SAN ANTONIO WATER SYSTEM PURCHASING DEPARTMENT

Transcription

1 SAN ANTONIO WATER SYSTEM PURCHASING DEPARTMENT Issued By: Angeline C. Peralez Date Issued: July 24, 2014 BID NO.: FORMAL INVITATION FOR BEST VALUE BID (BVB) FOR THE ONE TIME PURCHASE OF NETWORK SECURITY ASSESSMENT SERVICES ADDENDUM 1 Sealed bids, one (1) Original and seven (7) copies, addressed to the Purchasing Director, San Antonio Water System, 2800 US Hwy 281 North, Administration Bldg., 5 th Floor, San Antonio, TX will be received until 3:00 p.m., July 30, 2014 and then publicly opened and read aloud for furnishing materials or services as described herein below, The San Antonio Water System Purchasing Department is willing to assist any bidder(s) in the interpretation of bid provisions or explanation of how bid forms are to be completed. Assistance may be received by visiting the Purchasing Office in the SAWS Main Office, 2800 US Hwy 281 North, San Antonio, TX 78212, or by calling (210) This invitation includes the following: Invitation for Best Value Bids Terms and Conditions of Invitation for Bids Specifications and General Requirements Price Schedule The undersigned, by his/her signature, represents that he/she is authorized to bind the Bidder to fully comply with the Specifications and General Requirements for the amount(s) shown on the accompanying bid sheet(s). By signing below, Bidder has read the entire document and agreed to the terms therein. Signer s Name: Firm Name: (Please Print or Type) Address: Signature of Person Authorized to Sign Bid City, State, Zip Code: Address: Telephone No.: Fax No.: Please complete the following: Prompt Payment Discount: % days. (If no discount is offered, Net 30 will apply.) Please check the following blanks which apply to your company: Ownership of firm (51% or more): Non-minority Hispanic African-American Other Minority (specify) Female Owned Handicapped Owned Small Business (less than $1 million annual receipts or 100 employees) Indicate Status: Partnership Corporation Sole Proprietorship Other (specify) Tax Identification Number: To report suspected ethics violations impacting the San Antonio Water System, please call Page 1 of 6

2 ***** This Addendum 1 is issued to answer the following questions related to the bid sent to you on July 9, All other terms and conditions of the original bid document remain unchanged. *********************************************************************************************************** Question 1: What is the primary business driver behind your desire for an assessment? Answer: SAWS would like to discover and mitigate against any potential security vulnerabilities. This assessment will be used to help re-enforce security policies and may be used to determine what security projects are critical to sustain our business. Question 2: Are there particular questions you are trying to answer by way of having an assessment performed? Answer: SAWS is interested in learning what applications and network infrastructure could be vulnerable from an internal or external attack. This includes the corporate infrastructure as well as closed-loop SCADA network. Question 3: How many externally-facing IP addresses or targets should we expect to encounter or that you would like to include in the scope of the assessment? Are any of these hosted or managed by a third-party? Answer: Expect to see responses from around 85 external and DMZ IP address all of which are hosted and managed by SAWS. Question 4: How many servers do you operate on your internal network? Answer: Approximately 550 Question 5: Can you estimate the number of users you support internally? Answer: Approximately 2000 Question 6: Who is the intended audience for the results of the assessment? Answer: SAWS Information Systems: Network Engineering, System Admins, and Management, Internal Audit, Operations Question 7: If there are there multiple geographic sites, is there one from which the others are accessible across the network? Answer: There are multiple locations around the City of San Antonio; however they are all accessible from the HQ location. Question 8: Are there systems on the network that do not belong to you? Answer: Yes, there may be Kiosk or other network endpoints that we do not own. Question 9: How many sites will need to be visited for the wireless assessment? What are these sites like and where are they? Answer: SAWS has a variety of wireless infrastructure that we would like to be assessed. This includes Cisco wireless APs, Cambium PtMP radios, Redline PtMP radios, and Trio IP radios. Three site visits would be needed to assess all platforms. Question 10: Is your policy documentation organized around a particular framework? (e.g., NIST, COBIT, ISO, etc.) Answer: No although we use NIST and others as our reference model. Question 11: Roughly how many documents and pages constitute your information security policy compendium? Answer: Four documents, 23 pages. Question 12: For the review of the security controls and mechanisms, is your desire to have a detailed review of specific device configurations? If so, how many devices will be included in the scope and can you categorize them? Answer: Yes, we would like a detailed review of a representative sample. For example; 2 ASA firewalls, 3 Catalyst switches, 3 Cisco border routers, and so on. Page 2 of 6

