HomeMy WebLinkAboutCity of Tamarac Resolution R-2020-005 Temp. Reso. #13390
January 8, 2020
Page 1 of 4
CITY OF TAMARAC, FLORIDA
RESOLUTION NO. R-2020-
A RESOLUTION OF THE CITY COMMISSION OF THE CITY
OF TAMARAC, FLORIDA, APPROVING AN AGREEMENT
WITH TETRA TECH FOR A RISK AND RESILIENCE
ASSESSMENT; UTILIZING TETRA TECH AS A SOLE
SOURCE VENDOR; AUTHORIZING AN EXPENDITURE IN
AN AMOUNT NOT TO EXCEED $142,998.00 FOR SAID
PURPOSE; AUTHORIZING PROPER CITY OFFICIALS TO
TAKE ALL NECESSARY STEPS TO EFFECTUATE THE
PURCHASE; AUTHORIZING AN ADDITIONAL
APPROPRIATION IN THE AMOUNT NOT TO EXCEED
$142,998.00 TO BE INCLUDED IN A FUTURE BUDGET
AMENDMENT PURSUANT TO F.S. 166.241(2);
PROVIDING FOR CONFLICTS; PROVIDING FOR
SEVERABILITY; AND PROVIDING FOR AN EFFECTIVE
DATE.
WHEREAS, the City of Tamarac is responsible to protect and maintain the safety
and integrity of the City's water distribution system; and
WHEREAS, Community water systems are facing new requirements for water
supply security, resiliency, and emergency response under the America's Water
Infrastructure Act (AWIA); and
WHEREAS, in order to meet the requirements of the AWIA, the City is required to
develop a Risk and Resilience Assessment (RRA) and Emergency Response Plan
(ERP), the RRA must be developed by December 30, 2020 and the ERP by June 30,
2021 ; and
WHEREAS, the AWIA RRA and ERP requirements are aimed at ensuring the City
is able to identify the City's mission critical physical and cyber assets, assess reasonable
worst-case threats from malevolent and natural hazards, and develop mitigation
Temp. Reso. #13390
January 8, 2020
Page 2 of 4
measures to prevent or minimize the impact of those threats; and
WHEREAS, the City of Tamarac utilized Tetra Tech to perform a Vulnerability
Assessment for the City's water system in 2003, City Staff deem Tetra Tech to be well
positioned to help the City meet the requirements of the RRA and ERP; and
WHEREAS, City Staff recommend utilizing Tetra Tech as a Sole Source Vendor
due to the fact that they have previously performed the previous studies related to this
study, and are in possession of all of the data; and
WHEREAS, release of the previous data required to issue a competitive solicitation
could create a homeland security issue due to the sensitive nature of this project and the
compelling need to limit additional outside access to the water system's information, as a
result of these factors, a competitive solicitation is completely impractical; and
WHEREAS, after careful assessment, Public Services Staff determined that it is in
the City's best interest to utilize Tetra Tech, as a Sole Source Vendor, to develop the
AWIA RRA and ERP per the attached proposal, at a cost not to exceed $142,998.00, a
copy of said proposal is attached hereto as Exhibit 1; and
WHEREAS, it is the recommendation of the Director of Public Services, Director
of Financial Services, and the Purchasing & Contracts Manager that the City Commission
authorize an Agreement with Tetra Tech, as a Sole Source Vendor, to develop the AWIA
RRA and ERP per the attached proposal, at a cost not to exceed $142,998.00; and
WHEREAS, the City Commission of the City of Tamarac, Florida deems it to be in
the best interest of the citizens and residents of the City of Tamarac to approve and to
authorize the appropriate City Officials to execute said Agreement with Tetra Tech, as a
Sole Source Vendor, to develop the AWIA RRA and ERP per the attached proposal, at a
cost not to exceed $142,998.00.
