775 Main Street E, Suite 1B · Milton, Ontario · Canada L9T 3Z3
P · 905.875.2075 F · 905.875.2062
www.aesi-inc.com
1990 Lakeside Pkwy, Suite 250 · Tucker, Georgia · USA 30084
P · 770.870.1630 F · 770.870.1629
aesi@aesi-inc.com

CITY OF FORT COLLINS
Cybersecurity Vulnerability Assessment
RFP# 8359
Date Due: September 26, 2016

Author: Doug Westlund, P.Eng., MBA, Vice President, Strategic Planning and Implementation Services
dougw@aesi-inc.com
Date: September 26, 2016

TABLE OF CONTENTS

A. Executive Summary ... i
B. Scope of Proposal ... 1
  1.1. Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS) ... 1
  1.2. Project 2: Cybersecurity Governance Framework for the Utility ... 8
  1.3. Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA) ... 16
C. Assigned Personnel ... 22
D. Sustainability/TBL Methodology ... 30
E. Cost and Work Hours ... 30
F. Firm Capability ... 33
G. Additional Information ... 36

APPENDIX LISTING

Appendix A  Attachment 1: Proposal Acknowledgement
Appendix B  Curriculum Vitae

Cybersecurity Vulnerability Assessment, City of Fort Collins, RFP# 8359, September 26, 2016

A. EXECUTIVE SUMMARY

The Executive Summary should highlight the content of the proposal and features of the program offered, including a general description of the program and any unique aspects or benefits provided by your firm. Any exceptions to the agreement shall be made in the executive summary as well. Indicate your availability to participate in the interviews/demonstrations on the proposed dates as stated in the Schedule section.

The City of Fort Collins Utilities (FCU) serves more than 65,000 electric customers with total annual sales of approximately 1,500 gigawatt-hours. FCU also provides water, wastewater, stormwater and financing services.
FCU has requested assistance with three projects that will occur in sequence due to resource constraints:

Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS)

The Customer Information System (CIS) is Fort Collins Utilities’ (FCU) and the City of Longmont Utility’s (CLU) core system for managing and billing customer accounts. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist within the system that could be exploited. The purpose of this project is to identify vulnerabilities in the CIS system that can then be remediated in order to maintain the confidentiality of customer information, the integrity of data stored in CIS, and system availability.

Project 2: Cybersecurity Framework and Governance Planning for the Utility

FCU has cybersecurity processes in place, but understands that its framework and governance are immature. FCU requests assistance in using the NIST Framework for Improving Critical Infrastructure Cybersecurity to develop a cybersecurity plan and long-term maturation road map to be implemented and maintained by internal resources. The plan and road map should reflect the Utility’s unique environment, aligning cybersecurity activities with its business requirements, risk tolerance, and resources.

Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)

Electricity distribution is one of FCU’s primary services. The continuous operation of the Electric Supervisory Control and Data Acquisition (ESCADA) system is of paramount importance to the Utility’s ability to safely provide reliable service to its customers. While security measures are in place, the Utility is aware that unknown vulnerabilities may exist that could be exploited.
The purpose of this project is to identify vulnerabilities in the ESCADA system so they can be remediated in order to maintain safe, reliable electricity distribution to Fort Collins residents and businesses.

AESI’s Solution

Established in 1984, AESI is a privately owned consulting and engineering firm with offices in Tucker, Georgia and Milton, Ontario. AESI’s project history covers the full spectrum of energy utilities from generation through to transmission, distribution and operations—covering all NERC registered entities, unique corporate cultures, different resource allocations and management styles. AESI and our team members have a high level of awareness of NERC and NIST requirements and future requirements, as well as advanced knowledge of leading best practices through active involvement with client projects and industry participation. Our Networks and Security team works with clients to understand the challenges and any shortcomings, and to develop a strategy to proactively address the issues. We have a solid history of helping electric power utilities develop and implement a synergistic cyber security program, from the fundamentals of assessing hardware and systems, to the foundations of training and educating the people who use those systems on a daily basis, and up through reporting as an element of risk management.

AESI is proposing to deliver the following for the three projects:

Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS) AND Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)

We will perform these assessments in a manner that is non-intrusive to Fort Collins’ operations and customers, while providing a thorough and accurate cybersecurity posture assessment, i.e., a cybersecurity risk profile. Our comprehensive and easy-to-read reports will present a detailed description of the methodology and findings, effectively illustrated with executive dashboards to highlight key measures and findings. More importantly, we will recommend any required actions to remedy the cybersecurity, corporate and operational issues/risks, and the cybersecurity vulnerabilities, identified during the assessments.

Project 2: Cybersecurity Framework and Governance Planning for the Utility

For this project we will work with the City in a highly interactive manner to develop the underlying Risk Assessment and an effective Cybersecurity Plan and Long Term Roadmap. Effectiveness is key, as this requires an understanding of the attack vectors and emerging threats to distribution utilities, along with their risk profile and capabilities. We will deliver these services in the timeframe requested by the City.

Our services will align to the NIST Framework for Improving Critical Infrastructure Cybersecurity. This includes development of the cybersecurity program, profiling, the gap analysis, and the implementation plan. The risk assessment portion of the project will be a combination of risk management techniques such as risk profiling and heat mapping. Most importantly, we will use our extensive cybersecurity experience in the utility industry to identify the most important attack vectors and risks.

Our in-house, highly knowledgeable professionals have extensive, ‘real’ IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are considered beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team. AESI has served public power for over 20 years, and is very in tune with the cybersecurity requirements and constraints of small, medium and large public systems.
Also, AESI is well respected for providing NERC CIP and Cybersecurity Services to electrical power facilities across North America; clients include:

• City of Vero Beach
• Lakeland Electric
• Los Alamos County
• California Water Service Company
• Gainesville Regional Utilities
• Greenville Utilities Commission
• Town of Danvers
• Sugar Creek
• Consumers Energy
• Coweta-Fayette
• ElectriCities
• Fort Pierce Utilities Authority
• Lower Colorado River Authority
• Sikeston Board of Municipal Utilities
• Florida Municipal Power Agency
• International Transmission Co. Holdings (ITC)
• Municipal Electric Authority of Georgia
• Oglethorpe Power Corporation
• Georgia Transmission Corporation
• Georgia System Operations Corporation

Any technical questions about this proposal should be directed to Doug Westlund at dougw@aesi-inc.com or 770.870.1630, ext. 278; commercial questions should be directed to Kellie Elford at kelliee@aesi-inc.com or 770.870.1630, ext. 248. We will be available for interviews as needed.

We request one addition to the agreement: “The consultant may maintain a sealed and confidential copy of project documentation to support the consultant’s ability to respond to government or regulatory proceedings or investigations involving the Consultant that are directly related to work outlined by this Agreement. Any Confidential Information retained in accordance with the preceding sentence may be retained for a period of time appropriate to state or provincial jurisdiction where the associated work was done or was applicable to and during such period shall remain subject to all of the provisions of this Agreement.”

B. SCOPE OF PROPOSAL

1.1. Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS)

1. Provide a detailed narrative of the services proposed if awarded the contract. The narrative should include any options that may be beneficial for Utilities to consider.

Scope

This cyber vulnerability assessment covers the cyber assets used in FCU’s billing and Customer Service Information System (CIS). AESI will perform a vulnerability assessment of the CIS system, including:

• Network architecture and boundary protection
• VPN concentrator
• Server configuration (application, database, web)
• Application security
• Endpoint device security
• Organizational security policy and processes as they relate directly to the CIS system
• The interactive voice response (IVR) system
• Data transmission security between the CIS system and approximately 45 third-party interfaces
• Other direct system interfaces with the CIS, such as network and server devices

Methodology

We will perform this assessment in a manner that is non-intrusive to Fort Collins’ operations and customers, while providing a thorough and accurate cybersecurity posture assessment, i.e., a cybersecurity risk profile. Our comprehensive and easy-to-read report will present a detailed description of the methodology and findings, effectively illustrated with executive dashboards to highlight key measures and findings. More importantly, we will recommend any required actions to remedy the cybersecurity, corporate and operational issues/risks, and the cybersecurity vulnerabilities, identified during the assessment.

Purpose

The purpose of this document is to provide a general overview of the objectives and procedure for conducting a Cyber Vulnerability Assessment (CVA) for Fort Collins.

Overview

Our proposed methodology for conducting the CVA for Fort Collins leverages and integrates our expertise in performing NERC CIP Compliance Assessments, Cyber Security Assessments, and Cyber Vulnerability Assessments (CVA). The diagram below illustrates our end-to-end process for our VA methodology.
Figure 1: End-to-end Vulnerability Methodology [diagram: Phase I (Pre-On-site Assessment); Phase II On-site Discovery (Assessment Phase); Phase III Gap/Risk Assessment; Phase IV Report, Presentation (Recommendations/Action Plan)]

Further in our proposal, we provide additional details on the scope and range of tests AESI will perform as part of the vulnerability assessment.

Stage 1 – Pre-On-Site Activities

This stage is focused on the planning and schedule logistics prior to the start of the on-site cyber vulnerability assessment activities. It will include the following activities in collaboration with Fort Collins staff.

1. Kickoff Meeting – Schedule a coordination and planning meeting with the identified project participants. Obtain agreement on time and execution plans, monitoring requirements, and exit plans for scheduled or forced terminations of the VA scanning process.
2. Documentation Review – Obtain and review Fort Collins documentation outlining security management practices, network diagrams and device configurations for the billing and customer information services system (CIS).
3. Personnel Interviews – Obtain a list of key individuals from Fort Collins, including third parties, who can provide insight into the organization’s security processes, the technical aspects of the network structure, and the configurations of Fort Collins’ CIS.

Stage 2 – On-Site Discovery (Assessment Phase)

Stage 2 focuses on evaluating Fort Collins’ internal cybersecurity practices and processes, and on conducting the CVA to assess any vulnerabilities. Key activities for Stage 2 include conducting interviews and discussions with key staff to assess the governance relating to the practices/processes for the management of the cyber security services, plus the following:

1. Vulnerability Assessment Planning – We use non-intrusive tools and methods in conducting the CVA scans on operating IT environments. We will also explore options of first conducting CVA scanning on specific assets in a test environment, or during a scheduled outage or maintenance window, prior to scanning live/operating environments.
2. AESI will explore these options with Fort Collins technical and operations staff and agree on the approach and methodology.
3. CVA activities will include performing the following tasks/tests:

• Network Reconnaissance – This represents a suite of tests designed to develop a clear picture of the organization’s networks and systems. This is done by:
  i. Network Ranges – Use automated scanners, manual techniques, and network monitoring utilities to intercept traffic and identify the available network ranges.
  ii. Active Devices – Use automated scanners to identify all active hosts on the identified network ranges. This list of active hosts is compared to asset inventory lists or network topology diagrams to identify any unauthorized assets deployed on the networks.
  iii. Physical Inspection – A physical inspection of the interconnectivity of network hosts and assets is completed and compared to previously provided documentation. Physical security controls are reviewed and assessed for adequacy and effectiveness. Physical inspection helps to ensure that all assets have been properly identified, including any that may not have been discovered during the active network scans. Physical inspection is also used to assist in determining all connection points into the target networks.

• Enumeration and Scanning – Network asset services and ports are examined in detail using the following two steps:
  i. Operating System Identification – Using active and passive operating system identification, automated tools classify each network asset’s operating system or platform. This process will also attempt to enumerate, for each asset, the hardware vendor, physical network address and hostname given to the device.
  ii. Open Port Identification – Port scanning and port knocking techniques are used to determine enabled ports and services on all identified network hosts. Wherever possible, firewalls, routers and other network appliances are scanned from each connected subnet to identify the services enabled on each network.

• Vulnerability Discovery – This component of the vulnerability analysis assesses the protections in place for installed components. This is done via the following tasks:
  i. Security Controls Assessment – Any installed security controls used to detect and alert on malicious or unauthorized activities will be assessed for effectiveness and adequacy.
  ii. Asset Update Status – Automated tools are used to review hardware and software to ensure that the latest applicable updates and releases have been installed, including security patches, service packs, vendor releases, version upgrades, anti-virus and integrity monitoring software.
  iii. Password Controls – Check that appropriate password controls are implemented on system devices, including syntax, change rules, encryption and confidentiality. Network assets are also evaluated to ensure that no default passwords exist.

Stage 3 – Gaps/Risk Assessment

Stage 3 focuses on AESI analysing the results of the vulnerability scanning together with the governance aspects of cybersecurity management and practices. AESI will also assess security and privacy controls to ensure that Fort Collins has the necessary controls in place to protect its systems and the data contained within. AESI will use NIST SP 800-53 r4, as well as NIST SP 800-115, within its auditing approach to determine the risk levels to Fort Collins and its customers.

Stage 4 – Report and Recommendations

Stage 4 focuses on AESI preparing the draft report on the assessment findings and our recommendations on the actions required to remedy any vulnerability discovered. The findings will be mapped to the Center for Internet Security’s Critical Security Controls version 6.0.

2. Describe how the project would be managed and who would have primary responsibility for its timely and professional completion. Include a description regarding how the analysis will be performed for the various identified areas, the methods and assumptions used, and the limitations of the analysis.

Project Lead for Projects 1 and 3: Todd Ponto, CISSP

Todd Ponto has a solid background and progressive experience garnered through 25 years of working in different IT/OT environments. Projects and responsibilities include system administration, networks, physical and cybersecurity, and NERC Critical Infrastructure Protection, as well as the design and implementation of real-time networks for various SCADA/DCS systems. His cyber security expertise includes hands-on experience with firewalls, VPN, two-factor authentication, IDS, IPS, and all types of networking devices. Todd was the Team Lead for Networking, Security and NERC CIP Compliance for an electric utility in the NPCC Region, participated as the Security Team Leader for a number of North American Transmission Forum Peer Reviews, and served as a member of the North American Transmission Forum’s Hydra Team. He is currently a member of the GridEx III Working Group, contributing as an SME with exercise experience. As Project Manager, Todd is the main point of contact for Fort Collins for this project and will have primary responsibility for the project’s timely and professional completion.
Project Lead for Project 2 and Overall Project Sponsor: Doug Westlund, P.Eng., MBA

Doug Westlund has 30 years’ experience in technology and cybersecurity in the utility and telecommunications markets. He has been providing cybersecurity guidance for public power utilities for twenty years. To his credit, he has led more than 100 cybersecurity projects for generation, transmission and distribution utilities, and developed risk management for an insurer that underwrites electric power distribution utilities. Doug successfully supported 13 Smart Grid Investment Grant recipients with their cybersecurity elements. Today, Doug is actively helping to guide Joint Action Agencies and public power utilities with their cybersecurity programs. Doug actively supports the APPA and its 2,000 distribution utility members with the development of cybersecurity best practices and programs for the APPA, and with presentations at the APPA E&O and National Conferences. Doug has also provided executive-level and Board training, most specifically at the APPA National Conference. Doug was a co-author of the Cyber Security Primer document published by the APPA.

Process and Analysis

We will apply the utmost diligence when conducting the CVA in order not to affect the operation of the production/live systems. To minimize such potential risks, some of the VA scans may be conducted outside business hours at the request of Fort Collins and with the agreement of AESI. Work will be conducted both on-site and off-site to ease the burden on Fort Collins staff and facilitate cost-effective project delivery.

Figure 2: AESI’s Active Cyber Vulnerability Assessment Methodology

Assessment Phase | Step | Process
Environment Assessment and Planning | Information Gathering | Collected information about the environment and the Cyber Assets in scope (network diagram, ESP/PSP diagrams, access control and management procedures, system configurations, authorized ports/services list, password management procedures)
Environment Assessment and Planning | Tools and Environments | Prepared assessment hardware, software, commands, and configurations
Execution and Analysis (On-site) | Reconnaissance | Reviewed the provided network diagrams, configurations, and inventories; identified network ranges and access points; identified active hosts using a host discovery scanner, or manual inspection where it was not safe to scan
Execution and Analysis (On-site) | Ports and Services | Used automated scanners or OS commands
Execution and Analysis (On-site) | Community Strings Enumeration | Used network scanners and automated configuration analyzers
Execution and Analysis (On-site) | Account Enumeration | Used credentialed scans to enumerate accounts, or a manual audit where it was not safe to scan
Execution and Analysis (On-site) | Vulnerabilities Discovery | Used a vulnerability scanner to discover any vulnerabilities on assets
Execution and Analysis (On-site) | Evaluating Account Parameters | Used automated network scanners to determine account histories
Execution and Analysis (On-site) | Physical Walk-down | Reviewed physical access control and verified equipment on hand
Analytics | Firewall Configuration Review | Used parsing tools to discover vulnerabilities based on configurations; categorized vulnerabilities as high, medium or low
Analytics | Account Validation | Compared discovered results to the approved accounts list and reported any unauthorized accounts
Analytics | Ports and Services Validation | Compared discovered ports and services to the approved ports and services list and reported any unauthorized ports and services
CVA Result Documentation | Findings | Used the results of the CVA to produce a final report and a remediation plan to fix the vulnerabilities found
CVA Result Documentation | Recommendations | Mitigation plan

3. Describe the methods and timeline of communication your firm will use with the City’s Project Manager and other parties.
At AESI, our project management relies on solid project management principles, reporting and processes that begin with each team being led by a Project Manager who is an active member of the technical team. We will use this same approach for each Project. This fundamental principle ensures that the project’s scope is actively managed by someone who has hands-on experience with the technology and/or services. Active scope management translates into better control of budget and schedule. A technical project manager also feeds into tighter quality control.

Our project management methodology follows that endorsed by the Project Management Institute (PMI).

Project Initiation: incorporates a kick-off meeting, site visit, key stakeholder identification, risk assessment and a project charter (scope definition, key deliverables, schedule, team identification, communication protocol, and budget)

Planning: consists of a work breakdown structure, critical path methodology, risk mitigation, resourcing, project execution plan and a detailed budget

Project Execution: incorporates progress meetings, maintaining the risk assessment and mitigation plan, and providing project progress reports

Continuous communication, involving project status reports and meetings, will be used to maintain effective communication among all AESI team members and FCU. All meetings are initiated with a clear agenda—a Notice of Meeting—and result in defined Minutes of Meeting capturing the discussion, decisions and any resulting actions or changes of scope. AESI provides status reports with our invoices.

PROJECT CONTROLS

AESI takes a multipronged approach to project controls that includes detailed project status reports, inclusive of schedule and cost. Progress is charted against the original approved schedule, while the project’s progress, costs and cost forecasts are reviewed—looking at the amount of effort expended over a specific period of time and the actual output derived from those efforts. Any changes in scope are captured through our change management process, which is adapted to ensure it meets specific client requirements.

Documentation Security and Exchange

AESI uses a product called ShareFile for the exchange of confidential documentation. Files are uploaded and downloaded between the end user and the server directly and are protected using the same encryption protocols and algorithms applied by e-commerce services and online banking to guarantee user privacy and protection. All communications and data sharing between ShareFile and the user are encrypted using either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption protocols and up to AES 256-bit encryption. AESI utilizes customer-managed StorageZones, so all data resides in our own in-house datacenter.

We have established internal quality processes and procedures that begin with the development of an efficient and effective team structure and the selection of the most appropriate resources for each assignment. Our methodology is mature and proven, and incorporates a detailed checklist that has been refined through lessons learned on previous projects. Documentation practices are methodical and consistent, and ensure stewardship of all documents according to their confidentiality attributes. We employ project management principles to monitor and deliver projects that adhere to schedules and budgets. The central tie-in is communication—across the whole team. It is the key to early identification of issues or potential issues. If an issue is identified, we work together to quickly identify and implement a suitable resolution. Our ultimate goal—consistency begets quality; quality begets client satisfaction.

4. Include a description of the software and other analysis tools to be used.
Tools being utilized:

• Rapid7 Nexpose for the vulnerability assessment (configured for use within SCADA environments – configuration based on years of in-house experience)
• Network discovery is done using Nexpose, which uses a form of Nmap
• Titania Nipper Studio for review of firewall and router configurations (done offline with copies of configurations from the devices)
• Penetration testing is done using Kali Linux, Burp Suite Pro, and Immunity Canvas

5. Identify what portion of work, if any, may be subcontracted.

AESI has all the expertise required in-house, and therefore no work will be subcontracted for this project.

6. Provide a written outline of the consultant’s schedule and milestones for completing tasks.

AESI anticipates that Project 1 will take approximately six weeks. The majority of work will be completed off-site. We anticipate an on-site visit of three days. Project dates will be finalized by Fort Collins and AESI.

Duration | Activity | Description
One week prior to on-site visit | Pre-on-site activities, kick-off meeting | Firm up logistics for client resources, site activities
3 days | On-site CVA | Conduct CVA
Two weeks after on-site work has been completed | Draft CVA report | Prepare and issue draft report
Two weeks | Report uploaded to ShareFile for commenting | Fort Collins will be given two weeks to provide comments on the report
Two days | Final report issued after review of comments provided | Finalize and issue
December 23, 2016 | All work will be completed by this date. |
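As an added illustration of the Stage 2 and Stage 3 validation steps described above (comparing discovered hosts, ports/services and accounts against the approved inventory and approved lists, then rating each deviation high, medium or low), the following Python script is example code written for this page; it is not AESI’s tooling and is not part of the original proposal. The network ranges, asset inventory, approved lists, scan records and the severity policy are all constructed assumptions.

```python
"""Baseline reconciliation for a vulnerability assessment (Stage 2/3 analytics).

Compares discovered hosts, open ports/services and accounts against the
approved asset inventory, approved ports/services list and approved accounts
list, then rates each deviation high/medium/low.  Every input below is
constructed sample data; the severity policy is an assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed approved network ranges for the CIS segment (assumption).
APPROVED_RANGES = [ipaddress.ip_network("10.20.0.0/24"),
                   ipaddress.ip_network("10.20.1.0/24")]

# Constructed asset inventory: ip -> (hostname, approved "port/proto:service").
INVENTORY = {
    "10.20.0.10": ("cis-app01", {"443/tcp:https", "22/tcp:ssh"}),
    "10.20.0.11": ("cis-db01", {"1521/tcp:oracle", "22/tcp:ssh"}),
    "10.20.0.20": ("cis-ivr01", {"5060/udp:sip", "22/tcp:ssh"}),
    "10.20.1.5": ("cis-vpn01", {"443/tcp:https"}),
}

# Constructed approved accounts list: hostname -> accounts.
APPROVED_ACCOUNTS = {
    "cis-app01": {"svc_cis", "ops_admin"},
    "cis-db01": {"oracle", "ops_admin"},
    "cis-ivr01": {"ivr_svc", "ops_admin"},
}

# Constructed discovery output (not real scanner output), one record per line:
# "<ip> <port>/<proto> <service>" for an open port, or "<ip> account <name>"
# for an account found by a credentialed scan or manual audit.
SCAN_OUTPUT = """\
10.20.0.10 443/tcp https
10.20.0.10 22/tcp ssh
10.20.0.10 account svc_cis
10.20.0.10 account ops_admin
10.20.0.11 1521/tcp oracle
10.20.0.11 22/tcp ssh
10.20.0.11 23/tcp telnet
10.20.0.11 account oracle
10.20.0.11 account ops_admin
10.20.0.11 account tempdba
10.20.0.20 5060/udp sip
10.20.0.20 22/tcp ssh
10.20.0.20 account ivr_svc
10.20.0.20 account ops_admin
10.20.0.77 80/tcp http
192.168.5.9 445/tcp microsoft-ds
"""

# Assumed rating policy for the "categorize high, medium, low" step.
SEVERITY = {
    "unauthorized_host": "high",
    "outside_approved_range": "high",
    "unauthorized_account": "high",
    "unauthorized_service": "medium",
    "host_not_seen": "low",
}


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    host: str
    detail: str


def parse_scan(text):
    """Return ({ip: set(port/proto:service)}, {ip: set(accounts)}) from the records."""
    ports, accounts = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        ip, kind, value = parts
        if kind == "account":
            accounts.setdefault(ip, set()).add(value)
        else:
            ports.setdefault(ip, set()).add(f"{kind}:{value}")
    return ports, accounts


def reconcile(scan_text, inventory=INVENTORY,
              approved_accounts=APPROVED_ACCOUNTS, ranges=APPROVED_RANGES):
    """Compare discovery results to the approved baselines; return rated findings."""
    ports, accounts = parse_scan(scan_text)
    findings = []

    def add(category, host, detail):
        findings.append(Finding(category, SEVERITY[category], host, detail))

    for ip, seen_ports in ports.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ranges):
            add("outside_approved_range", ip, "responding host outside approved CIS ranges")
            continue
        if ip not in inventory:
            add("unauthorized_host", ip, "active host absent from asset inventory")
            continue
        hostname, approved_ports = inventory[ip]
        for svc in sorted(seen_ports - approved_ports):
            add("unauthorized_service", hostname, f"{svc} not on approved ports/services list")
        for acct in sorted(accounts.get(ip, set()) - approved_accounts.get(hostname, set())):
            add("unauthorized_account", hostname, f"account '{acct}' not on approved accounts list")

    # Inventoried hosts that never answered: may be offline, confirm on the physical walk-down.
    for ip, (hostname, _) in inventory.items():
        if ip not in ports:
            add("host_not_seen", hostname, "inventoried host not discovered; verify on walk-down")
    return findings


def summarize(findings):
    """Count findings per severity, the figure an executive dashboard would show."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(SCAN_OUTPUT)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity.upper():6}] {f.category:22} {f.host:12} {f.detail}")
    print(summarize(results))
```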
Assumptions and Requirements

We have based our estimate on the following assumptions:

• Access to FCU’s network and systems as required
• Access to FCU’s staff as required
• Administrative access to all networking equipment, or provision of the raw configurations
• AESI’s on-site activities will be limited to three consecutive days
• Fort Collins will provide feedback on the draft report within two weeks of receipt. After two weeks, the final report will be issued, the final invoice issued, and the project assumed completed and closed.
• Work will be completed by December 23, 2016

1.2. Project 2: Cybersecurity Governance Framework for the Utility

1. Provide a detailed narrative of the services proposed if awarded the contract. The narrative should include any options that may be beneficial for Utilities to consider.

AESI is very active in the distribution utility market, providing cybersecurity services ranging from technical vulnerability assessments, to development of cybersecurity programs, through to governance including Executive Team and Board training and reporting. We have conducted over 200 security assessments for utilities in North America. Further, we have been very active supporters of the APPA, and have assisted the APPA in developing cybersecurity programs for their members. We will use all our extensive experience and expertise in this project for the City.

For this project, we will work with the City in a highly interactive manner to develop an underlying Risk Assessment and an effective Cyber Security Plan and Long Term Roadmap. Effectiveness is key, as this requires an understanding of the attack vectors and emerging threats to distribution utilities, along with their risk profile and capabilities. We will deliver these services in the timeframe requested by the City.

The APPA has recently announced a multi-element cybersecurity program that has been sponsored by the Department of Energy.
AESI will ensure that all aspects of the City's Cyber Security Plan will be consistent with this APPA program and be able to derive the benefits from the APPA program.

Our services will align to the NIST Framework for Improving Critical Infrastructure Cyber Security. This includes development of the cybersecurity program, profiling, a gap analysis, and an implementation plan. The risk assessment portion of the project will be a combination of risk management techniques such as risk profiling and heat mapping. Most importantly, we will use our extensive cybersecurity experience in the utility industry to identify the most important attack vectors and risks. Our services will also include other tools that we use with distribution utilities for projects such as this, as further described in our response to Question 4.

We will ensure that the appropriate metrics and reporting are defined for the cybersecurity program. Most importantly, line of sight to the City's cybersecurity posture at any time will be defined, including operational reporting, Executive Team reporting, and Board of Directors dashboarding.

As it relates to options, AESI provides the following services to distribution utilities that may be of interest to the City:
- Implementation assistance in all aspects of the cybersecurity program. This can include development of the reporting methodologies, ranging from operational reporting to Executive Team and Board dashboarding.
- Awareness and training programs are integral to the NIST Framework and have been proven to be very effective and relatively easy to implement, resulting in an improved cybersecurity posture for the utility.
- Workshops can be very valuable to attain key stakeholder and employee buy-in to the cybersecurity program.
- Executive Team and Board of Directors risk management training.
It has been proven that support by the utility's Executive Team and Board is critical for the success of the cybersecurity program.
- AESI is very active in training and working with Executive Teams and Boards of Directors.

These options can be further discussed, scoped, and priced.

The following visual depicts how the Management Team and Board can be integrated into the use of the NIST Cybersecurity Framework as a risk management tool.

As with all of our projects, AESI will provide knowledge transfer to the City to increase the effectiveness of the City's management and governance of its cybersecurity program for the long term.

2. Describe how the project would be managed and who would have primary responsibility for its timely and professional completion. Include a description regarding how the analysis will be performed for the various areas identified, the methods and assumptions used, and the limitations of the analysis.

This project will be managed with the rigour of AESI's project management approach, which has been used successfully with utilities for over 30 years.

Project Manager, Doug Westlund

Doug will be the Project Manager for this project. Doug has 30 years' experience in utility automation and cybersecurity. Doug is AESI's lead on the Cybersecurity Framework project for the Ontario Energy Board. This Framework is North America's first regulatory framework for distribution utilities, and includes the NIST Cybersecurity Framework as a key and integral element. Doug has been a very active supporter of cybersecurity for public power utilities. As part of the APPA webinar series on cyber and physical security, Doug presented a webinar entitled "Utilizing Dashboards for More Effective Cyber & Physical Security Risk Management for Public Power".
Doug has given cybersecurity presentations at the APPA National Conference, Engineering & Operations Conference, and Business & Finance Conference. As Project Manager, Doug is the main point of contact for Fort Collins for this project and will have primary responsibility for the project's timely and professional completion.

Lead Consultant, Will Smith, CIPM, CCEP, CERM

Will is a solution-focused reliability assurance practitioner, with expertise in the optimization and integration of governance, risk management, and compliance (GRC) principles across all lines of business. He is recognized for being both reactive to developments within the regulatory environment and proactive in operational and InfoSec risk awareness. Will has extensive experience implementing risk frameworks, with proven success in guiding electric utilities towards increased transparency and operational efficiencies through cost-effective methods. He is highly adept at identifying operational risk exposures, providing practical application guidance to effectively manage complex risks, and evaluating the effectiveness of internal controls. Prior to joining AESI, Will worked for the Midwest Reliability Organization (MRO), first as the Compliance Audit Manager, and was promoted to Head of Standards and Program Performance, where he was instrumental in the risk-based paradigm shift of the CMEP. This led to the Reliability Assurance Initiative (RAI), where he partnered with industry stakeholders to mature and strengthen the posture of their internal compliance programs.

Quality Assurance, Todd Ponto, CISSP

Todd Ponto has a solid background and progressive experience garnered through 25 years of working in different IT/OT environments.
Projects and responsibilities include system administration, networks, physical and cybersecurity, and NERC Critical Infrastructure Protection, as well as the design and implementation of real-time networks for various SCADA/DCS systems. For Project 2, he will review the cybersecurity plan and roadmap to ensure alignment with Projects 1 and 3.

We recommend weekly project management reviews. These will include the status of key milestones and identification of any items that present a risk to the project schedule. In our experience, stakeholder engagement is key, but it typically involves lead times that could challenge the overall schedule. For this reason it will be imperative that the AESI Project Manager and the City's Project Manager are in regular communication and aligned with the project goals.

3. Describe the methods and timeline of communication your firm will use with the City's Project Manager and other parties.

Please see our response under Project 1, Question 3. Our project management philosophy applies across all three projects.

4. Include a description of the software and other analysis tools to be used.

AESI will use a combination of proven tools, including an application that we have developed for the gap analysis and action plans related to the NIST Cybersecurity Framework, heat maps, and dashboard reporting tools.

The following diagram illustrates typical risks and threats to public power distribution utilities. These risks and threats, plus those gathered from the risk assessment, will be used to profile the risk for FCU.

Figure 3: Identification of Attack Surface

The NIST Cybersecurity Framework will be used as a fundamental tool in this project. The gap assessment will be completed across all functions, categories and subcategories in this Framework.
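The gap assessment across Framework functions, categories and subcategories described above, combined with the impact-and-likelihood heat mapping named earlier in this section, can be made concrete with a small worked example. The script below is an added illustration and is not AESI's gap-analysis application: it scores each subcategory on a current and a target maturity level (a 0 to 4 scale assumed for the example), rates the associated risk on a 5x5 heat map with assumed high/medium/low bands, and ranks the gaps so that the roadmap addresses the riskiest gaps first. The subcategory identifiers are NIST CSF v1 identifiers; all scores are constructed.

```python
"""NIST Cybersecurity Framework gap analysis with heat-map prioritization.

Added example, not AESI's gap-analysis application: each Framework subcategory
gets a current and target maturity level (0-4, an assumed scale), the risk
behind it is placed on a 5x5 impact/likelihood heat map, and gaps are ranked
by priority so the roadmap tackles the riskiest gaps first. Subcategory IDs
are CSF v1 identifiers; the scores and risk values are constructed.
"""

# Constructed profile: subcategory -> (function, current, target, impact, likelihood)
PROFILE = {
    "ID.AM-1": ("Identify", 2, 4, 4, 4),  # physical devices inventoried
    "ID.RA-1": ("Identify", 1, 3, 5, 3),  # asset vulnerabilities identified
    "PR.AC-1": ("Protect", 3, 4, 4, 2),   # identities and credentials managed
    "PR.AT-1": ("Protect", 1, 3, 3, 4),   # users informed and trained
    "DE.CM-1": ("Detect", 0, 3, 5, 4),    # network monitored for events
    "RS.RP-1": ("Respond", 2, 2, 4, 2),   # response plan executed (already at target)
    "RC.RP-1": ("Recover", 1, 3, 5, 2),   # recovery plan executed
}


def risk_rating(impact, likelihood):
    """Map a 5x5 heat-map cell to a high/medium/low rating (assumed bands)."""
    score = impact * likelihood
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def gap_analysis(profile=PROFILE):
    """Return gaps ranked by priority = (target - current) * impact * likelihood.

    Subcategories already at target are omitted; ties break on impact so that
    high-consequence gaps surface first.
    """
    rows = []
    for sub, (func, current, target, impact, likelihood) in profile.items():
        gap = target - current
        if gap <= 0:
            continue
        rows.append({
            "subcategory": sub,
            "function": func,
            "gap": gap,
            "risk": risk_rating(impact, likelihood),
            "priority": gap * impact * likelihood,
        })
    return sorted(rows, key=lambda r: (-r["priority"], -profile[r["subcategory"]][3]))


def heat_map(profile=PROFILE):
    """Build the 5x5 heat map: grid[likelihood-1][impact-1] lists subcategories."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for sub, (_, _, _, impact, likelihood) in profile.items():
        grid[likelihood - 1][impact - 1].append(sub)
    return grid


def function_summary(profile=PROFILE):
    """Average remaining gap per Framework function, for the dashboard view."""
    totals = {}
    for _, (func, current, target, _, _) in profile.items():
        totals.setdefault(func, []).append(max(target - current, 0))
    return {f: round(sum(g) / len(g), 2) for f, g in totals.items()}


if __name__ == "__main__":
    for r in gap_analysis():
        print(f"{r['subcategory']:8} {r['function']:8} gap={r['gap']} "
              f"risk={r['risk']:6} priority={r['priority']}")
    print(function_summary())
    for lk in range(5, 0, -1):  # likelihood rows from high to low
        print(f"L{lk}: " + " | ".join(",".join(c) or "-" for c in heat_map()[lk - 1]))
```

The function-level averages feed the kind of operations/Management/Board roll-up the proposal describes, while the ranked gap list is the raw material for the roadmap; the thresholds and weighting are the parts a utility would tune with its own stakeholders.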
Figure 4: NIST Cybersecurity Gap Analysis Framework

Heat maps will be used in the risk assessment portion of the project to identify key areas of risk, mapped by impact and likelihood. We will use a highly iterative process with FCU to develop the heat maps.

Figure 5: Heat Maps

Dashboarding and reporting will be developed as part of the recommendation set to align reporting at all critical levels: operations, Management, and Board.

Figure 6: Dashboarding/Reporting

AESI uses the following cyber and physical security blueprint as part of governance projects such as these. The value of this blueprint is that it aligns the key stakeholders and the key security controls. It also depicts the reporting that is necessary for proper governance. AESI uses colour coding to depict the roll-out (typically by year) of the security initiatives. It is a visual depiction of the roadmap for the cybersecurity program. We will develop this in a highly iterative process with FCU.

Figure 7: Cybersecurity Blueprint

5. Identify what portion of work, if any, may be subcontracted.

AESI has all expertise required in-house, and therefore no work will be subcontracted for this project.

6. Provide a written outline of the consultant's schedule and milestones for completing tasks.

The following chart illustrates our proposed schedule. During the kick-off process, this schedule may be refined. Our approach will be highly interactive with the City. We will provide draft documents for review and comment by the City throughout the process. It is our experience that challenges often appear in the implementation phase. For this reason, AESI has offered a status checkpoint approach that we believe will greatly assist the City in implementing the most effective cybersecurity program.
Task / Milestone | Week
Project kick-off and onboarding | 1
Initial stakeholder engagement & discovery | 2
Prioritize the City's objectives & define scope for cybersecurity program | 3
Orient: identify system assets, stakeholder and business requirements, overall approach to risk management | 4
Develop Current NIST Profile | 5
Conduct Risk Assessment | 6 - 7
Develop draft Risk Assessment Report for City review and feedback; create Target NIST Profile | 8
Determine gaps to NIST Framework | 9
Analyze & prioritize gaps | 10
Develop draft Cybersecurity Plan & Roadmap for City review and feedback | 11 - 12
Based on feedback, revise Risk Assessment, Cybersecurity Plan, & Roadmap | 13
Presentation to the City: Risk Assessment, Cybersecurity Plan, Roadmap | 14
Based on feedback from presentation, finalize Risk Assessment, Cybersecurity Plan, & Roadmap | 15
Project wrap-up and debrief | 16
Implementation status checkpoints with opportunity for City questions and requests for guidance | Every quarter for 2 years *

* Note: we have proposed a two-year duration for queries and requests for guidance as part of the scope and price. This duration can be changed by mutual agreement.

As demonstrated by the milestones, it is our intent to work closely with the City with an iterative approach to maximize knowledge transfer, and buy-in to the process and end product.

[Figure: CVA process phases. Phase I (Pre-On-site Assessment); Phase II On-site Discovery (Assessment Phase); Phase III Gap/Risk Assessment; Phase IV Report, Presentation (Recommendations/Action Plan)]

1.3. Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)

1. Provide a detailed narrative of the services proposed if awarded the contract.
The narrative should include any options that may be beneficial for Utilities to consider.

Scope of Work

This cyber vulnerability assessment covers the cyber assets used in the operations and control of Fort Collins' Light and Power Systems (ESCADA). AESI will perform a vulnerability assessment of the ESCADA system, including:
- ESCADA network architecture and boundary protection
- ESCADA servers (application, database)
- Application security settings analysis
- Endpoint devices
- Organizational security policy and processes, as they relate directly to the ESCADA System
- 900 MHz monitoring and control system **

** Option 1, if selected, will also include up to 100 field devices. Additional costs will be determined at the time of project award.

Methodology

We will perform this assessment in a manner that is non-intrusive to Fort Collins' operations, while providing a thorough and accurate cybersecurity posture assessment, i.e., a cybersecurity risk profile. Our comprehensive and easy-to-read report will present a detailed description of the methodology and findings, effectively illustrated with executive dashboards to highlight key measures/findings. More importantly, we will recommend any required actions to remedy any cybersecurity, corporate and operational issues/risks, and cybersecurity vulnerabilities identified during the assessment.

Purpose

The purpose of this document is to provide a general overview of the objectives and procedure for conducting a Cyber Vulnerability Assessment (CVA) for Fort Collins.

Overview

Our proposed methodology for conducting the CVA for Fort Collins leverages and integrates our expertise in performing NERC CIP Compliance Assessments, Cybersecurity Assessments, and Cyber Vulnerability Assessments (CVA). The diagram below illustrates our end-to-end process for our VA methodology.
Figure 8: AESI's Active Cyber Vulnerability Assessment Methodology

Stage 1 – Pre-On-Site Activities

This stage is focused on the planning and schedule logistics prior to the start of the on-site cyber vulnerability assessment activities. This will include the following activities in collaboration with Fort Collins staff.

1. Kickoff Meeting – Schedule a coordination and planning meeting with identified project participants. Obtain agreement on time and execution plans, monitoring requirements, and exit plans for scheduled or forced terminations of the VA scanning process.
2. Documentation Review – Obtain and review Fort Collins documentation outlining security management practices, network diagrams and device configurations for the Light and Power SCADA System (ESCADA).
3. Personnel Interviews – Obtain a list of key individuals from Fort Collins, including 3rd parties, who can provide insight into the organization's security processes, technical aspects of network structure, and configurations of Fort Collins' ESCADA.

Stage 2 – On-Site Discovery (Assessment Phase)

Stage 2 focuses on evaluating Fort Collins' internal practices and processes pertaining to cybersecurity, conducting the CVA, and assessing any vulnerabilities. Key activities for Stage 2 include the following:

1. Conduct interviews and discussions with key staff to assess the governance pertaining to the practices/processes for the management of the cybersecurity services.
2. Vulnerability Assessment Planning – We use non-intrusive tools and methods in conducting the CVA scans on operating IT environments. We will also explore options for first conducting CVA scanning on some assets in a test environment, or during a scheduled outage or maintenance window, prior to scanning live/operating environments.
3. AESI will explore these options with Fort Collins technical and operations staff and agree on the approach and methodology.
4. CVA activities will include performing the following tasks/tests:
   - Network Reconnaissance – This represents a suite of tests designed to develop a clear picture of the organization's networks and systems. This is done by:
     i. Network Ranges – Use automated scanners, manual techniques, and network monitoring utilities to intercept traffic and identify the available network ranges.
     ii. Active Devices – Use automated scanners to identify all active hosts on identified network ranges. This list of active hosts is compared to asset inventory lists or network topology diagrams to identify any unauthorized assets deployed on the networks.
     iii. Physical Inspection – A physical inspection of the interconnectivity of network hosts and assets is completed and compared to previously provided documentation. Physical security controls are reviewed and assessed for adequacy and effectiveness. Physical inspection helps to ensure that all assets have been properly identified, including any that may not have been discovered during the active network scans. Physical inspection is also used to assist in determining all connection points into the target networks.
   - Enumeration and Scanning – Network assets, services and ports are examined in detail using the following two steps:
     i. Operating System Identification – Using active and passive operating system identification, automated tools classify each network asset's operating system or platform. This process will also attempt to enumerate, for each asset, the hardware vendor, physical network address and hostname given to the device.
     ii. Open Port Identification – Port scanning and port knocking techniques are used to determine enabled ports and services on all identified network hosts.
Wherever possible, firewalls, routers and other network appliances are scanned from each connected subnet to identify the services enabled on each network.
   - Vulnerability Discovery – This component of the vulnerability analysis assesses the protections in place for installed components. This is done via the following tasks:
     i. Security Controls Assessment – Any installed security controls used to detect and alert on malicious or unauthorized activities will be assessed for effectiveness and adequacy.
     ii. Asset Update Status – Automated tools are used to review hardware and software to ensure that the latest applicable updates and releases have been installed, including security patches, service packs, vendor releases, version upgrades, anti-virus and integrity monitoring software.
     iii. Password Controls – Check that appropriate password controls are implemented on system devices, including syntax, change rules, encryption and confidentiality. Network assets are also evaluated to ensure that no default passwords exist.

Stage 3 – Gaps/Risk Assessment

Stage 3 will focus on AESI performing the analysis of the results from the vulnerability scanning and of the governance aspects of the cybersecurity management and practices. AESI will also perform a security and privacy controls assessment to ensure that Fort Collins has in place the necessary controls to protect their systems and the data contained within. AESI will use NIST 800-53 r4 as well as NIST 800-115 within their auditing approach to determine the risk levels to Fort Collins.

Stage 4 – Report and Recommendations

Stage 4 will focus on AESI preparing the draft report on the assessment findings and our recommendations on required actions to remedy any vulnerability discovered. The findings will be mapped to the Center for Internet Security's Critical Security Controls version 6.0.

2. Describe how the project would be managed and who would have primary responsibility for its timely and professional completion. Include a description regarding how the analysis will be performed for the various areas identified, the methods and assumptions used, and the limitations of the analysis.

Project Manager, Todd Ponto, CISSP

Todd Ponto has a solid background and progressive experience garnered through 25 years of working in different IT/OT environments. Projects and responsibilities include system administration, networks, physical and cybersecurity, and NERC Critical Infrastructure Protection, as well as the design and implementation of real-time networks for various SCADA/DCS systems. His cybersecurity expertise includes hands-on expertise with firewalls, VPN, two-factor authentication, IDS, IPS, and all types of networking devices. Todd was the Team Lead for Networking, Security and NERC CIP Compliance for an electric utility in the NPCC Region, participated as the Security Team Leader for a number of North American Transmission Forum Peer Reviews, and served as a Member of the North American Transmission Forum's Hydra Team. He is currently a member of the GridEx III Working Group, contributing as an SME with exercise experience.

Quality Control, Doug Westlund, P.Eng., MBA

Doug Westlund has 30 years' experience in technology and cybersecurity in the utility and telecommunications markets. He has been providing cybersecurity guidance for public power utilities for twenty years. To his credit, he has led more than 100 cybersecurity projects for generation, transmission and distribution utilities, and developed risk management for an insurer that underwrites electric power distribution utilities. Doug is actively helping to guide Joint Action Agencies and public power utilities with their cybersecurity programs.
Doug actively supports the APPA and its 2,000 distribution utility members with the development of cybersecurity best practices and programs for the APPA, and with presentations at the APPA E&O and National Conferences. Doug has also provided executive-level and Board training, most specifically at the APPA National Conference. Doug was a co-author of the Cyber Security Primer document published by the APPA.

Process and Analysis

We will apply the utmost diligence when conducting the CVA in order not to affect the operation of the production/live systems. To minimize such potential risks, some of the VA scans may be conducted during off-business hours at the request of Fort Collins and with the agreement of AESI. Work will be conducted both on-site and off-site to ease the burden on Fort Collins staff and facilitate cost-effective project delivery. AESI's end-to-end process for conducting an active CVA is illustrated in the following diagram.

Figure 9: AESI's Active Cyber Vulnerability Assessment Methodology

Assessment Phase | Step | Process
Environment Assessment and Planning | Information Gathering | Collected information about the environment and the Cyber Assets in scope (network diagram, ESP/PSP diagrams, access control and management procedures, system configurations, authorized ports/services list, password management procedures)
Environment Assessment and Planning | Tools and Environments | Prepared assessment hardware, software, commands, and configurations
Execution and Analysis (Onsite) | Reconnaissance | Reviewed the provided network diagrams, configurations, and inventories; identified network ranges and access points; identified active hosts using a host discovery scanner, or manual inspection where it was not safe to scan
Execution and Analysis (Onsite) | Ports and Services | Used automated scanners or OS commands
Execution and Analysis (Onsite) | Community Strings Enumeration | Used network scanners and automated configuration analyzers
Execution and Analysis (Onsite) | Account Enumeration | Used credentialed scans to enumerate accounts, or manual audit where it was not safe to scan
Execution and Analysis (Onsite) | Vulnerabilities Discovery | Used a vulnerability scanner to discover any vulnerabilities on assets
Execution and Analysis (Onsite) | Evaluating Account Parameters | Used automated network scanners to determine account histories
Execution and Analysis (Onsite) | Physical Walk-down | Reviewed physical access control and verified equipment on hand
Analytics | Firewall Configuration Review | Used parsing tools to discover vulnerabilities based on configurations; categorized vulnerabilities as high, medium or low
Analytics | Account Validation | Compared discovered results to the approved accounts list and reported any unauthorized accounts
Analytics | Ports and Services Validation | Compared discovered ports and services to the approved ports and services list and reported any unauthorized ports and services
CVA Result Documentation | Findings | Used the results of the CVA to produce a final report and a remediation plan to fix found vulnerabilities
CVA Result Documentation | Recommendations |
CVA Result Documentation | Mitigation Plan |

3. Describe the methods and timeline of communication your firm will use with the City's Project Manager and other parties.

Please see our response under Project 1, Question 3.
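The Analytics steps in the process table above (account validation, and ports and services validation) and the active-device comparison against the asset inventory described under Stage 2 all reduce to the same operation: compare what the scans discovered with the approved baseline and report the difference. The script below is an added illustration of that comparison and is not AESI's tooling or a scanner export format. The scan export, the approved host, port and account lists, and the list of services rated high on a control network are all constructed for the example.

```python
"""Validate CVA discovery results against the approved baselines.

Added example (not AESI's tooling): the Analytics steps compare what the scans
discovered with the approved inventory, ports/services list and accounts list,
and report anything unauthorized. The scan export and the baselines are
constructed; a real scanner export would be parsed into the same shape.
"""
import csv
import io

# Constructed export of discovered host/port/service rows (host,port,proto,service).
SCAN_EXPORT = """\
host,port,proto,service
10.20.0.5,22,tcp,ssh
10.20.0.5,20000,tcp,dnp3
10.20.0.5,23,tcp,telnet
10.20.0.6,443,tcp,https
10.20.0.9,80,tcp,http
"""

# Constructed approved baselines taken from the pre-on-site documentation.
APPROVED_HOSTS = {"10.20.0.5": "scada-app-01", "10.20.0.6": "scada-hist-01"}
APPROVED_PORTS = {"10.20.0.5": {(22, "tcp"), (20000, "tcp")}, "10.20.0.6": {(443, "tcp")}}
APPROVED_ACCOUNTS = {"10.20.0.5": {"operator", "svc_hist"}, "10.20.0.6": {"operator"}}

# Constructed accounts discovered by credentialed scans.
DISCOVERED_ACCOUNTS = {"10.20.0.5": {"operator", "svc_hist", "admin"}, "10.20.0.6": {"operator"}}

# Services whose presence on a control network rates "high" (assumed list).
HIGH_RISK_SERVICES = {"telnet", "ftp", "rsh"}


def parse_scan(export):
    """Parse the CSV export into {host: {(port, proto): service}}."""
    found = {}
    for row in csv.DictReader(io.StringIO(export)):
        found.setdefault(row["host"], {})[(int(row["port"]), row["proto"])] = row["service"]
    return found


def validate(found, approved_hosts=APPROVED_HOSTS, approved_ports=APPROVED_PORTS,
             discovered_accounts=DISCOVERED_ACCOUNTS, approved_accounts=APPROVED_ACCOUNTS):
    """Return findings as (severity, host, category, detail), highest severity first."""
    findings = []
    for host, ports in found.items():
        if host not in approved_hosts:
            # A host answering on the network that the asset inventory does not know about.
            findings.append(("high", host, "unauthorized host",
                             f"{len(ports)} open port(s), not in asset inventory"))
            continue
        for (port, proto), service in ports.items():
            if (port, proto) not in approved_ports.get(host, set()):
                sev = "high" if service in HIGH_RISK_SERVICES else "medium"
                findings.append((sev, host, "unauthorized port/service", f"{port}/{proto} ({service})"))
    for host, accounts in discovered_accounts.items():
        # Accounts present on the asset but absent from the approved list.
        for acct in sorted(accounts - approved_accounts.get(host, set())):
            findings.append(("medium", host, "unauthorized account", acct))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[3]))


if __name__ == "__main__":
    for sev, host, cat, detail in validate(parse_scan(SCAN_EXPORT)):
        print(f"[{sev.upper():6}] {host:12} {cat:26} {detail}")
```

Hosts that are not in the inventory are reported as a whole rather than port by port, since the remediation question for them is whether the device belongs on the network at all; a port or account on a known host is reported individually so it can be traced to a change record.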
Our project management philosophy applies across all three projects.

4. Include a description of the software and other analysis tools to be used.

Tools being utilized:
- Rapid7 Nexpose for the vulnerability assessment (configured for use within SCADA environments; configuration based on years of in-house experience)
- Network discovery is done using Nexpose, which uses a form of Nmap
- Titania Nipper Studio for review of firewall and router configurations (done offline with copies of configurations from the devices)
- Penetration testing is done using Kali Linux, Burp Suite Pro, and Immunity Canvas

5. Identify what portion of work, if any, may be subcontracted.

AESI has all expertise required in-house, and therefore no work will be subcontracted for this Project.

6. Provide a written outline of the consultant's schedule and milestones for completing tasks.

AESI anticipates that Project 3 will take approximately eight weeks. The majority of work will be completed off-site. We anticipate an on-site visit of three days for the standard CVA, and two additional days if you take the option to include field devices. Project start dates will be finalized by Fort Collins and AESI.
Duration | Activity | Description
One week prior to on-site visit | Pre-on-site activities, kick-off meeting | Firm up logistics for client resources, site activities
3 days | On-site CVA | Conduct CVA
2 days | Option 1: CVA to include field devices | Conduct CVA on field devices
Three weeks after on-site work has been completed | Draft CVA report | Prepare and issue draft report
Two weeks | Report uploaded to ShareFile for commenting | Fort Collins will be given two weeks to provide comments on the report
Two days | Final report issued after review of comments provided | Finalize and issue

Assumptions and Requirements

We have based our estimate on the following assumptions:
- Access to Fort Collins Utilities' network and systems as required
- Access to Fort Collins Utilities' staff as required
- Administrative access to all networking equipment, or provision of the raw configurations
- AESI's on-site activities will be limited to three consecutive days, unless the option to include field devices is selected, which will add two additional days to the on-site work.
- If field devices are selected to be included, there will be fewer than 100, located at sites that do not require extensive travel to reach. Sites would be located within an hour of the control center.
- Fort Collins will provide feedback on the draft report within two weeks of receipt. After two weeks, the final report will be issued, the final invoice issued, and the project assumed completed and closed.
- Work will be completed by December 30, 2017

C. ASSIGNED PERSONNEL

The Consultant should provide the following information:

1. Primary contact information for the company including contact name(s) and title(s), mailing address(s), phone number(s), and email address(s). Complete Exhibit A, Proposal Acknowledgement.
Describe the Company's business and background, including the size, location, capacity, type of firm, details about ownership and year established. Describe the company's structure, including an organizational chart, which illustrates leadership and roles.

Any technical questions for this proposal should be directed to Doug Westlund at dougw@aesi-inc.com, or 770.870.1630, ext. 278; commercial questions should be directed to Kellie Elford at kelliee@aesi-inc.com or 770.870.1630, ext. 248. Exhibit A: Proposal Acknowledgement is located in Appendix A.

Established in 1984, AESI is a privately owned consulting and engineering firm, with offices in Tucker, Georgia and Milton, Ontario. AESI's project history covers the full spectrum of energy utilities from generation through to transmission and distribution, and operations, covering all NERC registered entities, unique corporate cultures, different resource allocations and management styles. AESI and our team members have a high level of awareness of NERC requirements and future requirements, as well as advanced knowledge of leading best practices through active involvement with client projects and industry participation. In order to bring our best to our clients, we bring our 'whole' knowledge accumulated from each and every project.

Building on the bench strength of direct utility experience and practical consulting background, we have established a solid reputation servicing the electrical power industry. Our talented team of approximately 35 permanent staff and several more occasional staff is a unique, non-traditional blend of engineers and technical staff. Their history and our demonstrated experience allow AESI to offer a strong team with proven credentials. CVAs are an extension of AESI's portfolio of services for NERC CIP Compliance and cyber security risk assessments.
Our team has attended extensive training and accreditation in performing vulnerability assessments and penetration tests from multiple leading organizations in North America, such as:
- The International Information Systems Security Certification Consortium Inc.
- The Certified Internet Web Professional program
- The SANS (SysAdmin, Audit, Network, Security) Institute
- Invited participants in the US Department of Energy National SCADA Test Bed (NSTB)
- Advanced training workshops at the Control Systems Analysis Center at the Idaho National Laboratory in Idaho Falls, Idaho

Our in-house, highly knowledgeable professionals have extensive, 'real' IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are thought of beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team.

AESI has served public power for over 20 years, and is very in tune with the cybersecurity requirements and constraints of small, medium and large size public systems.

Figure 10: Organizational Chart

2. List of Project Personnel: This list should include the identification of the contact person with primary responsibility for this Agreement, the personnel proposed for this Agreement, and any supervisory personnel, including partners and/or sub-consultants, and their individual areas of responsibility.
Project 1 List of Project Personnel:
- Todd Ponto, CISSP (Project Manager)
- Ivan Wong, CCNA
- Doug Westlund, P.Eng., MBA

Project 2 List of Project Personnel:
- Doug Westlund, P.Eng., MBA (Project Manager)
- Will Smith, CIPM, CCEP, CERM
- Todd Ponto, CISSP

Project 3 List of Project Personnel:
- Todd Ponto, CISSP (Project Manager)
- Ivan Wong, CCNA
- Doug Westlund, P.Eng., MBA

3. A resume for each professional and technical person assigned to the Agreement, including partners and/or sub-consultants, shall be submitted. The résumés shall include at least three individual references from previous assignments. Please limit resumes to one page.

AESI has provided CVs in Appendix B.

4. Some functions of this project may require the use of sub-consultants. If you intend to utilize sub-consultants you must list each and provide resumes for their key personnel. Provide examples of at least two projects where you've worked with your sub-consultants. List the sub-consultant firm(s) for this Agreement, their area(s) of expertise, and include all other applicable information herein requested for each sub-consultant. Identify what portion of work, if any, may be sub-contracted.

AESI will not use any subcontractors for any of the projects under this RFP.

5. A list of qualifications for your firm and qualifications and experience of the specific staff members proposed to perform the consulting services described above.

To keep up with the perpetual changes in cybersecurity, AESI is committed to research and staff training, specifically regarding how it relates to the utility industry and is reflected back in existing and proposed industry standards.
Our in-house, highly knowledgeable professionals have extensive, ‘real’ IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are considered beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team.

Name, Designation (Yrs. Exp.): Relevant Experience

Todd Ponto, CISSP, MSIS (>24 years)
- Performed CIP Mock Audits and Gap Analysis for electric utilities in various regions, including: Ontario IESO, Dominion Power, Omaha Public Power District (OPPD), Lincoln Electric System (LES), VT Electric Company (VELCO), Texas Municipal Power Agency (TMPA)
- Extensive experience with cybersecurity, including firewalls, VPN, two-factor authentication, IDS, IPS, and all types of networking devices
- Team Lead for Networking, Security and NERC CIP Compliance for an electric utility in the NPCC Region
- Participated as the Security Team Leader for a number of North American Transmission Forum Peer Reviews and served as a Member of the North American Transmission Forum’s Hydra Team
- Worked with electric utilities to develop their CIP Compliance Program and their transition plan from CIP v3 to v5
- Conducted cyber vulnerability assessments and provided clients with recommendations to resolve their deficiencies

Will Smith, CIPM, CCEP, CERM (15 years)
- Former MRO auditor
- Conducted mock audits for multiple energy clients
- Developed policies, guidelines and procedures and helped identify required evidence to demonstrate compliance and independent reviews thereof
- Conducted gap analysis on ICP
- Documented internal controls for risk management program; supported management through risk identification, defining KPI/KRI, testing controls, and mitigation planning

Doug Westlund, MBA, P.Eng. (30 years)
- Communications and cybersecurity in the utility and telecommunications markets
- Recognized and respected industry leader in cybersecurity
- His focus is on the ‘big picture’ and ‘long term’ strategies that support holistic and technology-based solutions
- Cybersecurity Assessment and Strategy Planning projects include: cybersecurity services for over 50 LDCs, Hydro One, OPG, numerous US co-op and municipal distribution utilities

Ivan Wong, CCNA (7 years)
- Conducted multiple cybersecurity vulnerability assessments for power utilities, water treatment plants, and corporate environments meeting NERC CIP v3 and v5 requirements
- Completes multiple regular-interval CIP tasks that support NERC compliance, i.e., patch management, log reviews, etc.
- Conducts architectural reviews of IT and OT environments to strengthen cybersecurity positioning
- Designs and implements firewalls and other cybersecurity safeguards
- Completes remediation of identified cybersecurity vulnerabilities
- Conducted multiple asset inventory projects at control centers, power plants, and substations by categorizing cyber assets to meet NERC CIP v5 requirements
- Participated in developing clear, concise and effective NERC CIP Compliance Program policies, procedures, compliance gathering processes, templates and other aids

6. Describe the availability of project personnel to participate in this project in the context of the consultant firm’s other commitments.

All proposed resources are committed resources and substitution will only be contemplated if absolutely necessary. Appropriate replacements will be identified and offered to Fort Collins. Only upon expressed written approval would there be any staff changes. AESI staffing resources and project management resources are strategically planned to incorporate overlap, such that should a substitution be required, competent staff are available and have access to all information necessary for a smooth and seamless transition.

7. Provide a list of similar projects completed in the last five (5) years by the key members of the proposed team.

AESI has performed several Vulnerability Assessments for transmission, generation, operations and distribution clients. AESI has served public power for more than 20 years, and is very aware of the cybersecurity requirements and constraints of small, medium and large size public systems, as well as having developed and/or implemented Risk Based Compliance Monitoring and Enforcement Programs. This knowledge ensures that AESI’s recommendations are actionable, effective, and within the budget of public power utilities. Some of the more relevant and repeat clients include:
- Gainesville Regional Utilities
- Coweta-Fayette EMC (Primary and backup Control Centers)
- Georgia System Operations Control Centre (two Control Centers – Transmission and Generation Control Centers, both Primary and Backup)
- Georgia Transmission Corporation (Transmission Sub-Stations)
- Greenville Utilities Commission
- Lakeland Electric (City of Lakeland)
- Oglethorpe Power Corporation – seven power plants
- PIC Group, Inc. – Sowega & Baconton
- Town of Danvers
- Liberty Utilities
- Midwest Reliability Organization (MRO)
- Indianapolis Power & Light Company
- Tri-State

8. References (current contact name, current telephone number and email address) from at least three similar projects with similar requirements that have been completed within the past five (5) years and that have involved the staff proposed to work on this project. Provide a description of the work performed.

References for Projects 1 and 3 for Todd Ponto and Ivan Wong

Town of Danvers, 2010 – 2015
AESI has undertaken several projects to improve the utility’s cybersecurity presence and communications:
- Modernization of the Town’s Electrical Distribution System through the Upgrade/Replacement of SCADA Master
- Conducted vulnerability assessments and penetration testing on the Electrical and Water Controls Systems
- Cybersecurity Hardening, Cyber Security Regulatory Compliance
- Telecom/WAN infrastructure and Firewall upgrades for the Town
- Cybersecurity program as per the Department of Energy Standards pertaining to NIST and NERC CIP Standards
- Developed framework and implemented the Cybersecurity Program
- Implemented technical solutions for the Cybersecurity compliance
- Designed the Town of Danvers WAN for its Grid Operations and corporate/town users
- Configured the Firewalls and cyber security aspects of these
- Supporting the installation, commissioning and cut over of the various systems
James Gomes, Systems Engineer, 978-774-0005, ext. 642, jgomes@mail.danvers-ma.org
Resources on Project: Todd Ponto and Ivan Wong.

Gainesville Regional Utilities, 2015 – 2016
Gainesville Regional Utilities (GRU) is a municipally operated electric utility in Florida, registered as a BA, DP, GO, GOP, IA, LSE, PA, RP, TO, TOP and TP.
AESI has undertaken several projects to improve the utility’s NERC Compliance and cybersecurity posture:
- CIP v5 Gap Assessment
- Cyber Vulnerability Assessment
- An assessment of in-scope NERC cyber assets within their control centers, and creation of the baseline documents
- Development of CIP-005 and CIP-007 RSAWs
- Monthly Patch Assessment Services
David Owens, Electric Reliability Compliance Officer, 352-393-1284, OwensDE@gru.com
Resources on Project: Todd Ponto and Ivan Wong.

Coweta-Fayette EMC (Primary and Backup Control Centers), 2012 – 2014
Under CIP v3, Coweta-Fayette EMC was not required to conduct CVAs for compliance. The utility has done so as a matter of due diligence and good cybersecurity practice for such an important BES asset. AESI has conducted cyber vulnerability assessments and penetration testing on the utility’s SCADA system, with specific focus on vulnerabilities accessible via the corporate IT network, the distribution automation system that communicates with the SCADA system via an MDS radio, and the devices that communicate through the wireless modems back to the SCADA system using the DNPNet protocol.
John Moore, Manager of Engineering, 678-423-6806, jmoore@utility.org
Resources on Project: Todd Ponto and Ivan Wong.

References for Project 2: Doug Westlund

Ontario Energy Board, 2016
The OEB regulates transmitters and local electricity distributors that operate Ontario's transmission and electricity distribution networks. Ontario's electricity transmitters and local distributors represent significant capital investments supplying electricity to large industrial, commercial and millions of consumers throughout the province, with total assets in the tens of billions. Doug is the Project Manager leading the team to develop a regulatory Cybersecurity "Framework" for the protection of consumer privacy and the Electricity System Infrastructure.
This project will provide recommendations for the countermeasures that need to be developed in terms of regulatory frameworks and policies, licensing requirements, potential changes to legislation, industry awareness and training, and assessment/auditing procedures.
Stuart Wright, Regulations & Liaison, 416.440.7683, stuart.wright@ontarioenergyboard.ca

Burlington Hydro, 2016
Burlington Hydro requested AESI’s assistance in the development of a dashboard to be used for managing and evaluating the state/health of BHI’s security program. The dashboard will be based on the NIST Cybersecurity Framework as the authoritative standard, and will include a flexible reporting mechanism for BHI’s executive team and Board.
Dan Lowry, former CIO, (905) 541-2584, lowryd1956@gmail.com

Orillia Power, 2013
Doug worked with Orillia Power on a variety of cyber and physical security governance projects. One of the key projects was developing Board-level orientation and planning for cybersecurity programs that used the cyber security blueprint as the foundation for measuring progress.
Tom Hussey, Board member, (705) 345-5230, hussey8427@rogers.com

References for Project 2: Will Smith

Midwest Reliability Organization (MRO), 2013/2014
MRO worked with NERC and the Regional Entities to develop and test a number of improvements to the Compliance Monitoring and Enforcement Program (CMEP) implementation under the Reliability Assurance Initiative (RAI). The result of these efforts moves the ERO away from a zero-tolerance regulatory approach to one that is forward-looking and focuses on areas that pose higher risk to reliability. As part of the project team, Will Smith:
- Developed and delivered training to educate industry stakeholders on the framework and principles of risk management and internal controls
- Assisted in the development of the strategic framework for the RB-CMEP, including risk concepts, criteria, and the process for evaluating risks
- Assisted industry in developing the methodology for establishing, evaluating and testing internal controls
- Established a risk and control matrix: a tool used for the identification, evaluation, impact and prioritization, and mitigation of reliability-related risks; included the levels of accountability and implementation, along with the specific control objective types, monitoring activities and frequency
Ken Goldsmith, 319-786-416, kengoldsmith@alliantenergy.com or Joe DePoorter, 608-252-1599, jdepoorter@mge.com

Indianapolis Power & Light Company (BA/DP/GO/GOP/LSE/PSE/RP/TO/TOP/TP), 2015
AESI conducted a mock audit on a subset of the standards applicable to their functions. AESI completed an off-site review of RSAWs/evidence and conducted an on-site Mock Audit, working with IPL SMEs to identify any gaps in IPL’s ability to demonstrate compliance with the NERC Standards. Knowing the movement to CMEP, AESI incorporated a risk-based review throughout the assessment process. AESI provided guidance to correct gaps, reviewed IPL’s implementation of the guidance, and informally evaluated various internal controls. AESI returned to provide SME coaching and RSAW review.
David Hodges, 703-682-6447, david.hodges@aes.com

Tri-State (GO/GOP/TO/TOP/TSP/TP/RP/LSE/PSE), 2014
For the full suite of applicable NERC Standards, AESI (1) performed an on-site review and assessment of the Reliability Compliance program, (2) provided recommendations for the development and implementation of internal controls, written policies, programs and procedures, (3) assisted in the development and implementation of items identified in the recommendations where approved, and (4) assisted in the identification of a suitable software tool that could be used to help collect, produce, manage, and report on NERC CIP and Non-CIP compliance activities.
Knowing the movement to CMEP, AESI incorporated a risk-based review throughout the assessment process.
Alice Ireland, 303-254-3120, AIreland@tristategt.org

D. SUSTAINABILITY/TBL METHODOLOGY

In no more than two (2) pages please describe how your organization strives to be Sustainable in the use of materials, equipment, vehicles, fuel, recycling, office practices, etc. Address how your firm incorporates Triple Bottom Line (TBL) into the workplace; see below in Section IV: Review and Assessment for additional information.

AESI looks after itself and its community in a pragmatic and sustainable manner that is akin to our Core Values: Integrity, Loyalty, Quality, Dependable, Professional and Family. Corporately and individually, we support Habitat for Humanity, local community sports teams for the underprivileged, sponsorship of multiple fundraising events for a variety of healthcare initiatives, and many more groups and associations to which our staff generously give their time. We’ve altered many of our operational practices to decrease our environmental footprint, and our hiring practice is based upon skills and capabilities, recognizing equality in all talent. We don’t do this because it’s the right thing to do; we do it because it makes sense—the 3 P’s—People, Planet, Profit.

E. COST AND WORK HOURS

Reasonable expenses will be reimbursable as per the attached Exhibit E Fort Collins Expense guidelines. Consultant will be required to provide original receipts to the City for all reimbursable expenses.

In your response to this proposal, please provide the following:

1. Estimated Hours by Task: Provide estimated hours for each proposed task by job title and employee name, including the time required for meetings, conference calls, etc.
Project / Task                                  Hours  Resources

Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS)
  Project Mobilization                              5  Todd Ponto, Ivan Wong
  On-site CVA                                      46  Ivan Wong
  Reporting                                        48  Todd Ponto, Ivan Wong, Doug Westlund
  Project 1 Total Hours                            99

Project 2: Cybersecurity Governance Framework for the Utility
  Project Mobilization                             75  Doug Westlund, Will Smith
  Cyber Program Assessment                        110  Doug Westlund, Will Smith
  Cybersecurity Plan, Roadmap and Reporting       250  Doug Westlund, Will Smith, Todd Ponto
  Project 2 Total Hours                           435

Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)
  Project Mobilization                              5  Todd Ponto, Ivan Wong
  On-site CVA                                      62  Ivan Wong
  Reporting                                        64  Todd Ponto, Ivan Wong
  Project 3 Total Hours                           131

Total Hours (Project 1 + Project 2 + Project 3)   665

2. Cost by Task: Provide the cost of each task identified in the Scope of Proposal section. Provide a total not to exceed figure for the Scope of Proposal. Price all additional services/deliverables separately.

Our total proposed fee for all three Projects is $144,700, and is presented on a Not-to-Exceed basis. AESI will bill all work performed on a time and expense basis, up to the Not-to-Exceed limit. Our quote does not include any applicable taxes. We estimate expenses to be $11,500. Expenses for travel and accommodations are presented as best-effort estimates. Expenses will be charged as actual costs on a flow-through basis with no administrative markups.
Project / Task                                    Cost

Project 1: Cybersecurity Vulnerability Assessment of the Utility’s Billing and Customer Service Information System (CIS)
  Labour                                       $16,600
  Expenses                                      $2,100
  Project 1 Cost                               $18,700

Project 2: Cybersecurity Governance Framework for the Utility
  Labour                                      $109,600
  Expenses                                      $7,000
  Project 2 Cost                              $116,600

Project 3: Cybersecurity Vulnerability Assessment of the Light & Power SCADA System (ESCADA)
  Labour                                       $18,500
  Expenses                                      $2,400
  Project 3 Cost                               $20,900

Total Cost (Project 1 + Project 2 + Project 3)  $156,200

Billing will occur on a monthly basis for all work completed in the preceding month. Payment is net 30 days, with any late payments charged interest at a rate of 1% per month (12.86% per annum) on outstanding balances.

3. Schedule of Rates: Provide a schedule of billing rates by category of employee and job title to be used during the term of the Agreement. This fee schedule will be firm for at least one (1) year from the date of the Agreement. The fee schedule will be used as a basis for determining fees should additional services be necessary. Include a per meeting rate in the event additional meetings are needed. A fee schedule for sub-consultants, if used, including mark-up if applicable shall be included.

Additional services, beyond the identified scope of work, will be based on our hourly rates, with expenses incurred at cost.

Category and Job Title            Hourly Rate *
Senior Executive Consultant       $270
Executive Consultant              $235
Consultant                        $175
Senior Administrative Support     $93

* AESI adjusts its rates annually effective January 1 and will hold this rate for 2017 for these three projects. If additional meetings are required, AESI’s hourly rates will be applied for those in attendance.

4. All direct costs (i.e., travel, printing, postage, etc.) specifically attributed to the project and not included in the billing rates must be identified.
Travel expenses will be reimbursable as per the attached Fort Collins Expense Guidelines. Consultant will be required to provide original receipts to the City for all travel expenses.

We estimate expenses to be $11,500. Expenses for travel and accommodations are presented as best-effort estimates. Expenses will be charged as actual costs on a flow-through basis with no administrative markups.

F. FIRM CAPABILITY

Provide relevant information regarding previous experience related to this or similar Projects, to include the following:

1. Brief Company History including number of years in business.

Established in 1984, AESI is a privately owned consulting and engineering firm, with offices in Tucker, Georgia and Milton, Ontario. AESI’s project history covers the full spectrum of energy utilities from generation through to transmission and distribution, and operations—covering all NERC registered entities, unique corporate cultures, different resource allocations and management styles. AESI and our team members have a high level of awareness of NERC requirements and future requirements, as well as advanced knowledge of leading best practices through active involvement with client projects and industry participation.

Building on the bench strength of direct utility experience and practical consulting background, we have established a solid reputation servicing the electrical power industry. Our talented team, of approximately 35 permanent staff and several more occasional staff, is a unique, non-traditional blend of engineers and technical staff. Their history and our demonstrated experience allow AESI to offer a strong team with proven credentials. CVAs are an extension of AESI’s portfolio of services for NERC CIP Compliance and cybersecurity risk assessments.
Our team has attended extensive training and accreditation in performing Vulnerability Assessments and Penetration tests from multiple leading organizations in North America such as:
- The International Information Systems Security Certification Consortium Inc.
- The Certified Internet Web Professional program
- The SANS (SysAdmin, Audit, Network, Security) Institute
- Invited Participants in US Department of Energy National SCADA Test Bed (NSTB)
- Advanced Training Workshops at the Control Systems Analysis Center at the Idaho National Laboratory in Idaho Falls, Idaho

Our in-house, highly knowledgeable professionals have extensive, ‘real’ IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are considered beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team. In order to bring our best to our clients, we bring our ‘whole’ knowledge accumulated from each and every project.

AESI has served public power for over 20 years, and is very in tune with the cybersecurity requirements and constraints of small, medium and large size public systems.

2. Detail information regarding a minimum of five years of experience in providing similar services.

AESI has served public power for over 20 years, and is very in tune with the cybersecurity requirements and constraints of small, medium and large size public systems.
AESI is well respected for providing NERC CIP and Cyber Security Services to electrical power facilities across North America; clients include:
- City of Vero Beach
- Lakeland Electric
- Los Alamos County
- California Water Service Company
- Gainesville Regional Utilities
- Greenville Utilities Commission
- Town of Danvers
- Sugar Creek
- Consumers Energy
- Coweta-Fayette
- ElectriCities
- Fort Pierce Utilities Authority
- Lower Colorado River Authority
- Sikeston Board of Municipal Utilities
- Florida Municipal Power Agency
- International Transmission Co. Holdings (ITC)
- Municipal Electric Authority of Georgia
- Oglethorpe Power Corporation
- Georgia Transmission Corporation
- Georgia System Operations Corporation

3. Describe the Company’s business and background, including the size, location, capacity, type of firm, details about ownership and year established.

Established in 1984, AESI is a privately owned consulting and engineering firm with limited shareholders, with offices in Tucker, Georgia and Milton, Ontario. AESI’s project history covers the full spectrum of energy utilities from generation through to transmission and distribution, and operations—covering all NERC registered entities, unique corporate cultures, different resource allocations and management styles. AESI and our team members have a high level of awareness of NERC requirements and future requirements, as well as advanced knowledge of leading best practices through active involvement with client projects and industry participation.

4. Provide an Organization Chart/Proposed Project Team: An organization chart

5. Provide a minimum of three similar projects with governmental utilities in the last 5 years that have involved the staff proposed to work on this project.
Include the owner’s name, title of project, beginning price, ending price, contact name, email and phone number, sub-consultants on the team and a brief description of the work and any change orders.

Please see our project references in Section C. Assigned Personnel, Question 7. In addition to those references, we have provided three corporate references below:

Brookfield Renewable Energy Group, since 2009
AESI’s relationship has developed over time through a number of projects that surround NERC Compliance, many of which were for CIP (cyber security) compliance. Throughout these projects, AESI has come to an understanding of Brookfield’s operations philosophy, staff and facilities. AESI was instrumental in the initiation of Brookfield’s CIP program with the development of the Policies and Procedures required for every Standard (002-009), and conducted several Cyber Vulnerability Assessments, training, CIP sustainment services, and audit prep support. All CIP work has focused on helping Brookfield develop a fortified cybersecurity environment. Analytical work (CVAs) identified gaps or weaknesses, recommendations and action plans for remediation. Remediation/technical solutions include Electronic Security Perimeters (ESPs), cyber security intrusion detection, alerting, logging and prevention.
Tracy Brason, General Manager, Canadian SCC Operation, 819 561 8945, tracy.brason@brookfieldrenewable.com

Oglethorpe Power Corporation (GO/GOP/LSE), SERC
Largest electricity supplier in the State of Georgia with coal, natural gas, nuclear and hydroelectric power—combined capacity of 5,790 megawatts (2009). AESI has completed a number of projects for OPC, NERC related and otherwise. OPC is registered as GO/GOP/PSE.
The NERC related projects include: Internal Compliance Program Development (CIP v5 & Non-CIP), Compliance Action plan, documentation development, Mock Audit/Readiness Assessment, Vulnerability Assessments, RSAW Training, CIP remediation work, Compliance monitoring and oversight processes, Regulatory self-certification and reporting processes, NERC Sustainment Services, etc.
Jim Messersmith, Senior VP Operations Plant Operations, 770-270-7210, jim.messersmith@opc.com

Municipal Electric Authority of Georgia (MEAG), SERC
AESI conducted an assessment of MEAG’s cybersecurity maturity using ES-C2M2—the US Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model. AESI prepared a Gap Analysis report of MEAG’s maturity level, based on generated reports from the ES-C2M2 self-evaluation survey. The ES-C2M2 methodology assessed MEAG’s Engineering Technical Services, Corporate IS, and Generation. Beyond identifying gaps, the process was also used to determine areas of duplication and where support can be leveraged from other departments. After the assessment was completed, AESI identified a strategy and recommendations for program enhancements required to implement a NERC CIP v5 program.
Mike Stanley, Manager of Engineering Technical Services (ETS), 770-563-0518, mstanley@meagpower.org

G. ADDITIONAL INFORMATION

Provide any information that distinguishes Consultant from its competition and any additional information applicable to this RFP that might be valuable in assessing Consultant’s proposal. Explain any concerns Consultant may have in maintaining objectivity in recommending the best solution for Utilities. All potential conflicts of interest must be disclosed.

When you compare the lifecycle of electricity to cybersecurity, cybersecurity is at the ‘teenager’ stage—reckless and impetuous.
But it goes far beyond that when you consider the associated risks and liability, and how the ramifications of exposed vulnerabilities can impact operations and the bottom line. In the developing arena of cybersecurity, AESI boasts a mature program that combines a systematic approach, innovative techniques, and modern tools. To keep up with the perpetual changes in cybersecurity, AESI is committed to research and staff training—specifically regarding how it relates to the utility industry and is reflected back in existing and proposed industry standards.

Our in-house, highly knowledgeable professionals have extensive, ‘real’ IT and OT experience that feeds a healthy understanding of true operations, so the fundamentals of what is being protected are considered beyond the individual cyber asset to the system as a whole. The nature and importance of the information that must be protected is well understood by the members of this Team.

Beyond the services proposed for FCU’s three Projects, AESI can help you with the cyber security process through:
- Cybersecurity Strategy, both IT and OT
- Security (Electronic and Physical) Risk Assessment
- Cybersecurity Program Development and Implementation Support
- Training
- Technical Services such as Patching, Implementation of Security Controls, etc.
- Development and Implementation of Reporting for Operations, Executives and Board
- Forensics and Remediation

AESI does not have any real or potential conflicts of interest with Fort Collins or the proposed projects.

Appendix A
ATTACHMENT 1: PROPOSAL ACKNOWLEDGEMENT

Appendix B
CV’S containing the names of all key personnel and sub consultants with titles and their specific task assignment for this Agreement shall be provided in this section.