SAN ANTONIO WATER SYSTEM PURCHASING DEPARTMENT

Transcription

1 SAN ANTONIO WATER SYSTEM PURCHASING DEPARTMENT Issued By: Clifford Gorman Date Issued: July 6, 2015 BID NO.: FORMAL INVITATION FOR BEST VALUE BID (BVB) FOR THE ONE TIME PURCHASE OF SCADA NETWORK SECURITY ASSESSMENT ADDENDUM NO. 2 Sealed bids, one (1) Original and seven (7) copies, addressed to the Purchasing Director, San Antonio Water System, 2800 US Hwy 281 North, Administration Bldg., 5 th Floor, San Antonio, TX will be received until 3:00 p.m., July 14, 2015 and then publicly opened and read aloud for furnishing materials or services as described herein below, The San Antonio Water System Purchasing Department is willing to assist any bidder(s) in the interpretation of bid provisions or explanation of how bid forms are to be completed. Assistance may be received by visiting the Purchasing Office in the SAWS Main Office, 2800 US Hwy 281 North, San Antonio, TX 78212, or by calling (210) This invitation includes the following: Invitation for Best Value Bids Terms and Conditions of Invitation for Bids Specifications and General Requirements Price Schedule The undersigned, by his/her signature, represents that he/she is authorized to bind the Bidder to fully comply with the Specifications and General Requirements for the amount(s) shown on the accompanying bid sheet(s). By signing below, Bidder has read the entire document and agreed to the terms therein. Signer s Name: Firm Name: (Please Print or Type) Address: Signature of Person Authorized to Sign Bid City, State, Zip Code: Address: Telephone No.: Fax No.: Please complete the following: Prompt Payment Discount: % days. (If no discount is offered, Net 30 will apply.) Please check the following blanks which apply to your company: Ownership of firm (51% or more): Non-minority Hispanic African-American Other Minority (specify) Female Owned Handicapped Owned Small Business (less than $1 million annual receipts or 100 employees) Indicate Status: Partnership Corporation Sole Proprietorship Other (specify) To report suspected ethics violations impacting the San Antonio Water System, please call Page 1 of 12

2 This addendum is being issued to provide answers to the questions that were submitted. All terms, conditions and specifications remain unchanged. This addendum does not need to be returned with the bid submittal. Question 1 Section 18 Performance Deposit Is a performance deposit required I did not see a specification within the documentation? If so, What is your criteria for the Performance Deposit? There will be no performance bond required for this contract. Question 2 On Outdoor Wireless Network Vulnerability and Penetration Testing Page 19 of the RFC states that we will be reviewing 20 programmable logic devices (PLCs). Can you please comment on the location on the network and the current function of those PLCs, regarding if they are in production, or in a laboratory environment? Security testing of live industrial control systems presents challenges above and beyond what is typical of Internet facing or internal corporate systems. We want to have more clarity into the impact that our testing could have on business processes dependent on the networks and controlled devices that these PLCs are connected to. The number on page 19 represents a broad sample of our overall environment and are the nodes we want you to evaluate. They are all within a 30 mile radius from SAWS headquarters. Labs are available for 3 of 4 SCADA control systems. No lab is available for the outdoor wireless system. We understand the challenges presented by security testing live industrial control systems and are interested in your methodology. Question 3 On Outdoor Wireless Network Vulnerability and Penetration Testing Page 19 of the RFC states that we will be testing Denial of Service attacks on microwave radios and communications. Can you please comment on the location on the network and current function of those radios, regarding if they are in production, or in a laboratory environment? Security testing of live industrial control systems presents challenges above and beyond what is typical of Internet facing or corporate systems. We want to have more clarity into the impact that our testing could have on business processes dependent on the communications these systems support. No lab is available for the outdoor wireless system. Thoughts are to find an access point with little or no traffic, remove the segment from active use and monitoring and make it available for testing with the understanding that re-attenuation or repair may be necessary after the testing is complete. Page 2 of 12