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COMMISSION OF THE
Temp. Reso. #13390
January 8, 2020
Page 3 of 4
CITY OF TAMARAC, FLORIDA, THAT:
SECTION 1: The foregoing "WHEREAS" clauses are hereby ratified and
confirmed as being true and correct and are hereby made a specific part of this Resolution
upon adoption hereof, and all exhibits referenced and attached hereto are incorporated
herein and made a specific part of this Resolution.
SECTION 2: The City Commission HEREBY approves an Agreement
between the City of Tamarac and Tetra Tech ("The Agreement") and issue the purchase
order accepting the terms of the proposal to develop the AWIA RRA and ERP.
SECTION 3: An expenditure in the amount not to exceed $142,998.00 per
the proposal and subsequent Agreement with Tetra Tech is hereby approved.
SECTION 4: This project is currently not funded; and requires an
appropriation in the amount not to exceed $142,998.00, which shall be included in a future
budget amendment pursuant to F.S. 166.241(2).
SECTION 5: All resolutions or parts of resolutions in conflict herewith are
hereby repealed to the extent of such conflict.
SECTION 6: If any clause, section, other part or application of this
Resolution is held by any count of competent jurisdiction to be unconstitutional or invalid,
in part or application, it shall not affect the validity of the remaining portions or applications
of this Resolution.
Temp. Reso. #13390
January 8, 2020
Page 4 of 4
SECTION 7: This Resolution shall become effective immediately upon its
passage and adoption.
PASSED, ADOPTED AND APPROVED this day of C4 72020.
r,„//1,- ,
CHELLE J. GO 5.
MAYOR
ATTEST:
LILLIAN PABON, CMC
ACTING CITY CLERK
RECORD OF COMMISSION VOTE:
MAYOR GOMEZ
DIST 1: V/M BOLTON
DIST 2: COMM. GELIN
DIST 3: COMM. FISHMAN
DIST 4: COMM. PLACKO L
I HEREBY CERTIFY THAT I HAVE
APPROVED THIS RESOLUTION
AS TO FORM
4
SAM EL S. GOREN /'
-CITY ATTORNEY
TR 13390-Exhibit 1
' it TETRA TECH AWIA Risk and Resilience Assessment
Project Understanding and Approach
Project Understanding
The objective of the Risk and Resilience Assessments(RRAs) under AWIA is to identify the utility's mission
critical physical and cyber assets,assess reasonable worst case threats from malevolent and natural
hazards,and develop mitigation measures to prevent or minimize the impact of those threats. EPA
compliance will involve a letter certifying completion of the RRA.This work will be completed in
conjunction with City of Tamarac(City)staff and so that it can used as a basis for developing an updated
Emergency Response Plan(ERP).
The City serves a population of approximately 65,000,
which per AWIA guidelines requires it to develop the RRA �� G
by December 31,2020 and the ERP by June 30,2021. Based
on discussions with City Staff and review of available �� ",
documents, it is evident that the City is well positioned to 425)N 9?
meet the requirements for the RRA and ERP.Therefore, C� ���
much of the work on the project will involve compiling and L° 4 I I RISK4 ki.
leveraging the City's available documentation from the
following documents:
• 2003 Vulnerability Assessment Report
• 2003 Security Enhancement Recommendations
• Network and SCADA system documentation
Probability
The City is undertaking the RRA and ERP efforts well in
advance of the regulatory deadline. Because of the
organization and availability of existing technical
documents,the RRA and ERP can be comfortably
completed in advance of December 31,2020 and June 30, 2021 deadlines, respectively.
Project Approach
The projected start date is August 2019 with a completion date of December 31,2020. We will work with the City
prior to project kickoff to develop a more detailed scope and sub-tasks.To meet the technical requirements and
schedule for the RRA and ERP.
Tetra Tech proposes to perform the RRA and ERP in conformance with the methodology presented in the Risk
Analysis and Management for Critical Asset Management Protection (RAMCAP°Standard for Risk and Resilience
Management of Water and Wastewater Systems(ANSI/AWWA, 2010)as described in the AWWA J100 standard
(Figure 1).