3 Question 13: Is your IT department centralized? How many people are in IT? Answer: Yes, approximately 40 people in the IT department. Question 14: Is there a deadline for completing the work? Answer: By the end of Question 15: Are there business cycles or time windows we ll need to work around? Answer: Yes, any intrusive work that may be disruptive should be scheduled for a window outside of business hours. Question 16: On Activity 1 - External Vulnerability and Penetration Testing, how many live hosts are estimated to be within these ranges? Can testing be performed 24 hours a day or are there testing windows that must be adhered to? Answer: Approximately 45. Any testing that may be service disrupting should be performed after hours. Question 17: Can we print page 23, add our company information to the Remarks and affix that page to the sealed envelope to cover the RFP labeling requirements? Answer: Yes. Just please make sure that all information are included as per bid requirements and instruction. Question 18: Under, VI. Scope of Services, C. Requirements Outline, list p where in the Best Value Bid Submission Requirements outline do we include this information in our response? Some of these items pertain to the specific services, some (in particular #4, 5 and 7) appear to be additional information requested outside of the specific services. Answer: Best Value Bid Submission Requirements are listed on the bid pages These are the different sections needed to be submitted in responding on this RFP. Pages 28 onward also provides each section s requirements. Question 19: Under Attachment I, J and K at the bottom reads Please check if pricing response is included on a separate enclosed envelope. Should they all read Please check if response is included as a separate document. instead like the other non-pricing attachments? Answer: Yes. These are typographical errors. Please change it to Please check if response is included as a separate document. Question 20: On page 3 of 44, you request samples. Report formats may be provided upon release of the clients. Federal, State and local governmental analysis are under non-disclosure for security reasons. Answer: We are open to examples of work products which demonstrate an understanding of the requirements but do not provide sensitive client information. Question 21: On page 38 of 44, you state the small business must submit non audited financial reports. What safeguards are ensured by your agency that our sensitive financial information will not be subjected to the general public via Freedom of Information Act? Answer: SAWS is a public utility entity and is subject to Texas Public Information Act and Open Records. All bid documents submitted may be subject to open records when requested. Question 22: Will bank and CPA written documents / comments exhibiting financial stability without financial statement disclosure be acceptable? Answer: No. This is part of the required documents to be submitted. The requirement is part of the evaluation criteria. Question 23: The RFP indicates in Section I, under items a, b, and c (External and Internal, SCADA, and Wireless) that our proposal should include services to Review Security Architecture, Policies and Procedures, and Technical Security controls. To what level of detail would you expect us to review these areas? Are you asking for a gap assessment against industry best practices, or a more high-level review? Is this considered part of the reconnaissance for the vulnerability and penetration testing process, or an independent assessment? Should we review the architecture and Page 3 of 6