3 Question 4 On Outdoor Wireless Network Vulnerability and Penetration Testing Will SAWS provide us the basic communication parameters for each microwave communication to be evaluated (i.e. frequency/exact carrier, modulation, codification, baud rate, etc.) on the proposed frequencies (900MHz, 4.9GHz and 11GHz)? The amount of time assigned to each wireless testing activity is dependent on the answer to this question (If this information is not provided, more time will need to be allocated to discovery. If this information is provided, more time can be allocated to testing activities). SAWS is interested in discovering what potential vulnerabilities exist against outsider threats with no prior knowledge of our systems. Additionally, any vendor responding to this solicitation should have adequate tools to scan the RF environment and detect transmitting frequencies in use. After this black box testing, we can provide additional information to simulate threats from an informed source. Question 5 On all Network Vulnerability and Penetration Testing: Will SAWS provide the technical specifications (brand, model, operating system, etc.) and configurations for the list of devices that will be evaluated, as listed on the tables on Page 19 of the RFC (firewalls, routers, switches, radios, IDSs, UPSs, PLCs, etc.)? Yes to the selected vendor. Question 6 Section I.1.b and I.2.b, Please provide the number of documents requiring review. There are less than 100 pages for review in total. Question 7 Section 3.A Group 1, what is the distance between the five corporate locations identified in section Less than 30 miles. Question 8 A Group One? a. Can you please provide public available geo map for the locations requiring assessment? Yes, to the selected vendor Page 3 of 12

4 Question 9 Section 3.B.5, Will an authorization letter be provided that provides legal authority to conduct the social engineering actions requested? We will further discuss this requirement based on the methodology to be used by the selected vendor. Question 10 The solicitation states that 4 control systems using wired and wireless IP communications are to be assessed. Can you please clarify which specific systems/facilities are to be assessed as part of this solicitation so that an appropriate approach and cost can be developed? This information will be provided to the selected vendor, our belief is the selected vendor will have a methodology which can be applied to any control system. Please provide the control systems you have experience with. Question 11 Can you give an exact number of nodes that we are to evaluate/assess or are we to assume the number given on pg. 19 is precise? The number on page 19 represents a broad sample of our overall environment and are the nodes we want you to evaluate. Question 12 The RFP requestes a "Security Assessment" does this refer to a "Vulnerability Assessment" or a "Risk Assessment Vulnerability assessment and penetration testing should illustrate risks. Question 13 The RFP lists 5 facilites in scope for this assessment. What is the nature of the facilites? Do they include data centers as well as treatment plants? Yes Question 14 Are the 5 sites geographically collocated or remote? Remote Page 4 of 12

5 Question 15 What brands of IC environments that exist in your facility? Question 16 The RFP lists a table of equipement for ICS. Is this per facility or total? Broad sample Question 17 What types(s) brand and version of routers do you have? Question 18 How many routers are in scope for review (typically we would review edge routers)? See page 19 Question 19 How many Windows servers are in scope & what versions? See page 19 Question 20 How many Unix environments are in scope & what versions? None Question 21 What type(s) brand and version of security appliances (IDS, IPS, UTM, Firewall) do you have? Question 22 Number of firewall rule sets (IT and OT if applicable)? Question 23 How many firewalls are in scope for review? Page 5 of 12

6 See page 19 Question 24 Previously infected machine locations and roles, if known None Question 25 Critical assets to be evaluated for any possible compromise See page 19 Question 26 Critical (traffic) network nodes to be evaluated See page 19 Question 27 Vendor specific equipment installed by third party integration team(s) Question 28 Method and means of backup of files/system configurations including paths to primary and intermediate storage Question 29 Current network topology diagrams (logical and physical), which depict connectivity Question 30 Does SAWS have a zones conduits diagram available? Question 31 T1s, SATCOM, cellular, Dial-up, serial lines, etc. Page 6 of 12

7 Question 31 Does SAWS use enterprise architectures or are there EA products available? We have enterprise monitoring tools Question 32 HMI software suite - There are variety of HMI and PLC that may deployed in the ICS environment. Could you provide any details, brand, etc. Are they in scope? Yes, to be disclosed Question 33 Industrial protocols used and ports if known Question 34 Control systems installed, including manufactuer and model if known Question 35 End devices (Vendors and models of PLCs, RTUs, etc.) Question 36 Vendor specific equipment installed by third party integration team(s) Question 37 How does the organization distinguish between IT/ OT are both in scope? Both are in scope Question 38 Identification of direct connections through firewalls/filtering routers/etc. Question 39 Service Level Agreements for third party monitoring (Active or Passive) Page 7 of 12

