cover
TO: Mayor Richard C. Irvin
FROM: Ted Beck, Chief Information Security Officer
Dave Schumacher, Superintendent Water Production Division
DATE: 7-5-2018
SUBJECT:
A resolution authorizing the contracting of PAS Global LLC, 16055 Space Center Blvd # 600, Houston, TX 77062 to perform a network vulnerability assessment on the City of Aurora's critical infrastructure SCADA (supervisory control and data acquisition) system at the Water Treatment Plant for a cost not to exceed $48,000.
PURPOSE:
The SCADA system allows for the operation, management and monitoring of the City's water production resources for the Water Production Department. This system allows the different components of this system to be managed remotely without the need to travel to all sites to make any changes or gather data. The controls provided by this system protect a critical infrastructure for the City of Aurora.
BACKGROUND:
The City has received three informal bids for professional services to include:
1) Sentinel Technologies Inc., 2550 Warrenville Rd, Downers Grove, IL 60515 for $54,890.
2) PAS Global LLC, 16055 Space Center Blvd # 600, Houston, TX 77062 for $48,000.
3) Crowe LLP, 225 West Wacker Drive, Suite 2600, Chicago, IL 60606 for $40,000.
After a thorough due diligence process Information Technology Division considers option # 2 - PAS Global LLC as the preferred option for the following reasons:
Both Sentinel and PAS offer specialized consultants with industrial control and automation experience within their proposals. The SCADA network encompasses a unique combination of industrial controls, automation systems and traditional networking components.
Although the proposal from Sentinel was well composed there were two fundamental concerns:
1) Higher Cost
2) Resource Availability for Industrial Control Systems Expertise
On the other hand while we value Crowe's experience and partnership we would like to ensure vendor diversity for our security audits. Crowe successfully performed the last penetration test on the City of Aurora network infrastructure in July 2017. For this reason when a vendor is aware of your posture on a continuous basis and has insights into the whole remediation journey from the previous assessments this leaves room for negative effects. On the negative side, keeping with the same vendor limits the creativity of findings, leaves room for areas to be overlooked based on strong biases, produces predictable reporting, and using a singular vendor doesn’t keep pace with threat actors.
DISCUSSION:
The SCADA system and the network devices are mission critical for providing Water Production Department operations at the City of Aurora. Performing a vulnerability assessment is a risk management process used to identify, quantify and rank possible vulnerabilities to threats in a given system for remediation to increase our security posture.
Funds for this assessment are available within the 2018 Water Department budget account 510-4058-511-32-07
PAS does not have any outstanding debt with the City of Aurora.
Recommend to City Council that the proposal from PAS reflects the most value, experienced and capable firm for the scope of work. Two alternative proposals from other firms have also been attached for due diligence and transparency.
IMPACT STATEMENT:
By continuously and proactively monitoring all network access points, a vulnerability assessment dramatically reduces time researching, scanning and fixing network exposures and will enable the City of Aurora to eliminate network vulnerabilities before they can be exploited.
RECOMMENDATIONS:
Approve authorizing the contracting of PAS Global LLC, 16055 Space Center Blvd # 600, Houston, TX 77062 to perform a network vulnerability assessment on the City of Aurora's critical infrastructure SCADA system for Water Treatment Plant.
CITY OF AURORA, ILLINOIS
RESOLUTION NO. _________
DATE OF PASSAGE ________________
title
A Resolution Authorizing the PAS Global LLC, 16055 Space Center Blvd # 600, Houston, TX 77062 to perform a network vulnerability assessment for the City of Aurora's SCADA (supervisory control and data acquisition) system at the Water Treatment Plant for a cost not to exceed $48,000.
body
WHEREAS, the City of Aurora has a population of more than 25,000 persons and is, therefore, a home rule unit under subsection (a) of Section 6 of Article VII of the Illinois Constitution of 1970; and
WHEREAS, subject to said Section, a home rule unit may exercise any power and perform any function pertaining to its government and affairs for the protection of the public health, safety, morals, and welfare; and
WHEREAS, PAS's proposal provides a value proposition that is aligned to the City of Aurora's requirements for a comprehensive vulnerability assessment for the SCADA system and network, and
WHEREAS, the SCADA system and networks provides for support for critical infrastructure and operations of the Water Treatment Plant. The data collected by SCADA provides insight and reporting that is necessary to make informed decisions on a daily basis, and
WHEREAS, funds are available within the 2018 Water Department budget in account 510-4058-511-32-07)
NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Aurora, Illinois, as follows: Authorizing the PAS Global LLC, 16055 Space Center Blvd # 600, Houston, TX 77062 to perform a network vulnerability assessment for the City of Aurora's SCADA (supervisory control and data acquisition) system at the Water Treatment Plant for a cost not to exceed $48,000