4 P&Ps in the context of the external testing, or evaluate them on their own against an external standard or industry best practices? Answer: SAWS would like a gap assessment against industry best practices. The focus should be concentrated on the specific items being tested (External, Internal, SCADA, Wireless). Question 24: What portions of this work will need to be completed at SAWS facilities? We anticipate onsite work for Wireless and also potentially for the Internal Network testing. What portions of the overall project can be done remotely (external testing?) How many sites should we plan to visit to complete this work, and where are those sites located please? Answer: SAWS has a variety of wireless infrastructure we would like to be assessed. This includes Cisco Wireless APs, Cambium PtMP radios, Redline PtMP radios, and Trio IP radios. Three site visits would be needed to assess all platforms. Additionally, any work performed to assess the SCADA and internal network would need to be performed onsite. All facilities within the scope of this project are within the greater San Antonio area. Question 25: Section IV subpoint C Requirements Outline, indicates three external network ranges to be tested (/22, /21, /23). In order to properly help scope this work, can you provide the number of live hosts within each network range? Or if the total number of live hosts is not available, can you give us a sense of how full those ranges are (10% of addresses used, 25% of addresses used?) Answer: SAWS estimates that the number of live hosts on the external network is 45. Question 26: Section IV subpoint C Requirements Outline lists 2 Misc devices for Wireless testing. Can you tell us anything more about these devices? Are they a type of switch? An endpoint device (radio base station)? Answer: SAWS would like to determine if there are elements on the network that could be compromised and cause a service disruption. Those elements could include; automatic transfer switches, UPS devices, power deliver units (PDU), and generators. Question 27: For Item 3.5, Provide follow up procedure after the assessment can you please provide more clarification? Would you like us to conduct another technical evaluation of the entire environment? Or to conduct targeted retesting of specific vulnerabilities? Should this work be scheduled after SAWS has completed remediation of the identified vulnerabilities? Approximately how long after the initial testing will SAWS require before the environment is ready for follow up procedures? Is the follow up procedure limited to technical re-testing only? Answer: SAWS would like the follow up procedure to include a detailed technical discussion of findings and suggested remediation to correct any deficiencies discovered during the assessment. Question 28: Section VI Point 4 includes Social Engineering as a testing technique. What types of SE would be acceptable? Phishing s? Phone calls to users or to SAWS service desk? Physical intrusion into office or plant facilities, to try and gain unauthorized access? Can you please provide more detail about the potential goals and methodologies that would be allowed? Do we need to pre-approve SE contexts or specific targets with SAWS project POCs before testing? Are any targets (employees, systems, processes) excluded from the SE procedures? Answer: SAWS would like to understand the security risk as it relates to social engineering. What impact is there to the network, control system applications, and mission critical infrastructure if a social engineering attack was successful? How informed and educated are employees when it comes to social engineering? SAWS shall pre-approve any SE contexts and targets before beginning the assessment. Question 29: Section VI Point 4 includes Information Security Education and Training should be included in the proposal. What types of training are you looking for? Should we include any classroom training for management? Computerbased training for all employees? Targeted training based on the results of our assessment and the weaknesses identified? Should we plan to deliver specific training for high-risk groups including IT administration, application administration, and senior management? What is the approximate number of users to be trained? Answer: SAWS would like the training and education to be focused on any deficiencies found during the assessment. Training would help IT staff gain knowledge needed to rectify and secure the infrastructure. An estimated number of employees that may require training are 15. Additionally, SAWS has developed an all employee Information Security training class and we would like feedback on the composition and content of that training class. Page 4 of 6

