The URL can be used to link to this page

Home My WebLink About2003-200 CDM (I 1701 Highway A- 1 -A, Suite 301 Vero Beach , Florida 32963 tel : 772 231 -4301 fax : 772 231 -4332 July 2, 2003 HAND DELIVERED Mr . W. Erik Olson Director of Utility Services Indian River County 1840 25thStreet Vero Beach, FL 32960 Subject: Continuing Consulting Services Work Authorization No . 7 Vulnerability and Security Evaluation Dear Mr. Olson: Transmitted herewith are two copies of Work Authorization No . 7 for professional engineering services to perform a vulnerability and security evaluation of the County' s water supply, treatment, and distribution systems . This authorization is to assist County staff with completion of mandatory risk assessments as required by the United States Environmental Protection Agency and the Bioterrorism Act of 2002. Community water systems serving population size of 50,000 to 99,999 are required to complete vulnerability assessments by December 31 , 2003 . Wastewater systems less than 15 mgd are also required to submit vulnerability assessments; however, are not included in this scope of services . If you have any questions or comments, please contact me . Y you sApproved by : tke, P. E . Alex H. Makled, P. E . , DEE Principal Engineer Vice President Camp Dresser & McKee Inc . Camp Dresser & McKee Inc . File : 0000-AHMNB-MW. AHMIRC cc : Steven Doyle, IRC Terry Southard, IRC Gerald LeBeau, IRC mh1244 consulting • engineering • construction • operations ATTACHMENT A ENGINEERING SERVICES WORK AUTHORIZATION DATE: WORK AUTHORIZATION NO , 7 FOR CONSULTING SERVICES COUNTY NO . CAMP DRESSER & McKEE INC. CDM PROJECT NO. (consultant) I. Project Description CDM to provide professional engineering services to perform a vulnerability and security evaluation of the County' s water supply, treatment, and distribution systems . II. Scope of Services Professional engineering services to perform a vulnerability and security evaluation of the County' s water supply, treatment, and distribution system (See Attachment A) . III. Consulting Engineer Insurance Requirements A . Workers Compensation Insurance in accordance with Florida Statutes . B . Comprehensive and Automotive Liability with a m ; mmum coverage of $1 ,000,000 per occurrence for bodily injury or accidental death. Co Comprehensive General Liability with a minimum limit of $1 ,000, 000 covering bodily injury and property damage . D . Liability for Property Damage, while operating motor vehicle, with 1r rn ; mum limits of $1 ,000,000 per occurrence . E . Contractual Liability including limits established for Items IIIB, C, and D above . IV. Compensation for Services Vulnerability and Security Evaluation $42,575 Upper Limit Compensation is to be paid on a salary cost basis plus other direct costs on an as-needed basis . (See Attachment C) . CDM will submit monthly invoices for services performed. A- 1 mh1244 A . Salary Cost Basis with Upper Limit For the Basic Services performed on a salary cost basis with an upper limit, IRC agrees to pay CDM as follows : For engineering services performed by CDM, the payment will be equal to the salary cost of such services for each employee times 2.35 for overhead and profit plus actual out-of-pocket expense costs. Salary cost is equal to 1 .393 times direct salary costs and is defined as the cost of salaries (including sick leave, vacation, and holiday pay applicable thereto) for time directly chargeable to the project; plus unemployment, excise, and payroll taxes; and contributions for social security, employment compensation insurance, retirement benefits, and medical and other group insurance benefits . Actual out-of-pocket expense costs are all costs other than salary costs that are incurred during the progress of the work . The actual out-of-pocket expense costs include : air fare, automobile rental if required, mileage charges, parking tolls, taxi, meals and lodging, all in accordance with reimbursement rates set forth in Section 112. 061 Florida Statutes (1999), as amended, and telephone, printing and reproduction costs, and other miscellaneous costs incurred specifically for this project. The maximum cost for blueprint sheets is $1 . 10 . The maximum cost for mylar sheet is $11 . 00 and a sepia sheet is $5 . 