The URL can be used to link to this page

5. Contract Award - Water System Vulnerability AssessmentPublic Works Department w v z Post Office Box 1997.. Kalispell, Montana 5990j-1997 - Telephone (406)758-7724, Fax (406)758-7831 REPORT TO: Mayor and City Council FROM: James C. Hansz, P.E., Director of Public Works I City Engineer SUBJECT: Water System Vulnerability Assessment - Consultant Agreement MEETING DATE: December 15, 2003 BACKGROUND: The Federal Government has implemented regulations through the EPA that require public water systems to determine the vulnerability of their facilities to outside threats. The Vulnerability Assessment must be completed by 30 June 2004. Once this is complete, Federal regulations also require an Emergency Response Plan to be prepared by 31 December 2004 that addresses issues raised in the Vulnerability Assessment. In order to meet the deadline for completing the work, Public Works solicited proposals from qualified firms. Three firms submitted proposals by the 31 October 2003 deadline. After reviewing the proposals the team of HDR Engineers / Morrison Maierle, Inc. was determined to be best qualified to perform the work in the time available. A satisfactory detailed scope of work and cost has been negotiated. The work includes preparation of the Vulnerability Assessment by 30 June 2004 and preparation of the Emergency Response Plan by 31 December 2004. There will be City personnel involved in this process. The cost of work has been negotiated to not exceed $59,280.00. The budget for this work is included in the Water Fund and totals $60,000.00. The difference between engineering costs and available budget allows for minor unanticipated and incidental City costs that may arise as work proceeds forward. In addition, the RFQ /RFP announcement also indicated that similar federally mandated work for the City's wastewater facilities is anticipated in the near future. All potential respondents to the RFQ /RFP were made aware of this probability via the announcement. The current work should be considered as phase one of a potential two phases, and further that the City, at its sole discretion for the convenience of the City, may choose to amend this contract to include this potential second phase of work at a separately negotiated cost. Funds for this extra work are included in the Wastewater Fund budget for FY 2004. December 15, 2003, Water system Vulnerability Assement Cantractdac RECOMMENDATION: Staff recommends award of the Water System Vulnerability Assessment and Emergency Response Plan Contract to the team of HDR Engineers / Morrison Maierle. ACTION REQUESTED: AT CITY COUNCIL MEETING OF DECEMBER 15, 2003 - MOTION TO APPROVE AWARD OF TIME WATER SYSTEM VULNERABILITY ASSESSMENT AND EMERGENCY RESPONSE PLAN .ENGINEERING SERVICES AGREEMENT TO IIDR ENGINEERS / MORRISON MAIERLE, INC, FISCAL EFFECTS: Expenditures of up to $59,290.00 from the rater Fund budget. Potential future expenditures from the Sewer and Wastewater Treatment Fund budget, the amount to be negotiated. ALTERNATIVES: As suggested by the City Council J z{ J 66 a s C. Hansz, P.E. is A Kuku ski Director of Public Worms ity Engineer City Manager Report complied December 10, 2003 Attachment: Contract December 15, 2003, water System Vulnerability Assement Contraet.doc AGREEMENT TO FURNISH ENGINEERING SERVICES To the CITY OF KALISPELL for the KALISPELL WATER SYSTEM VULNERABILITY ASSESSMENT AND EMERGENCY RESPONSE PLAN For the consideration hereinafter set forth HDR Engineering, Inc, a Nebraska corporation, with principal offices at 8404 Indian Hills Drive, Omaha, Nebraska, 68114 (hereinafter referred to as the ENGINEER), agrees to provide engineering and related services as described herein to THE CITY OF KALISPELL (hereinafter referred to as the OWNER) for a project generally described as the Kalispell Water System Vulnerability Assessment and Emergency Response Plan. The project will involve preparation of the Kalispell Water System Vulnerability Assessment and Emergency Response Plan as described in Article 1 and Exhibit A. ARTICLE 1. SCOPE OF SERVICES The ENGINEER agrees to provide required vulnerability and emergency response plan related services for the OWNER's Project. The services to be provided, and the compensation for such services, shall be as mutually agreed to in this Agreement, executed by both parties and as described in the Scope of Services (Exhibit A). Unless otherwise indicated, execution of this Agreement by the OWNER shall constitute notice to and authorization for the ENGINEER to proceed with the services enumerated in the Agreement. ARTICLE 2. BASIS OF COMPENSATION s 9"I The budget for the Scope of Services of this Agreement has been agreed upon by the parties to this agreement. The Scope of Services, by this reference, is hereby made a part of this Agreement. B. COMPENSATION As consideration for providing the services described as: Tasks 1 through 7 in Scope of Services (Exhibit A), the OWNER shall pay the ENGINEER a total fee not to exceed $59,280. Pay requests shall be submitted and payment shall be made as described in Article 3. C. CHANGE OF SCOPE OR PERSONNEL The Scope of Services and its related budget for this Agreement shall be limited to the scope and budget so contained herein (Exhibit A). Changes in the indicated Scope of Services shall be subject to renegotiation and shall be implemented by a formal amendment to this Agreement. ENGINEER shall notify OWNER of any changes in key personnel assigned to this project and shall obtain concurrence of OWNER prior to such changes. D. ADDITIONAL SERVICES Additional services not specified in Article 1, but subsequently requested by the OWNER, shall be described and the cost thereof outlined in a fon-nal amendment to this Agreement E. LITIGATION ASSISTANCE The ENGINEER will not be obligated