. Audited annual accounts including balance sheets and other financial statements for Last Three
Financial Years OR Bidder should submit digitally signed ITR from income tax department for
last Three financial years.
11. The average annual turnover of the bidder during last three Financial years should not be less
than 60% of estimated cost. Certificate from CA stating turnover of last 3 financial years
required to be uploaded.
12. Bidder should submit valid solvency certificate from nationalized/ Scheduled Bank/Co-operative
Bank for amount Not Less than 25% of the estimated cost of tender.

Failure to provide the desired information and documents may lead to disqualification of the
Bidder. The Bidder should not be currently blacklisted by any Government/Government
agency/ Bank/ institution in India or abroad.

MSETCL has the right to verify / cross-verify the authenticity of the above related documents
whenever felt necessary, including the right to ask for hard copies from bidders registered with
MSETCL; if fake or manipulated documents are found to have been submitted, the vendor will
be blacklisted by MSETCL.

Commercial Bid

This should contain only price bid of the bidder.


1. Bidder has to fill in the rate he desires to quote as per the requirement of the bid online.
Commercials in any other format may make bid invalid and hence rejected without giving any
reason/notice to the Bidder.

2. Bidders are requested to refer Scope of Work and Terms & Conditions before quoting the rate
online.

3. Prices must be quoted in accordance with the instructions provided in the bid.

4. After verifying the full documents/certificates Pre-qualification as above in Technical Bid, fulfilling
the desired Pre-requisites, commercial bid will be considered/ opened. If the same is not found to be
meeting the pre-requisites, commercial bid shall be kept without opening & considered cancelled.

5. Firm/Agency should quote all applicable charges clearly while submitting the quotation. No extra
charges will be paid later.

6. Only one rate should be quoted against each item; quoting of multiple rates against a single item will
amount to violation of the tender clauses and the bid will be rejected.

7. Partial Bid will be summarily rejected without giving any reason/notice to the Bidder.

8. The prices should be quoted in Indian Rupees.

9. The price shall be written both in figures & words in the prescribed offer format.

10. Incomplete and/or conditional bids shall be liable to rejection.

11. If any variation arises between the unit rate and the corresponding quoted total cost, then the unit rate
will prevail for calculating the total cost.

12. If there is a discrepancy between amount in words and figures, the amount in words will prevail.

13. The rates quoted by the bidder shall be fixed for the duration of the contract and shall not be subject
to adjustment on any account.

SPECIAL TERMS and CONDITIONS:
All the Audit reports would be prepared module-wise /functionality wise keeping the following points in view.

1. A pre-audit report needs to be submitted on usage of Computer Assisted Audit Tools, the Auditor’s
domain expertise, and the Audit plan & timelines along with detailed audit methodology; it has to be submitted
to the MSLDC team before start of the actual audit work.
2. Identification of gaps/deviations deficiencies vulnerabilities/risks & detailed observations and its
potential impact on the working of various stakeholders of all business application software.
3. As per ISO-27001 Standard and NCIIPC/CEA guidelines issued time to time.
4. Specific recommendations for improvement of security solution implemented at MSLDC & ALDC
5. Adequately verifiable audit evidences.
6. Risk analysis, Security and control review of all business software application of MSLDC & ALDC.
7. As per the security solution suggested, the selected bidder should guide MSLDC in reconfiguring of
the security devices. If required, they should guide in fine-tuning of the Network Architecture.
8. All observations will be thoroughly discussed with IT / OT Cell Audit team/application owners of
MSLDC / ALDC, before finalization of report and the users view/explanations to be noted for
deviations/ recommendations. However this should not influence the independent views
/Observations of the auditors.
9. Recommendations regarding best practices & corrective measures for all the observations, keeping in
view the present requirement and implemented environment, and recommendations regarding
competencies and training needs of personnel deployed in application software management. All the
documents and audit evidence (documentary) should be discussed with all concerned stakeholders,
and documents/training sessions should be provided for knowledge transfer.
10. The Auditor should provide recommendations regarding introduction of additional technical solutions
/ upgradation of existing infrastructure due to obsolescence, IT/OT security or compliance requirements,
technology refresh etc. The above listed requirements / specifications of the intended Information
System Audit are only indicative and may undergo a change during the Audit process; the
landscape of the IS Audit should not be limited to the above requirements only, and the Auditor
should suggest and ensure inclusion of all such requirements / features not specifically mentioned
above but required in the overall context of the intended Information System Audit.
11. The Auditor shall bring state-of-the-art audit tools / software / hardware (Laptops and/or Desktops)
and other audit-associated equipment required for efficient IS Audit. The bidder shall ensure that
the tools/software used in the IS Audit have the required licenses as applicable. Any use of such
tools / software should be as per the mutually agreed audit plan submitted by the IS Auditor. The cost of
all the proposed tools, software applications, scripts etcetera shall be inclusive in the prices indicated
for the subject Audit work. The Bidder is required to furnish a list of all the computer assisted Audit Tools
required to efficiently complete the scope of audit work.
12. The Bidder should disclose the details of the automated tools used to accomplish the assessment process. All the
works / activities shall be executed / carried out as per the instructions of MSLDC. The work shall
be carried out only during office hours; however, to work beyond office hours, the Consultant
has to take prior permission. The security auditor, after the completion of the work, shall issue the
“Security audit clearance certificate” stating that all the vulnerabilities found / identified during the
security audit have been closed / fixed / accepted. The auditing firm and its auditors (personnel)
engaged should sign a Nondisclosure Agreement (NDA) before starting the security audit work. Any
data collected during the audit work and reports prepared thereof are not allowed to be taken out of the
MSLDC/ALDC premises by such auditors / firm.

13. Wherever formal policies / processes are not available, the review should be conducted based on the
current implementation or practices followed vis-a-vis industry practices and standards such as
NCIIPC, CERT, NIST, ISO etc. The bidder will also help in framing policies/processes/guidelines and
their due approval during the audit process. The assessment shall also include review of the
implementation effectiveness of the controls across the IT & OT environment.

14. Care shall be taken not to disturb the network during the testing process. The following should also be
taken care of during the audit process:

a) The firm must make use of all audit tools (freeware, commercial & proprietary) as listed in the
respective snapshot of skills & competence of the CERT-IN empaneled auditing organization.
b) The firm shall maintain confidentiality of the information received, obtained or gathered by
them during the process of conduct of the VA or during interaction with the customer personnel
or Vendors. The firm has to be ready for any addition or removal of scope of work by MSLDC as
and when required.
c) Final Report: After incorporation of resolutions and mitigation of possible vulnerabilities
within short time and with the help of internal resources, the same shall be reviewed and the
Final Audit report shall be furnished within TWO WEEKS along with the open items for long
term resolutions.
d) Working schedule for the Audit team shall be six days week excluding holidays 10:00 AM to
6:00PM. However, any requirement to work beyond office hours and on holidays shall not be
considered as additional working day/hours and no additional compensation shall be provided
by MSLDC.
e) Any travel requirement arising out of this subject audit work shall be purely at the cost of the
audit firm and no additional compensation shall be borne by MSLDC.
f) The audit firm shall be solely responsible for any travel, medical and insurance requirements for
its resources deployed at MSLDC/ALDC during the subject audit work.
g) The intent of the Audit firm should be to successfully complete the entire audit work with the
proposed & dedicated onsite audit team members. Any instance of replacement of the resource
or alternate member should be considered only in genuine cases.
h) During audit work, If any of the deployed resource is leaving the Auditor Organization, the
resource replacement has to be with the similar or higher qualification & experience and after
the interview and acceptance of the MSLDC
i) The leaving resource should provide knowledge transfer to the replacing resource for at least 6
working days, and an alternate resource should be deputed in case any of the resources is absent for
more than 3 business days consecutively, within one month.
m) The bidder will have to submit a bid for the entire scope of work. If the bidder submits a part bid,
then that bid shall be rejected.
s) If the information provided by the firm/company is found to be false at any point of time,
MSLDC reserves the right to reject such tender at any stage or to cancel the contract, if
awarded, and forfeit the Earnest Money.

TERMS and CONDITIONS:
Bidder should carefully read all the terms and conditions/ Instructions of the tender
document and follow the same scrupulously

1) Contract Period: Contract period will be for 2 Years. After the expiry of the contract period, the
service need not be continued on the assumption of a deemed extension of the period.