00. The charges for in-house computer program and word processor usage will be at CDM' s regular rates . For outside computer services, charges will be made at invoiced cost to CDM. For the basic services performed on a salary cost basis with an upper limit, IRC agrees to provide a written request before work is started by CDM. SUBMITTED BY: APPROVED BY: CAMP DRESSER & McKEE INC. INDIAN RIVER COUNTY (Consultant) BOARD OF OUNTY COMT ONERS By By ex H. Makled, P. E ., DEE enneth R. Macht Vice President Chairman Date J 01 2 , Date August 12 , 2003 Jeffery K. Barton Clerk of the Court, By APPROVED , Deputy lerk C my Administrator APPROVED AS TO FORM AN LEGAL SUFFICIE Y B A IAN E . FELL A-2 ASSISTANT COUNTY ATTORNEYMh1244 ATTACHMENT B SCOPE OF WORK INDIAN RIVER COUNTY VULNERABILITY AND SECURITY EVALUATION WATER SUPPLY, TREATMENT, AND DISTRIBUTION INTRODUCTION On June 12, 2002, President Bush signed into law the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. Although water system security has always been important, this new legislation requires that each community water system serving a population greater than 3,300 to conduct a vulnerability assessment and submit it to the United States Environmental Protection Agency (USEPA) . Authorized by this legislation, the USEPA requires vulnerability assessments to include a review of pipes and constructed conveyances, physical barriers, water collection, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems utilized by the public water system, the use, storage, or handling of various chemicals and the operation and maintenance of the water system. SCOPE OF WORK This proposal provides for a systematic security vulnerability assessment, using an EPA- approved methodology, to determine the utility' s mission, identify threats to the system, define consequences for potential breaches in security, evaluate current equipment and procedures, recommend improvements to the physical protection systems, and provide associated budget- level costs for recommended upgrades . In order to complete this evaluation, CDM (CONSULTANT) will assign a senior, experienced water professional versed in all aspects of the water system design and operations as well as security procedures and public relations. The senior professional will be supported by the full CONSULTANT staff with specialized knowledge in key areas (instrumentation, structural, toxicology, etc.) TASK 1. 0 -KICKOFF WORKSHOP 1 . 1 Kickoff Workshop . CONSULTANT will conduct a workshop session with Indian River County Utilities Department (IRCUD) staff to : 1 ) present an overview of the RAM-WsM methodology, 2) review/ develop the water utility' s mission statement, and 3) prioritize the goals and objectives of the vulnerability assessment. Additionally, CONSULTANT will work with key IRCUD' s upper management employees to review the utility' s mission statement. CONSULTANT will also develop between 3 to 5 specific goals for the mission statement objectives and prioritize those goals using pair-wise comparisons . Those weighted goals will be used to rank each of the water system' s major components . B- 1 mh1244 TASK 2. 0 - CRITICAL FACILITIES IDENTIFICATION AND EVALUATION 2. 1 Facility Identification. CONSULTANT will work with IRCUD staff to identify the utility' s critical facilities. The facilities will include, but may not be limited to, the following: All Existing Wells Water Treatment Plants Ground and Elevated Storage Tanks Distribution System SCADA System Computer Networks 2 . 2 Prioritization of Facilities . CONSULTANT will evaluate and prioritize the facilities utilizing the pair-wise comparison methodology in accordance with RAM- WsM The pair- wise comparison will then be evaluated based on the goals established by CONSULTANT (Task 1 ) to develop a weighted score for each facility. Using this information, CONSULTANT will develop a table of ranked critical facilities . TASK 3. 0 - THREAT IDENTIFICATION AND ASSESSMENT 3 . 1 Threat Identification. CONSULTANT will conduct a threat workshop to consider three categories of threats - insider, outsider, and cyber. Threat levels will be established for insider, outsider, and cyber threats . This will determine the Design Basis Threat for the remainder of the analysis . 3 .2 Threat Assessment. The information produced in Task 3 . 