
k20s - kinetic technologies private limited

IT/OT Cybersecurity Assessment - Dubai, UAE


Job Description

Job Role: IT/OT Cybersecurity Assessment

Experience: 5+ years

Location: Dubai, UAE (Onsite)

Duration: 1 month

Mandatory: Should have Own Visa

Skills Should Have

Cybersecurity vulnerability assessment

Network Penetration test

Application Penetration Test

Revalidation Test

Scope

The consultant will utilize industry best practices, methodologies and tools throughout the project to ensure that the assessment is comprehensive and accurate and offers the highest risk-reduction potential, in accordance with NCA requirements. The scope of the penetration tests must cover Internet-facing services and their technical components, including infrastructure, websites, web applications, mobile apps, email and remote access.

The chosen vendor will perform an extensive cybersecurity vulnerability assessment, including penetration testing and risk assessment. This will involve a thorough examination of the current state of the information technology network and Industrial Control System (DCS and SCADA) cybersecurity posture within the project company. The vendor will develop a plan for mitigating vulnerabilities and create a prioritized roadmap for enhancing the cybersecurity position of the system(s). Within 180 days of reporting the vulnerabilities, the vendor will conduct revalidation to confirm the closure of any issues.

Requirements

Throughout the project, the consultant will utilize industry best practices, methodologies, and tools to ensure that the assessment is comprehensive and accurate, and that it offers the highest potential for risk reduction in accordance with NCA requirements. Specifically, the scope of the penetration tests will cover Internet-facing services and their technical components, including infrastructure, websites, web applications, mobile apps, email, and remote access. This exercise will be divided into the below phases:

Phase (One): Cybersecurity vulnerability assessment:

The work includes, but is not limited to, assessing the following:

  • IT & ICS security policies and procedures
  • Network infrastructure, including PCs, servers, routers, firewalls, and switches
  • System configuration, including installed applications
  • Network, firewall and network security policies and access rules
  • Current security programs, devices and measures in place, such as anti-virus, anti-malware, and intrusion detection and prevention
  • Wireless network components (if any exist)
  • ICS Internet connectivity
  • ICS system connectivity to the corporate network
  • Time system and time synchronization across the plant.
  • Surveillance system (CCTV)
  • Susceptibility to advanced persistent threats (APTs) and viruses.

Phase (Two): Penetration test:

Network Penetration Test (Grey Box Test)

Conduct an external network penetration test on IT/ICS external connections. The security penetration testing should help identify weaknesses that might be exploited by external attackers.

  • All ICS external connections should be evaluated in terms of business advantages and security risks.
  • External network-layer penetration testing is to be performed on the network range of IPs allocated to the company.
  • Consider future threats the company may be exposed to through its application links on the Internet, such as man-in-the-middle attacks, malware attacks and man-in-the-browser attacks (including their variants), and recommend measures for minimizing them.
  • The vendor is to identify every vulnerable port/service/aspect in the network layer, communicate with the company and seek approval for exploiting. If authorized, the vendor will perform the exploitation and leave evidence as will be agreed.

Application Penetration Test (Grey Box Test)

The awarded vendor is requested to conduct application-level penetration testing externally using a grey-box scenario.

  • A brief knowledge of the applications will be provided (if required).
  • To cover all of the OWASP Top 10 vulnerabilities.
  • To perform an automated application security vulnerability test/check/scan using reputed scanners.
  • Risk assessment is to be performed using an approved risk assessment methodology.
  • The vendor is to identify every vulnerable service in the application layer, communicate with the company and seek approval for exploiting. If authorized, the vendor will perform the exploitation and leave evidence as will be agreed.
  • Application-level source code review is specifically excluded from this scope.

Phase (Three): Revalidation Test

In this phase, the vendor will verify the closure/mitigation of the reported vulnerabilities within 180 days of the final report. This will include a one-time iteration of the rescan/verification of all findings identified in Phase 1 till Phase 3.

Deliverables

  • A written report documenting the following:
      • An executive summary detailing the ICS's cybersecurity position
      • A report outlining identified cybersecurity vulnerabilities and gaps
      • A recommended mitigation plan(s), including a prioritized road map of activities
      • An estimated range of the total costs to implement the recommended mitigation plan(s)
      • An itemized cost estimate for each proposed component, including all licensing, support, maintenance and hosting, and annual costs for subscription-based services
  • The report should be delivered as a PowerPoint presentation as well as a comprehensive report in Word format.
  • Each finding should be supported by appropriate evidence, such as screen captures, data, etc., and by the tools used or method followed to arrive at the finding. Each finding should be classified based on severity and should include detailed implications and the testing procedure to follow after fixing the issue.
  • Each finding should include the priority and criticality of the system based on CIA criteria (Criticality, Integrity and Availability).
  • The vendor is to provide a vulnerability tracker along with each report in Excel sheet format.
  • The detailed findings report mentioned above will, at a minimum, include for each finding:
      • Implications
      • Application/asset/system at which it was identified
      • Risk level
      • Suggested countermeasure, with specific technical steps/configuration to fix the issue
      • How it was discovered
      • Conditions under which the exploit/vulnerability may materialize
      • Tool used
      • Evidence (such as screen capture, configuration, logs, file, report, etc.)
      • Estimated effort required for fixing the issue
      • Consequences of not fixing the issue
  • One cybersecurity awareness session (presentation): upon completion of the engagement, and based on the findings, the vendor is to produce and deliver an awareness presentation that addresses each of the concerned/affected areas.
  • The vendor is to present the findings to the relevant people and provide explanations and evidence for the findings and suggested controls.

General Conditions

  • The assessment should be conducted according to National Cyber Security (NCA) requirements.
  • The vendor will be required to identify exploitable vulnerabilities and, if authorized, will perform the exploitation and leave evidence as will be agreed. The vendor will include details of the exploitations done, along with their impact.
  • Persons working on site should be the persons who are proposed in the RFP response.
  • The entire project is to be completed within 30 working days of commencing the project, including report submission and the awareness presentation.
  • As a part of this project, the selected vendor will be required to sign a Non-Disclosure Agreement (NDA).
  • Quote the price separately for each phase. The company reserves the right to go for any of the phases or all phases, either with the same vendor or with different vendors.
  • The vendor will provide a clear timeline and project schedule, duly considering visa stamping requirements etc., in case consultants are coming from abroad.
  • The vendor must state what dependencies exist, if any.
  • Persons conducting penetration testing should have one or more of the following certifications. Mention the certifications possessed by each person.
      i. CPTC – Certified Penetration Testing Consultant
      ii. CPTE – Certified Penetration Testing Engineer
      iii. GPEN – GIAC Certified Penetration Tester
      iv. OSCP – Offensive Security Certified Professional
      v. CEH – Certified Ethical Hacker
      vi. CEPT – Certified Expert Penetration Tester
  • The selected vendor must prove strong experience of penetration testing in industrial control system environments. Please share reference letters from previous penetration testing clients (any operational disruption, etc.).

Skills: IT/OT, cybersecurity vulnerability, revalidation test, network penetration test, cybersecurity assessment, application penetration, vulnerability, cybersecurity, penetration testing

More Info


Job ID: 147537061