The AWIA RRA and ERP requirements emphasize cybersecurity threats in light of the increasing occurrences of
system intrusions,database hacks,and ransomware attacks.The RRA will consider the City's cyber assets—
computers,networks,data and communications systems—critical to the safe production of drinking water and
business operations.These include both Information Technology(IT)and Operational Technology(OT)systems,
including:
• Plant industrial control systems(ICS).
• Supervisory Control and Data Acquisition (SCADA)systems.
• Supporting network and computer infrastructure.
• Business applications supporting critical utility operations.
1
TR 13390-Exhibit 1
ICI TETRA TECH AWIA Risk and Resilience Assessment
What assets do I have and which are critical?
u- 1)Asset Characterization
4 What threats and hazards should I consider?
i-► 2)Threat Characterization
4 What happens to my assets if a threat or hazard
happens? How much money lost, how many lives lost,
14' 3) Consequence Analysis how many injuries?
�-► 4)Vulnerability Analysis What are my vulnerabilities that would allow a threat or
4 hazard to cause these consequences?
I'' 5)Threat Analysis� y 4., What is the likelihood that a terrorist, natural hazard,or
4 dependency/proximity hazard will strike my facility?
6) Risk/Resilience AnalysisiS What is my risk and resilience?
4 Risk=Consequences x Vulnerability x Threat Likelihood
L — 7) Risk/Resilience Management Resilience=Service Outage x Vulnerability x Threat
Likelihood
What options do I have to reduce risks and increase
resilience? How much will each benefit in reduced risks
and increased resilience? How much will it cost?What is
the benefit—cost ratio of my options?
Figure 1.
These tasks will closely mirror the physical RAMCAP assessment tasks but may involve a different City team with
knowledge of the City's computerized systems from both IT and SCADA perspectives.This assessment is intended
to evaluate the risks to critical systems,and the City's ability to quickly and effectively recover from any disruption
of these systems.
Tetra Tech proposes to conduct the RRA and ERP for the City's mission critical assets including its administrative
and operations facilities,wells,treatment building,storage facilities and repump stations.
Task 1—Project Management
Project management activities will extend for the duration of the project and will be the responsibility of our
Project Manager,Theresa Pedrazas, PE.Theresa will be the point of contact for the City's Project Manager and will
be assisted by Ken Caban, PE in the Tetra Tech Miami office.
Theresa will be responsible for organizing and leading communications, project meetings,and workshop activities
required for the project. For the duration of the project,Theresa will lead all budget,schedule,quality control,and
resource assignment responsibilities.At least monthly,Theresa will provide the City with invoicing, progress
report,and upcoming planned activities.
As the Eastern United States leader for Tetra Tech's AWIA compliance activities,Theresa will continually track EPA
updates to AWIA requirements, including the anticipated final guidance scheduled for release in August 2019.
Based on communications to date, it is expected that the final guidance will be very similar to the process laid out
by the AWWA J100 standard.
Task 2- Data Collection
The critical path item in developing a plan of this nature and meeting the regulatory requirements is data
2
TR 13390-Exhibit 1
Ezi
TETRA TECH AWIA Risk and Resilience Assessment
collection.We will address this need immediately. Using the AWIA requirements as a minimum baseline,Tetra
Tech will identify the City's objectives and available data.These factors will determine the extent of the data
collection required. Based on these determinations,Tetra Tech will,in advance of the kickoff,develop a data needs
list and data log.
Tetra Tech will arrange and attend a project kickoff meeting. The data log will be reviewed at the kickoff meeting,
and a collection schedule will be finalized.We anticipate any field data collection to take place in September 2019.
This data collection timeframe enables us to collect data in advance of the final published requirements and begin
analysis as soon as the final requirements are published.
We anticipate approximately a week of field time to review the City's assets and conduct staff interviews.
