9 Upgrade for Network Firewalls

Agenda Item #

To: Board of Directors
From: Ian Fitzgerald
Date: July 18, 2018
Subject: Consideration of Approving Contracts with Fortinet and Infobond to Upgrade Network Firewalls

1. WHY THIS MATTER IS BEFORE THE BOARD

Board authorization is required for procurements in excess of $15,000.

2. HISTORY

The District has been investing in Information Technology (IT) for many years. This includes 2011, when the Board approved the installation of new network infrastructure that would sufficiently meet the needs of mission-critical applications including customer information systems, GIS and SCADA. The infrastructure upgrade at that time included core switches, routers and firewall appliances, forming a new backbone which integrated District systems for increased efficiency, security, and high reliability. Since this time, the District has already replaced the core switch and server technology.

Network technology, as a general rule, continues to evolve quickly. District staff, in order to better plan and implement IT programs, created the 2017 Information Technology Master Plan (IT Master Plan), which was adopted by the Board in November 2017. The IT Master Plan, amongst other things, addresses network security and firewalls.

3. NEW INFORMATION

Since the implementation of the firewalls in 2012, there have been significant changes in the cyber-security arena. Staff have been able to maintain an acceptable level of security, but the current firewall is becoming obsolete. Three main factors in this arena will cause significant risk to the District if action is not taken.

The first factor is that Google recently announced that beginning August 2018, its web browsing application "Chrome" will begin to explicitly warn users if a site is not using SSL certificates (HTTPS). This will begin to have a significant impact on the web, as others will follow, and within a short time a majority of websites will encrypt their traffic with HTTPS. Our current firewall technology does not have the ability to decrypt HTTPS traffic, and thus without upgrading to newer technology all of this type of traffic (up to 90%) will be unable to be inspected for malware or attacks. The end result would leave the District highly susceptible to attacks.

The second factor is that the District is required to secure the District's network to Payment Card Industry (PCI) standards. Our most recent PCI vulnerability scan has identified that our firewall is using Virtual Private Network (VPN) technology that is no longer considered secure. VPN is a must-have technology here at the District, with multiple vendors and most professional staff using this technology to access the District network at remote locations.

Finally, the security used to keep Industrial Control Systems (ICS) and other systems separate currently exists on the District's core switches. To gain better visibility and simpler control of network segmentation, the plan is to move this security to the firewall environment.

Having a powerful enough firewall appliance to inspect these and future HTTPS traffic requires significant bandwidth and computing power. Staff has evaluated industry-leading firewalls and consulted with industry professionals. It is the recommendation that the firewall with the best cost/value ratio is the Fortinet firewall appliance.

The State of California has competitively bid equipment from Fortinet and other vendors as part of the California Multiple Award Schedule (CMAS) and Western States Contracting Alliance (WSCA) programs. CMAS is administered by the California Department of General Services and offers a wide variety of commodities, non-IT services, and IT products and services at prices which have been assessed to be fair, reasonable, and competitive.

The District is eligible to take advantage of State bids through CMAS and WSCA, by way of District code 3.08.060 Joint Purchasing with the State of California and Other Public Agencies. This section states, in part, that "The District may purchase materials, equipment, supplies, information technology products and services through the State of California procurement program...".

The computer networking equipment quote from Fortinet, which includes items required to upgrade our network, along with a quote for professional services to help implement and configure the firewall to best practices, is summarized below:

Vendor      Contract   Description             Amount
Fortinet    CMAS       Firewall                $126,302
Fortinet    CMAS       Firewall Optics         $ 12,816
Infobond    CMAS       Professional Services   $ 16,600
Total                                          $155,718

4. FISCAL IMPACT

Sufficient funds exist in the Electric Utility's adopted FY18 budget for this procurement.

5. RECOMMENDATION

1) Authorize the General Manager to execute a contract with Fortinet for firewall hardware and software licenses in an amount of $139,118 plus a 10% change order authorization for a total not to exceed contract amount of $153,030; and

2) Authorize the General Manager to execute a contract with Infobond for professional services in an amount of $16,600 plus a 10% change order authorization for a total not to exceed contract amount of $18,260.

Ian Fitzgerald
Information Technology Director / CIO

Michael D. Holley
General Manager