2) You should carry out the Cyber Security Audit of the IT & OT systems as per the scope of work at
respective location (onsite) i.e. at MSLDC Airoli & ALDC Ambazari. No remote connection will be
provided.

3) You should deploy CEH / OSCP / CISA / CISSP certified professionals with minimum experience
of 1 year 6 months at MSLDC Airoli & ALDC Ambazari to carry out the Cyber Security Audit of
the IT & OT systems as per the scope of work. Their registration/certificate should be valid as on
date. You shall submit the relevant documents such as ID Proof, valid Cyber Security certificate and
Experience Certificate for the same. No system access will be permitted to a professional not
qualifying under these criteria.

4) It should be ensured by the bidder that before installing any software in the PCs of MSLDC, it is a
licensed version of the original software. Unauthorized/unlicensed software should not be installed in
the PCs of MSLDC.

5) Time Limit : Time limit to complete the task specified in Scope of Work shall be as per the Sr. No. 3
Service Level Agreement (SLA) of the Scope of Work.
It is, however to be explicitly understood that, you will have to execute and complete the work under
contract strictly in accordance with the time bound program and as directed by Engineer-in- charge.

6) Consignee for supply


The consignee is as below, or his authorized representative:

Chief Engineer(SLDC), State Load Despatch Centre, MSETCL,Thane Belapur Road, Airoli, Navi
Mumbai 400 708

7) Security Deposit: In case an order is placed, you will have to pay a security deposit amounting to 5% of
the ordered value through F.D.R./Bank Guarantee within 15 (Fifteen) days from the date of receipt of the
order. The FDR/Bank Guarantee should be valid till the expiry of 60 days after the end of the Contract
Period. The same will be refunded to you after the expiry of the FDR/Bank Guarantee if the performance
is satisfactory. In the event of unsatisfactory performance of the contract or non-compliance with the T&C,
this amount will be forfeited. No interest will be allowed on this deposit.

8) Terms of Payment:
Payment will be effected to you within 30-45 days, on submission of the invoice in triplicate along
with:
1. Deliverables as per Sr. No 3 (Service Level Agreement (SLA)) of the Scope of Works
2. Valid CERT-IN empanelment certificate
3. Work Completion Certificate verified by the IT/ OT engineer
on the basis of actual measurement recorded by the engineer-in-charge.

Sr no. / Activity / Payment

01. Pre-Audit
    Payment: NIL

02. Security & Compliance Audit of IT Infrastructure as per Scope of Work
    Payment: NIL

03. Walkthrough of deliverables @Sr. No 02
    Payment: 70 % of the amount quoted by the bidder for ‘One Time Security & Compliance Audit of IT Infrastructure’

04. Security & Compliance Audit of OT Infrastructure
    Payment: NIL

05. Walkthrough of deliverables @Sr. No 04
    Payment: 70 % of the amount quoted by the bidder for ‘One Time Security & Compliance Audit of OT Infrastructure’

06. VAPT of the IT Systems, IT Network & Security Devices, IT Endpoints and Configuration Audit
    Payment: NIL

07. Walkthrough of deliverables @Sr. No 06
    Payment: 70 % of the amount quoted by the bidder for ‘ONE TIME VAPT OF THE IT SYSTEMS’

08. VAPT of the OT Systems, OT Network & Security Devices, OT Endpoints and Configuration Audit
    Payment: NIL

09. Walkthrough of deliverables @Sr. No 08
    Payment: 70 % of the amount quoted by the bidder for ‘ONE TIME VAPT OF THE OT SYSTEMS’

10. Re-Scan of the observations identified @Sr. No. 02 & 06
    Payment: 30 % of the amount quoted by the bidder for ‘One Time Security & Compliance Audit of IT Infrastructure’ & ‘ONE TIME VAPT OF THE IT SYSTEMS’

11. Re-Scan of the observations identified @Sr. No. 04 & 08
    Payment: 30 % of the amount quoted by the bidder for ‘One Time Security & Compliance Audit of OT Infrastructure’ & ‘ONE TIME VAPT OF THE OT SYSTEMS’

However release of payment may depend on availability of funds. There will be no advance payment
against this supply order.

9) DELIVERABLES: Submission of Deliverables shall be as per the Sr. No. 3 Service Level
Agreement (SLA) of the Scope of Work.
10) Penalty (Liquidated Damages (LD)): If the contractor fails to complete the work within the stipulated
period as above, a penalty towards delay @ ½ % per week of the invoice value, up to a maximum of
10% of the order value, will be levied and deducted from the bill for non-execution of work. For the purpose
of the penalty clause, completion of the works in all respects to the satisfaction of MSETCL shall be
considered applicable.

11) Technical Support Period: You shall provide Onsite Technical Support during the contract period.

12) The Vendor shall provide a clear-cut escalation matrix to MSLDC.

13) Vendor is expected to examine all instructions, forms, terms and specifications in this tender
document and study the tender document carefully. Bid shall be deemed to have been submitted after
careful study and examination of this tender with full understanding of its implications.

14) The firm should clearly mention for any taxes, duties, levies, freight, forwarding and installation for
FOR, FSI. Otherwise the rates quoted by the firm shall be considered inclusive of all taxes.

15) MSLDC will consider the inability of the Bidder to deliver the services within the specified time
limit, as a breach of contract and would entail the payment of Liquidation Damages on the part of the
Bidder. MSLDC shall, without prejudice to its other remedies under the Contract, deduct from the
Contract Price, as liquidated damages, a sum as specified in Terms and Conditions

16) Acceptance of Bid: The company is not bound to accept the lowest or any bid, nor will any
reasons be assigned for rejection of any tender. It is also not binding on the company to disclose any
analysis report of the tender.

17) MSLDC reserves its right to reject any or all the offers without assigning any reason thereof
whatsoever also reserves the right to re-tender.

18) Conditional Bids:


Conditional bids shall not be accepted on any ground and shall be rejected straightway. If any
clarification is required, the same should be obtained before submission of bids.

19) If any dispute arises, the decision of the undersigned is final and binding on you.

20) No payment will be made for partially executed work.

21) Period of validity of Bids:


a) The bids shall remain valid for 120 days from the date of bid opening prescribed by
MSLDC, MSETCL.
b) In exceptional circumstances, MSLDC, MSETCL may solicit the bidder's consent for an
extension of the period of validity. The request and the response thereafter shall be in writing. A
bidder may refuse the request without forfeiting its bid security. A bidder granting the request
shall not be permitted to modify its bid. The bid security furnished by the bidder shall also be
suitably extended.

22) MSLDC, MSETCL reserves the right at the time of award of contract to increase or decrease the
quantity of goods or services.

23) Any effort by the Bidder to influence the MSLDC, MSETCL in its decisions on Bid evaluation, Bid
comparison may result in the rejection of the Bidder’s Bid.

24) All the software and hardware equipment like Laptops, tools etc. to execute the work as per the scope of
work has to be brought by the Vendor at no extra cost.

25) Adherence to safety procedures, rules regulations and restriction:

i) Bidder shall comply with the provisions of all laws including labour and industrial laws, rules,
regulations and notifications issued thereunder from time to time. All safety and labour and industrial
laws enforced by statutory agencies and by the Purchaser shall be applicable in the performance of this
Contract and the Bidder shall abide by these laws. The Bidder shall indemnify and keep indemnified and
hold harmless the Purchaser for any loss, damage, claims, costs, charges, expenses, etc. arising out of and/or suffered on
account of actions, litigations, proceedings, suits, arising out of breach of the above laws.
ii) Bidder shall take all measures necessary or proper to protect the personnel, work and facilities and
shall observe all reasonable safety rules and instructions.
iii) The Bidder shall report as soon as possible any evidence, which may indicate or is likely to lead to
an abnormal or dangerous situation and shall take all necessary emergency control steps to avoid such
abnormal situations.
iv) Bidder shall also adhere to all security requirement/regulations of the Purchaser during the
execution of the work.

26) No extra charges for transportation, T&P, labour, packing, insurance, excise, material etc. will be
paid, it will be arranged by you only.

27) Quality of work and Material: Bidder will be responsible for quality of work and workmanship.