1 will be assembled, and an assessment of the likelihood of that threat will be assessed . A table will be developed for each type of threat that provides historical information, motivation, tactics, numbers, equipment, weapons intelligence, technical skills, financial resources, and any other critical information concerning a potential threat. The assessment will include working with local law enforcement, state law enforcement, and federal agencies (if necessary) to evaluate: The history of threats to the facilities Capabilities of those involved Methods of attack Access to critical assets TASK 4.0 - FAULT TREE ANALYSIS OF CRITICAL ASSETS 4. 1 Fault Tree Analysis . CONSULTANT will conduct a fault tree analysis on IRCUD' s critical facilities, identified in Task 2, to determine the critical assets. The consequences of the undesirable events will be identified and CONSULTANT will develop a table of those consequences, ranked according to their impact on the mission statement objectives . The preliminary fault tree analysis will be reviewed with IRCUD in a one-day meeting to gain consensus on the most critical assets that need to be protected and numerical values in the consequence table. B-2 mh1244 4 . 2 Consequences and Protection of Critical Assets . Based on the Fault Tree Analysis and the Consequences Table, a list of the most critical assets that must be protected will be developed by CONSULTANT. TASK 5. 0 - EVALUATION OF SECURITY SYSTEMS/PROCEDURES 5 . 1 Site Visits . CONSULTANT will visit the sites of the three most critical facilities within IRCUD' s water system and catalogue the detection devices, delay devices, and response .procedures used for each of the items identified as critical assets . The types of security systems to be evaluated will include, but not be limited to : Detection Systems: 1 . Cameras 2. Infrared Detectors 3 . Intruder Alarms 4, Administrative Procedures Delay Devices. 1 . Fences 2. Doors 3 . Gate 4 . Locks Response Systems: 1 . Employee Response 2. In-House Security Response 3 . Police, Law Enforcement Response 5 . 2 Evaluation of Security Systems . CONSULTANT will evaluate the security systems in place at each facility based on the Design Basis Threat scenarios developed in Task 3 . 0 . TASK 6.0 - RISK ASSESSMENT/RISK REDUCTION 6 . 1 Risk Assessment. CONSULTANT will use the RAM-WsM risk equation to determine the vulnerability of the water system to the Design Basis Threat. 6 . 2 Risk Reduction. CONSULTANT will evaluate options for reducing IRCUD' s risk to the Design Basis Threat and develop a list of improvements needed to reduce that risk. The CONSULTANT will review the current conditions and proposed future conditions during and after the demolition/ conversion of the East WTP to a remote booster pumping facility. All improvements will be evaluated based on capital costs . A prioritized list of recommended improvements will then be provided to IRCUD along with an implementation plan and costs . B-3 mh1244 1 TASK 7.0 - VULNERABILITY ASSESSMENT REPORT 7. 1 Draft Report. Documentation of the six previous tasks will be described in the Draft Vulnerability Assessment Report. This Draft Report will incorporate the memoranda developed within the first six tasks and will document all assumptions and decisions used for the risk assessment. The Draft Report will be submitted to IRCUD for review. 7. 2 Review Meeting. Following sufficient review time by IRCUD, a review meeting will be held with CONSULTANT and IRCUD. 7.3 Final Report. CONSULTANT will incorporate all applicable comments in to the Final Vulnerability Assessment Report and deliver it to IRCUD. TASK 8.0 - PROJECT AND QUALITY MANAGEMENT The project/ quality management task is comprised of the following elements : 8 . 1 Quality Control (QC) Technical Review. CONSULTANT maintains a won all of its projects . Technical Review Committee meetings will be scheduled a ,rer the project duration in which the project team will be required to present their efforts . 