to provide expert witness or other litigation support related to its services, unless expressly agreed in writing. In the event the ENGINEER is required to respond to a subpoena, government inquiry or other legal process related to the services in connection with a proceeding to which it is not a party, the OWNER shall reimburse the ENGINEER for reasonable costs and compensate the ENGINEER at its then standard rates for reasonable time incurred in gathering information and documents and attending depositions, hearings, and the like. .ARTICLE 3. PAYMENT FOR SERVICES Payment to the ENGINEER, as prescribed in Article 2, shall be made as follows: A. REQUEST FOR PAYMENT The ENGINEER shall submit monthly pay requests in a consistent detailed format. The submittal shall include a summary sheet to indicate total Professional Services, Reimbursable Expenses, Subcontracted Services and Total Payment Requested. Additional sheets shall be attached as necessary to describe hours worked and billable rates for each employee, itemized reimbursable expenses and itemized subcontracted services, including hours worked and billable rates for all subcontractors' employees. S. PAYMENT FOR SERVICES For all services described in Article I and subsequent amendments, payment is due within 30 days after the OWNER's receipt of the ENGINEER's pay request. Payment shall be for actual invoiced costs but shall not exceed the total amount shown in Article 2 and Scope of Services (Exhibit A). ARTICLE 4. OBLIGATIONS OF THE ENGINEER A. AUTHORIZATION TO PROCEED 2 The ENGINEER will not begin work on any of the services listed in Article l until the OWNER directs him to proceed. Authorization to proceed on work elements not defined in this Agreement as to scope, cost, and time for completion shall be in the form of a formal amendment as previously described. E. STANDARD OF CARE The ENGINEER will perform the services described in this Agreement and in any work release documents or change orders which are issued under this Agreement and signed by both parties. In performing the services, the ENGINEER. will exercise the degree of care and skill ordinarily exercised by reputable companies performing the same or similar services in the same geographic area. The ENGINEER is obligated to provide only those services which are described in this Agreement, in work release documents signed by the ENGINEER or in change orders signed by the ENGINEER C. CONFIDENTIAL TREATMENT OF DOCUMENTS ENGINEER shall keep and maintain all documents, including all reports, drawings, specifications, computer software or other items furnished by OWNER and/or prepared by ENGINEER pursuant to this Agreement confidential in accordance with ENGfNTEER's Confidential Document Retention Policy. ENGINEER shall be entitled to retain one copy of all such documentation on a confidential basis to enable ENGINEER to continue serving the OWNER's future needs or to respond to any inquiries associated with ENGINEER's services. ARTICLE 5. OBLIGATIONS OF THE OWNER A. AUTHORIZATION TO PROCEED The OWNER shall authorize the ENGINEER to proceed on Tasks 1 through 7 in Scope of Services (Exhibit A) by executing this Agreement. B, OWNER -FURNISHED DATA The OWNER shall provide to the ENGINEER all technical data in the OWNER's possession, as outlined in Exhibit A, and all other information required by the ENGINEER and relating to the ENGINEER's work on the project. Such information shall include, but not be limited to, the OWNER's requirements for the project, any design criteria or constraints, and copies of design and construction details or standards that OWNER requires to be included. The ENGINEER may rely upon the accuracy, timeliness, and completeness of the information provided by the OWNER in performing ENGINEER's services to the OWNER. C. ACCESS TO FACILITIES AND PROPERTY The OWNER shall make its system facilities and properties available and accessible for inspection by the ENGINEER and provide labor and safety equipment as reasonably required by 3 the ENGINEER and as authorized by OWNER. D. ACCESS TO PRIVATE PROPERTY The ENGINEER shall obtain permission for access from individual property owners as necessary to perform required services on private property. E. TIMELY REVIEW The OWNER shall examine all studies, reports, sketches, drawings, specifications, proposals, and other documents presented by the ENGINEER, obtain advice of an. attorney, insurance counselor, accountant, auditor, and other consultants as the OWNER deems appropriate for such examination and render in writing decisions pertaining thereto in a timely manner so as to not delay the services of the ENGINEER. F. PROMPT NOTICE The OWNER shall give prompt written notice to the ENGINEER whenever the OWNER observes or otherwise becomes aware of any development that affects the scope or timing of the ENGINEER's services or any defect in the work- of the ENGINEER or Contractors. ARTICLE 6. GENERAL LEGAL PROVISIONS A. FORCE MAJEURE The OWNER shall not be responsible for any delay or failure of person-nance caused by fire or other casualty, labor dispute, government or military action, transportation delay, inclement weather, Act of God, act or omission of OWNER or its contractors, failure of OWNER or any government authority to timely review or to approve the services or to grant permits or approvals, or any other cause beyond the OWNER'S reasonable control. B. INDEMNIFICATION Indemnification by OWNER: The OWNER agrees to indemnify, hold harmless and defend the ENGINEER from and against any and all liabilities, demands, claims, causes of actions and judgments (including costs and reasonable attorneys fees) which the ENGINEER may incur, become responsible for or pay out as a result of death or bodily injury or threat thereof to any person, destruction of or damage to any property, contamination of or adverse effect on natural resources or the environment, any violation of local, state, or federal laws, regulations or orders, or any other damages claimed by third parties, including without limitation any arising out of or related to hazardous materials or substances and including costs of response or remediation arising out of the application of common law or laws imposing strict liability, to the extent arising from the negligent acts or omissions or willful misconduct of the OWNER, its employees, agents and subcontractors. 