28) Accident: If any accident occurs to the contractor's labour while on duty, the department will not be
responsible in any way, either legal or financial, for the accident to the contractor's labour, and the same
shall be at the risk and cost of the contractor. The contractor will have to pay compensation as per the
Workmen's Compensation Act to the labourers.

29) Expenses
i) Prices payable to the Bidder as stated in the Contract shall be firm and not subject to adjustment
during performance of the Contract, irrespective of reasons whatsoever, including exchange rate
fluctuations, changes in taxes, duties, levies, charges, etc. However, MSLDC, MSETCL shall be
entitled to make applicable deductions including adjustment in the payment of Contract price in the
event of levying liquidated damages on the Bidder as provided under the Contract.
ii) It may be noted that MSLDC, MSETCL will not pay any amount / expenses / charges / fees /
traveling expenses / boarding expenses / lodging expenses / conveyance expenses / out of pocket
expenses other than the ‘Agreed Price’.

30) Force Majeure


Any failure or delay by the selected Vendor or MSLDC in the performance of its obligations, to the
extent due to any failure or delay caused by fire, flood, earthquake or similar elements of nature, or
acts of God, war, terrorism, riots, civil disorders, rebellions or revolutions, acts of governmental
authorities or other events beyond the reasonable control of the non-performing party, is not a default or a
ground for termination. The affected party shall notify the other party of the occurrence of a Force
Majeure Event forthwith.

31) Indemnity
Vendor shall indemnify MSLDC and keep the MSLDC indemnified for any loss or damage, cost or
consequences that MSLDC may sustain, suffer or incur on account of violation of intellectual
property rights of a third party by the Vendor. The Vendor shall always remain liable to MSLDC for any
losses suffered by MSLDC due to any technical error or negligence or fault on the part of the
Vendor, and the Vendor shall also indemnify MSLDC for the same.

32) For any loss to the company’s property during execution of work, the bidder will be liable to pay the
equivalent compensation as per the recommendation of concerned engineer.

33) MSETCL will not be responsible for any accident (fatal or non-fatal) or injury to the personnel of the
agency or any financial implication arising there from.

34) All the terms and conditions for the supply, testing and acceptance, payment terms, penalty etc. shall
be as those mentioned herein and no change in the terms & conditions will be acceptable

35) The tender should be completed with all particulars & Annexures. Wherever it is mentioned the
tender must be signed along with seal. Any document of the tender not bearing the signature of bidder
is liable to be rejected.

36) In case of dispute, if any, the legal jurisdiction of the court shall be Mumbai only.

37) In case L-1 is more than one, then the Technical qualification of the Bidder will be the criteria and
the decision of MSLDC, MSETCL will be final and binding.

38) Earnest Money Deposit: Each bidder will be required to pay an EMD as mentioned in Tender before
due time of closing. Request for payment of EMD after closing of tender & consideration of tender
shall not be entertained.
The EMD is liable to be forfeited under the following conditions :
a) In case the tender is withdrawn at or after the specified time or date of tender opening, but before
expiry of the validity period.
b) The bidder refuses to accept the order placed during the validity period.
c) The bidder fails to pay the prescribed SD against the order placed within the prescribed period.

39) The Bidder should have the qualified engineers/ staff to execute the work as per the scope of work.
40) Cancellation of Contract and Compensation
MSLDC, MSETCL reserves the right to cancel the contract of the selected Vendor and recover
expenditure incurred by MSLDC, MSETCL in any of the following circumstances. MSLDC,
MSETCL would provide 30 days’ notice to rectify any breach / unsatisfactory progress if:

• Vendor commits a breach of any of the terms and conditions of the bid/contract;
• Vendor becomes insolvent or goes into liquidation voluntarily or otherwise;
• an attachment is levied or continues to be levied for a period of 7 days upon effects of the
bid;
• the progress regarding execution of the contract, made by the Vendor is found to be
unsatisfactory;
• if the Vendor fails to complete the due performance of the contract in accordance with the
agreed terms and conditions.
After the award of the contract, if the selected Vendor does not perform satisfactorily or delays
execution of the contract, MSLDC, MSETCL reserves the right to get the balance contract executed
by another party of its choice by giving one month’s notice for the same. In this event, the selected
Vendor is bound to make good the additional expenditure, which MSLDC, MSETCL may have to
incur to select and carry out the execution of the balance of the contract. This clause is also applicable,
if for any reason, the contract is cancelled.
MSLDC, MSETCL reserves the right to recover any dues payable by the selected Vendor from any
amount outstanding to the credit of the selected Vendor, including the pending bills and / or invoking
the Bank Guarantee / Security Deposit, if any, under this contract.

41) Office space and normal office facilities shall be provided by MSLDC.

42) Income tax, WCT or other statutory taxes if applicable will be deducted at the prevailing rate.

43) All the expenses shall be borne by the Vendor.

44) Travelling Expenses:- No travelling expenses will be reimbursed or paid to the services &
Maintenance Engineers or any other staff for visiting offices of the MSLDC for maintenance
work.

45) Any loss to MSLDC property occurring during execution of works shall be made good at
your cost.

46) MSLDC may at its discretion abandon the tender process any time before the issuance of Purchase Order.

47) Where there is a discrepancy between the amounts in figures and in words, the amount in words
shall govern.

48) Partial Bid will be summarily rejected without giving any reason/notice to the Bidder.

49) No increase or any other changes in the price will be acceptable after the opening of the bid.

50) Any variation in the rates, etc. will not be allowed on any ground such as mistake, misunderstanding,
typographical error, etc. after the Enquiry has been submitted. The quoted rate must include all charges
including free replacement of spare parts.

51) During the period of contract, no upward revision of charges will be accepted.

52) You shall abide by the M.S.E.T.C.L. standard terms and conditions regarding work contracts.

53) Apart from the above points, all the terms and conditions published by MSETCL in
booklet “Tender & Contract of Works” are applicable here also.

54) Signing of Contract Agreement: In case an order is placed, you will have to enter into an agreement with
MSLDC, MSETCL, in the prescribed format on bond paper of appropriate amount at your cost
within 7 days from the date of receipt of the order as per the D O ltr no. Mudrank-
2009/2707/Pra.Kra./326/M-1 dtd 09.10.09 and Co.'s Adm. Circular no. 207 dtd 17.04.10 (Circular
attached along with). MSLDC, MSETCL will not be liable to pay, nor shall you be entitled to
claim, any bill amount due or payable under the contract until the agreement is executed with
MSLDC, MSETCL. The necessary Stamp Duty for the agreement shall be borne by you.

55) The successful Bidder shall have to sign a Non-Disclosure Agreement as per the format of Annexure
‘F’ with MSLDC within 7 (Seven) days from the date of receipt of Letter of Award/Work Order.

Sd/-
(Mahesh Bhagwat)
Chief Engineer
MSETCL, SLDC, Airoli.

Annexure-A
System/Equipment details
1. IT Applications (VAPT to be performed on Bi-Annual basis)

Sr. No | App Name | Business purpose in brief | Technologies Used | No of user roles | No of Static/dynamic pages | Third party APIs to be tested? | Activity Onsite/Offsite
1 | DSR | 1. To generate Daily System Report out of various data points. These data points are collected from Generating stations, Substations, Circle offices of MSETCL. Some data is fed into the system at SLDC and ALDC. 2. To track Outage management workflow in the system. | J2EE Struts, Backend - Oracle 10G, Application Server: Tomcat | 20 | Static Pg - 1, Dynamic pg - 60 | NO | Onsite
2 | QCA & RE-DSM Management Tool | The QCA and RE-DSM Management Tool is to manage the deviation settlements between the QCA (Qualified coordinating agency) and Load Dispatching centers, by providing the provision to generate weekly energy deviation settlement for the QCAs, provision to settle the Payments for the same and different Reports generation with the available data. | Spring Boot, Spring, Hibernate, ThymeLeaf, JavaScript, JQuery, MySQL | 14 (SLDC : 13, QCA : 01) | Static Pg - 02, Dynamic pg - 147 | YES (02) | Onsite

