cover
TO: Mayor Richard C. Irvin
FROM: Leela Karumuri, Director Cyber and Technology Risk
Michael R. Pegues, Chief Information Officer
Ken Schroth, Director of Public Works
Martin Lyons, Chief Financial Officer/City Treasurer
DATE: March 31, 2021
SUBJECT:
A resolution to amend approved resolution R20-311, dated December 22, 2020, (legistar item 20-0815) from Data Defenders LLC, 111 Jackson Blvd, Suite 1700, Chicago IL 60604 for $1,601,730. Total amount not to exceed $3,202,215 over the five-year contract.
PURPOSE:
The City of Aurora, Information Technology (IT) Division is seeking to expand the scope of managed security services to include the City of Aurora Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) infrastructure.
In addition to IT components, this amendment will cover SCADA, the centralized system that monitors and controls the water treatment and distribution systems (including mains and storage) for the entire area city. This supervisory system gathers data on the process and sends the commands control to the process.
Gartner, the City's technology advisor, defines operational technology (OT) as, “Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in asset-centric enterprises, particularly in production and operations.”
BACKGROUND:
Goal # 1: Implementing a Cybersecurity Program, Operation, and Technical Infrastructure of the City’s OT Infrastructure which will include the following components:
Service Additions:
1. eSentire esNetwork Managed Detection and Response Service.
2. esEndpoint Detection and Response Powered by CrowdStrike Services.
3. Sentinel SEIM Management (includes Security Device Management or 3 devices).
4. Vulnerability Management
Goal# 2: Adding the following Professional Services Tasks:
Service Additions:
1. Risk Assessment
2. Internal/External Penetration Testing.
3. vCISO Professional Services
4. Threat Intelligence Analysis (Incident Response)
Goal # 3: Implementing Okta End-to-End Identity Management Point Solution.
Service Additions:
1. Single Sign on, Multi-Factor Authentication, Lifecycle Management, Universal Directory, API 2. Access Management.
3. Training- Okta Essentials
4. Okta Support-Premier Success Package
5. Design & Integration Services
6. Platform Management.
Benefits:
Data Defenders’ Data Shield managed security service is a comprehensive solution that aligns with all key life-cycle components for a management, cybersecurity operations and cybersecurity/technical infrastructure management. Adding the OT Infrastructure (aka Water Treatment Plant SCADA system) will reduce risk and enhance the security posture of Critical Infrastructure for the City of Aurora residents.
DISCUSSION:
Amended Scope Itemization for OT/SCADA Security:
---------------------------------------------------------
Service #1 Data Shield Managed Security Services (9 Mo. In 2021)
eSentire esNetwork Managed Detection and Response Service 2021 $44,494.00
Service #2 Data Shield Managed Security Services
esEndpoint Detection & Response by CrowdStrike Services 2021 $15,833.00
(9 Mo. In 2021)
Service #3 Price Level: Fixed Price SEIM/Security Device 2021 $14,700.00
Service #4 Price Level: Fixed Price Vulnerability (9 Mo. In 2021) 2021 $11,250.00
Service# 5 Data shield Professional Services
Risk Assessment 2021 $7,500.00
Internal/External Penetration Testing 2021 $7,500.00
Total amount or OT/SCADA Security $101,277.00
Amended Scope Itemization for IT Security:
---------------------------------------------------------
Service#5 Data Shield Professional Services
Annual General hours Allocation 2021 $11,250.00
VCISO 2021 $37,500.00
Threat Intelligence Analysis 2021 $45,000.00
Service#6 Data Shield Point Solutions (Okta Identity Management) 2021 $79,352.00
(Partial 9 Mo. In 2021)
Policy Development (15 different subject matters and 5 potential 2021 $20,250.00
Policies.
Design & Integration Services (One-Time Costs) 2021 $30,000.00
Training - Okta-Essentials (One-Time Costs) 2021 $ 3,149.00
Total amount for IT Security $218,750.00
Total Data Shield MSS Cost Annually for both IT and OT/SCADA 2021 $327,778.00
Contract Amendment Summary:
---------------------------------------------------------
Budget Year Amount
--------------------------------------
2021 $327,778.00
2022 $318,488.00
2023 $318,488.00
Optional Years
2024 $318,488.00
2025 $318,488.00
.
The IT budget has sufficient funds to cover the first year of this contract as Cyber spending was budgeted in 101-1383-419.32-80 at $757,600.00. While the total expenses associated with the Water Fund total to $101,277.00, there is not sufficient funds budgeted in the Water fund to cover this expense. Water Fund account # 510-1380-511.32-20 Contracted Services had $80,000 budgeted in 2020 but this was cut in 2021 as a part of the 5% decrement requirement. Account 510-1380-511.64-10 Software Applications has a budget in 2021 of $52,000 of which $31,040 will be allocated to this Cyber SCADA service cost. Taking this into account:
1. Partial funding available in IT account # 101-1383-419.32-80 Professional Fees/Consulting Fees $296,738
2. Partial funding available in Water Fund account # 510-1380-511.64-10 Software Applications $31,040.00.
Water Fund expenses will need to be increased beginning in 2022 to cover this new expense, however this could also result in a decrease to the General Fund portion of the Cyber contract costs by same amount, reducing that budget by an equal amount in the IT budget. The Budget Team and Public Works/Water team (with IT input in those areas) will be reviewing the total support provided by the Water Fund to the General Fund for all administration, IT, and other services in the 2022 budget process as this new expense represents a significant enough increase to re-examine that interfund relationship.
While this total expense appears to be a major increase to IT expenses, the current IT budget is above $10 million when all departments are considered and as such, this expense equates to 6% of total IT expenses over 5 years. This investment is prudent to reduce risk, maintain operational and business continuity in the cyber domain
IMPACT STATEMENT:
Cyber protection is a necessity and the City will face increasing insurance costs without the above protective measures. Furthermore, the potential cost of a substantial breach could be many times this 5-year $3.2 million investment in protecting the City.
RECOMMENDATIONS:
Request the amended resolution be adopted.
cc: Infrastructure and Technology Committee
CITY OF AURORA, ILLINOIS
RESOLUTION NO. _________
DATE OF PASSAGE ________________
title
A Resolution to amend approved resolution R20-311, dated December 22, 2020, from Data Defenders LLC, 111 Jackson Blvd, Suite 1700, Chicago IL 60604 for $1,601,730.00. Total amount not to exceed $3,202,215.00 over a five-year contract.
body
WHEREAS, the City of Aurora has a population of more than 25,000 persons and is, therefore, a home rule unit under subsection (a) of Section 6 of Article VII of the Illinois Constitution of 1970; and
WHEREAS, subject to said Section, a home rule unit may exercise any power and perform any function pertaining to its government and affairs for the protection of the public health, safety, morals, and welfare; and
WHEREAS, this is an appended Managed Security Service to provide protection to city owned assets related to information and operational technology.
WHEREAS, the goal is to implement solutions focused on reducing cybersecurity risks, protect city system and assets, and safeguard the City's reputation and financial wellbeing from bad actors; and
WHEREAS, Cyber protection is a necessity and the City will face increasing insurance costs without the above protective measures. Furthermore, the potential cost of a substantial breach could be many times this 5 year $3 million investment in protecting the City.
NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Aurora, Illinois, as follows: A resolution to amend approved resolution R20-311, dated December 22, 2020, from Data Defenders LLC, 111 Jackson Blvd, Suite 1700, Chicago IL 60604 for $1,601,730.00. The Director of Purchasing is authorized to execute a revised agreement with Data Defenders in a total amount not to exceed $3,202,215.00 over five-year contract.