4 OWNER acknowledges that it is neither practical nor possible to identify and prevent all possible nacans of vulnerability breaches. OWNER hereby agrees to bring no claims and to Void ENGINEER harmless from any claim arising out of the intentional, willful, malicious, criminal, or negligent acts of third -parties including, but not limited to, terrorist attacks. Indemnification by ENGINEER: The ENGINEER agrees to indemnify, hold harmless and defend the OWNER from and against any and all liabilities, demands, claims, causes of actions and judgments (including costs and reasonable attorneys fees) which the OWNER may incur, become responsible for or pay out as a result of death or bodily injury or threat thereof to any person, destruction of or damage to any property, contamination of or adverse effect on natural resources or the environment, any violation of local, state, or federal laws, regulations or orders, or any other damages claimed by third parties, including without limitation any arising out of or related to hazardous materials or substances and including costs of response or remed.iation arising out of the application of common law or laws imposing strict liability, to the extent arising from the negligent acts or omissions or willful misconduct of the ENGINEER, its employees, agents and subcontractors. C. INSURANCE The ENGINEER shall acquire and maintain statutory workmen's compensation insurance coverage. ENGINEER shall acquire and maintain bodily injury and property damage insurance coverage in an amount not less than seven hundred fifty thousand ($750,000) dollars for each claim and one and one- half million ($1,500,000) dollars per occurrence. The ENGINEER shall acquire and maintain bodily injury liability automobile insurance coverage in an amount not less than seven hundred fifty thousand ($750,000) dollars for each claim and one and one- half million ($1,500,000) dollars per occurrence and property damage liability automobile insurance coverage in the amount of fifty thousand ($50,000) dollars for each occurrence. The ENGINEER shall acquire and maintain catastrophe or excess insurance coverage in the amount of one million (1,000,000) dollars for each occurrence and one million (1,000,000) dollars for each aggregate with ten thousand ($10,000) dollars deductible amount. The ENGINEER shall acquire and maintain professional liability insurance coverage in the amount of one million ($1,000,000) dollars with a one hundred thousand ($100,000) dollar deductible amount. D. TERMINATION This Agreement may be terminated by the OWNER for its convenience by giving 30 days written notice to the ENGINEER. This Agreement may be terminated by either party upon 30 days written notice should the other party fail substantially to perform in accordance with this Agreement through no fault of the other or if the project is stopped by conditions beyond the control of the OWNER. Ira the event of termination, the ENGINEER shall be paid in full for all work previously 5 authorized and performed up to the termination date, plus termination expenses if termination is not caused by failure of the ENGINEER to perform. If no termination is implemented, relationships and obligations created by this Agreement shall terminate upon completion of all applicable requirements of this Agreement. E. SUSPENSION, DELAY, OR INTERRUPTION OF WORK The OWNER may suspend, delay, or interrupt the work of the ENGINEER on the project for the convenience of the OWNER or for reasons beyond the control of the OWNER or ENGINEER. In the event of such suspension, delay, or interruption, an adjustment in compensation due the ENGINEER shall be made for all increases in cost of the ENGINEER`s performance under this Agreement, including personnel relocation and/or replacement costs, and all ether identifiable labor and expense costs. F. ASSIGNMENT This Agreement is to be binding on the heirs, successors, and assigns of the parties hereto and is not to he assigned by either party without first obtaining the written consent of the other. No assignment of this Agreement shall be effective until the Assignee assumes in writing the obligations of the assigning party, and delivers such written assumption to the other original party to this Agreement. Use of subconsultants by the ENGINEER for technical or professional services shall not be considered an assignment of a portion of this Agreement. Nothing herein shall be construed to give any rights or benefits hereunder to anyone other than OWNER and ENGINEER. G. LITIGATION In the event either party to this Agreement shall be required to bring an action against the other party to enforce this Agreement, or any portion thereof, the prevailing party shall be entitled to reasonable attorney fees and costs therefore in addition to any damages that may be awarded. ft. VENUE In the event of litigation concerning this Agreement, venue shall be in the Eleventh Judicial District in and for the County of Flathead, Montana, and this Agreement shall be governed by the laws of the State of Montana both as to interpretation and performance. ARTICLE 7. GENERAL PROVISIONS A. ACCESS TO DOCUMENTS 6 The ENGINEER shall provide access to any of the documents relating to this project to the OWNER, the City of Kalispell, or