2. OT Applications (VA to be performed on Annual basis)

Sr. No | App Name | Business purpose in brief | Technologies Used | No of user roles | No of Static/dynamic pages | Third party APIs to be tested? | Activity Onsite/Offsite
1 | SCADA | SCADA System in SLDC is used for Monitoring of Maharashtra State Power System; control of the Grid is done manually. | OS: Solaris 5.10, Spectrum 4.5.1 | 3 | NA | NO | Onsite
2 | REMC | Renewable Energy Management System (REMC) is used for Monitoring, Scheduling and forecasting of Renewable Energy (RE) generating stations. | Windows Server 2016, RHEL 7.3, Siemens Spectrum power 7, Nagios, Acronis, Java, Oracle | 2 | Static Pg - 06, Dynamic pg - 02 | NO | Onsite
3 | URTDSM | Unified Real Time Dynamic State Measurement (URTDSM) is used for visualization of the dynamic behavior of the Power System. Data is collected through Phasor Measurement Units (PMUs) installed at Substations. | ESXI 6.7.0, RHEL 6.5, RHEL 6.7, RHEL 7.1, Windows 7 professional, Windows server 2012 R2, Windows 10 pro | 2 | Static Pg - 06 | NO | Onsite

3. IT Firewalls (VAPT & Configuration review to be performed on Bi-Annual basis)

Sr. No | Item | Details
1 | Total no. of Firewalls for review. | Two numbers
2 | Name and version details of each Firewall. | 1. CHECKPOINT 5100 NGTX => OS GAIA R80.40; 2. SOPHOS XGS4300 => OS SFOS 18.5.1 MR-1-1-Build358
3 | Firewall ACL rule set review to be conducted? | YES
4 | If yes, total number of firewall ACL rules to review? | 1. CHECKPOINT 5100 NGTX => 52; 2. SOPHOS XGS4300 => 33
5 | Internal firewall security baseline documents to refer, available? | NO
6 | Activity to be done onsite/offsite? | ONSITE
7 | Configuration files shared with offsite team? | NO

4. OT Firewalls (VAPT & Configuration review to be performed on Annual basis)

Sr. No | Item | Details
1 | Total no. of Firewalls for review. | Five numbers
2 | Name and version details of each Firewall. | 1. REMC => FortiGate 201E (OS Version 7.2.3); 2. REMC => Watchguard M4600 (OS Version 12.9); 3. SCADA => SOPHOS XG430 (OS SFOS 17.5.15 MR-15); 4. URTDSM => Fortigate 300D v6.2.12; 5. URTDSM => Checkpoint R80.40
3 | Firewall ACL rule set review to be conducted? | YES
4 | If yes, total number of firewall ACL rules to review? | FortiGate 201E => 22; Watchguard M4600 => 42; SOPHOS XG430 => 04; FORTIGATE 300D & Checkpoint R80.40 => 72
5 | Internal firewall security baseline documents to refer, available? | NO
6 | Activity to be done onsite/offsite? | ONSITE
7 | Configuration files shared with offsite team? | NO