In October,Tetra Tech will schedule and conduct a prioritization and risk/consequence review workshop. It is
assumed that the following documents will be used as a basis for the workshop:
• 2003 Vulnerability Assessment Report
• 2003 Security Enhancement Recommendations
Additional technical documentation that may be requested include:
• Latest version of all security policies and procedures
• Any contract/asset access service agreements
• Security documentation such as post orders, recent calls for service,and security organization chart.
• Electronic engineering files of the administration and operations building utilities, communications and
security systems
• Available record drawings and O&M manuals
• Most recent Emergency Management Plan
• Existing SCADA and computer network documentation
Because of the volume of documentation available,it is envisioned that the workshop will largely consist of a
review and reconfirmation of existing findings rather than a replication of past work. For example,the 2003
Vulnerability Assessment included a risk determination and asset prioritization activity.The workshop will be
designed to review and update those findings to reflect current conditions.
Cybersecurity represents a more substantial risk than it did in 2003.The workshop will include a review of the
City's IT and SCADA systems and networks as they relate to the safe production and distribution of drinking water.
Following the workshop,and in conjunction with fieldwork,Tetra Tech's cybersecurity lead will review the City's IT
and SCADA systems and networks with the corresponding City staff.This workshop will require City staff
participation from the Engineering,Operations, IT,and Finance departments.
Prior to the workshops,Tetra Tech will formally request information from the City to identify the key components
of the City's network and cyber infrastructure.The purpose of this request is to allow Tetra Tech to become
familiar with the City's critical automated systems prior to the onset of project work. Provided information should
include network diagrams,addressing schemes and system descriptions,as well as drawings showing the
relationship of each system to the treatment process(i.e., process flow diagrams, record drawings and O&M
manuals).
Data gathering,through existing documentation and field assessment will address the following elements:
• Malevolent acts and natural hazards(physical and cyber intrusion by internal/external perpetrators and
fires and storm events)
• System resilience
• Monitoring practices
• Financial network infrastructure
3
TR 13390-Exhibit 1
Ii21
TETRA TECH AWIA Risk and Resilience Assessment
• Chemical handling
• Operation and maintenance
Task 3- Risk and Resilience Assessment
3.1 Asset Prioritization
With the data collection complete,asset priorities updated,and objectives outlined,Tetra Tech will begin by
determining what improvements have been implemented since 2003,identifying the status of existing systems,
and analyzing existing systems and deficits per the EPA guidelines and the City's objectives.
At a minimum,this assessment will include the following system elements:
• Transmission pipelines
• Repumping facilities
• Physical security systems and practices
• Source wells
• Treatment facilities
• Finished water storage
• Cyber networks including IT and SCADA
• Administration and operations facilities
Tetra Tech will confirm/revise prioritization of the key water facility sites for on-site field assessment. Each site will
be classified based on criticality as defined in the J100 methodology.
Deliverable: Updated Asset Prioritization
3.2 Asset/Threat Characterization Detect
Tetra Tech will prepare for and facilitate a RAMCAP° Introduction&
Asset/Threat Characterization workshop with the City,at the City's offices,to
introduce the assessment approach to all attendees and develop the
Physical and Cyber Asset Characterization.Tetra Tech will review the major
cyber assets associated with each facility and their criticality to the City's Deter
ability to produce and distribute safe drinking water.