5 Question 30: Which regulators are specifically relevant for this assessment? We anticipate TAC 202, NERC-CIP, and compliance with industry best practices including NIST and ISO27001/ Are there any other regulatory frameworks that should be considered? Answer: The NIST , revision 4 set of guidelines is the most relevant set of guidelines for this assessment. Question 31: For the Penetration Testing components of this assessment, should we perform Covert or Overt testing? Covert testing (Black Box) is designed to measure the organization s detection and response capability in a real world scenario, and means more silent and passive tools will be used. This type of testing simulates a more sophisticated attacker, however the testing is also more expensive because tools must be run at slower speeds to try and evade detection. Overt testing (Grey/White Box) means that the organization s IT and incident response staff is informed about testing, and the testers will not make specific attempts to evade detection. This simulates a less sophisticated attacker but the testing is more cost-effective because the testers can be informed about the target environment, and therefore testing takes less time to identify vulnerabilities. Answer: Penetration testing shall be overt. Note for SCADA - non-intrusive testing should be used to assess the security controls along with detailed device configuration audits. Question 32: For the Penetration Testing, should we attempt to manually validate vulnerabilities or to actually penetrate systems and obtain sensitive artifacts? Manual validation means that we will determine if vulnerabilities are exploitable, without actually stealing information. As an example, if a tester obtained root access on a Unix system, then the tester would document that fact and conclude the test on the basis that root access will allow other more dangerous forms of attack. Penetrating systems means that a tester would break in and try to obtain sensitive artifacts (admin credentials, databases, and other artifacts). As an example, if a tester obtained root access on a Unix system, then the tester would continue exploiting the network or systems until another artifact (admin password, other) is obtained. Which type of testing would you like us to conduct? Our recommendation would be to conduct manual validation, which presents similar results with much less risk to the client s environment. Answer: Manual validation is sufficient. Question 33: For the Penetration Testing, should we attempt denial of service? DoS exploits could knock systems or services offline, and may require remediation by the client IT to restore services. Group 3 (Outdoor Wireless) indicates that DoS exploits are included in that phase. Should we plan to conduct DoS type testing or exploits for External, Internal, or Control System testing? Our recommendation would be to attempt DoS on Outdoor Wireless only, as the risk to other operational systems could be significant. If SAWS would like to conduct DoS testing on External, Internal, and Control System networks then Denim Group can support that requirement with additional coordination and monitoring by SAWS IT and security personnel Answer: DoS attacks should only be performed on group 3 (Outdoor Wireless). Question 34: Section IV subpoint C Requirements Outline lists the SAWS.org applications and secure.saws.org as the two applications to be tested. For these applications, please provide the following information: What platform(s) are the applications built on? Java? C++, C#?.NET? Other? Answer: Cold Fusion Does SAWS.org handle sensitive data? What types? (Credit Card, PII, HIPAA, Financial, other) Answer: No Does Secure.SAWS.org handle sensitive data? What types? (Credit Card, PII, HIPAA, Financial, other) Answer: Transfers credit card info to PayPal and does not store Should we conduct static testing? (Source Code Analysis)? Answer: No Should we conduct dynamic testing? (Application Security Scanning Tools)? Answer: No, SAWS does this. Should we conduct manual testing (Targeted manual testing based on the results of static and automated testing)? Answer: No Question 35: Have any previous security assessments been conducted on these two applications? Could we review the results? Page 5 of 6

6 Answer: Yes quarterly PCI compliance results can be provided. Question 36: Section IV subpoint C Requirements Outline lists 325 application servers for Internal testing. Do these servers support SAWS.org and Secure.SAWS.org? Do they support other applications? Would you like us to perform penetration testing against any other applications within the environment? Answer: Not at this time. Question 37: Section IV subpoint C Requirements Outline lists 9 application servers for Control Systems testing. What applications are running on these servers? Would you like us to perform penetration testing against any other applications within the Control System environment? Answer: Three SCADA Top End Systems and not at this time for any other applications. Question 38: Work examples invariably include sensitive client information that would enable knowledgeable person to identify the client. Would SAWS be amenable to example deliverables? Answer: We are open to examples of work products which demonstrate an understanding of the requirements but do not provide sensitive client information. Question 39: What is the anticipated threat for SAWS outside radios (e.g., microwave radio relay)? Answer: SAWS would like to understand what vulnerabilities exist in the outdoor wireless infrastructure and if they could be compromised allowing an attacker access to the network. Question 40: Can we conduct manual web application testing for and the payment gateway (maybe value add service?) Answer: Not at this time Question 41: Do you have CIPS compliance requirements? Answer: SAWS is not governed by NERC or FERC. Question 42: Are you primarily concerned about threat modeling and security development lifecycle in your SCADA environment or is your vision to have an active penetration test performed on your SCADA network? Answer: SAWS would like to discover and mitigate against any potential security vulnerabilities that may exist in the SCADA environment. Non-intrusive testing should be used to assess the security controls along with detailed device configuration audits. Question 43: How many CCAs (Critical Cyber Assets) and EADs (Electronic Access Devices) make up your SCADA environment? Answer: SAWS has 3 control systems that are deemed CCAs along with all the respective servers, networks, and firewalls used to secure them. We also have the end points (PLCs) at our pumps, valves, lift stations, facilities which the control systems operate/monitor. Question 44: Do you have a SCADA lab or test environment? Answer: SAWS has a SCADA test environment. Question 45: Please provide the personnel names, social security numbers, federal security clearance documentation and need to know explanation. Answer: SAWS does not provide this. * * * * * * All other terms and conditions of the original bid document remain unchanged. Page 6 of 6