5. OT Systems (VAPT & Configuration Review to be performed on Annual basis)

Sr. No | Equipment Type | System Name | Make | Model | Firmware/OS with Version | Application
1 | Server | SCADA-SLDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 | Main Production Server holding the Database and critical Database Management Softwares. Proper functioning of the information master Server is critical for smooth functioning of the SCADA System as it is the administrator Server which maintains a common database and critical System Database Management processes.
2 | Server | SCADA-SLDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 | Backup of main Production Server holding the Database and critical Database Management Softwares.
3 | Server | SCADA-SLDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 | Real time Server used to perform various real time calculations of data.
4 | Server | SCADA-SLDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 | Real time Server used to perform various real time calculations of data.
5 | Server | SCADA-SLDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 | Front end processor (FEP) server for field IED/RTU data communication.
6 | Server | SCADA-SLDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 | Front end processor (FEP) server for field IED/RTU data communication.
7 | Server | SCADA-SLDC | SUN | NETRA 240 | Solaris 10 Version 5.10 | Works on ICCP protocol to facilitate data exchanges between control centers.
8 | Server | SCADA-SLDC | SUN | NETRA 240 | Solaris 10 Version 5.10 | Works on ICCP protocol to facilitate data exchanges between control centers.
9 | Server | SCADA-SLDC | SUN | NETRA 240 | Solaris 10 Version 5.10 | EMS server for Network Applications.
10 | Server | SCADA-SLDC | SUN | NETRA 240 | Solaris 10 Version 5.10 | EMS server for Automatic Generation Control.
11 | Server | SCADA-SLDC | SUN | NETRA 240 | Solaris 10 Version 5.10 | EMS server for EMS calculations.
12 | Server | SCADA-SLDC | SUN | NETRA 240 | Solaris 10 Version 5.10 | Used to take real time network snapshot for SCADA (EMS) operation.
13 | Workstation | SCADA-SLDC | SUN | ULTRA 25 | Solaris 10 Version 5.10 | SCADA User Interface (HMI) to display GUI data to operators.
14 | Workstation | SCADA-SLDC | SUN | ULTRA 25 | Solaris 10 Version 5.10 | SCADA User Interface (HMI) to display GUI data to operators.
15 | Workstation | SCADA-SLDC | SUN | ULTRA 25 | Solaris 10 Version 5.10 | SCADA User Interface (HMI) to display GUI data to operators.
16 | Workstation | SCADA-SLDC | SUN | ULTRA 25 | Solaris 10 Version 5.10 | SCADA User Interface (HMI) to display GUI data to operators.
17 | Workstation | SCADA-SLDC | SUN | ULTRA 25 | Solaris 10 Version 5.10 | SCADA User Interface (HMI) to display GUI data to operators.
18 | Server | SCADA-SLDC | SUN | NETRA 240 | Solaris 10 Version 5.10 | All-In-One Server.
19 | Workstation | SCADA-SLDC | SUN | ULTRA 25 | Solaris 10 Version 5.10 | SCADA User Interface (HMI) to display GUI data to operators.
20 | Switch (L2) | SCADA-SLDC | CISCO | Catalyst 2960 | NA | NA
21 | Switch (L2) | SCADA-SLDC | CISCO | SG 300 | NA | NA
22 | Switch | SCADA-SLDC | D-LINK | DES 1024A | NA | NA
23 | Switch L3 | SCADA-SLDC | D-LINK | 3630 | NA | NA
24 | Switch L3 | SCADA-SLDC | D-LINK | 3630 | NA | NA
25 | Switch L2 | SCADA-SLDC | CISCO | Catalyst 2960 X | NA | NA
26 | Switch L2 | SCADA-SLDC | CISCO | Catalyst 2960 X | NA | NA
27 | Router | SCADA-SLDC | CISCO | 3945 | NA | MPLS Communication
28 | Router | SCADA-SLDC | CISCO | 3945 | NA | MPLS Communication
29 | Server | SCADA-ALDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 |
30 | Server | SCADA-ALDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 |
31 | Server | SCADA-ALDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 |
32 | Server | SCADA-ALDC | SUN | SPARC T4-1 | Solaris 10 Version 5.10 |
33 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
34 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
35 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
36 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
37 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
38 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
39 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
40 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
41 | Server | SCADA-ALDC | SUN | NETRA 240 | Solaris 10 Version 5.10 |
42 | Workstation | SCADA-ALDC | SUN | Ultra 25 | Solaris 10 Version 5.10 |
43 | Workstation | SCADA-ALDC | SUN | Ultra 25 | Solaris 10 Version 5.10 |
44 | Workstation | SCADA-ALDC | SUN | Ultra 25 | Solaris 10 Version 5.10 |
45 | Workstation | SCADA-ALDC | SUN | Ultra 25 | Solaris 10 Version 5.10 |
46 | Switch | SCADA-ALDC | D-LINK | D-LINK | NA | NA
47 | Switch | SCADA-ALDC | D-LINK | D-LINK | NA | NA
48 | Switch | SCADA-ALDC | CATALYST | 2960 | NA | NA
49 | Switch | SCADA-ALDC | CATALYST | 2960 | NA | NA
50 | Switch | SCADA-ALDC | CISCO | | NA | NA
51 | Switch | SCADA-ALDC | Catalyst | 2960 X | NA | NA
52 | Switch | SCADA-ALDC | RSG | RSG 2100 | NA | NA
53 | Switch | SCADA-ALDC | D-LINK | DES-3200-28 | NA | NA
54 | Router | SCADA-ALDC | CISCO | 3800 | NA | NA
55 | Router | SCADA-ALDC | CISCO | 3900 | NA | NA
56 | Router | SCADA-ALDC | CISCO | 3900 | NA | NA
57 | Router | SCADA-ALDC | CISCO | 1800 | NA | NA
58 | Router | SCADA-ALDC | CISCO | 1800 | NA | NA
59 | Router | SCADA-ALDC | CISCO | 1800 | NA | NA
60 | Router | SCADA-ALDC | CISCO | | NA | NA
61 | Router | SCADA-ALDC | CISCO | | NA | NA
62 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | ISR 1
63 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | ISR 2
64 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | SCADA 1
65 | Workstation | REMC-SLDC | N/A | N/A | RHEL 7.3 | User Interface
66 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | SCADA 2
67 | Workstation | REMC-SLDC | N/A | N/A | RHEL 7.3 | User Interface
68 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | ICCP 1
69 | Server | REMC-SLDC | N/A | N/A | RHEL 7.3 | IFS1
70 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | ICCP 2
71 | Server | REMC-SLDC | N/A | N/A | RHEL 7.3 | IFS2
72 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.5 | Forecasting Software
73 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.5 | Forecasting Software
74 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Historian software
75 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Historian software
76 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | Network Management Software
77 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | Network Management Software
78 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Active Directory
79 | Server | REMC-SLDC | N/A | N/A | Windows Server 2016 | DMS (Virtual in SA1)
80 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Active Directory
81 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Patch Management application
82 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Antivirus
83 | Server | REMC-SLDC | N/A | N/A | Windows Server 2016 | Historian web software
84 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Historian software
85 | Server | REMC-SLDC | N/A | N/A | RHEL 7.3 | Corporate DR software
86 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Historian software
87 | Server | REMC-SLDC | N/A | N/A | Windows Server 2016 | VM SQL
88 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.5 | Forecasting application Software
89 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.5 | Forecasting application Software
90 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Historian web software
91 | Server | REMC-SLDC | N/A | N/A | RHEL 7.3 | Corporate web (VM in 106.1)
92 | Server | REMC-SLDC | N/A | N/A | RHEL 7.5 | Forecasting web
93 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2016 | Historian web software
94 | Server | REMC-SLDC | N/A | N/A | RHEL 7.3 | Corporate web (VM in 106.2)
95 | Server | REMC-SLDC | N/A | N/A | RHEL 7.5 | Forecasting web
96 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | Windows Server 2012 | Server management Console
97 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | CMC
98 | Server | REMC-SLDC | HPE | ProLiant DL360 Gen9 | RHEL 7.3 | PDS
99 | Server | REMC-SLDC | N/A | N/A | Windows Server 2012 | PDS Server VM
100 | Server | REMC-SLDC | N/A | N/A | Windows 10 | PDS (All in One Virtual)
101 | Server | REMC-SLDC | HPE | StoreEasy 1850 | Windows Server 2016 | NAS
102 | Workstation | REMC-SLDC | HP | Z240 Tower Workstation | Windows 10 Enterprise | Operator Console 1
103 | Workstation | REMC-SLDC | HP | Z240 Tower Workstation | Windows 10 Enterprise | Operator Console 2
104 | Workstation | REMC-SLDC | HP | Z240 Tower Workstation | Windows 10 Professional | Operator Console 3
105 | Workstation | REMC-SLDC | HP | Z240 Tower Workstation | Windows 10 Professional | Operator Console 4
106 | Server | REMC-SLDC | Barco | MVL 4x2 | Windows 10 Professional | VPS Screen Controller
107 | Workstation | REMC-SLDC | HP | Z240 Tower Workstation | Windows 10 Professional | PDS Console 1
108 | Workstation | REMC-SLDC | HP | Z240 Tower Workstation | Windows 10 Enterprise | PDS Console 2
109 | Switch | REMC-SLDC | Aruba | 2930F | NA | SCADA SWITCH 1
110 | Switch | REMC-SLDC | Aruba | 2930F | NA | SCADA SWITCH 2
111 | Switch | REMC-SLDC | Aruba | 2930F | NA | ICCP SWITCH 1
112 | Switch | REMC-SLDC | Aruba | 2930F | NA | ICCP SWITCH 2
113 | Switch | REMC-SLDC | Aruba | 2930F | NA | NMS SWITCH 1
114 | Switch | REMC-SLDC | Aruba | 2930F | NA | NMS SWITCH 2
115 | Switch | REMC-SLDC | Aruba | 2930F | NA | INT DMZ SWITCH 1
116 | Switch | REMC-SLDC | Aruba | 2930F | NA | INT DMZ SWITCH 1
117 | Switch | REMC-SLDC | Aruba | 2930F | NA | EXT DMZ SWITCH 1
118 | Switch | REMC-SLDC | Aruba | 2930F | NA | EXT DMZ SWITCH 2
119 | Switch | REMC-SLDC | Aruba | 2930F | NA | MGMT SWITCH 1
120 | Switch | REMC-SLDC | Aruba | 2930F | NA | MGMT SWITCH 2
121 | Router | REMC-SLDC | Techroute | TSR 8000 Series | NA | ICCP ROUTER 1
122 | Router | REMC-SLDC | Techroute | TSR 8000 Series | NA | ICCP ROUTER 2
123 | Router | REMC-SLDC | Techroute | TSR 8000 Series | NA | IFS ROUTER 1
124 | Router | REMC-SLDC | Techroute | TSR 8000 Series | NA | IFS ROUTER 1
125 | Server | REMC-SLDC | N/A | N/A | Windows Server 2016 | OPC (OPEN PLATFORM COMMUNICATION)
126 | Server | REMC-SLDC | N/A | N/A | Windows Server 2016 | OPC (OPEN PLATFORM COMMUNICATION)
127 | Server | REMC-SLDC | N/A | N/A | RHEL | web1cluster
128 | Server | REMC-SLDC | N/A | N/A | RHEL | web2cluster
129 | Server | URTDSM-SLDC | CISCO | C240-M3 | RHEL 6.5 (VM 1), Windows Server 2012 (VM 2), ESXI 6.0 (Base OS) | Programming Development Server
130 | Server | URTDSM-SLDC | CISCO | C240-M3 | RHEL 6.5 (VM 1), RHEL 6.7 (VM 2), RHEL 6.7 (VM 3), ESXI 6.0 (Base OS) | Analytical Application Server with 3 VM
131 | Server | URTDSM-SLDC | CISCO | C240-M3 | RHEL 6.5 (VM 1), RHEL 6.7 (VM 2), RHEL 6.7 (VM 3), ESXI 6.0 (Base OS) | Analytical Application Server with 3 VM
132 | Server | URTDSM-SLDC | CISCO | C240-M3 | RHEL 6.7 | Data Historian Server
133 | Server | URTDSM-SLDC | CISCO | C240-M3 | RHEL 6.7 | Data Historian Server
134 | Server | URTDSM-SLDC | CISCO | C240-M3 | Windows server 2012 (VM 1), RHEL 7.1 (VM 2), Windows server 2012 (VM 3), Windows server 2012 (VM 4), RHEL 6.7 (VM 5), Windows server 2012 (VM 6), RHEL 6.7 (VM 7), ESXI 6.0 (Base OS) | NMS Server cum Centralised Management Console / Patch Management Server / Identity Server
135 | Server | URTDSM-SLDC | CISCO | C240-M3 | Windows server 2012 (VM 1), RHEL 7.1 (VM 2), RHEL 6.7 (VM 3), ESXI 6.0 (Base OS) | NMS Server cum Centralised Management Console / Patch Management Server / Identity Server
136 | Server | URTDSM-SLDC | CISCO | C420-M4 | RHEL 6.7 | Server for PGCIL Owned Analytical Applications
137 | Server | URTDSM-SLDC | CISCO | C420-M4 | RHEL 6.7 | Server for PGCIL Owned Analytical Applications
138 | Workstation | URTDSM-SLDC | HP | Z840 | Windows 10 Professional | Workstation Console integrated with dual Touch-screen Monitors with Windows 7 (PDC Workstation)
139 | Workstation | URTDSM-SLDC | HP | Z840 | Windows 10 Professional | Workstation Console integrated with dual Touch-screen Monitors with Windows 7 (PDC Workstation)
140 | Workstation | URTDSM-SLDC | HP | Z820 | Windows 7 Professional | Workstation Console integrated with dual Touch-screen Monitors for PDS Application
141 | Workstation | URTDSM-SLDC | HP | Z840 | Windows 10 Professional | Workstation Console integrated with dual Touch-screen Monitors for PGCIL Owned Application
142 | Workstation | URTDSM-SLDC | HP | Z4 G4 | Windows 10 Professional | VPS Workstation Console
143 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
144 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
145 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
146 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
147 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
148 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
149 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
150 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
151 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
152 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
153 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
154 | Switch | URTDSM-SLDC | HP | HP A5500-24XG | NA | NA
155 | Router | URTDSM-SLDC | HP | HP-MSR-3024 | NA | NA
156 | Router | URTDSM-SLDC | HP | HP-MSR-3024 | NA | NA
157 | Router | URTDSM-SLDC | HP | HP-MSR-3024 | NA | NA
158 | Router | URTDSM-SLDC | HP | HP-MSR-3024 | NA | NA
159 | Router | URTDSM-SLDC | HP | HP-MSR-3024 | NA | NA