8 None Question 40 Have the systems been categorized as reference in NIST rev 4? If so is this all documented? No Question 41 Can SAWS personnel collect and send system configurations? If required to the selected vendor Question 42 Can Data be sent and stored on secure media outside of SAWS? If required to the selected vendor Question 43 Are Pictures permitted to be taken inside facilities? Yes Question 44 Can vendor machines attach to SAWS network? Only thru a secure connection Question 45 Can SAWS clarify if they want active penetration testing on control networks? Both active on specific segments and passive on sensitive segments Question 46 Will SAWS interviews with personnel be conducted via VTC/teleconference or in person? Can be via Webex Question 47 First assessment or others been done? Will vendor have access to those previous assessments? Page 8 of 12

9 First assessment of this kind Question 48 Have internal sites been decided or is that part of the scope to determine? See page 19 Question 49 Will vendor have access to 3rd parties including maintenance and integrators contractors? Yes, if necessary Question 50 Will vendor be required to perform Physical penetration testing for network or communications devices? To be discussed with the selected vendor, but generally a passive approach to physical penetration (a review) would be acceptable. Question 51 Group 2 assets (page 19). What are the two misc assets? Possible additions based on initial results of the selected vendor s review Question 52 "p. 3 - Section 2. Preparation of Bids, (a) ""The bidder shall print or type name and manually sign the schedule.""is DocuSign signature acceptable? No, original signatures are required Question 53 "P.24 - VIII. Important Mailing Instructions Do you require the opening date and time on the envelope label, or just the bid name and number? See page 4 Question 54 What is the Remarks field for?" Page 9 of 12

10 Question 55 "P Tab 3, Attachment B, Pricing Schedule - Do you want 1 original and 7 copies of the pricing in a separate envelope, or just 1 original?" Just 1 original of the pricing Question 56 "P Tabs all have ""Please check if pricing response is included on a separate enclosed envelope."" at the bottom. Confirming that should read ""Please check if response is included as a separate document."" like previous attachments, correct?" That is correct. Tabs 9 11 should read Please check if response is included as a separate document. Question 57 General Question Compliance Should the proposals be spiral bound or placed in a three (3) ring binder? Either option is fine Question 58 General Question Compliance Are there any requirements for font, margins and page limit? There are no requirements as to font, margins or page limit Question 59 Scope Does SAWS have the appropriate lab or test equipment that can be made available to the Vendor in order to reduce risk of impacting the production system during vulnerability assessment/penetration testing? We do have SCADA labs for 3 of the 4 control systems that can be made available. We do not have an outdoor wireless lab available. Question 60 Spcecifically, Vendor would like: PLCs with a similar make/model as those considered in scope Packed based radio devices with a similar make/model as those under test Test instance of critical application servers The SCADA labs for 3 of the 4 control systems have production PLCs available. There is no lab environment available for outdoor wireless. The critical applications servers are available in the lab for 3 of the 4 control systems. Page 10 of 12

11 Question 61 Scope of Services Section 3.A Requires that penetration testing be performed from different points in the network at five (5) different facilities. Are these facilities greater than one (1) hour travel time distance from the primary location No Question 62 Would these facilities be considered industrial work environments, normal office settings or a mixture of both? Mixed Question 63 Have these points been selected by SAWS? If so, please elaborate on the reason for selection. We have selected the points and they represent a broad sample of our overall environment. Question 64 Remote Facility Clarity Is the object of the penetration test to evaluate the security of the remote facility, or some other network that the remote facility communicates with (such as a control center) or both? Both. Question 65 Definition Penetration Test What is SAWS definition of a penetration test? Will SAWS consider a blended penetration and vulnerability assessment methodology? Yes Question 66 What is SAWS risk tolerance to penetration testing in general on production industrial systems? Low risk tolerance Question 67 What level of access should be assumed for the penetration test: Complete outsider from the internet? Insider from the office network? Insider from automation vendor? Insider on the control network? Page 11 of 12

12 All of the above. Question 68 Review Security Policies, Procedures and Practices: How many documents? What is the average number of pages per document? There are less than 100 pages for review in total. This addendum does not need to be returned with the bid submittal. Page 12 of 12