authorized representative of the above during normal working hours. B. RECORDS The ENGINEER shall maintain project and financial records for this project for at least three years after final payment and closure of the project. C. REPRODUCIBLE COPIES Reproducible copies of vulnerability assessment and emergency response plan documents shall be made available to the OWNER upon request. D. COVENANT AGAINST CONTINGENT FEES The ENGINEER warrants that he has not employed or retained any company or person, other than a bona fide employee working solely for the ENGINEER, to solicit or secure this Agreement, and that he has not paid or agreed to pay any company or persons, other than a bona fide employee working solely for the ENGINEER, any fee, commission, percentage, brokerage fee, gifts, or any other consideration, contingent upon or resulting from the award or making of this Agreement. For breach or violation of this warranty, the OWNER shall have the right to annul this Agreement without liability, or in its discretion to deduct from the contract price or consideration, or otherwise recover, the full amount of such fee, commission, percentage, brokerage fee, gift, or contingent fee. E. SCHEDULE The final Kalispell Water System Vulnerability Assessment shall be submitted to the OWNER and EPA on or before June 30, 2004. The final Emergency Response Plan shall be submitted to OWNER on or before December 31, 2004 7 ARTICLE 8. ATTACHMENTS, -SCHEDULES AND SIGNATURES A. AGREEMENT DESCRIPTION This Agreement (consisting of pages 1 through 8, inclusive) and attached Scope of Services (Exhibit A) constitute the entire Agreement between the OWNER and the ENGINEER and supersedes all prior written or oral understandings. This Agreement may only be amended, supplemented, modified, or canceled by a duly executed written addendum. DATED this day of 52003. CITY OF KALISPELL as Chris Kukulski, City Manager HDR ENGINEERING, INC. "ENGINEER" Name: Mara Foley Title: Vice President Address: 418 S. 91h St., Suite 301 Boise, Idaho 83702 8 Task I.O. Definition of Water System Security Objectives, Background Data Collection, and .Prioritization of Adverse Events The purpose of this task is to define water system security objectives, establish the security planning; team and gather background information on the City of Kalispell's water infrastructure systems. HDR and the City will then prioritize facilities based on criticality. The following subtasks detail these activities. Subtask I.I. Establish Security Planning Team HDR and City staff to develop project team consisting of HDR and City staff members. Subtask 1.2. Collect and Review Background Information The City will assist MDR in collecting; background information to be used in the vulnerability assessment analysis. HDR will use this information as a reference. This information includes: • Facility site plans. • System and design capacities. • System performance reports. • Regulatory permits. • Sources and quantities of normal water supply. • Interconnects to other municipalities or water providers. • Operational procedures and policies. • Security policies and procedures. • Visitors policies and procedures. • Contractor policies and procedures. • Existing emergency response plan. • Reports or records of previous security - related incidents. • Staff organization and employee job descriptions. • Communications system description. • Public access constraints or public relations requirements. 0 Public information protocols. • Facility long- and short -teen expansion plans. • Neighboring area landscaping or architectural requirements. • Types, quantities and characteristics of all hazardous substances stored at each site or facility. • Interdepartrnental agreements with emergency services (fire, emergency response, public health, fire, and law enforcement). • Inter -agency agreements with other municipalities or owners of alternative water supply. • Location map of water distribution System. • System design performance. • Applicable zoning codes and ordinances. • Existing Intrusion Detection systems. • .Alternative or emergency water supply Subtask 1.3. Define Mission Objective Criteria and Critical Facilities HDR will review facilities and threat analysis goals, establish and refine the mission objective criteria, and establish goals for the prevention of a potential loss. Criticality can be measured in terms such as duration of service outage, cost of service outage, and character of service zones. In a workshop session using the RAM-W ranking worksheets, HDR and City staff will rank mission objectives and facilities using the pairwise comparison technique. Subtask 1.4. Prioritization of Adverse Events Affecting the Water System and End Users Using the RAM-W ranking worksheets, City staff will rank facilities using weighted evaluation criteria and pairwise comparison. Deliverables HDR: One copy of all ranking worksheets City: Background Information Contact information for Security Planning Team Review comments on ranking worksheets Task 2.0. Evaluate Possible Methodologies of Malevolent Acts and Assessment of the Likelihood of Malevolent Acts HDR to contact local law enforcement, FBI, as well as operations superintendents at each facility and review reported crime data. In a workshop session, HDR and City staff to develop the design basis threat(s) (insider or outside) appropriate for each facility. HDR and City Staff to develop a list of the most likely threat potentials. These threats may include vandalism, theft, disgruntled customer (outsider), disgruntled employee (insider), and terrorism. HDR to generally evaluate threats that could be system -wide or occur at random locations (such as verbal threats and/or contamination at random access points to system). Risk analysis of these will be limited to general observations/recommendations for response. HDR will summarize Design Basis Threat assessment for review and comment by City Staff. HDR will perform a consequence assessment for each critical facility. Consequence assessments will estimate consequences including economic loss, business disruption, repair and/or cleanup, and public confidence. The consequence assessments will be based upon the design basis threat. The Consequence Assessments will include: Developed measures of consequence. Developed consequences for each facility. Ranking of critical assets. Deliverables HDR: Copy of crime data findings to HDR RAM.