8 .2 Preparation of Status Reports . The project manager will prepare monthly written progress reports summarizing activities completed, work remaining, and identifying any problems which have occurred or anticipated needs . Defects in the work or variance from the specifications or applicable regulations shall be reported immediately. DATA AND ASSISTANCE TO BE PROVIDED BY IRCUD A . IRCUD will establish contacts with local law enforcement, emergency management services, local Federal Bureau of Investigation, and other pertinent departments and agencies for the purposes of soliciting their cooperation with and participation in this vulnerability assessment, particularly Task 3 - Threat Identification and Assessment. B . IRCUD will provide copies of current policies and procedures, selected facility and distribution system blueprints, and selected Information Technology (IT) system documents such as may be needed to complete this scope of work. TIME OF COMPLETION Work shall commence upon receipt of written authorization to proceed from IRCUD . Three copies of the Vulnerability Assessment Draft Report shall be submitted to IRCUD within 120 days from Notice to Proceed . Three copies of the Final Vulnerability Assessment Report shall be submitted to IRCUD within 30 days of receipt of IRCUD' s comments on the draft report. B -4 mh1244 PAYMENT AND COMPENSATION CONSULTANT is to be compensated on a salary cost basis plus other direct costs on an as- needed basis (See Attachment C) . CONSULTANT will submit monthly invoices for services performed. B-5 mh1244 ATTACHMENT B-1 INDIAN RIVER COUNTY VULNERABILITY ASSESSMENT TASK LIST Scope I D Event Activities included Duration 1 . 1 Kickoff Workshop ■ Project Overview 1 day workshop ■ Establish Mission 2 day prep ■ I . D . Mission Objectives ■ Prioritize Mission Ob'ectives 2 . 1 Facility Identification ■ Identify facilities 2 weeks ■ Collect Facility Data ■ Collect Policies and Procedures 2 . 2 Prioritization of Facilities ■ Workshop — Prioritize w/ Pair-wise 1 day Cmrioason 3 . 1 Threat Identification ■ Workshop for 3 . 1 and 3 .2: 1 day workshop ■ Identify Threat 1 day prep ■ Assess Threat 3 . 2 Threat Assessment ■ Interview IRC staff, law enforcement, 2 weeks FBI , collect intelligence on threat. ■ Establish Design Basis Threat ■ Prepare threat memorandum 4 . 1 Fault Tree Analysis ■ Workshop — Water Fault Tree 1 day workshop ■ Compile findings of Fault Tree 4 days Compile findings 4. 2 Consequences and ■ Workshop — Review findings of Fault 1 day workshop Protection of Assets Tree , present and discuss adversary 2 week prepare adversary scenarios scenarios 5 . 1 Site Visits ■ Visit sites andphoto-document 2 days 5 . 2 Security System ■ Evaluate securing system and develop 3 weeks Evaluation proposed improvements 6 . 1 Risk Assessment ■ Perform risk assessment of existing and 1 week proposed upgrades 6 . 2 Risk Reduction ■ Establish proposed options for rsik 1 week reduction 7 . 1 Draft Report ■ Prepare and deliver draft report 2 weeks 7 .2 Review Meetina ■ Present draft re ort 1 da 7 . 3 Final Report ■ Prepare and deliver final re ort 1 week 8 . 1 Quality Control/ Technical ■ Internal reviews 1 week Review 8 . 2 Prepare Status Re ort ■ Bi-weeklyAs re wired 4 B-6 mh1244 ATTACHMENT B-2 . ESTIMATED PROJECT LABOR DISAGGREGATION VULNERABILITY AND SECURITY EVALUATION WATER SUPPLY, TREATMENT, AND DISTRIBUTION SYSTEMS or Task Officer Principal/ Senior Professional Professional Project Total Associate Professional II 1 Administration Hours Task 1 — Workshop 4 8 0 0 8 0 20 Task 2 — Critical Facilities I . D . and Evaluation 0 16 0 0 8 0 24 Task 3 — Threat Identification and Assessment 0 8 24 0 8 4 44 Task 4 — Fault Tree Analysis of Critical Assets 0 16 0 8 8 4 36 Task 5 — Evaluation of Security Systems/ Procedures 0 16 0 8 8 4 36 Task 6 — Risk Assessment/ Reduction 4 16 0 8 10 4 42 Task 7 — Vulnerability Assessment Report 4 16 0 2 16 28 66 Task 8 — Project and Quality Management 4 16 0 0 0 4 24 TOTALS ask 1 -8 16 112 24 26 66 48 292 B-7 mh1244 • sF I ATTACHMENT C PROJECT BUDGET PROJECT DESCRIPTION: Vulnerability and Security Evaluation Water Supply, Treatment, and Distribution Systems CateSp1y Hours Total Officer Principal/ Associate 16 Senior Professional 11224 Professional II 26 Professional I Project Admin66 istration 46 292 SALARY COST $34,575 OUTSIDE PROFESSIONAL NWTC 5,000 $5,000 OTHER DIRECT COST Travel Expenses 1500 Communication and Printing 11000 Computer Services 500 TOTAL OTHER DIRECT COSTS $3, 000 TOTAL ESTIMATED COSTS - UPPER LIMIT $42,575 TOTAL ESTIMATED ENGINEERING FEE (UPPER LIMIT) $41575 4