Tetra Tech will facilitate a discussion with the City to define their mission,
followed by a discussion of how each facility is critical to this mission.Threat
analysis will consist of malevolent acts and natural hazards. Tetra Tech will
request the City to provide historical records of previous malevolent acts, Delay
natural events,service outages due to utility or external factors,and other
historical data for use in subsequent tasks. 5
The meeting will be held at the City's office and attended by the Tetra Tech
team including the project manager, project engineer,cybersecurity y
specialist, and physical security specialist. Devalue
The workshop will include identification of reasonable,worst-case threats "
using the RAMCAP°table of potential hazards and threat scenarios based on
leading physical and cybersecurity guidance identified as AWIA consensus
standards for water utilities including
• AWWAJ100Standard Respond
• AWWA Cyber Security Guidance&Tool
4
TR 13390-Exhibit 1
lilt TETRA TECH AWIA Risk and Resilience Assessment
• National Institute of Standards and Technology(NIST)Cybersecurity Framework
• ISA/IEC-62443(Formerly ISA-99) Industrial Automation and Control Systems Security
• National Institute of Standards and Technology(NIST)SP800-82 Rev. 1 Guide to Industrial Control
Systems(ICS)Security
Following the asset characterization,a Threat Characterization will be conducted.The threat analysis will
consist of malevolent acts and natural hazards, including those threats that can impact off-site assets
controlled by others(e.g.,utilities and chemical suppliers).Tetra Tech will prepare for and facilitate a
Threat Characterization meeting in conjunction with the Asset Characterization meeting with the City to
identify reasonable,worst-case threats using the RAMCAP°table of potential hazards and threats. During
the meeting,Tetra Tech will request of the City to provide historical records of previous malevolent acts,
service outages due to off-site assets controlled by others, and other historical data for use in subsequent
tasks. Representatives from local law enforcement will be invited to attend and provide input.The
meeting will identify threats and narrow the focus of threats that represent real, physically possible
threats to critical assets identified in the Asset Characterization.
Tetra Tech will prepare an Asset Classification and Threat Characterization Technical Memorandum
summarizing the key assets and associated criticality identified during the workshops.
Deliverable:
• Asset/Threat Characterization Workshop minutes
• Asset Classification and Threat Characterization Technical Memorandum
3.3 Field Investigations
Tetra Tech will conduct field investigations to determine the ability of current protection systems to
withstand each specified threat.Tetra Tech will begin with threat analysis assumptions identified during
the Asset/Threat Characterization meeting to estimate the likelihood of a malevolent act or natural
hazard based on relative alternative targets and historical records, respectively.
Based on feedback from the RAMCAP° Introduction&Asset Classification workshop,Tetra Tech will
prioritize the key water system sites for on-site field assessment. Each site will be classified based on the
criticality of cyber assets associated with that facility as defined in the RAMCAP° methodology.
3.4 Consequence Analysis
Tetra Tech will compile all information and scores to calculate risk and resilience for each threat-asset pair
and confirm/revise the Consequence Analysis to rank threat-asset pairs according to the magnitude of
resulting consequences, using a consequence scale as provided in the RAMCAP° methodology.
Consequences will be estimated in terms of loss of life and serious injury;financial losses;duration and
severity of service denial; and economic losses to the utility.This analysis will be used as the basis for the
Vulnerability and Threat Analysis workshop to follow.
Deliverable:Consequence Analysis Technical Memorandum
3.5 Vulnerability and Threat Analysis Workshop
Tetra Tech will facilitate a Vulnerability&Threat Analysis Meeting with the City to determine the ability of
current protection systems to withstand each specified threat in a threat-asset pair.Tetra Tech will
present threat analysis assumptions during the workshop to estimate the likelihood of a malevolent act or
natural hazard based on current cybersecurity threats and historical records.The information gathered
during this workshop will be used as the basis for the Risk and Resilience Analysis task to follow.
Deliverable:Vulnerability and Threat Analysis Findings Workshop minutes
5
TR 13390-Exhibit 1
UTETRA TECH AWIA Risk and Resilience Assessment
3.6 Risk and Resilience Analysis
Tetra Tech will compile all information and scores gathered in the preceding tasks to calculate risk and
resilience for each threat-asset pair. Risk is calculated as the product of the Consequence(C,expressed as
a scored value),Vulnerability(V,expressed as a probability),and Threat(T,expressed as a probability).