-W threat analysis worksheets Draft consequence Assessments City: Written comments on threat analysis worksheets and Consequence Assessments. Task 3.0. Threat Analysis By reviewing background information and the site assessment, HDR will determine the interdependence on the critical infrastructure, such as electrical power, SCADA, piping systems, as well as the operating functions of the water system. In addition a vulnerability assessment of the control systems, and an assessment of Security Policies and Procedures will be performed to support the Risk Evaluation task. Subtask 3.L Site Characterization Based on background information previously collected by HDR, HDR will develop a system block diagram for all critical facilities including interdependencies of other facilities and supply points. The diagrams will include barriers, major components (including large pieces of equipment, buildings, and storage units), and communications system components. Subtask 3.2. Onsite Physical Assessment HDR will conduct the physical site assessment and will tour each critical facility as well as representative sub -critical facilities and review its operating components. Observations, discussions, and interviews will be recorded in written notes and digital photographs. The site assessment will include observation of the following items: • Condition and serviceability. • Suitability for intended use (deterrence, detection, delay, response, mitigation.) • Hardware connectivity • Communication system • NAR (nuisance alarm rate) • FAR (false alarm rate). • Personnel entry and parking policies • Chemical and equipment delivery policies • Contractor security policies + Motor pool policies • Hazardous materials handling • In addition to the above, other operations for the water department offices will also be reviewed. These operations will include: • Bandling of cash. • Screening and movement of customers throughout the building • Protection of employees with direct customer contact • Building evacuation routes and emergency plans. • Public parking location, access, controls. Existing security system effectiveness will be assessed in the field by the team. Any protection system judged to be lower than medium or high performance will be identified as vulnerable. This assessment will result in a ranking of which water facilities are most likely to be successfully attacked. Subcritical facilities will be assessed in the field for major vulnerabilities. Facilities such as small to mid -sized distribution pipelines, storage reservoirs and pumping stations, if considered noncritical, may be analyzed as typical systems. General recommendations will be made regarding the physical protection systems and operational systems associated with noncritical facilities. Subtask 3.3. Assessment of Vulnerability of Control System HDR will conduct the SCADAXyber site assessment using Glenn Wolf, who is a Certified Information Systems Security Professional (CISSP) and Terry Dahlquist of MMI. Kalispell to provide a representative for 8 hours who is familiar with the SCADA controls infrastructure as well as how the control system integrates into the operation of each facility. Analysis is Iimited to one SCADA system (one make/model of SCADA software, one make/model of networked PLC and one make/model of radio) and one administrative network (one subnet). A subnet is a part of a larger network. Generally, networked devices or machines within the same subnet will have IP addresses that begin with the same two or three numbers in the dotted four number address scheme (dot delimited IP address). Administrative and SCADA system can be scanned from one location. A review of the system architecture and design will be performed. An interview will be conducted wzth Kalispell personnel to capture any recent modifications. Particular emphasis will be placed on any Internet and extra -net configurations, Virtual Private Network (VPN) configurations, modem access points, wireless access points, intrusion detection systems, routers, firewalls, switches, and radio and land -based telemetry systems. RAM-W questionnaires/worksheets will be utilized. A review of IS and SCADA policies and procedures will be performed. This will include email policies, acceptable internet use policies, password policies, hiring/termination policies, anti -virus policies, system log policies, incident response policies, remote access policies, system/network administrator certification and training policies, backup and restore policies and business continuity/disaster recovery plans and policies. It is anticipated that the SCADA/Cyber on -site assessment will require a total of 1-1/2 days on site. Westin report formats will be utilized. Unlike physical security, computer and SCADA security cannot be fully evaluated by visual inspection. Hackers utilize electronic tools and search for security holes in operation systems, software and network infrastructure. The only means of detecting these holes is by analyzing the systems electronically. Westin will perform Automated Vulnerability Detection to properly evaluate the City's systems. Westin report formats will be utilized. Subtask 3.4. Assessment of Security Policies and Procedures