Ordinance No. 03-1521
CITY OF THE COLONY, TEXAS
ORDINANCE NO.
AN ORDINANCE OF THE CITY OF THE COLONY, TEXAS,
AUTHORIZING THE CITY MANAGER TO ENTER INTO A CONTRACT
WITH FREESE AND NICHOLS, INC. TO CONDUCT A VULNERABILITY
ASSESSMENT OF THE CITY WATER SYSTEM; ATTACHING THE
APPROVED FORM OF CONTRACT AS EXHIBIT "A"; AND PROVIDING
AN EFFECTIVE DATE.
BE IT ORDAINED BY THE CITY COUNCIL OF THE CITY OF THE COLONY,
TEXAS:
SECTION 1. That the City Manager of the City of The Colony, Texas is hereby authorized
to execute on behalf of the City a contract with Freese and Nichols, Inc. to conduct a vulnerability
assessment of the city water system. The approved form of contract is attached hereto as Exhibit "A",
and made a part hereof for such purposes.
SECTION 2. This Ordinance shall take effect immediately from and after its passage by the
City Council of the City of The Colony, Texas.
DULY PASSED AND APPROVED by the City Council of the City of The Colony, Texas
this 15th day of December, 2003.
APPROVED:
ATTEST: ~(m Dillard, Mayor
Patti A. Hicks, City Secretary
City
EXHIBIT A
SCOPE OF SERVICES AND RESPONSIBILITIES OF OWNER
This is an exhibit attached to, made a part of and incorporated by reference into the Agreement between CITY
OF THE COLONY (OWNER) and FNI providing for professional engineering services.
Under the H.R. 3448 bioterrorism act signed in June 2002 (P.L. 107-188), each community water system
serving a population greater than 3,300 is required to conduct an assessment of the vulnerability of its system to
intentional acts intended to substantially disrupt the ability of the system to provide a safe and reliable supply of
drinking water. In addition, each community water system serving a population greater than 3,300 is required
to prepare or revise where necessary, an emergency response plan. As such, a Vulnerability Assessment and an
updated Water Utility Emergency Response Plan is needed to plan response to an intentional attack on the
public water system.
FNI will prepare a Water Utility Vulnerability Assessment utilizing RAM-W℠ and a Water Utility Emergency
Response Plan as follows:
I. BASIC SERVICES: FNI shall render the following professional services in connection with the
development of the Project:
A. PROJECT PLANNING
Upon execution of this AGREEMENT, FNI shall:
1. Consult with OWNER to: (a) review the scope of services, (b) verify OWNER's requirements
for the Project, (c) define purpose, mission, goals, issues, and objectives of the Project, (d)
review utility system maps, (e) discuss computerized monitoring and control, (f) discuss
current utility security, (g) discuss current utility emergency response planning, (h) discuss
historical/existing data related to utility threats, vandalism, theft, and emergency response
incidents, and (i) identify critical customers.
2. Review current utility security survey and emergency response plan, if available.
3. The information, assessments and plans developed herein as part of the Project, shall be held
confidential and its integrity protected through appropriate information protection strategies
and protocols. Develop document and file (electronic and paper file) security and control
plan and protocols. Implement plan and protocols with OWNER's personnel and FNI.
B. DATA DEVELOPMENT
1. Obtain utility system maps, studies, and facility construction plans from OWNER. Develop
utility system schematic and document utility operation information.
2. Obtain available information such as City and utility organizational structure, emergency
response organizational structure and incident command system; interlocal agreements and
contracts for emergency services; current City and utility emergency communication system;
and other resources for emergency response.
3. Conduct Planning Workshop with OWNER's staff to verify utility system mission, prioritize
facilities, identify and prioritize undesirable consequences of system malfunction, and
identify design basis threat. A total of one (1) - 4 hour maximum planning workshop is
budgeted. Additional workshops can be conducted if needed as an additional service with
prior approval of the City. Based on the discussion and information obtained from the
OWNER's staff:
a Identify important mission/functions of the utility system
b Identify acceptable level of performance (pressure, capacity, service area,
quality, and critical customers).
c Identify undesirable consequences (such as economic loss, duration of loss,
population impacted, loss of fire protection, and environmental) that could
affect the missions/functions. Prioritize consequences.
d Review system interrelationships and interdependencies (power/electrical,
SCADA, chemical delivery, manpower).
e Determine and prioritize the critical facilities that need to be protected to
minimize the impacts of the undesirable consequences based on capacity,
population served, critical customers, water pressure, drinking water quality,
and receiving stream water quality.
f Identify malevolent acts that could reasonably cause the undesirable
consequences such as:
(1) Loss of critical function and/or major service disruption,
(2) Intentional attack on public safety via utility assets, contamination of
the water supply, and chemical releases or chemical theft.
4. Select and characterize up to three design basis threats such as insider threat, outsider threat,
and cyber threat. The three design basis threats shall be based on available information from
local law enforcement, the Environmental Protection Agency, and the Federal Bureau of
Investigation.
5. Develop draft facility prioritization and draft consequence criteria.
6. Conduct a systematic site characterization of the water system by conducting a site visit with
OWNER's personnel to the OWNER's critical facilities (sites). A total of six (6) hours plus
travel time is budgeted for site characterizations. Additional site characterizations can be
conducted if needed as an additional service with prior approval of the City. All facilities that
will be characterized shall be under the jurisdiction of the City of The Colony. Document site
visits with digital photos. Collect performance data at each site (when applicable) on:
a Important facilities, processes, and assets. Develop site plans and functional
schematics for each site. Identify equipment capacities.
b Neighborhood character and adjacent facilities.
c Personnel assignments and personnel hours.
d System interrelationships and interdependencies (power/electrical, SCADA,
chemical delivery, manpower).
e Main transmission piping at the facility being investigated. Identify system
redundancies and primary valving locations for system isolation.