Resilience is calculated as the product of the Service Outage(expressed as a scored value in terms of D,
duration,and S,severity,of the outage),Vulnerability,and Threat.Therefore,
RISK = Consequence x Vulnerability x Probability
RESILIENCE = Duration x Severity x Vulnerability x Probability
Tetra Tech will prepare a Risk and Resilience Analysis Technical Memorandum compiling the results of the
analysis.Tetra Tech will prepare for and facilitate a conference call to discuss the results to ensure that all
City participants agree with the outcome and determine which risks warrant mitigation.Tetra Tech will
prepare for and facilitate a conference call to discuss the results to ensure that City stakeholders agree
with the outcome and determine which risks warrant mitigation.The call will:
1. Define what level of risk and resilience is acceptable. For those threat-asset pairs that are not
acceptable,proceed to the next action.
2. Define mitigation and resilience options as countermeasures to the threats. Estimate the capital
and operating costs for each option.
3. Identify options that apply to multiple threat-asset pairs.
4. Calculate the net benefits and benefit-cost ratio to estimate total value and risk-reduction
efficiency of each option.
S. Determine the resources needed to operate the selected options.
6. Identify mitigation options to the selected threat-asset pairs.
Deliverable:Risk and Resilience Analysis Technical Memorandum
Task 4—Draft and Final RRA Development
Tetra Tech will complete the Draft RRA for City review.At the end of the review,Tetra Tech will conduct a draft
review workshop.This workshop will depend on the level on City-provided comments.With the earlier preliminary
findings workshop,it is likely that final comments will not warrant a workshop.
Following final comments,Tetra Tech will develop a final RRA and EPA certification letter for City signature and
submittal.
Deliverables:
• Draft Final and Final RRA
• EPA Certification Letter
Task 5—Emergency Response Plan
Tetra Tech will prepare and submit a formal documentation request to the City for available information pertaining
to emergency response.Tetra Tech will conduct a desktop audit to review data provided by the City in response to
the documentation request. The documentation request may include the following information:
1. After-action reports from prior real emergencies and exercises
2. Existing documentation related to emergency response for specific facilities
3. Partnerships with external agencies.
6
TR 13390-Exhibit 1
ICI TETRA TECH AWIA Risk and Resilience Assessment
Tetra Tech subject matter experts will prepare for and facilitate an Emergency Response Planning Workshop with
representatives from the City, including other departments.The Emergency Response Planning Workshop will be
conducted over one day.
Tetra Tech will prepare an Emergency Response Plan for the City's public water system.The ERP will provide the
strategies and resources to improve the resilience of the system.The ERP will include the following elements:
1. System overview
2. Incident management overview
3. Roles and responsibilities, based on the National Incident Management System(NIMS)and
Incident Command System(ICS)
4. Internal and external contact information
5. Emergency response guidance
6. Communications plan
7. Record-keeping policies
8. Emergency response plans unique to threats identified in the Threat Characterization task
Tetra Tech will prepare for and attend a meeting with the City to review the draft ERP.The meeting will be held at
the City's office and attended by up to 3 Tetra Tech staff, including the Project Manager.After receipt of City
comments,Tetra Tech will finalize the ERP and issue to the City.
Following the completion of the ERP,Tetra Tech will prepare a certified letter attesting to the completion of the
plan for the City's public water system in conformance with AWIA requirements.
Deliverables(Draft and Final)
• Emergency Response Plan
• Meeting agendas and minutes
Proposed Schedule and Milestones
The conceptual project schedule,if approved for start in August 2019, is tentatively as follows, but can be adjusted
prior to the dates below:
• Delivers the RRA compliance letter by December 31,2020.
• Delivers the ERP compliance letter by June 30,2021.
Compensation Summary
The total Lump Sum compensation for the Scope of Services described in this proposal is $142,998. The
compensation for the Scope of Services by task is summarized below and will be invoiced by task and percentage
complete monthly.
7
TR 13390-Exhibit 1
Et
TETRA TECH AWIA Risk and Resilience Assessment
Task No. Task Description Total
1 Project Management $22,069
2 Data Collection $27,247
3 Risk and Resilience Assessment $51,790
4 Draft and Final RRA Development $18,776
5 Emergency Response Plan $23,116
J. Reimbursables -
Total Lump Sum $142,998
8