HDR will review written security policies to evaluate policies and procedures. Items to be included are: + Entry control procedures. + Access to keys. + Reporting • Arrangements with police and private security companies. • Responding to alarms. • Policies regarding distribution of sensitive information. City staff will study case histories of responses to vandalism, intrusion, or theft to assess current practices and include threats to City staff. HDR will provide general comment of Policies and Procedures assessment as part of the Task 4.0 effort. Deliverables HDR: System block diagram Schedule for onsite physical assessment Field notes and digital photographs. Summary of existing Security policies and Procedures. Task 4.0. Performance Based Risk Evaluation HDR will produce a Risk Analysis and Consequence Assessments. HDR will conduct a risk analysis for the existing security system as a baseline comparison for security system enhancement recommendations. The risk analysis will be conducted using the RANI-Wsm risk equations and the values for probability of security system effectiveness and consequence of the loss from attack. Evaluation of existing protection systems at each critical system. Assessment of system's ability to detect, delay and respond. Assessment of operational protection measures. HDR will perform a facilities upgrade analysis to identify security upgrades required to achieve the amount of risk reduction desired. City staff must decide upon the desired level of protection and corresponding risk reduction prior to the upgrade analysis. The goal will be the application of countermeasures to the risk equation until the desired level of risk is attained. The upgrade analysis will include: • A calculation of system effectiveness for each critical facility • Evaluation of physical protection or operations systems for delay, detection, and response. • Identification of vulnerabilities. Calculation of risk associated with each critical facility based on the design basis threat, the consequences analysis and the security system effectiveness. Deliverables HDR: Upgrade analysis City: Written comment on upgrades analysis. Task 5.0..Prioritized Plan for Security Improvements and Final Security Plan Subtask 5.1 Implementation Plan HDR will develop a list of the most feasible, cost-effective fixes, upgrades, and capital projects to reduce identified water system vulnerabilities. HDR will prepare a detailed plan for implementation based on a prioritization of potential improvements. The implementation plan will: • Recommend security enhancements, if appropriate, for critical facilities that may include a combination of physical and electronic security as well as operations procedures • Apply the risk analysis to each recommended security enhancement to determine if the desired reduction in risk is achieved. Provide planning level budgetary level estimates for the anticipated implementation cost for each enhancement. HDR will conduct a review meeting of the Draft Implementation Plan. Subtask 5.2 Security Plan HDR will prepare the draft of the Security Plan. The draft Plan will include a summary of all analyses performed and direction received from City Staff during this phase of the project. The draft Plan will identify potential security enhancement alternatives for each vulnerability as well as estimated capital costs. In addition, an implementation plan will also be part of the Security Plan, and be based on the C1P for the City. The content of this draft Plan is highly confidential. Each copy of the draft Plan will be numbered, and HDR will produce a tracking log for each copy of the draft Plan. All reviewers must make all comments on the draft version and return the original to the City's project manager. HDR will conduct a review meeting of the draft Security Plan. HDR staff will incorporate recommendations into a revised final Security Plan. The final security plan will identify all upgrades, enhancements, or procedural modifications. Deliverables HDR: Draft and Final Implementation Plan Draft and Final Security Plan City: Comments on draft Implementation and Security Plans Task 6.0. Emergency Response Plan According to Title N of the Bioterrorism Preparedness Bill, H.R. 03448, the Emergency Response Plan (ERP) shall include, but not be limited to, plans, procedures and identification of equipment that can be implemented or utilized in the event of a terrorist or other intentional attack on the public water system. The following scope of services provides a detailed description of the work tasks to be performed by HDR for the development of the Emergency Response Procedures Plan for the Kalispell Water System. All of the materials and information concerning the City's Emergency Response Plan are considered to be confidential. HDR has policies and procedures in place to assure the security of information gathered from the City for background study, and for the security of materials developed in the process of performing the tasks listed below. Team members will be required to sign confidentiality agreements covering the infonmation and documents gathered and generated during the assessment. During the initial organizational phases, HDR will ensure that participants receive these security guidelines and understand how to apply them. Subtask 6.1 Emergency Response Plan and Procedures Background The intent of this task is to review all documents related to the City's Risk Management, Emergency Preparedness Plans and Emergency Operations Manuals. HDR will develop a single "go to" emergency document, regardless of the type of event — accidental, natural, or intentional that the City can use in response to a crisis. HDR will identify components that are appropriate to include in a single ERP document as well as the emergency requirements