Transmission piping of the distribution system is not included.
f Identify current security and monitoring system for chemical feed system,
storage and handling if applicable.
g Power supply and communications system.
h Physical protection and security system features of deterrence, detection,
delay, and response.
i Security policies and procedures and compliance with same.
j Entry control for visitors, deliveries, contractors, and vendors and quantity
of same.
k Response time for local law enforcement and emergency services.
l Construction site security and temporary water metering procedures.
m System monitoring, testing of chemicals, real time monitoring.
7. Conduct and document systematic characterization of the Supervisory Control and Data
Acquisition (SCADA) system by identifying cyber protection features if applicable.
a Develop SCADA system architecture diagram based on information
provided by OWNER. Identify network connections.
b The review will include a preliminary investigation of the use of firewalls,
proxy servers and other security or intrusion detection devices used to
prevent unauthorized access to equipment and data.
c Hackers and unauthorized persons can disrupt utility department operations.
Several areas will be investigated to determine exposure. A port scan can
be conducted to determine data routes available to intruders, if needed. The
use of routable and non-routable Internet Protocol (IP) addresses will be
studied to identify exposed systems. The level of security patches,
encryption schemes and security logging will be investigated.
d Computer information access will be reviewed, including password policies,
file and folder permissions, user/group privileges and equipment/data access.
e Identify physical protection features such as protection of physical cabling,
network equipment protection, PC protection, and SCADA equipment
protection.
C. WATER SYSTEM VULNERABILITY ASSESSMENT
1. Utilizing up to three critical facilities and up to three design basis threats, conduct
vulnerability assessment. Selection will be based on the available information and the
OWNER's input.
2. Project how the malevolent acts might be conducted (adversary strategy) such as system
contamination (chemical, biological and radiological), physical damage, cyber attack on the
SCADA or other process control systems, or interdependency disruptions (power/electrical,
chemical delivery, and transportation systems).
3. Based on available information from the Environmental Protection Agency and the Federal
Bureau of Investigation, assess the likelihood (qualitative probability, i.e. high, medium, or
low) of each design basis threat (terrorist, insider, former employee, determined vandal,
casual vandal).
4. Identify critical system assets at each critical facility. Approximate the consequences of
losing each critical asset and potential ways to access critical assets. Prioritize critical assets
based on relative consequences.
5. Evaluate physical and operational protection system effectiveness at each critical facility.
Estimate relative system effectiveness.
6. Develop matrix and assign relative/qualitative values to: likelihood of attack (if data is
available), degree of vulnerability (effectiveness of security system), and consequences for
each critical asset for each design basis threat.
7. Define risk for each critical asset based on results of matrix (risk = probability x vulnerability
x consequence).
8. Summarize the selected most critical assets (targets) in the water system, summarize
interrelationships within other assets in the system, summarize the consequences of
malevolent acts that could be directed against them, and evaluate effectiveness of both
existing and recommended protection systems. Provide recommendations for system
improvements.
Prepare an interim technical memorandum outlining recommendations.
9. Conduct an interim progress meeting with OWNER's staff to discuss contents the results of
the vulnerability assessment and to discuss options for system improvements. Additional
meetings, if needed, will be billed as an additional service with prior approval of the City. In
particular, surveillance and distribution system monitoring equipment options will be
discussed in detail.
10. Prepare an opinion of probable costs for system improvements. Based on risk and cost,
prioritize system improvements.
11. Prepare final draft of technical memorandum outlining prioritized plan for security upgrades,
modifications of operational procedures, and/or policy changes to mitigate identified risks to
critical assets.
12. Compilation of information. The information, assessments and plans developed herein as part
of the Project, shall be held confidential and its integrity protected through appropriate
information protection strategies and protocols developed as part of this Project. No report
shall be submitted to the Environmental Protection Agency or any other governmental agency
without proper document confidentiality protection provisions.
13. Prepare and furnish up to five (5) copies of draft vulnerability assessment summary report.
Conduct an interim progress meeting with Owner's staff. Incorporate OWNER's comments.
Submit summary report to the Environmental Protection Agency. Submit certification to the
Environmental Protection Agency that the OWNER has conducted a vulnerability assessment.
14. Furnish five (5) copies of the final vulnerability assessment report and eleven (11) copies of
the vulnerability assessment summary report.
D. EMERGENCY RESPONSE PLAN DEVELOPMENT
1. Conduct an Emergency Response Plan kickoff meeting with City staff. Based on
vulnerability assessment, identify up to three (3) utility emergency incidents for development
of incident specific plans such as intruder detection, SCADA system malfunction, power
outages, treated water contamination, and physical damage to critical assets.
2. Identify utility related assistance available from the Texas Commission on Environmental
Quality (TCEQ), the Environmental Protection Agency (EPA), and County.
3. Prepare up to three (3) incident specific emergency response plans.
4. Prepare and furnish up to five (5) copies of the Draft Emergency Response Plan. Conduct an
interim progress meeting with Owner's staff.
5. Incorporate review comments and furnish up to five (5) copies of the Water Utility
Emergency Response Plan.