6. Other Systems

Sr. No | Name of Application / Equipment | System Type (IT/OT) | Activity | Schedule
1 | Active Directory | IT-SLDC | Configuration Review | Bi-Annually
2 | Desktop / End Point (Count : 39) | IT-SLDC | VAPT | Bi-Annually
3 | Desktop / End Point (Count : 06) | IT-ALDC | VAPT | Bi-Annually
4 | Application Server (Win Server 2016 OS) | IT-ALDC | VAPT | Bi-Annually
5 | Backup System | IT-SLDC | Configuration Review | Bi-Annually
6 | Antivirus Solution | IT-SLDC | Configuration Review | Bi-Annually
7 | Antivirus Solution | IT-ALDC | Configuration Review | Bi-Annually
8 | Antivirus Solution | OT-REMC | Configuration Review | Annually
9 | Active Directory | OT-REMC-SLDC | Configuration Review | Annually
10 | Backup System | OT-REMC-SLDC | Configuration Review | Annually
11 | Backup System | OT-URTDSM-SLDC | Configuration Review | Annually

Annexure-B

ASSET SUMMARY DETAILS

Sr. No | ASSETS DETAILS | SLDC-IT | SLDC-OT SCADA | SLDC-OT REMC | SLDC-OT URTDSM | ALDC-IT | ALDC-OT SCADA
1 | Windows Servers | 6 + 5 (VM) | - | 20 | 6 (VM) | 2 | -
2 | Linux/Unix Servers | 10 | - | 23 | 4 + 12 (VM) | - | -
3 | ESXI Server | 1 | - | - | 5 | - | -
4 | Solaris Servers | - | 13 | - | - | - | 13
5 | Firewalls | 4 | 2 | 4 | 3 | - | -
6 | Intrusion Detection/Prevention Systems | - | - | - | - | - | -
7 | Routers | - | 2 | 4 | 5 | 4 | 8
8 | Switches | 29 | 7 | 12 | 12 | 5 | 8
9 | Desktops / Laptop / WorkStation (Solaris) | - | 6 | - | - | - | 4
10 | Desktops / Laptop / WorkStation (RHEL) | - | - | 2 | - | - | -
11 | Desktops / Laptop / WorkStation (Windows) | 153 | - | 6 | 5 | 24 | -
12 | Public IP's | 10 | - | 2 | - | - | -

Security & compliance Audit of IT Infrastructure is to be performed twice in the year and for OT
Systems to be performed once in a year during the contract period as per the schedule given by
MSLDC.

Annexure-C

Minimum checks to be done for Vulnerability Assessment and Penetration Testing are noted
below. Each entry gives the Sr. No, Name of the test and Internet/Intranet scope, followed by the
description (indicative list of activities, but not limited to).

Penetration Testing

1 | OSINT | Internet
    Gather entity's domain information using:
    i. Whois
    ii. DNS queries etc.
    iii. E-mail Harvesting
    iv. Check for leakage of passwords for compromised e-mails.
    v. Historical Data analysis
    vi. Google Dorking.
    vii. Dark Web.

2 | Network scanning | Internet
    Identify active hosts on a network, for simulating attack and also for network security
    assessment using the below procedures but not limited to:
    i. Name server responses
    ii. Review the outer wall of the network.
    iii. Review tracks
    iv. Review information leaks
    v. WAF Fingerprinting

3 | Port scanning | Internet
    Identify active ports on server port addresses:
    i. Error Checking
    ii. Enumerate Systems
    iii. Enumerating Ports
    iv. Verification of Various Protocol Responses
    v. Verification of Packet Level Response

4 | Port sweep | Internet
    Scan multiple hosts for a specific listening port for potential vulnerabilities.

5 | System & OS fingerprinting | Internet
    Guess the system information, i.e., type and version of OS etc.

6 | System identification and trusted system scanning | Internet
    Perform the system identification & trusted system scanning which would include but not be
    limited to the following:
    i. Identify server uptime to latest patch releases.
    ii. Match each open port to a service.
    iii. Identify the application behind the service and the patch level using banners or
    fingerprinting.
    iv. Verify the application on the system and the version.
    v. Locate and identify service remapping or system redirects.
    vi. Identify the components of the listening service.
    vii. Use UDP-based service

7 | Web Application / applications / website penetration testing services | Internet / Intranet
    Perform the below listed penetration testing services but not limited to:
    i. Automated fuzzing.
    ii. Encryption usage testing (e.g., applications' use of encryption)
    iii. Testing systems for user session management to see if unauthorized access can be
    permitted, including but not limited to:
        a. Input validation of login fields.
        b. Cookie security.
        c. Lockout testing.
        d. User session integrity testing.
    iv. The solution partner shall perform the application penetration test Services on mobile
    applications of entities
    v. Injection attacks.
    vi. Broken Authentication and Session Management.
    vii. Insecure direct object references
    viii. Security misconfiguration.
    ix. Sensitive data exposure.
    x. Missing function level access control.
    xi. Cross Site Request Forgery ("CSRF").
    xii. Using components with known vulnerabilities.
    xiii. Unvalidated redirects and forwards.
    xiv. Review of specific controls against Web Defacing and uploading of Trojan/ Virus/
    Malware/ Spyware etc. on various servers and further spread of the same to
    clients/connected machines.
    xv. LDAP injection
    xvi. OWASP top 10 and SANS Top 25 CWE.

8 | Network Penetration Testing Services | Internet / Intranet
    Perform network penetration testing services as listed below but not limited to:
    i. The auditor should be able to identify network services exposed over the entity's
    system IP addresses. This should also be able to identify if the services blocked by
    network security solutions could also be exposed to the internet.
    ii. Identify targets and map attack vectors (i.e., threat modelling).
    iii. Provide penetration testing from both inside and outside of Client's network.
    iv. Internet Protocol ("IP") address mapping of network devices.
    v. Logical location mapping of network devices.
    vi. Transmission Control Protocol ("TCP") scanning, connect scan, SYN scan, RST
    scan, User Datagram Protocol ("UDP") scan, Internet Control Message Protocol
    ("ICMP") scan, and Remote Procedure Call ("RPC") port scan etc.
    vii. Operating System ("OS") fingerprinting (OS fingerprinting is the combination of
    passive research and active scanning tools to generate an accurate network map).
    viii. Banner grabbing.
    ix. Brute force attacks.

9 | Wireless Penetration Testing Services //If Applicable//
    Perform wireless penetration testing as listed below but not limited to:
    i. Wireless network testing / war driving.
    ii. Wi-Fi cracking (WPA2 or WPA3).
    iii. Telephony or Voice over Internet Protocol ("VoIP") testing, as requested

Vulnerability Assessment

10 | System identification on intranet
    Perform the system identification scanning which would include but not be limited to the
    following in intranet:
    i. Obtain internal IP information about approved targets
    ii. In stealth mode perform a port sweep to develop a map of internal network structure
    and design
    iii. Attempt to identify critical business systems
    iv. Attempt to identify database systems, web applications and other technologies based on
    footprint.
    v. Scan multiple hosts for a specific listening port for potential vulnerabilities
    vi. Determine the system information, i.e., type and version of OS etc.