developed in the Vulnerability Assessment and the guidance developed by the EPA. Deliverables: HDR: Review Background Information Confidentiality Agreements for ERP development team City: Existing Operating Procedures City organization chart and employee job descriptions Emergency equipment inventory List of City ERP development team members and contact information Subtask 6.2 Emergency Response Procedures Development Guidance by the EPA indicates the ERP should address the following incident specific events: • Contamination Event (Articulated Threat with Unspecified Material) • Contamination Threat at a Major Event • Notification from Health Officials of Potential Water Contamination • Intrusion Through Supervisory Control and Data Acquisition • Significant Structural Damage Resulting from an Intentional Act In addition to the five events identified by the EPA, HDR will develop specific procedures for the following scenarios: • Facility Security Breach • Assault • Contamination or Bomb Event • Bomb • Explosion • Significant Structural Damage Resulting from a Natural Disaster • Injury or Fatality • Major Snow Storm/Blizzard HDR will facilitate a workshop with City and utility representatives to discuss and develop the following: • Utility direction and control • Duties and responsibilities by position during a crisis • Crisis communication procedures • Emergency mitigation opportunities 0 Emergency training opportunities • Response actions • Recovery actions Based on the results of this workshop, HDR will develop a draft ERP to identify and define specific procedures to be followed by City personnel during an emergency event. HDR will provide five (5) draft copies and one (1) electronic version of the emergency response plan for City review. The draft copies will be provided with a tracking log to assist City staff as part of the review process. City staff will collect all review copies with comments and return to HDR as tracked changes. Deliverables: HDR: Lead Site Workshop Five (5) copies of the draft ERP One (1) electronic copy of the draft ERP City: Comments on the draft ERP Coordination of Site Workshop Subtask 6.3 Inter -Agency Coordination HDR shall conduct a workshop with appropriate outside agencies to finalize their input to appropriate ERP sections. This workshop will address specific events and specific needs requiring outside agency input. The purpose of this workshop will be to develop appropriate Iines of communication and responsibilities between organizations. Based on the results of this workshop, HDR will add appropriate additional information to the Draft Emergency Response Procedures to identify and define specific points of contact, lines of communication, and responsibilities between organizations to be followed by City personnel during an emergency event. HDR will provide five (5) draft copies and one (1) electronic version of the emergency response procedures for City review. The draft copies will be provided with a tracking log to assist City staff as part of the review process. City staff will collect all review copies with comments and return to HDR electronically as tracked changes. Deliverables: HDR: Lead Site Workshop Five (5) copies of the draft ERP One (1) electronic version of the draft ERP City: Comments on the draft ERP Coordination of Site Workshop Subtask 6.4 Development of Security Operation Procedures It is expected that the recommendations for improved security of the facility will include modifications to the operations procedures for the various facilities of the water system. HDR will provide an outline of the security operation procedures (Security SOPS) the City can implement in their daily business practices to increase their security posture. The New Procedures Outline will concentrate on actions the City can take in response to an elevated National Threat Level, policy and procedure changes recommended in the final vulnerability report, and operational impacts or procedural controls required as a result of the implementation of physical or electronic enhancements. These procedures cover such topics as issue and use of photo identification and access cards, procedures for deliveries, guard patrolling procedures, and maintenance of exterior and perimeters. It is the intent that any incidents/emergencies to be dealt with in the course of "normal" operating procedures will be covered by an appropriate section of the ERP. HDR will develop the Security SOPs and necessary "cross referencing" between the SOPs and ERP. HDR will provide live (5) draft copies and one (1) electronic version of the Security SOPS outline for City review. City staff will collect all review copies with comments and return to HDR electronically as tracked changes. HDR will participate in a review meeting with City staff to review their comments on the recommended procedures outline. HDR will prepare meeting notes summarizing the final disposition of the recommended procedures. The meeting notes will be provided to City staff for review and approval. Upon review of the meeting notes, City will provide HDR final direction via the hand written comments on the security procedures outline. Deliverables: HDR: Comments to City Security Operation Procedures Review Meeting minutes Five (5) copies of the Security Operations Outline One (1) electronic version Security Operations Outline City: Comments to Security Operation Procedures Coordinate Review Meeting Subtask 6.5 Draft Security Operational Procedures After receiving and reviewing the final direction and approval of the Security SOP outline, HDR will provide a draft of the Security SOPS to the City for review. HDR will provide City one full hard copy of the draft Security SOPs and one electronic file on CD in Microsoft© Word 2000 format. City will be responsible for internal distribution