473824 N-DIMENSION SOLUTIONS INC - CONTRACT - AGREEMENT MISC - 7139 SECURITY VENDOR - SMARTGRID
PROFESSIONAL SERVICES AGREEMENT
THIS AGREEMENT made and entered into the day and year set forth below, by and
between THE CITY OF FORT COLLINS, COLORADO, a Municipal Corporation, hereinafter
referred to as the "City" and N-Dimension Solutions, Inc., hereinafter referred to as "Professional".
WITNESSETH:
In consideration of the mutual covenants and obligations herein expressed, it is agreed by
and between the parties hereto as follows:
1. Scope of Services. The Professional agrees to provide services in accordance with
the scope of services attached hereto as Exhibit "A", consisting of nineteen (19) pages, and
incorporated herein by this reference.
2. Contract Period. The services to be performed pursuant to this Agreement
shall be initiated within five (5) days following execution of this Agreement. The object of this scope
of work, the Cyber Security Plan, must be completed within 30 days following the signing of the
Smart Grid Implementation Grant agreement by officials of the City and the Department of Energy.
It is expected that the DOE will ask for clarifications or rework of some elements of the Cyber
Security Plan. Such follow-up is included in the current scope of work and will be required to be
completed and returned within 15 days after notification of additional requirements by the DOE.
Once the DOE accepts the Cyber Security Plan as final, the Professional Services Agreement can
be considered complete. Time is of the essence. Any extensions of the time limit set forth above
must be agreed upon in writing by the parties hereto.
Early Termination by City. Notwithstanding the time periods contained herein, the City may
terminate this Agreement at any time without cause by providing written notice of termination to the
Professional. Such notice shall be delivered at least fifteen (15) days prior to the termination date
contained in said notice unless otherwise agreed in writing by the parties.
Standard Professional Services Agreement- rev03/10
Smart Grid Cyber Security Proposal for The City of Fort Collins
N-Dimension Solutions
develop lifecycle cyber security practices. We would be pleased to assist the City of Fort
Collins in this regard.
Hometown Connections, a subsidiary of the APPA, has selected N-Dimension as the cyber
security solutions partner for public power utilities. As a result, APPA members benefit from
the comprehensive cyber security solution package for public power that Hometown Connections
has selected, at a discounted price.
The following is a quote from Hometown's CEO Tim Blodgett:
"As stated by the Federal Energy Regulatory Commission, cyber attacks can damage
generation and distribution facilities in ways that cause widespread disruption of electric
service and undermine our government, economy, and the health and safety of millions of
citizens. We selected N-Dimension Solutions Inc. as the official cyber security partner of
Hometown Connections because the firm offers a deep knowledge of cyber security, a proven
methodology, and a commitment to addressing the unique requirements of public power
systems of all sizes."
In this proposal N-Dimension outlines both a cyber security plan and a current state
assessment, but they are proposed separately for convenience for Fort Collins.
N-Dimension can also design and implement a solution to deploy cyber security controls at
Fort Collins as applicable to fulfill the Plan, address the risks identified in the current state
assessment, and to protect the utility. A separate proposal will be prepared for this additional
item if requested by Fort Collins.
The Appendix in this document outlines the security assessment methodology and the
defensive strategy, products, and lifecycle approach used by N-Dimension to build cyber
security solutions for utilities.
2 Proposal to Develop a Cyber Security Plan
This proposal outlines our recommended approach to develop a Cyber Security Plan for Fort
Collins to meet DoE requirements for the SGIG and to ultimately safeguard the operation of
Fort Collins' operating environment.
Using our lifecycle approach, we will work with Fort Collins to develop a Plan that follows
DoE's recommended programmatic approach (which will also form the Table of Contents for
the Plan) that includes:
• Introduction
• Roles and responsibilities
• Cyber Risk management and assessment
• Defensive strategy
• Security controls
• Incident response and recovery
• Development lifecycle
• Policies and procedures
• Training
We will use DoE and FERC guidelines and our industry knowledge to capture all of the
elements required by DoE for a strong cyber security program. NIST, NERC CIP and AMI-SEC
standards will be referenced throughout the Plan.
Given that Fort Collins may have not yet selected all of its smart grid technologies at this time,
we will develop a Plan that is flexible and that can be applied to technologies that are
ultimately selected. Further, this Plan can be used as input into Fort Collins' Smart Grid
technology RFPs.
The following steps will be taken by N-Dimension to build and finalize this Plan in an iterative
process with Fort Collins:
1. Information exchange
   a. Network maps
   b. Corporate / operational cyber security plan documents
   c. Corporate / operational cyber security policies and procedures
   d. Applicable sections of the Fort Collins' DoE proposal (required so that the
      resulting plan will align to the proposal)
   e. Comments from DoE on the Fort Collins' Cyber Security proposal
2. On-site visit to Fort Collins for visual inspection and review of systems
3. Detailed review of information
   a. Q & A with Fort Collins
4. Build draft Plan
   a. Internal N-Dimension review
   b. Updates and refinement to Plan
   c. Fort Collins review
   d. Updates and refinement to Plan
5. Complete final Plan
   a. Internal N-Dimension review
   b. Updates and refinement to Plan
   c. Fort Collins review
   d. Updates and refinement to Plan
6. Submission of Plan to DoE by Fort Collins
N-Dimension will complete this project within the 30 day DoE timeframe requirement on the
assumption that up-to-date documentation is available and Fort Collins key stakeholders are
responsive in providing information and completing reviews of the Plan.
3 Current State Assessment Proposal
This proposal outlines our recommended approach to perform a current state Cyber Security
Assessment for Fort Collins to identify cyber security risks associated with its current operating
environment and potential risks with planned deployments of new technologies as part of the
SGIG.
The assessment will include:
1. Review Fort Collins existing cyber security policy and procedures.
2. Review and assess current cyber security posture for AMI and Grid Automation and
other operational systems as appropriate based on cyber security best practices. This
will include analysis of the system architecture and network topology for the following:
a. SCADA Center
b. Distribution system
c. Planned AMI system deployments
Note: Enterprise (or corporate) systems and networks are not in scope.
3. Review router and firewall configurations for operational systems. Enterprise (or
corporate) routers and firewalls are not in scope.
4. Review Physical Security Operations including security servers and access controls.
5. Site visits to the control center and substations as applicable.
6. Analyze findings and formulate cyber security improvement recommendations for the
Operational environment consistent with NIST, NERC CIP, and AMI-SEC standards.
7. Design and propose high level cyber security solutions for the Operational environment.
8. Review and assess, from a cyber security perspective, planned deployments of new
technologies that Fort Collins is planning under the SGIG. Such assessments may be
limited in depth depending on availability of information from participating vendors.
Note: Application level security and database security are outside the scope of the project.
The deliverables from the assessment will be a detailed report and presentation to
management that includes:
• Summary on Utility Industry regulations and best practices;
• Overview of risks and vulnerabilities using cyber security best practices for the Smart
Grid operational environment;
• Security risk analysis of planned new deployments;
• Recommended Action Plan for each operating area;
• Proposed high-level solution for Operational environment security.
Using this approach Fort Collins will better understand their cyber security posture and risks.
This survey and analysis of Fort Collins' environments will help in prioritizing initiatives to
protect the operating environments, and in planning future projects with an understanding of
the scope and cost of the required solutions.
4 Pricing
The following assumptions have been used to develop this proposal:
• The plan and assessment will be developed with the integral input of Fort Collins. Fort
Collins will own the plan and assessment once developed.
• A prime interface will be established with Fort Collins for information exchange and
Q&A.
• Fort Collins personnel will provide timely information, answers and feedback.
• The scope of work is for a Smart Grid Cyber Security Plan and a current state Cyber
Security Assessment, with focus on the operational aspects of Fort Collins' Smart Grid
environment, which is the DoE requirement. A corporate / enterprise Cyber Security
Plan or assessment is not in scope. If Fort Collins has an enterprise Cyber Security
Plan then the Smart Grid Cyber Security Plan will link to it.
5 Confidentiality
N-Dimension Solutions recognizes the sensitive nature of this work, and will adhere to all
aspects of confidentiality. We are prepared to execute a confidentiality agreement should the
City of Fort Collins so desire.
Limitations of Liability
N-Dimension will not be liable for any indirect, incidental, consequential, punitive, reliance or
special damages, including without limitation, damages for lost profits, advantage, savings or
revenues of any kind or increased cost of operations.
Security assessments and security technologies are an uncertain process, based upon past
experiences, currently available information, and known threats. It should be understood that
all information systems, which by their nature depend on people, are vulnerable to
some degree. N-Dimension's security assessments are a preliminary assessment intended to
highlight the common and major security issues at Fort Collins. There can be no assurance that
any exercise of this nature will identify all possible vulnerabilities or propose exhaustive and
operationally viable recommendations to mitigate every exposure. In addition, the assessment
is based on the technologies and known threats as of the date of the assessment. As
technologies and risks change over time, the vulnerabilities associated with the operation of
the Fort Collins environment, as well as the security controls necessary to reduce the exposure
to such vulnerabilities, will also change.
DUNS and CCR
N-Dimension's DUNS number is 253701437 and we are registered in CCR.
Appendix A - N-Dimension's Cyber Security Subject Matter Expertise
N-Dimension Solutions Inc. is solely focused on cyber security solutions for the power &
energy sector. N-Dimension works with leading Critical Infrastructure organizations such as
Power & Energy groups, where they contribute to projects involving network design,
requirement specifications, procurement, and implementation. Guided by Best Practices for
Cyber Security, N-Dimension also assists Critical Infrastructure organizations by providing
them with Cyber Security Solutions that address today's increasingly sophisticated attacks by
computer hackers plus DoE Smart Grid requirements and NERC CIP compliance. N-Dimension's
Cyber Security Solutions include the versatile and powerful n-Platform product
lines which provide cyber security protection and NERC CIP compliance.
N-Dimension and its business partners, which include HD Supply Utilities, Billion Electric,
Siemens Power Generation, Hewlett-Packard, Survalent Technologies and AESI Inc., are
active across North America in designing and deploying cyber security solutions for Smart Grid
deployments.
HD Supply Utilities is N-Dimension's prime distribution partner in North America. HD Supply
uses its distribution, logistics, and service capabilities to add value to the N-Dimension solution
set. Further, HD Supply provides the managed cyber security ASP service to the market
using N-Dimension's products and services.
Billion Electric is a leading communications and security provider for telcos and for the Smart
Grid market. N-Dimension deploys Billion's advanced communications equipment to fulfill the
infrastructure solution for utilities.
HP has over 30 years of experience delivering solutions in the Utility market. Currently 65% of
the real-time EMS/SCADA applications in production around the world run on HP platforms. In
addition, HP is the technology provider for the majority of monitoring systems controlling
Nuclear Power plants around the world.
Survalent Technology has selected N-Dimension as its cyber security partner, and together we
have developed the industry's first integrated SCADA — Cyber Security platform.
N-Dimension shares its subject matter expertise and domain knowledge by participating in
industry groups such as:
a) North American Electric Reliability Corporation:
N-Dimension is a member of NERC and NERC's Demand Side Management Task Force.
www.nerc.com
b) Independent Electricity System Operator (Ontario):
N-Dimension is a member of the IESO's Reliability Standards Standing Committee which
provides input to NERC on new standards and revisions to current standards. N-Dimension
participates as cyber security subject matter experts. www.ieso.ca
c) Process Control Systems Private — Public Stakeholders Group:
This group was formed in 2007 and is led by Public Safety Canada / RCMP with the
mandate to improve cyber security protection in the critical infrastructure of Canada. Based on
its work in the industry, N-Dimension has been specifically asked to participate in this group.
d) IEEE working group P1711:
N-Dimension's CTO Andrew Wright was the key architect of the AGA-12 serial SCADA
encryption protocol and is currently participating as Vice Chair in IEEE working group P1711 to
standardize AGA-12 as an IEEE standard. http://scadasafe.sourceforge.net
e) University of Illinois:
N-Dimension participates as an Advisory Board member on the University of Illinois Trusted
Computing Infrastructure for Power. This is one of the leading research initiatives in cyber
security for critical infrastructure segments.
www.iti.uiuc.edu/press-releases/08-07-09-summerschool.html
f) ISA's SP99 Working Group 4:
This Working Group is focused on secure control system requirements.
www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
g) UCA's AMI-SEC Security Working Group:
This Working Group is tasked to develop new security standards for automated metering
infrastructure. http://osgug.ucaiug.org/utilisec/amisec/default.aspx
N-Dimension is a leader in NERC CIP Assessment Projects and cyber security solutions for
Power Generation, Transmission and Distribution companies in North America.
h) NIST's Cyber Security Coordination Task Group
N-Dimension's CTO Andrew Wright is participating in NIST's Cyber Security Coordination Task
Group that is developing security standards for the emerging smart grid. Andrew co-leads the
bottom-up subgroup of CSCTG that is investigating cyber security problems and solutions in
the smart grid from a bottom-up philosophy.
i) DOE Lemnos Interoperable Security
N-Dimension has been involved in the Lemnos Interoperable Security Program as a
participating vendor since June 2008. As a participating vendor, N-Dimension is testing
interoperability of the n-Platform, using IPSec and Syslog protocols, with project partners
and other participating vendors.
The Lemnos Interoperable Security Program is a two year Department of Energy National
SCADA Test Bed effort, with project partners Tennessee Valley Authority, Sandia National
Labs, Schweitzer Engineering Labs, and EnerNex Corporation. The goal of the effort is to
research, develop, test, and ultimately foster the commercialization and acceptance of
energy community standards for security interoperability.
Appendix B: N-Dimension's Approach to Cyber Security
1. Cyber Security Lifecycle
In order to properly address security throughout the entire operational lifecycle of a smart grid
system, cyber security must receive a holistic treatment throughout the entire lifecycle of the
system it protects. The following is an overview of cyber security best practices and an outline
of the steps that will be undertaken to achieve the appropriate security posture for the Utilities.
1.1. Holistic Approach to Cyber Security Best Practices
Information security concerns can generally be classified into 3 distinct elements: physical,
human, and IT/Technical.
[Figure: Security Best Practices, The Holistic Approach. The three elements (Physical, Human,
IT) surround the five practices applied to each of them: Security Plan, Security Policies
Reinforcement, Measurement, Back-Up, and Corrective Action.]
The Physical Element includes security features around access to buildings
and other facilities, and protection from other physical factors such as flood, fire, and other
disasters. These physical security controls must include solid protection of critical cyber
assets against any type of physical intrusion, and also detailed logging of any access to these
facilities. Such controls could consist of security cameras recording 24x7, alarm
systems, fingerprint or other biometric access systems, and security personnel who grant
access with logging and accompany staff members and visitors pending proof of
requirement.
The Human Element is generally recognized as any organization's weakest link. One of the
key vulnerabilities in an organization is an attack by a member of that organization, known
as an insider attack. Even non-malicious actions such as downloading music files can expose
company systems to viruses and other forms of malware. The resulting risks include
opening security holes for hackers and damaging the company's credibility and reputation.
Therefore, some of the important measures in this aspect include security clearance
verifications and strict compliance with corporate policies. The corporation must ensure that
there are continuous cyber security training and awareness sessions, and must have plans of
action for managing and controlling staff access level lists.
The IT/Technical Element must include solutions that block all back-entry to the IT
infrastructure, as well as prevent any malicious software or attacks against it. The protection
mechanisms that enhance this aspect are patching and security software updates, vulnerability
assessment, port scanning, implementing anti-virus and other anti-malware solutions, disabling
all unnecessary ports and services, and disabling unused, unnecessary or default
accounts. A combination of different protection mechanisms must be used to achieve strong
defense in depth. Other required actions may include thorough cyber asset classification,
testing, backup/restore, and disaster recovery plans.
The holistic approach necessitates that, for all three building-block elements:
1. a security plan be drawn with clear security policies,
2. all corporate policies reinforce these directives,
3. security metrics be developed and monitored,
4. reliable back-up systems be put in place,
5. corrective actions are taken to address any deviations.
The above approach will be taken for the Utilities.
1.2. Lifecycle Steps for Effective Cyber Security
As shown in Figure 3, there are three major steps to achieving best cyber security practices
throughout the entire Lifecycle. The fundamental starting point is the Preparation stage in which
policies are evaluated and a risk assessment is conducted. The Prevention stage includes
implementing a security change management practice and monitoring the network for security
violations. Following this, the Response phase involves modifying the existing processes and
technology to adapt to lessons learned. This cycle is then repeated to achieve a continuous
evaluation and improvement of security posture.
[Figure 3: Cyber security lifecycle.
1. Preparation: create/review policy statements; conduct a risk analysis; establish/review
security team structure.
2. Prevention: approve security changes; monitor security posture.
3. Response: respond to security violations; restoration; review.]
The following are the lifecycle steps that will be undertaken on a continuous basis for the
Utilities:
1.2.1. Preparation:
Prior to implementing a security policy, there are three (3) steps of preparation:
a. Create usage policy statements
b. Conduct a risk analysis
c. Establish a security team structure
These are described as follows:
a. Create usage policy statements
A general policy that covers all network systems and data within the company is defined as a
starting point. This general policy should provide the general user community with an
understanding of the security policy, its purpose, guidelines for improving their security
practices, and definitions of their security responsibilities. If there are specific actions that
could result in punitive or disciplinary actions against an employee, these actions and how to
avoid them should be clearly stated in this policy.
The next step is to create a partner acceptable use statement to provide partners with an
understanding of the information that is available to them, the expected disposition of that
information, as well as the conduct of the employees of the Utilities. The statement should
clearly explain any specific acts that have been identified as security attacks and the punitive
actions that will be taken should a security attack be detected.
Lastly, create an administrator acceptable use statement to explain the procedures for user
account administration, policy enforcement, and privilege review. If there are any specific
policies concerning user passwords or subsequent handling of data, clearly present those
policies as well. Check the policy against the partner acceptable use and the user acceptable
use policy statements to ensure uniformity. Make sure that administrator requirements listed in
the acceptable use policy are reflected in training plans and performance evaluations.
b. Conduct a risk analysis
A risk analysis should identify the risks to the network, network resources, and data. This does
not mean every possible entry point to the network or every possible means of attack must be
identified. The intent of a risk analysis is to identify portions of the network, assign a threat
rating to each portion, and apply an appropriate level of security. This helps maintain a
workable balance between security and required network access.
Assign each network resource one of the following three (3) risk levels:
• Low Risk - Systems or data that if compromised (data viewed by unauthorized personnel,
data corrupted, or data lost) would not disrupt the business or cause legal or financial
ramifications. The targeted system or data can be easily restored and does not permit
further access of other systems.
• Medium Risk - Systems or data that if compromised (data viewed by unauthorized personnel,
data corrupted, or data lost) would cause a moderate disruption in the business,
minor legal or financial ramifications, or provide further access to other systems. The
targeted system or data requires a moderate effort to restore or the restoration process
is disruptive to the system.
• High Risk - Systems or data that if compromised (data viewed by unauthorized personnel,
data corrupted, or data lost) would cause an extreme disruption in the business,
cause major legal or financial ramifications, or threaten the health and safety of a person.
The targeted system or data requires significant effort to restore or the restoration
process is disruptive to the business or other systems.
All notices provided under this Agreement shall be effective when mailed, postage prepaid and sent
to the following addresses:
Professional:
N-Dimension Solutions, Inc.
Attn: Mr. Peter Vickery
9030 Leslie Street, Suite 300
Richmond Hill, ON L4B1G2
City:
City of Fort Collins
Attn: Quentin Antrim
PO Box 580
Fort Collins, CO 80522
With Copy to:
City of Fort Collins, Purchasing
PO Box 580
Fort Collins, CO 80522
In the event of any such early termination by the City, the Professional shall be paid for services
rendered prior to the date of termination, subject only to the satisfactory performance of the
Professional's obligations under this Agreement. Such payment shall be the Professional's sole
right and remedy for such termination.
3. Design, Project Indemnity and Insurance Responsibility. The Professional shall be
responsible for the professional quality, technical accuracy, timely completion and the coordination
of all services rendered by the Professional, including but not limited to designs, plans, reports,
specifications, and drawings and shall, without additional compensation, promptly remedy and
correct any errors, omissions, or other deficiencies. The Professional shall indemnify, save and
hold harmless the City, its officers and employees in accordance with Colorado law, from all
damages whatsoever claimed by third parties against the City; and for the City's costs and
reasonable attorneys fees, arising directly or indirectly out of the Professional's negligent
performance of any of the services furnished under this Agreement. The Professional shall
maintain commercial general liability insurance in the amount of $500,000 combined single limits.
4. Compensation. In consideration of the services to be performed pursuant to this
Agreement, the City agrees to pay Professional on a time and reimbursable direct cost basis
according to the fee schedule attached hereto as Exhibit "B", consisting of one (1)
page, and incorporated herein by this reference, with maximum compensation (for both
Professional's time and reimbursable direct costs) not to exceed Twenty One Thousand Dollars
($21,000.00). Monthly partial payments based upon the Professional's billings and itemized
Network equipment such as switches, routers, DNS servers, and DHCP servers can allow
further access into the network, and are therefore either medium or high risk devices. It is also
possible that corruption of this equipment could cause the network itself to collapse. Such a
failure can be extremely disruptive to the business.
Once a risk level has been assigned to each network resource, it is necessary to identify the
types of users of that system. The five most common types of users are:
• Administrators - Internal users responsible for network resources.
• Privileged - Internal users with a need for greater access.
• Users - Internal users with general access.
• Partners - External users with a need to access some resources.
• Others - External users or customers.
The identification of the risk level and the type of access required of each network system
forms the basis of a security matrix. The security matrix should provide a quick reference for
each system and a starting point for further security measures, such as creating an appropriate
strategy for restricting access to network resources.
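As an added illustration (not part of N-Dimension's proposal or the City's contract), the following Python encodes the three risk-level criteria above as a classifier and derives the security matrix of system against user type from it. The asset inventory is constructed sample data; the field names, the rule that the highest triggered criterion wins, and the "full / limited / none" access labels are assumptions made for this example.

```python
"""Risk-level assignment and security matrix from the criteria in the
"Conduct a risk analysis" section.

Added example, not code from N-Dimension or the City of Fort Collins.
The inventory is constructed sample data; field names, the "highest
triggered criterion wins" rule and the access labels are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Asset:
    name: str
    disruption: str        # business disruption if compromised: none / moderate / extreme
    legal_financial: str   # legal or financial ramifications: none / minor / major
    further_access: bool   # compromise permits access to other systems
    restore_effort: str    # effort to restore: easy / moderate / significant
    safety_impact: bool    # compromise threatens a person's health or safety


def assign_risk(asset: Asset) -> Risk:
    """Return the risk level for one asset.

    Any single High criterion is enough for High; any single Medium
    criterion is enough for Medium; Low requires none of them. Because
    "provides further access to other systems" is a Medium criterion,
    network gear such as switches, routers, DNS and DHCP servers is
    never Low, as the text notes.
    """
    if (asset.safety_impact
            or asset.disruption == "extreme"
            or asset.legal_financial == "major"
            or asset.restore_effort == "significant"):
        return Risk.HIGH
    if (asset.disruption == "moderate"
            or asset.legal_financial == "minor"
            or asset.further_access
            or asset.restore_effort == "moderate"):
        return Risk.MEDIUM
    return Risk.LOW


# The five user types from the text, in the order given there.
USER_TYPES = ("Administrators", "Privileged", "Users", "Partners", "Others")

# Assumed starting access policy per risk level (labels are illustrative);
# this is the "starting point for further security measures", not a final ACL.
DEFAULT_ACCESS = {
    Risk.LOW:    ("full", "full", "full", "limited", "limited"),
    Risk.MEDIUM: ("full", "limited", "limited", "none", "none"),
    Risk.HIGH:   ("full", "limited", "none", "none", "none"),
}


def security_matrix(assets):
    """Quick reference per system: risk level plus access per user type."""
    matrix = {}
    for asset in assets:
        risk = assign_risk(asset)
        row = {"risk": risk.name}
        row.update(zip(USER_TYPES, DEFAULT_ACCESS[risk]))
        matrix[asset.name] = row
    return matrix


def render(matrix) -> str:
    """Plain-text table of the matrix, one line per system after a header."""
    header = "{:<18}{:<8}".format("system", "risk") + "".join(f"{u:<16}" for u in USER_TYPES)
    lines = [header]
    for name, row in matrix.items():
        lines.append("{:<18}{:<8}".format(name, row["risk"])
                     + "".join(f"{row[u]:<16}" for u in USER_TYPES))
    return "\n".join(lines)


# Constructed sample inventory for an operational (non-enterprise) network.
SAMPLE_ASSETS = [
    Asset("scada-hmi-01", "extreme", "major", True, "significant", True),
    Asset("sub1-core-switch", "moderate", "none", True, "moderate", False),
    Asset("ops-dns-01", "none", "none", True, "easy", False),
    Asset("ops-wiki", "none", "none", False, "easy", False),
]

if __name__ == "__main__":
    print(render(security_matrix(SAMPLE_ASSETS)))
```

The DNS server in the sample is easy to restore and causes no direct disruption, yet lands at Medium purely because it can be used to reach other systems; that is the property the text calls out for network equipment, and it is worth checking that an inventory tool reproduces it rather than rating such devices Low.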
c. Establish a security team structure
Create a cross-functional security team led by a security manager with participants from each
of the Utilities' operational areas. The representatives on the team should be aware of the
security policy and the technical aspects of security design and implementation. Often, this
requires additional training for the team members. The security team has three (3) areas of
responsibilities: policy development, practice, and response.
Policy Development: focused on establishing and reviewing security policies for the
company. At a minimum, review both the risk analysis and the security policy on an annual
basis.
Practice: the security team conducts the risk analysis, approves security change requests,
reviews security alerts, and turns plain language security policy requirements into specific
technical implementations.
Response: while network monitoring often identifies a security violation, it is the security team
members who do the actual troubleshooting and fixing of such a violation. Each security team
member should know in detail the security features provided by the equipment in his or her
operational area and know how to respond to and fix the problems that may arise.
1.2.2. Prevention
Once the preparation has been done and verified, the prevention process involves two (2)
steps of procedure:
a. Approving security changes
Security changes are changes to network equipment that have a possible impact on the overall
security of the network. It is recommended that the security team reviews the following types
of changes:
• Any change to the firewall configuration
• Any change to access control lists (ACL)
• Any change to Simple Network Management Protocol (SNMP) configuration
• Any change or update in software that differs from the approved software revision level
list
• Change passwords to network devices on a routine basis
• Restrict access to network devices to an approved list of personnel
• Ensure that the current software revision levels of network equipment and server
environments are in compliance with the security configuration requirements
In addition to these approval guidelines, have a representative from the security team sit on
the change management approval board, in order to monitor all changes that the board
reviews. The security team representative can deny any change that is considered a security
change until it has been approved by the security team.
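An added example of how a change board could apply the approval rules above mechanically (this is illustration code, not N-Dimension's or the City's): the script diffs the currently approved device configuration against the proposed one and flags every added or removed line that touches firewall configuration, an ACL, SNMP, or a software image outside the approved revision list. The two configurations are constructed IOS-style samples, and the match patterns and the approved-image set are assumptions for this example.

```python
"""Flag proposed network-device configuration changes that are "security
changes" and therefore need security-team approval before the change
board accepts them: firewall configuration, access control lists, SNMP
configuration, and software revisions not on the approved list.

Added example, not code from N-Dimension or the City of Fort Collins.
The two configurations are constructed IOS-style samples; the match
patterns and the approved-image list are assumptions for this example.
"""
import difflib
import re

# (category, pattern) pairs tried in order against each changed line.
SECURITY_PATTERNS = [
    ("firewall", re.compile(r"^\s*(zone-pair|ip inspect|class-map|policy-map|service-policy)\b")),
    ("acl",      re.compile(r"^\s*(ip access-list|access-list|ip access-group|permit|deny)\b")),
    ("snmp",     re.compile(r"^\s*snmp-server\b")),
    ("software", re.compile(r"^\s*boot system\b")),
]

# Assumed approved software revision list (image name is illustrative).
APPROVED_IMAGES = {"flash:c2960-lanbasek9-mz.150-2.SE11.bin"}


def classify_line(line: str):
    """Security category of a config line, or None for an ordinary change."""
    for category, pattern in SECURITY_PATTERNS:
        if pattern.search(line):
            return category
    return None


def review_change(current: str, proposed: str):
    """Diff the approved config against the proposed one and return the
    security changes as (op, category, line) tuples, op being '+' or '-'.

    A boot-image line counts only when the proposed image is off the
    approved list; moving to an approved image is a routine change.
    """
    findings = []
    diff = difflib.unified_diff(current.splitlines(), proposed.splitlines(),
                                lineterm="", n=0)
    for entry in diff:
        if entry.startswith(("---", "+++", "@@")):
            continue
        op, line = entry[0], entry[1:]
        if op not in "+-":
            continue
        category = classify_line(line)
        if category is None:
            continue
        if category == "software":
            image = line.split()[-1]
            if op == "-" or image in APPROVED_IMAGES:
                continue
        findings.append((op, category, line.strip()))
    return findings


def needs_security_approval(current: str, proposed: str) -> bool:
    """True if the change board must hold the change for the security team."""
    return bool(review_change(current, proposed))


# Constructed sample: the currently approved config of a substation switch.
CURRENT_CONFIG = """\
hostname sub1-sw01
boot system flash:c2960-lanbasek9-mz.150-2.SE11.bin
interface Vlan10
 description SCADA
 ip address 10.10.10.2 255.255.255.0
ip access-list extended SCADA-IN
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 20000
 deny ip any any
snmp-server community ops-ro RO
ntp server 10.10.1.1
"""

# Constructed sample: the proposed config. Besides routine edits (description,
# NTP server) it widens the ACL, adds a read-write SNMP community and
# moves to an image that is not on the approved list.
PROPOSED_CONFIG = """\
hostname sub1-sw01
boot system flash:c2960-lanbasek9-mz.152-7.E3.bin
interface Vlan10
 description SCADA VLAN
 ip address 10.10.10.2 255.255.255.0
ip access-list extended SCADA-IN
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 20000
 permit tcp any host 10.10.10.5 eq 20000
 deny ip any any
snmp-server community ops-ro RO
snmp-server community public RW
ntp server 10.10.1.2
"""

if __name__ == "__main__":
    for op, category, line in review_change(CURRENT_CONFIG, PROPOSED_CONFIG):
        print(f"{op} [{category}] {line}")
```

Run against the samples it reports three items for the security team (the unapproved boot image, the `permit tcp any` line and the new RW community) and stays silent on the description and NTP edits, which the board can approve on its own. The pattern list is the part to tune per platform; anything it does not recognise is treated as routine, so it should err on the side of matching too much.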
b. Monitoring security of the network
Security monitoring is similar to network monitoring, except it focuses on detecting changes in
the network that indicate a security violation. The starting point for security monitoring is to
determine what a violation is. Based on the threat to each system defined in the "Conduct a
Risk Analysis" section of the Preparation step, the level of monitoring required may be
identified. Specific threats to the network were also identified in the "Approving Security
Changes" section of the Prevention step. By looking at both of these parameters, a clear
picture may be developed of what needs to be monitored and how often.
The following is a recommendation on monitoring frequencies:
Type.ofEquipment based on.
Risk
`Monitocing_Frequencies,
Low -Risk
Weekly
Medium -Risk
Dail
High -Risk
Continuous
If more rapid detection is required, the monitor should be configured on a shorter time frame
Lastly, the security policy should address how to notify the security team of security violations.
Often, a network monitoring device such as an IDS is the first tool to detect the violation. Once a
violation is detected, an alarm should be raised in the operations center, which in turn
should notify the security team, using email and pager if necessary.
1.2.3. Response
Response can be broken into three (3) sections, explained as follows:
a. Security violations
Response time is critical to any type of violation detected. When a violation is detected, the
ability to protect network equipment, determine the extent of the intrusion, and recover normal
operations depends on quick decisions. Having these decisions made ahead of time makes
responding to an intrusion much more efficient and prompt. In addition, the response to the
violation may become more manageable with less frustration.
The first action following the detection of an intrusion is the notification of the security team.
Without a procedure in place, there will be considerable delay in getting the correct people to
apply the correct response.
Define a procedure in the security policy that is available 24 hours a day, 7 days a week.
Next the level of authority given to the security team to make changes should be defined, and
in what order the changes should be made. Possible corrective actions are:
• Implementing changes to prevent further access to the violation
• Isolating the violated systems
• Contacting the carrier or ISP in an attempt to trace the attack
• Using recording devices to gather evidence
• Disconnecting violated systems or the source of the violation
• Contacting the police, or other government agencies
• Shutting down violated systems
• Restoring systems according to a prioritized list
• Notifying internal managerial and legal personnel
Be sure to detail in the security policy any changes that can be conducted without management
approval.
Lastly, there are two (2) reasons for collecting and maintaining information during a security
attack:
1. To determine the extent to which systems have been compromised by the attack; and
2. To prosecute external violations.
In order to determine the extent of the violation, the following shall be performed:
• Record the event by obtaining sniffer traces of the network, copies of log files, active
user accounts, and network connections.
• Limit further compromise by disabling accounts, disconnecting network equipment from
the network, and disconnecting from the Internet.
• Back up the compromised system to aid in a detailed analysis of the damage and
method of attack. Look for other signs of compromise. Often when a system is
compromised, other systems or accounts are involved as well.
• Maintain and review security device log files and network monitoring log files, as they
often provide clues to the method of attack.
If taking legal action is considered, have the legal department review the procedures for
gathering evidence and involving the authorities. Such a review increases the
effectiveness of the evidence in legal proceedings. If the violation was internal in nature,
contact the Human Resources department, or follow the procedure set out in the Security Policy.
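As an added example of the evidence steps above (written for this edit, not code from the proposal), the script below captures active user sessions, network connections and processes from a suspected host, records a SHA-256 digest of each capture in a manifest so the copies can later be shown unaltered, re-verifies the copies, and checks the captured session list against the approved personnel list. The Linux command set, the sample command output and the approved-user list are assumptions.

```python
"""Volatile-evidence collection with an integrity manifest.

Added example, not code from the N-Dimension proposal. For the "record the
event" step it (1) runs a fixed list of read-only commands on the suspected
host to capture active user sessions, network connections and processes,
(2) stores each output with a SHA-256 digest in a chain-of-custody manifest,
(3) re-verifies the copies later, and (4) checks the captured session list
against the approved-personnel list. The Linux command set and the sample
output below are assumptions made for illustration.
"""
import hashlib
import json
import subprocess
import tempfile
import time
from pathlib import Path

# Read-only commands, most volatile first (assumed Linux toolset).
VOLATILE_COMMANDS = [
    ("sessions", ["w", "-h"]),                                # logged-in users
    ("sockets", ["ss", "-tunap"]),                            # connections and listeners
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("neighbors", ["ip", "neigh"]),                           # ARP cache
]


def run_command(argv):
    """Default runner: combined stdout+stderr as bytes; a non-zero exit is kept as evidence."""
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    return proc.stdout + proc.stderr


def collect(dest, runner=run_command, collector="unknown", commands=VOLATILE_COMMANDS):
    """Capture every command's output under dest/ and write manifest.json.

    Hashing at capture time is what later lets the copies be shown unaltered."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"collector": collector,
                "host_time": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
                "items": []}
    for name, argv in commands:
        data = runner(argv)
        out = dest / f"{name}.txt"
        out.write_bytes(data)
        manifest["items"].append({
            "name": name,
            "command": " ".join(argv),
            "file": out.name,
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest):
    """Re-hash every captured file; return the names whose digest no longer matches."""
    dest = Path(dest)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [i["name"] for i in manifest["items"]
            if hashlib.sha256((dest / i["file"]).read_bytes()).hexdigest() != i["sha256"]]


def unapproved_sessions(sessions_text, approved_users):
    """From `w -h` style output (USER TTY FROM ...), return (user, from) for every
    session that does not belong to an approved user."""
    found = []
    for line in sessions_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] not in approved_users:
            found.append((fields[0], fields[2]))
    return found


# Constructed sample output standing in for a real host (not captured data).
SAMPLE_OUTPUT = {
    "w": b"opsadmin pts/0 10.1.5.7 08:55 1.00s 0.10s 0.02s -bash\n"
         b"svc_hmi  pts/1 203.0.113.9 09:02 0.00s 0.05s 0.01s sh\n",
    "ss": b"tcp ESTAB 0 0 10.1.5.20:22 10.1.5.7:51122 users:((\"sshd\",pid=2201,fd=4))\n",
    "ps": b"2201 1 root Mon Mar 22 08:55:01 2010 sshd: opsadmin\n",
    "ip": b"10.1.5.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE\n",
}


def self_check():
    """Run the whole procedure against SAMPLE_OUTPUT in a temporary directory and
    return (items_collected, tampered_before, tampered_after_edit, unapproved)."""
    runner = lambda argv: SAMPLE_OUTPUT.get(argv[0], b"")
    with tempfile.TemporaryDirectory() as d:
        manifest = collect(d, runner=runner, collector="analyst-1")
        before = verify(d)
        (Path(d) / "sessions.txt").write_bytes(b"opsadmin pts/0 10.1.5.7\n")  # simulate tampering
        after = verify(d)
    unapproved = unapproved_sessions(SAMPLE_OUTPUT["w"].decode(), {"opsadmin"})
    return len(manifest["items"]), before, after, unapproved
```

On a real host, call collect() with the default runner as an analyst account that can read sockets and processes, then copy the directory and its manifest.json to write-once media; verify() on the copy should return an empty list. The session check here flags the svc_hmi login from 203.0.113.9 because that account is not on the approved list, which is the kind of finding that feeds the "other systems or accounts involved" step.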
b. Restoration
Restoration of normal network operations is the main goal of any security violation response.
Define in the security policy how normal backups are being conducted, secured, and made
available. As each system has its own means and procedures for backing up, the security
policy should detail, for each system, the security conditions that require restoration from
backup. If approval is required before restoration can be done, include the process for
obtaining approval as well.
c. Review
The review process is the final effort in creating and maintaining a security policy. There are
three (3) areas to be reviewed: policy, posture, and practice.
The security policy should be a living document that adapts to an ever -changing environment.
Reviewing the existing policy against known Best Practices keeps the network up to date.
Current network standing should be compared against the desired security network standing.
An outside firm that specializes in security can perform vulnerability tests that include ethical
hacking with an attempt to penetrate the network, and test not only the posture of the network,
but the security response of the organization as well. For critical networks, it is strongly
recommended to conduct such tests annually.
Finally, practice is required in order to ensure that the support staff has a clear
understanding of what to do during a security violation. In some cases, this practice session is
unannounced by management in order to test the support staff's ability and knowledge level, and
done in conjunction with the network posture test. This review identifies gaps in procedures
and training of personnel so that corrective action can be taken before a real incident.
The above procedures should be treated as an ongoing process in order to ensure best
practices are enforced continuously and the cyber security posture is maintained and improved
at all times.
2. Defense -in -Depth Solutions
True defense in depth requires a holistic approach to cyber security that touches on many
aspects of an organization's operation. Focusing on network and computing infrastructure,
defense in depth cyber security requires security capabilities at many points in the network.
The following figure illustrates typical placement of cyber security solutions (e.g. N-Dimension
Solutions' n-Platform, n-Central, and n-Client components) in securing a typical utility network.
[Figure: placement of N-Dimension components in a typical utility network. Legible zone and system labels: Utility Enterprise Network, DMZ, Control Network (AMI, OMS, SCADA, GIS), and substation.]
As indicated from bottom to top by the yellow ovals in the overlay to that figure, these systems
provide (1) communications and field systems protection, (2) interior control center network
protection, (3) enterprise / control network segregation and perimeter protection, and (4)
centralized monitoring.
N-Dimension Solutions products support securing critical operational networks with a defense -
in -depth approach. Defense -in-depth involves deploying multiple security capabilities to
implement perimeter protection at network edges, multiple security capabilities to implement
interior protection within segregated networks, and multiple security capabilities to monitor
networks for unexpected behavior. N-Dimension n-Platform Unified Threat Management
systems provide over a dozen security capabilities on a single, easy -to -manage appliance that
can implement in-depth perimeter protection, in-depth interior protection, and in-depth
monitoring. The N-Dimension n-Central Cyber Security Management system provides
centralized real-time collection, monitoring, analysis, and report generation for cyber security
events and logs from the n-Platforms, server systems, and networking equipment in a utility's
network. It is designed specifically for utilities to centrally manage cyber security solutions in
local and remote areas.
N-Dimension's products are designed to enable interoperability with enterprise systems and
between various utility systems. Capabilities such as LDAP and Active Directory integration,
PPTP and IPSEC VPN tunnel support, and monitoring via SNMP and SYSLOG address
integration with enterprise systems. Capabilities such as IDS with SCADA signatures, serial
SCADA VPN via IEEE P1711, and SCADA HMI integration address integration with existing
utility infrastructure, including legacy serial communications systems. N-Dimension is
participating in the Department of Energy's Lemnos Interoperable Security program.
N-Dimension's product suite enables compliance and interoperability with the initial draft set of
NIST smart grid standards. Various capabilities of the N-Dimension product suite directly
support those standards in the initial set of standards relevant to cyber security. These
include:
• AMI-SEC
• DNP3
• IEC 60870-6 / TASE.2 / ICCP
• IEC 62351
• NERC CIP 002-009
• NIST SP 800-53
• NIST SP 800-82
EXHIBIT B
FEE SCHEDULE
The pricing for the project will be on a per diem basis and invoiced monthly. These rates are
the discounted rates for APPA members as a result of Hometown Connections' partnership
agreement with N-Dimension. The rates vary by resource used, and are as follows:
Professional Category               Per Diem Rate (in USD), discounted APPA / Hometown Connections rate
Principal Security Consultant       $1,710
Senior Security Consultant          $1,425
Intermediate Security Consultant    $1,140
Pricing for Cyber Security Plan: per diem rates per above with total not to exceed
$21,000 USD.
Pricing for Current State Assessment: per diem rates per above with total not to exceed
$41,000 USD.
Note: Overall cost savings can be recognized if the City of Fort Collins approves both
the Cyber Security Plan and the Current State Assessment projects to be worked on
concurrently.
NOTE: One on -site trip is assumed and costed in the Cyber Security Plan and two on -site
trips are assumed and costed into the Current State Assessment project. If additional travel
is required, then expenses including accommodation and travel incurred .in providing the
services plus taxes are additional and will be invoiced at cost. Mileage will be charged at
$0.85 per mile. Travel time during office hours will be charged at the standard rate, while
travel time outside office hours will be charged at 50% of the standard rate. Additional travel
will be pre-approved by the City of Fort Collins.
The scope of work and pricing in this proposal are valid for 60 days.
EXHIBIT "C"
CONFIDENTIALITY
IN CONNECTION WITH SERVICES provided to the City of Fort Collins (the "City") pursuant to this
Agreement (the "Agreement"), the Contractor hereby acknowledges that it has been informed that
the City has established policies and procedures with regard to the handling of confidential
information and other sensitive materials.
In consideration of access to certain information, data and material (hereinafter individually and
collectively, regardless of nature, referred to as "information") that are the property of and/or relate
to the City or its employees, customers or suppliers, which access is related to the performance of
services that the Contractor has agreed to perform, the Contractor hereby acknowledges and
agrees as follows:
That information that has or will come into its possession or knowledge in connection with the
performance of services for the City may be confidential and/or proprietary. The Contractor agrees
to treat as confidential (a) all information that is owned by the City, or that relates to the business of
the City, or that is used by the City in carrying on business, and (b) all information that is
proprietary to a third party (including but not limited to customers and suppliers of the City). The
Contractor shall not disclose any such information to any person not having a legitimate need-to-
know for purposes authorized by the City. Further, the Contractor shall not use such information to
obtain any economic or other benefit for itself, or any third party, except as specifically authorized
by the City.
The foregoing to the contrary notwithstanding, the Contractor understands that it shall have no
obligation under this Agreement with respect to information and material that (a) becomes generally
known to the public by publication or some means other than a breach of duty of this Agreement, or
(b) is required by law, regulation or court order to be disclosed, provided that the request for such
disclosure is proper and the disclosure does not exceed that which is required. In the event of any
disclosure under (b) above, the Contractor shall furnish a copy of this Agreement to anyone to
whom it is required to make such disclosure and shall promptly advise the City in writing of each
such disclosure.
In the event that the Contractor ceases to perform services for the City, or the City so requests for
any reason, the Contractor shall promptly return to the City any and all information described
hereinabove, including all copies, notes and/or summaries (handwritten or mechanically produced)
thereof, in its possession or control or as to which it otherwise has access.
The Contractor understands and agrees that the City's remedies at law for a breach of the
Contractor's obligations under this Confidentiality Agreement may be inadequate and that the City
shall, in the event of any such breach, be entitled to seek equitable relief (including without
limitation preliminary and permanent injunctive relief and specific performance) in addition to all
other remedies provided hereunder or available at law.
Standard Professional Services Agreement- rev03/10
statements of reimbursable direct costs are permissible. The amounts of all such partial payments
shall be based upon the Professional's City -verified progress in completing the services to be
performed pursuant hereto and upon the City's approval of the Professional's reimbursable direct
costs. Final payment shall be made following acceptance of the work by the City. Upon final
payment, all designs, plans, reports, specifications, drawings and other services rendered by the
Professional shall become the sole property of the City.
5. City Representative. The City will designate, prior to commencement of work, its
project representative who shall make, within the scope of his or her authority, all necessary and
proper decisions with reference to the project. All requests for contract interpretations, change
orders, and other clarification or instruction shall be directed to the City Representative.
6. Project Drawings. Upon conclusion of the project and before final payment, the
Professional shall provide the City with reproducible drawings of the project containing accurate
information on the project as constructed. Drawings shall be of archival quality, prepared on stable Mylar
base material using a non-fading process to provide for long storage and high quality reproduction.
A "CD" disc of the as-built drawings shall also be submitted to the City in an AutoCAD version no
older than the established city standard.
7. Monthly Report. Commencing thirty (30) days after the date of execution of this
Agreement and every thirty (30) days thereafter, Professional is required to provide the City
Representative with a written report of the status of the work with respect to the Scope of Services,
Work Schedule, and other material information. Failure to provide any required monthly report may,
at the option of the City, suspend the processing of any partial payment request.
8. Independent Contractor. The services to be performed by Professional are those of
an independent contractor and not of an employee of the City of Fort Collins. The City shall not be
responsible for withholding any portion of Professional's compensation hereunder for the payment
of FICA, Workers' Compensation, other taxes or benefits or for any other purpose.
9. Personal Services. It is understood that the City enters into this Agreement based
on the special abilities of the Professional and that this Agreement shall be considered as an
agreement for personal services. Accordingly, the Professional shall neither assign any
responsibilities nor delegate any duties arising under this Agreement without the prior written
consent of the City.
10. Acceptance Not Waiver. The City's approval of drawings, designs, plans,
specifications, reports, and incidental work or materials furnished hereunder shall not in any way
relieve the Professional of responsibility for the quality or technical accuracy of the work. The City's
approval or acceptance of, or payment for, any of the services shall not be construed to operate as
a waiver of any rights or benefits provided to the City under this Agreement.
11. Default. Each and every term and condition hereof shall be deemed to be a material
element of this Agreement. In the event either party should fail or refuse to perform according to
the terms of this agreement, such party may be declared in default.
12. Remedies. In the event a party has been declared in default, such defaulting party
shall be allowed a period of ten (10) days within which to cure said default. In the event the default
remains uncorrected, the party declaring default may elect to (a) terminate the Agreement and seek
damages; (b) treat the Agreement as continuing and require specific performance; or (c) avail
himself of any other remedy at law or equity. If the non -defaulting party commences legal or
equitable actions against the defaulting party, the defaulting party shall be liable to the
non -defaulting party for the non -defaulting party's reasonable attorney fees and costs incurred
because of the default.
13. Binding Effect. This writing, together with the exhibits hereto, constitutes the entire
agreement between the parties and shall be binding upon said parties, their officers, employees,
agents and assigns and shall inure to the benefit of the respective survivors, heirs, personal
representatives, successors and assigns of said parties.
14. Law/Severability. The laws of the State of Colorado shall govern the construction,
interpretation, execution and enforcement of this Agreement. In the event any provision of this
Agreement shall be held invalid or unenforceable by any court of competent jurisdiction, such
holding shall not invalidate or render unenforceable any other provision of this Agreement.
16. Prohibition Against Employing Illegal Aliens. Pursuant to Section 8-17.5-101,
C.R.S., et. seq., Professional represents and agrees that:
a. As of the date of this Agreement:
1. Professional does not knowingly employ or contract with an illegal alien
who will perform work under this Agreement; and
2. Professional will participate in either the e-Verify program created in
Public Law 208, 104th Congress, as amended, and expanded in Public Law 156,
108th Congress, as amended, administered by the United States Department of
Homeland Security (the "e-Verify Program") or the Department Program (the
"Department Program"), an employment verification program, established
pursuant to Section 8-17.5-102(5)(c) C.R.S. in order to confirm the employment
eligibility of all newly hired employees to perform work under this Agreement.
b. Professional shall not knowingly employ or contract with an illegal alien to
perform work under this Agreement or knowingly enter into a contract with a
subcontractor that knowingly employs or contracts with an illegal alien to perform work
under this Agreement.
c. Professional is prohibited from using the e-Verify Program or Department
Program procedures to undertake pre -employment screening of job applicants while this
Agreement is being performed.
d. If Professional obtains actual knowledge that a subcontractor performing work
under this Agreement knowingly employs or contracts with an illegal alien, Professional
shall:
1. Notify such subcontractor and the City within three days that Professional
has actual knowledge that the subcontractor is employing or contracting with an
illegal alien; and
2. Terminate the subcontract with the subcontractor if within three days of
receiving the notice required pursuant to this section the subcontractor does not
cease employing or contracting with the illegal alien; except that Professional
shall not terminate the contract with the subcontractor if during such three days
the subcontractor provides information to establish that the subcontractor has not
knowingly employed or contracted with an illegal alien.
e. Professional shall comply with any reasonable request by the Colorado
Department of Labor and Employment (the "Department") made in the course of an
investigation that the Department undertakes or is undertaking pursuant to the authority
established in Subsection 8-17.5-102 (5), C.R.S.
f. If Professional violates any provision of this Agreement pertaining to the duties
imposed by Subsection 8-17.5-102, C.R.S. the City may terminate this Agreement. If this
Agreement is so terminated, Professional shall be liable for actual and consequential
damages to the City arising out of Professional's violation of Subsection 8-17.5-102,
C.R.S.
g. The City will notify the Office of the Secretary of State if Professional violates this
provision of this Agreement and the City terminates the Agreement for such breach.
17. Conflicts. In the event of conflict between the City and the Professional, the City's
contract terms and conditions shall supersede any and all other documents.
18. Red Flags. Service Provider must implement reasonable policies and
procedures to detect, prevent and mitigate the risk of identity theft in compliance with the
Identity Theft Red Flags Rules found at 16 Code of Federal Regulations Part 681. Further,
Service Provider must take appropriate steps to mitigate identity theft if it occurs with one or
more of the City's covered accounts.
19. Special Provisions. Special provisions or conditions relating to the services to be
performed pursuant to this Agreement are set forth in Exhibit "C - Confidentiality", consisting of one
(1) page, attached hereto and incorporated herein by this reference.
THE CITY OF FORT COLLINS, COLORADO
By: [signature]
James B. O'Neill II, CPPO, FNIGP
Director of Purchasing & Risk Management
DATE: [illegible]
N-Dimension Solutions, Inc.
By: [signature]
Title: [illegible]
CORPORATE PRESIDENT OR VICE PRESIDENT
Date: [illegible]
ATTEST:
(Corporate Seal)
Corporate Secretary
EXHIBIT A
SCOPE OF SERVICES
Proposal for
Development of a Smart Grid Cyber Security Plan
and a Cyber Security Assessment of Operational
Infrastructure
for
The City of Fort Collins
In Support Of
Smart Grid Investment Grant Program DE-FOA-0000058
Prepared by:
Peter Vickery, EVP
N-Dimension Solutions Inc.
March 22, 2010
n-dimension solutions
Cyber Security for the Smart Grid™
1 Introduction
N-Dimension Solutions Inc. (N-Dimension) is pleased to provide this proposal to develop a
Cyber Security Plan and to perform a current state Cyber Security Assessment for the smart
grid initiative planned by the City of Fort Collins (Fort Collins) as part of the Smart Grid
Investment Grant (SGIG) Program DE-FOA-0000058.
In January, the Department of Energy (DoE) detailed, in a webinar and at
www.arrasmartaridcyber.net, comprehensive guidance on the form of cyber security program that
SGIG recipients are expected to deploy.
Furthermore, SGIG recipients are required to respond with a Cyber Security Plan (Plan) within
30 days of acceptance of their awards. According to the original award requirements, this Plan
must include:
• a summary of the cyber security risks and how they will be mitigated at each stage of
the lifecycle (focusing on vulnerabilities and impact);
• a summary of the cyber security criteria utilized for vendor and device selection;
• a summary of the relevant cyber security standards and/or best practices that will be
followed;
• a summary of how the project will support emerging smart grid cyber security standards.
Further guidance issued in January by DoE indicates that a strong cyber security plan:
• provides commitments to cyber security assessments, evaluations, threat analyses;
• provides assurance that projects will create a defensive strategy, select appropriate
security controls, and implement mitigation methodologies based on risk-informed
processes;
• documents that systems are installed, tested, and operated with appropriate and diligent
cyber security.
In addition, assessments are a critical part of the DoE cyber security program for stimulus
winners. Best practices call for a current state assessment to be done to consider the impact
of the new smart grid technologies to be installed. Then a regular (annual) assessment is
required to stay current with changes in technology and the utility's security posture. DoE
looks favorably upon a utility that adopts a cyber security program with the above approach to
risk assessments.
N-Dimension's approach to cyber security aligns perfectly to this guidance. We are active with
SGIG selectees, and we have performed dozens of cyber security assessments of utility
operational networks. We are intimately familiar with cyber security risks to utility operational
systems and best practices to counter them. Our products provide the majority of the
defensive technical controls needed, and we have extensive experience in assisting clients to