11 | Vulnerability scanning
    Carry out vulnerability assessment for entire IT assets. Auditor shall conduct the research
    including but not limited to the following:
    i. Integrate the currently popular scanners, latest scanning definitions/signatures,
    hacking tools, and exploits into the tests.
    ii. Measure against the currently popular scanning tools.
    iii. Determine vulnerability by system and application type.
    iv. Match vulnerabilities to services.
    v. Determine application type and service by vulnerability.
    vi. Perform redundant testing with at least 2 automated vulnerability scanners.
    vii. Identify all vulnerabilities according to applications.
    viii. Identify all vulnerabilities according to operating systems, servers, network
    devices etc.
    ix. Identify all vulnerabilities from similar or like systems that may also affect the target
    systems
    x. Verify all vulnerabilities found during the scanning phase for false positives and false
    negatives.

12 | Malware scanning
    i. Comprehensive scanning required for existing hostile or intrusive software, including
    computer viruses, worms, Trojans, ransomware, spyware, adware, scareware, and
    other malicious programs.
    ii. Verify whether Endpoint Detection and Response (EDR) is installed/implemented and
    activated or not.

13 | Spoofing | Internet
    Assess the scope of potential spoofing attacks, i.e., IP, ARP, DNS server spoofing, Email
    spoofing etc. and other applicable ones in the entity's environment.

14 | OS hardening assessment | Intranet
    Carry out the assessment of OS hardening of entity's servers as per Center for Internet Security
    (CIS) or customized CIS standards.

15 | Authorization testing | Intranet
    i. Perform authorization & authentication testing for administrative accounts for the present AD
    /IDAM/ etc. systems.
    ii. Verify that administrative accounts and system files and resources are secured properly and all
    access is granted with "Least Privilege".
    iii. Perform known attacks for AD abuse.

16 | Lockout testing | Internet
    Perform the brute force attack etc., lockout to identify any vulnerabilities.

17 | Cookie security and web bug analysis | Intranet and internet
    Review the cookie settings in all session management servers and identify the vulnerabilities.

18 | Website/web applications assessment | Internet and Intranet
    Assess web applications and websites with and without credentials having different access levels
    like operator, supervisor, administrator, etc., to check for vulnerabilities like privilege escalation,
    input validation, etc.

18a | Broken Authentication and Session Management | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18b | Cross-Site Scripting | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18c | Insecure Direct Object References | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18d | Sensitive Data Exposure | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18e | Missing Function Level Access Control | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18f | Cross-Site Request Forgery (CSRF) | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18g | Un-validated Redirects and Forwards | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18h | Failure to Restrict URL Access | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18i | Insufficient Transport Layer Protection | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18j | Any other vulnerability types applicable to web applications | Internet and Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

18k | Web defacing and uploading of malware | Internet and Intranet
    Review of specific controls against Web Defacing and uploading of Trojan/ Virus/ Malware/
    Spyware etc. on various servers and further spread of the same to clients/connected machines.

19 | OWASP 10 web application vulnerabilities | Internet and Intranet
    To review the applications against OWASP top 10 vulnerabilities as on the date of assessment
    and SANS Top 25 CWE.

20 | IDS/IPS review and fine tuning of signatures //if Applicable// | Intranet
    Perform IDS/IPS review including but not limited to the following:
    i. IPS and features identification
    ii. Testing IPS configuration
    iii. Reviewing IPS logs and alerts

21 | Man in the Middle attack | Internet
    Perform man in the middle attack to identify sensitive data exposure vulnerability.

22 | Man in the browser attack | Internet
    Perform man in the browser attack to identify sensitive data exposure vulnerability.

23 | Directory Traversal | Internet
    Assess and identify the directory traversal vulnerabilities in entity's systems.

24 | Any other vulnerability associated with entity's IT components | Internet & Intranet
    Identify vulnerabilities using a mix of automatic and manual assessment techniques.

25 | Cryptographic controls | Internet
    Identify vulnerabilities in implementation of the below technologies but not limited to:
    i. SSL configuration
    ii. Validate cryptographic strength

26 | DNS | Internet & Intranet
    Scan DNS servers for finding the below listed vulnerabilities but not limited to:
    i. Zone transfer
    ii. DOS and DDOS
    iii. Cache Poisoning etc.

27 | Wireless Leak Tests //If Applicable// | Intranet, and physically should be present
    Perform the vulnerability assessment & wireless leak test through the below listed activities but
    not limited to:
    i. Verify distance in which the wireless communication extends beyond the physical
    boundaries of the organization.
    ii. Verify authentication methods of the clients.
    iii. List equipment needed for testing.
    iv. Verify that encryption is configured and running, and what key length is used.
    v. Verify that clients can't be forced to fall back to plaintext mode.
    vi. Probe network for possible DoS problems
    vii. Controls for rogue access points

28 | Additional Penetration testing services
    Perform Penetration testing as provided below but not limited to:
    i. OWASP web application penetration testing methodologies
    ii. PCI standard penetration testing services (if existing)
    iii. Verify if the EDR / anti-malware / Antivirus services on servers and endpoints can be
    terminated through penetration testing tools.
    iv. On termination of EDR / anti-malware / Antivirus services, does it send any alert to SIEM or
    console at centralised location?

29 | Black Box Testing
    Entire IT infrastructure, applications, Databases, websites etc.

30 | Grey Box Testing
    Entire IT infrastructure, applications, Databases, websites etc.

31 | Cloud Infrastructure VAPT //If Applicable//
    The auditor shall identify various attack vectors by delving deeply into the cloud architecture,
    which ranges from the network layer of the cloud design, access management, testing of cloud
    management interfaces to the cloud applications running on cloud data centres. The scope of
    audit/ VAPT should be limited to the components/ services managed by the Regulated Entities.
    In addition to the above, the resources deployed for such cloud assessment should possess
    sufficient skills and expertise to detect the cloud specific risks (Ex.: multi-tenant isolation, cloud
    management interface security etc.).

53
Annexure –D
Price Schedule for reference only

Sr. No | Description | SAC | QTY | Frequency | GST
1 | SECURITY AND COMPLIANCE AUDIT OF IT INFRASTRUCTURE (As per Scope of Work) | 998316 | 4 | Bi-Annually | 18%
2 | SECURITY AND COMPLIANCE AUDIT OF OT INFRASTRUCTURE (As per Scope of Work) | 998316 | 2 | Annually | 18%
3 | VAPT OF THE IT SYSTEMS (As per Scope of Work) | 998316 | 4 | Bi-Annually | 18%
4 | VAPT OF THE OT SYSTEMS (As per Scope of Work) | 998316 | 2 | Annually | 18%

Note: Security & compliance Audit of IT Infrastructure is to be performed twice in the year, i.e. four times in the contract period of two years, as per the schedule given by MSLDC.

Security & compliance Audit of OT Infrastructure is to be performed once in the year, i.e. two times in the contract period of two years, as per the schedule given by MSLDC.

Bidder has to fill in the rate online in the SRM e-Tendering portal.

Bidders are requested to read the scope of work carefully before filling in the commercial online.

Sheet to be furnished along with Technical Bid

Annexure –E
UNDERTAKING

(On Company’s Letterhead)


To,
Chief Engineer (SLDC)
Maharashtra State Load Despatch Centre,
Airoli, Navi Mumbai
(RFX No:- 7000030210)

Dear Sir,

I / We quote our rates for the Cyber security audit (onsite) of the IT & OT systems hosted at MSLDC
Airoli & ALDC Ambazari, through CERT-IN empanelled Cyber Security Auditor for contract period of
Two Years, as per scope of work and terms and conditions mentioned in the tender document.

I / We have carefully read the tender document, which I / We have thoroughly understood and to which I / We hereby
agree.

I / We the undersigned have read the clause regarding restrictions on procurement from a bidder of a
country which shares a land border with India; I certify that << (name of bidder) >>, incorporated on
<< Date >> with its registered office at << Address >>, participating in the subject tender, is not
from such a country or, if from such a country, has been registered with the competent authority. I
hereby certify that I / We fulfil all requirements in this regard and am / are eligible to be considered.

I / We hereby agree to keep this offer open for 120 days from the opening date of the tender and shall be
bound by communication of acceptance dispatched within the prescribed time.

