Specifications include, but are not limited to:

Documenting the system

- Architecture Diagram: The system architecture diagram lists the components of the system, defines how they are connected, and captures their physical locations.
- Network Diagram: The network diagram is a logical representation of the network. It depicts routers, switches, and firewalls. It also identifies how equipment is connected to switch ports.
- Asset Inventory: IACS assets consist of hardware (computers, IACS equipment, network equipment), software, and virtual hardware platforms. The asset inventory should track a variety of attributes, including device name, asset ID, function, manufacturer, serial number, model, firmware version, responsible organization, operating system, and network address.

Vulnerability Assessment Report

- GAP Analysis (GAP between Current Cyber Security State vs Desirable Cyber-Security State). The Desirable Cyber-Security State will be created using industry-accepted best practices, industry regulations, applicable standards, and recommendations from the following sources:
  - The River Authority Threat Hunting Analysis final report performed by DHS (will be shared once we engage)
  - Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies, Industrial Control Systems Cyber Emergency Response Team - September 2016, developed by DHS (attached document)
- Passive assessment: This includes discovering network devices using passive means, such as site surveys, network/architecture drawings, system logs, and equipment configuration files. Review equipment data against vulnerability databases and any other vulnerability identified by the manufacturer. Provide a list of each piece of equipment with all of its existing vulnerabilities.