for review and comment. City staff will collect all review copies with comments and return to HDR electronically as tracked changes. Deliverables: HDR: Five (5) copies of the draft Security SOPS One (1) electronic version of the draft Security SOPs City: Comments on the draft Security SOPS Subtask 6.6 Review Meeting After receiving and reviewing City ERP and SOP comments, IIDR shall conduct a review meeting. In the review meeting, HDR will summarize the final response to City comments and HDR's recommendations. HDR will prepare review meeting notes for City approval. Deliverables: HDR Review meeting notes City: Coordinate review meeting Meeting note approval Subtask 6.7 Final Draft Emergency Response Plan and Security Operational Procedures Based on the outcome of City reviews and direction received from the review meeting, HDR will finalize the ERP and Security SOPS and submit Five (5) hard copies and one (1) electronic copy of the final ERP to City. It will be the City's responsibility to develop the final Security SOPS language for adoption by the governing body. Deliverables: City: No specific deliverables for this task HDR: Five (5) hard copies of ERP and Security SOPS One (1) electronic version of final ERP and Security SOPS Task 7.0. Project Management HDR will manage and control its professional services contract to provide efficient completion of the project. Under this task, we will prepare and implement a project management plan; provide scope, schedule, and cost control services; negotiate and administer the contract; and initiate and attend project coordination meetings. Subtask 7.1 Project Management Plan A project management plan will be developed that includes: 1) project objectives and priorities; 2) role of the City of Kalispell, HDR, and MMI throughout the project; 3) contract work plan including scope, schedule, budget, resource assignments, and coordination requirements; 4) quality assurance and quality control plan; 5) management tools and techniques; 6) reporting requirements; and 7) administrative procedures such as invoicing, communication protocol, and formats. The plan will be distributed to consulting team members and City personnel. Subtask 7.2 Project Coordination Meetings HDR will conduct periodic meetings (usually monthly) with Kalispell staff to review project progress, schedule and budget; identify information needs, and make decisions regarding any changes in the scope. These meetings will be held in conjunction with other meetings and workshops identified in specific tasks where possible. Subtask 7.3 Progress Reports A progress report will be prepared with each monthly invoice. The progress report will summarize the work progress to date, the budget expenditures to date, and identify any information requirements or decisions that need to be made by the City of Kalispell. Deliverables HDR: Management plan, progress reports and invoices, and meeting agendas and minutes. Engineering Services Budget Summary TASK Amount 1.1 Establish Security Planning Team $251.00 1.2 Collect and Review Background Information $1,572.00 1.3 Define Mission Objective Criteria and Critical Facilities $1,220.00 1.4 Prioritization of Adverse Events $964.00 2.0 Evaluate and Assess Malevolent Events $1,949.00 3.1 Site Characterization $836.00 3.2 Physical Assessment $5,507.00 3.3 Controls Assessment $13,214.00 3.4 Policies & Procedures Assessments $1,220.00 4.0 Risk Evaluation $964.00 5.1 Implementation Plan $3,859.00 5.2 Security Plan $6,762.00 6.1 Emergency Response Plan & Procedures Background $974.00 6.2 Emergency Response Procedures Development $2,948.00 6,3 Inter -Agency Coordination $1,526.00 6.4 Security Operations Procedures Development $1,436.00 6.5 Draft Security Operational Procedures $1,511.00 6.6 Review Meeting $1,776.00 6.7 Final Draft ERP & Security Operational Procedures $2,093.00 7.0 Project Management $8,697.00 Vulnerability Assessment Total (Tasks 1.6 and 7) $47,016.00 Emergency Response Plan Total (Task 6) $12,265.00 Project Total $59,280.00 BASIS OF FEE AND BILLING SCHEDULE PLANNER PRODUCT LABOR HOUR ESTIMATE Professional Clerical Total PM PE1 SP1 SP2 SP3 SP4 SP5 PA Task Approach and Activities 1.1 Establish Sercuritv Team 1 0 0 0 1 0 0 0 2 1.2 Collect and Review Back round Information 2 4 0 2 4 0 0 0 12 1.3 JDefine Mission Objective Criteria and Critical Facilities 4 2 0 0 4 0 0 0 10 1.4 Prioritization of Adverse Events 4 0 0 0 4 0 0 0 8 2 Evaluate and Assess Malevolent Events 4 4 0 0 8 0 0 0 16 3,1 Site Characterization 2 2 0 0 2 1 0 0 7 3.2 Physical Assessment 16 0 0 32 0 0 0 0 48 3.3 Controls Assessment 0 0 0 0 0 12 64 0 76 3A Assessment of Policies & Procedures 4 2 0 0 4 0 0 0 10 4 Risk Evaluation 4 0 0 0 4 0 0 0 6 5.1 Implementation Plan 4 2 0 20 8 0 0 0 34 6,2 Security Plan 20 2 0 16 16 0 0 0 54 S.1 ERP &Procedures Back round 2 2 0 0 4 0 0 0 8 6.2 Em2Mency.Resppnse Procedures Development 8 0 0 0 8 0 0 0 16 6.3 Inter -Agency Coordination 4 4 0 0 4 0 0 0 12 6.4 Securi operations, Procedures Development 4 0 0 0 8 0 0 0 12 6.5 Draft Security Operational Procedures 4 1 0 0 0 $ J 0 0 1 0 12 6.6 Review Meeting 8 2 1 0 0 2 0 0 0 12 6,9 tFinal Draft ERP & Security Operational Procedures 4 2 0 0 8 0 0 0 14 7.1 pro"ect maqafferrtent is 0 16 0 0 0 0 16 48 Total Hours 115 28 i6 70 97 13 64 1S 419 Key Personnel _ Name PM - Project Manager Craig Caprara, Project Manager PE1-Project Engineer Terry Richmond, Project Engineer SP1-Security Professional Bob Bosco, Security Professional SP2-Security Professional Daie Anderson, Security Professional SP3-Security Professional David Vogt, Security Professional SP4-Security Professional Terry Dahlquist, Security Professional SP5-Security Professional/SCADA Glenn Wolf, SCADA PA- Clerical/Project Assistant Chris Kelly, Project Assistant City of Kalispell Page 1 Kali Security finalbudget-As