I / We hereby declare that I/we have not been blacklisted by the registering authority or any department
of the Central /State Government, Semi-Government, public undertakings, corporate etc.

I / We hereby declare that I / We have more than 100 employees on my / our payroll, out of which at least 15
employees hold the cyber security certification CEH / OSCP / CISA / CISSP / ISO 27001. Details
of the certified professionals are as below:

Sr. No | Employee ID | Employee Name | Date Of Joining | Years of Experience | Qualification | Designation | Certification
01 | | | | | | |
02 | | | | | | |
. | | | | | | |
. | | | | | | |
. | | | | | | |
19 | | | | | | |
20 | | | | | | |

The information given by me is true and in future if it is found that the information given by me is false
then MSETCL is free to take legal action including termination of the contract, against me.

Yours faithfully,

Seal & Signature of the Bidder

Date:

Place:

Annexure-F

NON-DISCLOSURE AGREEMENT
[To be submitted on duly notarized stamp paper of INR 100]

Date:

This Declaration (“Declaration”) is entered into as of ______________ (the “Effective Date”) by and between:

Disclosing Party: Maharashtra State Electricity Transmission Company limited (MSETCL)

and

Receiving Party: ______________, as a(n) (Check one)

☐ Individual ☐ Corporation ☐ Limited Liability Company ☐ Partnership ☐ Limited Partnership ☐ Limited Liability Partnership ("Receiving Party")

Disclosing Party and Receiving Party have entered into a business relationship relating to:

______________ (the “Transaction”).

In connection with its respective evaluation of the Transaction, each party, their respective affiliates
and their respective directors, officers, employees, agents or advisors (collectively,
“Representatives”) may provide or gain access to certain confidential and proprietary information.
A party disclosing its Confidential Information to the other party is hereafter referred to as a
“Disclosing Party.” A party receiving the Confidential Information of a Disclosing Party is
hereafter referred to as a “Receiving Party.” In consideration for being furnished Confidential
Information, Disclosing Party and Receiving Party agree as follows:

1. Confidential Information. Confidential information is: (Check One)

☐ All information shared by Disclosing Party. "Confidential Information" shall mean (i) all information relating to Disclosing Party’s products, business and operations including, but not limited to, financial documents and plans, customers, suppliers, manufacturing partners, marketing strategies, vendors, products, product development plans, technical product data, product samples, costs, sources, strategies, operations procedures, proprietary concepts, inventions, sales leads, sales data, customer lists, customer profiles, technical advice or knowledge, contractual agreements, price lists, supplier lists, sales estimates, product specifications, trade secrets, distribution methods, inventories, marketing strategies, source code, software, algorithms, data, drawings or schematics, blueprints, computer programs and systems and know-how or other intellectual property of Disclosing Party and its affiliates that may be at any time furnished, communicated or delivered by Disclosing Party to Receiving Party, whether in oral, tangible, electronic or other form; (ii) the terms of any agreement, including this Agreement, and the discussions, negotiations and proposals related to any agreement; (iii) information acquired during any tours of Disclosing Party’s facilities; and (iv) all other non-public information provided by Disclosing Party whosoever. All Confidential Information shall remain the property of Disclosing Party.

☐ Only information marked ‘Confidential.’ "Confidential Information," exchanged by the parties and entitled to protection hereunder, shall be identified or marked as such by an appropriate stamp or marking on each document exchanged designating the information as confidential or proprietary.

☐ Specific information. The term “Confidential Information” as used in this Agreement shall
mean any data or information that is competitively sensitive material and not generally known to
the public, including, but not limited to, information relating to any of the following specified
information, which Disclosing Party considers confidential:

2. Exclusions from Confidential Information. The obligation of confidentiality with respect to Confidential Information will be approved by CISO of disclosing Party only after providing proper justification.

3. Obligation to Maintain Confidentiality. With respect to Confidential Information:

a. Receiving Party and its Representatives agree to retain the Confidential Information of the
Disclosing Party in strict confidence, to protect the security, integrity and confidentiality of such
information and to not permit unauthorized access to or unauthorized use, disclosure, publication or
dissemination of Confidential Information except in conformity with this Agreement.
b. Receiving Party and its Representatives shall adopt and/or maintain security processes and
procedures to safeguard the confidentiality of all Confidential Information received by Disclosing
Party using a reasonable degree of care, but not less than that degree of care used in safeguarding
its own similar information or material.
c. Upon the termination of this Agreement, Receiving Party will ensure that all documents,
memoranda, notes and other writings or electronic records prepared by it that include or reflect any
Confidential Information are returned or destroyed as directed by Disclosing Party.
d. If there is an unauthorized disclosure or loss of any of the Confidential Information by Receiving Party or any of its Representatives, Receiving Party will promptly, at its own expense, notify Disclosing Party in writing and take all actions as may be necessary or reasonably requested by Disclosing Party to minimize any damage to the Disclosing Party or a third party as a result of the disclosure or loss; and
e. The obligation not to disclose Confidential Information shall: (Check one)
☐ Survive the termination of this Agreement, and at no time will Receiving Party or any of its
Representatives be permitted to disclose Confidential Information, except to the extent that such
Confidential Information is excluded from the obligations of confidentiality under this Agreement
pursuant to Paragraph 2 above.
☐ Remain in effect until ______________ or until the Confidential Information ceases to be a
trade secret, except to the extent that such Confidential Information is excluded from the
obligations of confidentiality under this Agreement pursuant to Paragraph 2 above.

4. Non-Disclosure of Transaction. Without Disclosing Party’s prior written consent, neither Receiving Party nor its Representatives shall disclose to any other person, except to the extent the provisions of Paragraph 2 apply.

5. Representatives. Receiving Party will take reasonable steps to ensure that its Representatives
adhere to the terms of this Agreement. Receiving Party will be responsible for any breach of this
Agreement by any of its Representatives.

6. Disclaimer. There is no representation or warranty, express or implied, made by Disclosing Party as to the accuracy or completeness of any of its Confidential Information. Except for the matters set forth in this Agreement, neither party will be under any obligation with regard to the Transaction. Either party may, in its sole discretion: (a) reject any proposals made by the other party or its Representatives with respect to the Transaction; (b) terminate discussions and negotiations with the other party or its Representatives at any time and for any reason or for no reason; and (c) change the procedures relating to the consideration of the Transaction at any time without prior notice to the other party.

9. Remedies. Each party agrees that use or disclosure of any Confidential Information in a manner
inconsistent with this Agreement will give rise to irreparable injury for which: (a) money damages
may not be a sufficient remedy for any breach of this Agreement by such party; (b) the other party
may be entitled to specific performance and injunction and other equitable relief with respect to
any such breach; (c) such remedies will not be the exclusive remedies for any such breach, but will
be in addition to all other remedies available at law or in equity; and (d) in the event of litigation
relating to this Agreement, if a court of competent jurisdiction determines in a final non-appealable
order that one party, or any of its Representatives, has breached this Agreement, such party will be
liable for reasonable legal fees and expenses incurred by the other party in connection with such
litigation, including, but not limited to, any appeals.

10. Notices. All notices given under this Agreement must be in writing. A notice is effective upon
receipt and shall be sent via one of the following methods: delivery in person, overnight courier
service, certified or registered mail, postage prepaid, return receipt requested, addressed to the
party to be notified at their address or by facsimile at the respective contact number or in the case of
either party, to such other party, address or facsimile number as such party may designate upon
reasonable notice to the other party.

11. Miscellaneous. This Agreement will inure to the benefit of and be binding on the respective successors and permitted assigns of the parties. Neither party may assign its rights or delegate its duties under this Agreement without the other party’s prior written consent. Any provision of this Agreement shall not be affected and shall continue to be valid, legal and enforceable as though the invalid, illegal or unenforceable parts had not been included in this Agreement. Neither party will be charged with any waiver of any provision of this Agreement, unless such waiver is evidenced by a writing signed by the party and any such waiver will be limited to the terms of such writing.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first
written above.

Disclosing Party: Maharashtra State Electricity Transmission Company limited (MSETCL).

Disclosing Party Representative Signature:

Disclosing Party Representative Full Name:

Receiving Party:

Receiving Party and Representative Seal/Signature:

Receiving Party and Representative Full Name:
