Item #07 Approval to Award of Utilities SCADA Network Construction Project to SourceLink Communications
AGENDA ITEM COVER SHEET
Meeting Date: June 16, 2015
Item # 71
Reviewed By
Contact Name: Al Butler, Support Services Department Director:
Contact Number: 407-905-3100, ext. 1543 City Manager:
Subject: Award of Utilities SCADA Network construction project to SourceLink Communications for a
total cost of $25,581.55 and to have CenturyLink Communications do the configuration programming
needed to add the SCADA network to the city's computing infrastructure at a cost not to exceed $5,760.
The network equipment would also be added to the city's existing CenturyLink Centurion maintenance
contract for a small annual fee.
Background Summary:
The Ocoee Utilities Department is seeking to better manage its main water and wastewater facilities by
creating a supervisory control and data acquisition (SCADA) Network that will connect these facilities to
each other and to the Utilities Administration Building so that staff may monitor and operate equipment at
these facilities from remote locations. The SCADA Network is part of an overall plan for modernizing the
city's utility systems and will connect five facilities:
• Utilities Administration Building
• Wastewater Treatment Plant
• Forest Oaks Water Plant
• South Water Plant
• Maguire Booster Station
Redundant SCADA servers will be located at the two water plants. Client computers will be located at
the Wastewater Treatment Plant and Maguire Booster Station. The two servers will each continuously
scan the entire network and store the information they receive. If one server cannot communicate with a
given device, it will asynchronously look to the other server for a data update to cover the period of time
when communication was lost. The two client locations and all remote users will access the SCADA
data through the network to reach one of the four SCADA nodes. (The Utilities Administration Building is
not a node on the network; it is an outside point for city staff access.) The two water plants and the
Maguire Booster Station will have identical "branch office" SCADA network nodes constructed to provide
access to the SCADA equipment located on site.
The connection between the Utilities Administration Building and the adjacent Wastewater Treatment
Plant exists today using a fiber optic cable and is part of the existing secure city data network that is an
integral part of the CenturyLink Managed Office Essentials network recently installed throughout the city.
The city's Managed Office network uses the CenturyLink multi-protocol label switching (MPLS) transport
mechanism for connecting site to site and to the Internet. Because CenturyLink service is not
economically available, the city will use broadband service provided by Bright House Networks (BHN) to
serve the two water plants and the Maguire Booster Station. BHN broadband service has already been
established at these locations. To provide connectivity redundancy, Verizon wireless service will also be
provided to allow city staff and equipment to connect to each location when BHN service is lost. All
SCADA communications will occur over virtual private network (VPN) connections. A firewall established
at the Wastewater Treatment Plant will be the point of interconnection between the SCADA Network and
the city's Managed Office network.
Price proposals were sought from suitable contracting firms based on a performance specification early
in the project life-cycle. The initial price proposal from one company was in excess of $65,000. When
staff subsequently developed a detailed network design, equipment cost estimates were secured by staff
from a number of sources identified as lowest-cost providers. The original contracting firm chose not to
submit a new price proposal based on the city's revised specification and published cost expectation.
Cost proposals were subsequently received from SourceLink Communications, Inc. ($25,581.55) and
Presidio Networked Solutions ($23,030.40); however, the latter proposal was judged to be non-responsive
since it omitted $7,800 in needed equipment. Nevertheless, for those items that appear on
both price proposals, the costs are similar to each other and to staff's cost estimate. This strongly
suggests that the remaining items that appear only on the SourceLink Communications price proposal
and are consistent with staff's cost estimate represent the lowest reasonable cost that might be incurred.
CenturyLink is presently responsible for the city's Managed Office Essentials voice and data network and
is the logical choice for doing the configuration programming that will add the new SCADA equipment to
the city's infrastructure. This work would be done on an hourly basis under our existing contract.
Issue:
Staff seeks to award the task of furnishing and installing the Utilities SCADA Network to SourceLink
Communications, for a price of $25,581.55. City Commission approval is required since staff could get
only two of the three price quotes required under existing purchasing rules, and one of those proposals
was incomplete. Staff seeks to additionally hire CenturyLink Communications to do the equipment
configuration programming needed to make the SCADA system operational at a cost not to exceed
$5,760 and to add the SCADA equipment to the existing CenturyLink Centurion maintenance contract for
a small recurring service fee covering equipment service and replacement.
Recommendations
Staff recommends the City Commission award the work to SourceLink Communications in the amount of
$25,581.55, with equipment programming configuration to be performed by CenturyLink Communications
under the terms of the city's existing contract for data network services. CenturyLink would also have
continuing responsibility for equipment maintenance under an existing city contract.
Attachment:
• City of Ocoee SCADA Network Statement of Work.
• SCADA Network Bill of Materials.
• Price Proposal from SourceLink Communications.
• Price Proposal from Presidio Networked Solutions.
Financial Impact:
The planned project was included in the FY 2014 utilities capital budget and is ADG Job No. 31014, with
funding in Account No. 408-533-00-6302. The currently available budget is $137,558.68. Centurion
maintenance is expected to cost a few hundred dollars per year.
Type of Item: (please mark with an 'X')
Public Hearing
For Clerk's Dept Use:
Ordinance First Reading
Consent Agenda
Ordinance Second Reading
Public Hearing
Resolution
Regular Agenda
X Commission Approval
Discussion & Direction
X Original Document/Contract Attached for Execution by City Clerk
Original Document/Contract Held by Department for Execution
Reviewed by City Attorney
N/A
Reviewed by Finance Dept.
Charles Smith,
Reviewed by Utilities Director
N/A
N/A
SourceLink Communications, Inc.
Structured Cabling Solutions
17521 County Road 455 Montverde, FL 34787
Phone (407) 654-2400 Fax (407) 654-2428 Toll Free (888) 692-5100
Client: City Of Ocoee
150 N. Lakeshore Drive
Ocoee, FL 34761-2258
Attn: Mr. Al Butler
Phone: (407) 905-3100
PROPOSAL
Job Site: Waste Water Treatment
1800 A.D. Mims
Ocoee, FL 34761
Email: abutler@ci.ocoee.fl.us
We have prepared our proposal below in this format for your convenience. We appreciate the
opportunity to estimate this work and look forward to working with you on this installation.
Thank You,
Randy Hardy
SourceLink Communications, Inc.
Statement of Work: SourceLink Communications, Inc. will provide labor and materials for the
installation of the following:
SCADA NETWORK EQUIPMENT
Description | Quantity | Unit Price
1. StarTech 4POSTRACK12A Open Rack | 3 | $350.00 (e)
2. Tripp Lite SRCAGENUTS Screw Kit | 3 | $30.00 (e)
3. Cisco 1941W Wireless Integrated Router | 4 | $2,045.00 (e)
4. Cisco EHWIC-4ESG 4-Port Interface Card | 3 | $255.00 (e)
5. Cisco EHWIC-4G-LTE-V Wireless Cellular Interface Card | 4 | $926.55 (e)
6. Cisco PWR-1941-POE AC Power Supply for POE Service | 3 | $175.00 (e)
7. Tripp Lite PDUMH15ATNET 1U Power Distribution Unit | 2 | $465.00 (e)
8. Tripp Lite SMART500RT1U Rack-mounted UPS | 2 | $165.00 (e)
9. Tripp Lite SU750RTXLCD2U Rack-mounted UPS | 1 | $500.00 (e)
10. Emerson Islatrol/EDCO RM-Cat6-08POE Surge Suppressor | 1 | $600.00 (e)
11. AVTECH Room Alert 12ER Monitoring & Alert Package | 3 | $728.46 (e)
12. AVTECH Spot Flood Sensor | 3 | $196.00 (e)
13. AVTECH Axis M1011-W Network Camera | 3 | $225.00 (e)
14. StarTech UNISLDSHF19 1U Sliding Ventilated Rack Shelf | 3 | $118.00 (e)
15. Panduit DP245E88TGY 1U Cat-5E 24-port Patch Panel | 3 | $150.00 (e)
16. EnGenius ENH210EXT Outside WAP | 4 | $295.00 (e)
17. Cisco ASA Cisco 5506 | 1 | $904.00 (e)
Equipment Bid Amount: $23,012.55 Initial
SCADA NETWORK EQUIPMENT INSTALLATION
Installation of the Following SCADA Network Equipment at Customer Designated Locations.
[3] StarTech 4POSTRACK12A Open Rack
[3] Tripp Lite SRCAGENUTS Screw Kit
[4] Cisco 1941W Wireless Integrated Router
[3] Cisco EHWIC-4ESG 4-Port Interface Card
[4] Cisco EHWIC-4G-LTE-V Wireless Cellular Modem Interface Card
[3] Cisco PWR-1941-POE AC Power Supply for POE Service
[2] Tripp Lite PDUMH15ATNET 1U Power Distribution Unit
[2] Tripp Lite SMART500RT1U 500VA 300W Rack-mounted UPS
[1] Tripp Lite SU750RTXLCD2U 750VA 67W Rack-mounted UPS
[1] Emerson Islatrol/EDCO RM-Cat6-08POE Surge Suppressor
[3] AVTECH Room Alert 12ER Monitoring & Alert Package
[3] AVTECH Spot Flood Sensor
[3] AVTECH Axis M1011-W Network Camera
[3] StarTech UNISLDSHF19 1U Sliding Ventilated Rack Shelf
[3] Panduit DP245E88TGY 1U Cat-5E 24-port Patch Panel
[4] EnGenius ENH210EXT Long-range Outside Wireless Access Point
[1] Cisco ASA Cisco 5506 Firewall Edition
Labor Bid Amount: $2,569.00 Initial
Total Bid Amount: $25,581.55 Initial
The Attached Proposal Price Is Based On the Following Conditions
1. CLEAR, UNOBSTRUCTED AND SAFE ACCESS WILL BE PROVIDED BY CLIENT TO ALL AREAS OF INSTALLATION INCLUDING BUT
NOT LIMITED TO CONDUITS, WORK AREAS, LADDER RACK, CLOSETS, ETC. IF CONDUITS HAVE EXISTING CABLE, SOURCE LINK
COMMUNICATIONS, INC. DOES NOT GUARANTEE THAT NEW CABLE WILL FIT IN CONDUIT. ALL COSTS RELATED TO ATTEMPTING
TO FIT CABLES IN CONDUIT WOULD BE BILLED ON A TIME AND MATERIALS BASIS AT THE RATES DISPLAYED IN THE TIME AND
MATERIALS FEE SCHEDULE.
2. LABOR (UNLESS LISTED OTHERWISE NOTED IN THE ATTACHED BID LANGUAGE) WILL BE PERFORMED IN SHIFTS NOT TO
EXCEED EIGHT HOURS PER INSTALLER. SHIFTS WILL OCCUR BETWEEN THE HOURS OF 7:00 AM AND 5:00 PM
MONDAY - FRIDAY.
3. SOURCELINK COMMUNICATIONS, INC. DISCLAIMS ALL WARRANTIES, IMPLIED OR OTHERWISE, EXCEPT AS EXPRESSLY
PROVIDED HEREIN. SOURCE LINK COMMUNICATIONS, INC. WARRANTIES THE LABOR WE PERFORM TO BE SUBSTANTIALLY FREE
FROM DEFECTS IN MATERIALS AND WORKMANSHIP FOR A PERIOD OF ONE YEAR FROM THE DATE WORK IS COMPLETED. THE
WARRANTY DOES NOT APPLY TO REWORK OR REPAIR OF OTHER PARTIES WORK. OUR WARRANTY IS LIMITED TO REPAIRING OR
REPLACING (AT OUR OPTION) THE ITEM(S), WHICH AT THE OPINION OF SOURCE LINK COMMUNICATIONS, INC. PROVE TO BE
DEFECTIVE UPON OUR INSPECTION. MATERIALS SOLD BY SOURCE LINK COMMUNICATIONS, INC. ARE SUBJECT TO THEIR
MANUFACTURERS' WARRANTY TERMS AND OUR WARRANTY DOES NOT INCLUDE THOSE ITEMS. ALTERATION, ABUSE, OR
MISUSE VOIDS ANY AND ALL WARRANTIES, OURS, MANUFACTURER, RETAIL, OR DISTRIBUTOR.
4. PAYMENT TERMS ARE THE FOLLOWING: EQUIPMENT 100% DUE UPON ORDER PAYABLE VIA ACH PAYMENT OR
CREDIT CARD; PAYABLE IN U.S. FUNDS. INSTALLATION NET30 TERMS UPON EXECUTED PURCHASE ORDER
5. PAYMENT TERMS ARE OUTLINED IN THIS PROPOSAL. IF PAYMENT IS NOT MADE WITHIN THE DEFINED TERMS A LATE FEE
OF 5% OF ANY UNPAID BALANCE WILL BE CHARGED PER MONTH. THE LATE FEE WILL BE INCORPORATED INTO THE REMAINING
BALANCE. AN UPDATED INVOICE OUTLINING ALL LATE FEES WILL BE SENT OUT.
6. ANY CHANGES, ADDITIONS, OR DELETIONS TO OR FROM THE PROPOSAL'S ATTACHED STATEMENT OF WORK, BID PRICE, OR
CONDITIONS ARE TO BE DETAILED ON A SOURCE LINK COMMUNICATIONS, INC. CHANGE ORDER SIGNED BY CLIENT PRIOR TO
WORK COMMENCING ON THE CHANGES.
7. SOURCELINK COMMUNICATIONS, INC. RESERVES THE RIGHT TO LIEN JOBS FOR NON-PAYMENT BY CLIENT.
8. THIS BID MAY BE WITHDRAWN BY US IF NOT ACCEPTED IN WRITING WITHIN 30 DAYS.
9. ALL WORK TO BE COMPLETED IN A COMPETENT MANNER ACCORDING TO STANDARD PRACTICES. ANY ALTERATION OR
DEVIATION FROM ABOVE SPECIFICATIONS INVOLVING EXTRA COSTS WILL BE EXECUTED ONLY UPON WRITTEN ORDERS, AND
WILL BECOME AN EXTRA CHARGE OVER AND ABOVE THE ESTIMATE. OWNER TO CARRY FIRE, TORNADO, AND OTHER
NECESSARY INSURANCE.
10. MATERIAL PRICE INCLUDES MISCELLANEOUS MATERIAL AND SHIPPING UNLESS OUTLINED ON THE FIRST (1ST) PAGE.
11. IF A SCISSOR LIFT IS REQUIRED FOR INSTALLATION DUE TO EXCESSIVE HEIGHTS THAT CANNOT BE REACHED WITH A
LADDER, ADDITIONAL COSTS WILL BE INCURRED. THE COSTS WILL BE IDENTIFIED ON A CHANGE ORDER FOR THE COST OF THE
SCISSOR LIFT AND WILL BE IN ADDITION TO THE ORIGINAL BASE BID AMOUNT.
12. IF FOR ANY REASON THE EXISTING CABLING THAT IS BEING REUSED IN THIS PROJECT HAS TO BE REPLACED IT WILL BE IN
ADDITION TO THE BID PRICE.
13. IF SOURCELINK COMMUNICATIONS, INC. MUST ENFORCE THE TERMS OF THIS AGREEMENT IT SHALL BE ENTITLED TO
RECOVER ITS COSTS INCLUDING REASONABLE ATTORNEY'S FEES.
14. THIS AGREEMENT SHALL BE GOVERNED AND CONTROLLED BY THE LAWS OF THE STATE OF FLORIDA AS TO
INTERPRETATION, ENFORCEMENT, VALIDITY, CONSTRUCTION, AND EFFECT AND IN ALL OTHER RESPECTS. BY EXECUTION OF
THIS AGREEMENT, THE PARTIES CONSENT TO VENUE IN LAKE COUNTY, FLORIDA OF ANY ACTION BROUGHT TO ENFORCE THE
TERMS OF THIS AGREEMENT OR TO COLLECT ANY MONIES DUE UNDER IT.
15. THE TERMS AND PROVISIONS OF THIS AGREEMENT ARE BINDING ON AND SHALL INURE TO THE BENEFIT OF THE PARTIES
AND THEIR RESPECTIVE HEIRS, REPRESENTATIVES, SUCCESSORS, AND PERMITTED ASSIGNS.
16. THIS AGREEMENT CONSTITUTES THE ENTIRE AGREEMENT BETWEEN THE PARTIES AND SHALL BE DEEMED TO SUPERSEDE
AND CANCEL ANY OTHER AGREEMENT BETWEEN THE PARTIES RELATING TO THE TRANSACTIONS CONTEMPLATED IN THIS
AGREEMENT. NONE OF THE PREVIOUS AND CONTEMPORANEOUS NEGOTIATIONS, PRELIMINARY DRAFTS, OR PREVIOUS
VERSIONS OF THIS AGREEMENT LEADING UP TO ITS EXECUTION AND NOT SET FORTH IN THIS AGREEMENT SHALL BE USED BY
ANY OF THE PARTIES TO CONSTRUE OR AFFECT THE VALIDITY OF THIS AGREEMENT. EACH PARTY ACKNOWLEDGES THAT NO
REPRESENTATION, INDUCEMENT, OR CONDITION NOT SET FORTH IN THIS AGREEMENT HAS BEEN MADE OR RELIED ON BY EITHER
PARTY.
17. CLIENT IS RESPONSIBLE FOR OBTAINING RIGHTS OF WAY, AND OTHER ACCESS AS DETERMINED NECESSARY BY
SOURCELINK COMMUNICATIONS, INC.
18. IF A PERMIT IS REQUIRED SOURCELINK WILL OBTAIN A PERMIT. CUSTOMER AGREES TO PAY FOR THE PERMIT AND ALL
ASSOCIATED COSTS INCLUDING ADMINISTRATIVE COSTS AND ANY OTHER FEES DEEMED NECESSARY BY SOURCELINK AND
LOCAL JURISDICTIONS.
19. SOURCELINK COMMUNICATIONS ACCEPTS CREDIT CARD AS PAYMENT ON ALL INVOICES. THERE WILL BE A 4%
SURCHARGE FOR ALL INVOICES PAID WITH A VISA, DISCOVER, AMERICAN EXPRESS OR MASTERCARD.
Date: 06/1/2015 Terms: See item #4, above Quote # RH-15040-00 REV 01
ACCEPTANCE: THE TERMS ON THIS AND THE ATTACHED PAGE INCLUDING THE ABOVE WORK DESCRIPTION ARE HEREBY
UNDERSTOOD AND ACCEPTED BY THE UNDERSIGNED WHO BY SIGNING THIS DOCUMENT REPRESENTS THAT THEY ARE
AUTHORIZED TO CONTRACT CLIENT WITH CONTRACTOR ON THE ABOVE PROPOSAL AND APPROVE PAYMENT.
SOURCELINK COMMUNICATIONS ACCEPTS CREDIT CARDS AS PAYMENT ON ALL INVOICES. THERE WILL BE A
4% SURCHARGE ADDED TO ALL INVOICE AMOUNTS FOR ALL INVOICES PAID WITH A VISA, DISCOVER, AMERICAN
EXPRESS OR MASTER CARD.
AUTHORIZED SIGNATURE
TITLE
PRINTED NAME
COMPANY PURCHASE ORDER NO. APPROVAL DATE
SCI REQUIRED BILLING INFORMATION
A/P CONTACT: PHONE #
EMAIL ADDRESS:
BILLING ADDRESS IF DIFFERENT THAN ABOVE
ADDRESS:
CITY: STATE: ZIP CODE:
IS A PURCHASE ORDER # REQUIRED FOR PAYMENT YES NO ?
(THIS INFORMATION TO BE FILLED PRIOR TO SCHEDULING OF INSTALLATION)
IF PAYING BY CREDIT CARD PLEASE INDICATE WHAT METHOD OF PAYMENT WILL BE USED.
Visa Master Card American Express Discover.
Name as appears on Card:
Card Number:
3 -Digit Security Code: Expiration Date:
TO: City of Ocoee
Accounts Payable
150 N. Lakeshore Drive
Ocoee, FL 00000
(p) (407) 905-3100 Ext. 1523
Customer#:
CITY0262
Account Manager:
Ross LoBrutto
Inside Sales Rep:
Susan Bacci
Title:
City of Ocoee - SCADA
QUOTE: 11657786-01
DATE: 06/08/2015
PAGE: 1 of 2
FROM: Presidio Networked Solutions
Susan Bacci
5337 Millenia Lakes Blvd.
Suite 300
Orlando, FL 32839
sbacci@presidio.com
(p) 407.641.0563
Contract Vehicle: Florida NASPO ValuePoint Cisco/IronPort AR233 (14-19)
FL#43220000-WSCA-14-ACS
Line | Part Number | Description | Unit Price | Qty | Ext. Price
1 | ASA5506-K9 | ASA 5506-X with FirePOWER services, 8GE, AC, 3DES/AES | $606.95 | 1 | $606.95
2 | CON-SNT-ASA55WK | SMARTNET 8X5XNBD ASA 5506-X with FirePOWER services, 8GE, (for 12 mo(s)) | $95.20 | 1 | $95.20
3 | ASA5506-SSD | ASA 5506-X SSD | $0.00 | 1 | $0.00
4 | SF-ASA-FP5.4.1-K9 | Cisco FirePOWER Software v5.4.1 for ASA 5500-X | $0.00 | 1 | $0.00
5 | ASA5506-CTRL-LIC | Cisco ASA5506 Control License | $0.00 | 1 | $0.00
6 | SF-ASA-K-9.4-K8 | ASA 9.4 Software image for ASA 5506/5508/5516 series | $0.00 | 1 | $0.00
7 | CAB-AC | AC Power Cord (North America), C13, NEMA 5-15P, 2.1m | $0.00 | 1 | $0.00
8 | ASA5500-ENCR-K9 | ASA 5500 Strong Encryption License (3DES/AES) | $0.00 | 1 | $0.00
9 | ASA5506-PWR-AC | ASA 5506-X Power Adaptor | $0.00 | 1 | $0.00
Total: $702.15
10 | L-AC-PLS-P-G | Cisco AnyConnect Plus Perpetual License Group | $0.00 | 1 | $0.00
11 | CON-SAU-LACPLSPG | SW APP SUPP + UPGR Cisco AnyConnect Plus Perpetual License (for 12 mo(s)) | $0.00 | 1 | $0.00
12 | AC-PLS-P-25-S | Cisco AnyConnect 25 User Plus Perpetual License | $100.65 | 1 | $100.65
13 | CON-SAU-ACPL25 | SW APP SUPP + UPGR Cisco AnyConnect 25 (for 12 mo(s)) | $26.40 | 1 | $26.40
14 | L-AC-PLS-P-25 | Cisco AnyConnect 25 User Plus Perpetual (ASA License Key) | $0.00 | 99999 | $0.00
Total: $127.05
15 | CISCO1941W-A/K9 | Cisco 1941 Router w/ 802.11 a/b/g/n FCC Compliant WLAN ISM | $1,277.95 | 4 | $5,111.80
16 | CON-SNT-1941WA | SMARTNET 8X5XNBD Cisco 1941 Router w/ 802.11 a/b/g/n FCC (for 12 mo(s)) | $164.80 | 4 | $659.20
17 | CAB-AC | AC Power Cord (North America), C13, NEMA 5-15P, 2.1m | $0.00 | 4 | $0.00
18 | ISR-CCP-EXP | Cisco Config Pro Express on Router Flash | $0.00 | 4 | $0.00
19 | S801W7K9-12421JA | Cisco 801 Series IOS WIRELESS LAN | $0.00 | 4 | $0.00
20 | MEM-CF-256MB | 256MB Compact Flash for Cisco 1900, 2900, 3900 ISR | $0.00 | 4 | $0.00
21 | MEM-1900-512MB-DEF | 512MB Default DRAM for Cisco 1941 ISR | $0.00 | 4 | $0.00
22 | S801RK9W-12421JA | Cisco 801 Series IOS WIRELESS LAN LWAPP RECOVERY | $0.00 | 4 | $0.00
23 | SL-19-IPB-K9 | IP Base License for Cisco 1900 | $0.00 | 4 | $0.00
24 | S190UK9-15501T | Cisco 1900 IOS UNIVERSAL | $0.00 | 4 | $0.00
25 | EHWIC-4G-LTE-VZ | 4G LTE EHWIC for Verizon, AWS1700 MHz, EVDO | $701.50 | 4 | $2,806.00
26 | 4G-AE010-R | Single Unit antenna Extension Base (10 foot cable included) | $45.75 | 4 | $183.00
27 | 4G-LTE-ANTM-D | 4G LTE articulating dipole antenna 700MHz-2600MHz bands | $21.35 | 4 | $85.40
28 | 4G-LTE-ANTM-D | 4G LTE articulating dipole antenna 700MHz-2600MHz bands | $0.00 | 8 | $0.00
29 | 4G-AE010-R | Single Unit antenna Extension Base (10 foot cable included) | $0.00 | 8 | $0.00
30 | SL-19-SEC-K9 | Security License for Cisco 1900 | $610.00 | 4 | $2,440.00
31 | PWR-1941-POE | Cisco 1941 AC Power Supply with Power Over Ethernet | $122.00 | 4 | $488.00
32 | CAB-AC2 | AC Power cord North America | $0.00 | 4 | $0.00
33 | EHWIC-D-8ESG-P | Eight port 10/100/1000 Ethernet switch interface card w/ PoE | $606.95 | 4 | $2,427.80
Total: $14,201.20
34 | PS-SVC-FF | Fixed Fee for Presidio employee labor | $4,000.00 | 1.00 | $4,000.00
Comments: FL Dept of Management Services/Consultant Services IT 973-561-010-1
Deliverable: Kickoff
35 | PS-SVC-FF | Fixed Fee for Presidio employee labor | $4,000.00 | 1.00 | $4,000.00
Comments: FL Dept of Management Services/Consultant Services IT 973-561-010-1
Deliverable: Deployment
Sub Total: $23,030.40
Grand Total: $23,030.40
TERMS AND CONDITIONS OF THE REFERENCED WSCA CISCO CONTRACT AR233 (14-19) FL#43220000-WSCA-14-ACS APPLIES TO THIS QUOTE
Customer hereby authorizes and agrees to make timely payment for products delivered and services
rendered, including payments for partial shipments
Customer Signature Date
Presidio Networked Solutions, Inc. Service Agreement v2.1
CUSTOMER INFORMATION
PRESIDIO Solution Arch Name (Opp #): Troy
Company Name: City of Ocoee
Name and Title of Person Requesting Service: Al Butler
Address: 150 North Lakeshore Drive
Email Address: abutler@ci.ocoee.fl.us
City, State and Zip: Ocoee, FL 34761
Phone/Fax: 407-554-7063
Authorizing PO:
DESCRIPTION OF SERVICES
Customer agrees the services described below comprise the scope of tasks authorized under this agreement. Additional
attached if necessary. Any services beyond this scope require an additional authorized Service Agreement prior to commencement
Executive Summary
City of Ocoee (COO) wishes to engage Presidio Networked Solutions to install and configure a SCADA network infrastructure with
four (4) Cisco 1941W routers (with built in wireless, POE ports, and Verizon wireless 4G cards) and one (1) Cisco ASA 5506 firewall
for IPSEC backup tunnels and remote access.
Project Objectives
Provide a senior network engineering resource to implement a new SCADA WAN infrastructure for city wastewater and water utility
plants over a Brighthouse Network with DMVPN and Verizon wireless 4G as backup/failover.
SCADA WAN Network Installation
• Conduct detailed design workshop with COO network engineering team
• Generate detailed design document (DDD) from detailed design workshop
• Deploy four (4) Cisco 1941W routers and one (1) Cisco ASA 5506 firewall for new WAN infrastructure
• Perform router and firewall configurations for SCADA WAN infrastructure based upon design document, including such
things as:
• Base configurations (Hostname, IP Address, SNMP, VPC, HA)
• Routing protocols EIGRP (OSPF if deemed necessary)
• DMVPN connectivity for full mesh network
• Full redundancy in WAN environment with DMVPN and IPSEC tunnel backup
• Wireless configuration on router for local end users (single SSID with passphrase)
• Up to 5 ACL's on public side to lock down only DMVPN traffic
• DHCP pools for local network
• Up to 3 VRF's for route separation (if required)
• Up to 2 IP SLA for circuit monitoring
• Up to 5 ACL's on ASA for traffic segregation between SCADA and city network
• Perform testing of implemented configurations of Cisco 1941 routers data center core network (network wide reachability,
failover, etc.) Customer will be responsible for connecting servers and testing connectivity.
• Perform As-built documentation of newly installed equipment
Project Locations
This work will be performed onsite at COO location in Ocoee, FL as well as remotely from a Presidio office.
Assumptions
The following assumptions were made while creating the service agreement:
• Customer will verify all connectivity for all devices prior to work proceeding
• Customer will be responsible for all IP information needed to complete this project (public IP addressing, etc.)
• Customer is responsible for all end system network and storage configurations.
• Customer will provide all necessary cabling and cable management.
• Customer will provide all necessary physical and logical access required to support the purpose of this agreement.
• Customer's technical resources will be made available to the Presidio project team.
• Customer will schedule appropriate maintenance windows for system upgrades and installs and notify user community
• Customer will provide a single point of contact with the authority and the responsibility of issue resolution and the
identification, coordination and scheduling of the appropriate customer personnel.
• Presidio will pre-configure equipment as much as possible.
• Presidio is not responsible for the installation of any software not defined in this service agreement.
• Presidio is not responsible for user workstation configuration or troubleshooting.
• Presidio is not responsible for racking and the installation of power to support the new equipment.
PRESIDIO 5337 Millennia Lakes Blvd, Orlando FL 32839
This information is confidential or proprietary to PRESIDIO and may not be used or disclosed without prior written
permission
• Presidio is not responsible for any configurations on any other systems not defined in this service agreement.
• Presidio is not responsible for connecting existing equipment to newly installed equipment.
• Presidio will perform most of the Services under this Statement of Work during normal business hours, 8:00 a.m. to 5:00
p.m. (local time) Monday through Friday, except Presidio holidays, unless otherwise specified.
• Some activities on this project may be performed on Presidio's premises.
• Presidio is not responsible for moving or relocating any equipment in this service agreement.
• Presidio will not make changes to the configuration of any network equipment after it has been tested and verified.
The following conditions define the complete set of acceptance criteria associated
for efforts submitted by PRESIDIO as being complete.
Upon completion of the hours identified in this Specification
Other (specify): Upon completion of tasks identified
Customer agrees to provide reasonable access to facilities, equipment, and personnel necessary to complete this effort. Unless otherwise noted, all
during normal business hours (8AM — 5PM M-F excluding holidays) at the location indicated. Work outside this time will be
billed at the After Hours Rate. Travel expenses are estimated and include, but are not limited to mileage, hotels, meals, airfare, rental car, parking
es_ tads and tolls. PRE$JDIO 11 A ce p p. M le1pri b +t 9 less en_tha, . G r _ anent fors ices
—L--including a
❑ Time and Materials (T&M) - Services will be provided on a time, materials, and expense basis. Customer understands the estimate provided is a good faith estimate, but may be exceeded. Minimum daily charge is 4 hours per day.
☒ Fixed Price - Services will be provided on a fixed price basis. If provided, time estimates are for planning and scheduling purposes only.
Hours Estimate
Hourly Rate
Kickoff $ 4,000.00
Completion $ 4,000.00
Estimated Total
Travel will be billed as: ❑ Actual Expenses ❑ Fixed Price $ M N/A A
... by PRESIDIO. Customer agrees not to solicit or hire any Presidio employees for the duration of this
agreement and 12 months after its completion. The entire liability of Presidio and Customer's exclusive remedy arising out of or in any way related to
this agreement shall be limited to the total value of this agreement. Presidio shall not be liable nor shall Presidio indemnify Customer for, and
Customer releases Presidio from any claims of patent infringement, including contributory infringement or inducement to infringe, based on or related
to the Equipment, Services or any information provided by Presidio. Unless otherwise specified, this agreement is valid for one calendar year from the
u e
or milestones are completed (Fixed Price). _
Customer Signature — Authorization to Proceed I Date
—Authorization to Proceed
Signature —
Date
Total
$ 8,000.00
City of Ocoee, Florida
City of Ocoee SCADA Network
Statement of Work
Version 1.1
5/29/2015
Table of Contents
STATEMENT OF PURPOSE
INTRODUCTION
EQUIPMENT REQUIREMENTS
NETWORK SCOPE
  Objectives
  Assumptions
DATA FLOW SCENARIOS
  Site to Site Normal Operation
  Remote Access Users
  Internet Access
  Branch Office Outage Scenario
  Wastewater Treatment Plant (Hub) Outage Scenario
NETWORK DIAGRAMS AND TOPOLOGY
  Forest Oaks Water Plant, South Water Plant, and Maguire Booster Station
    Router Configuration:
  Wastewater Treatment Plant Cisco 1941W Router
    Router Configuration:
    ASA Configuration:
STATEMENT OF PURPOSE
This Statement of Work is to be used as a general guide for meeting the City of Ocoee's SCADA network
needs. It is suggested that all best practices set forth by Cisco and the general networking community
for accessibility and security be followed. This guide is not intended to outline said best practices but to
only give suggestions or direction on one way to accomplish the goals.
The session flows and survivability scenarios should be used as the mechanism to reach the correct and
final solution. These scenarios are detailed in this Statement of Work and will need to be tested and
accepted by the city at the conclusion of the project. Again, as long as the normal session flows and
survivability can be achieved during all network issue scenarios, configuration augmentations are
acceptable and appropriate.
Once the project has been completed, all router and ASA firewall passwords must be turned over to the
City of Ocoee's IT staff.
INTRODUCTION
The City of Ocoee proposes to construct a data network for the supervisory control and data
acquisition (SCADA) equipment serving the city's water, wastewater, and reclaimed water utilities. The
proposed SCADA network will connect five facilities:
1. Utilities Administration Building
2. Wastewater Treatment Plant
3. Forest Oaks Water Plant
4. South Water Plant
5. Maguire Booster Station
Redundant SCADA servers will be located at the two water plants. Client computers will be located
at the Wastewater Treatment Plant and Maguire Booster Station. The two servers will each
continuously scan the entire network and store the information they receive. If one server cannot
communicate with a given device, it will asynchronously look to the other server for a data update to
cover the period of time when communication was lost. The two client locations and all remote users
will access the SCADA data through the network to reach one of the four SCADA nodes. (The Utilities
Administration Building is not a node on the network but an outside point for city staff access.) The two
water plants and the Maguire Booster Station will have identical "branch office" SCADA network nodes
constructed to provide access to the SCADA equipment located on site.
The connection between the Utilities Administration Building and the adjacent Wastewater
Treatment Plant exists today using a fiber optic cable and is part of the existing secure city data network
that is an integral part of the CenturyLink Managed Office Essentials network recently installed
throughout the city. The city's Managed Office network uses the CenturyLink multi-protocol label
switching (MPLS) transport mechanism for connecting site to site and to the Internet.
The city will use broadband service provided by Bright House Networks (BHN) to serve the two
water plants and the Maguire Booster Station. BHN broadband service has already been established at
these locations at the basic 25 MB downstream and 2 MB upstream level. BHN has assigned five fixed IP
addresses for each site. To provide connectivity redundancy, Verizon wireless service will also be
provided to allow city staff and equipment to connect to each location when BHN service is lost. All
SCADA communications will occur over virtual private network (VPN) connections.
Each branch office location will connect through the Internet to the CenturyLink MPLS network and
will be routed to a new Cisco adaptive security appliance (ASA) located upstream of the main Managed
Office router now in the Utilities Administration Building. The ASA will serve as a firewall security
gateway between the SCADA network and the city's secure data network. Only specifically designated
traffic will be able to flow through the ASA between the two networks. Traffic solely between the
Utilities Administration Building and the Wastewater Treatment Plant is already covered by the secure
city network and will not go through the ASA. All remote access will be through a VPN connection to the
ASA. At least one VPN connection will be provided for SCADA contractors. All traffic between nodes on
the SCADA network will be encrypted.
EQUIPMENT REQUIREMENTS
A. StarTech 4POSTRACK12A 12U 4-post Open Equipment Rack with Casters (square mounting holes on
posts require inserts; e.g., Tripp Lite SRCAGENUTS Square-hole Hardware Kit).
B. Cisco 1941W-A-N-SEC/K9 Integrated Wireless Security Power over Ethernet (PoE) Router. The
purpose of the integrated router is to serve as a central mechanism for routing and switching. It also
acts as an inside wireless access point so that city staff and contractors can interact with the SCADA
system using smartphones and tablet computers. Each unit acts as a node on the SCADA network. Three
major additions to the base model are:
(i) One Cisco EHWIC-4ESG 4-port 10/100/1000 Ethernet Switch Interface Card. This card adds
four PoE-capable RJ45 ports to the two ports already on the base unit. We expect there to be at
least four devices attached to the router at each location: (1) the SCADA computer, which may
be a server or a client, but which are fairly similar desktop personal computers regardless of role
(NIC); (2) the AVTECH Room Alert 12ER sensor hub and alarm; (3) an IP camera; and (4) an
outside wireless access point (WAP). As originally configured, we will have space for two more
devices to be attached to the router; these are likely to be IP cameras located on the outside of
the building in which the SCADA equipment is located. The router has a space for one more such
4-port card to be added, which will give us a total of 10 available ports. (Not needed on the unit
located in the Utilities Administration Building.)
(ii) One Cisco Wireless Cellular Modem EHWIC-4G-LTE-V for Verizon Service Interface Card
(comes with one Cisco 4G-LTE-ANTM-D dipole antenna that mounts directly to the interface
card faceplate); requires agreement for cellular service from Verizon. Utility systems need high
availability, so redundant methods of system connectivity between sites and with city staff are
required. The city's cellular carrier for utility services is Verizon. The router will use landline
connection to Bright House Networks (BHN) broadband service as the primary means of
communication. Verizon cellphone service will serve as backup for connections between SCADA
network nodes and for direct access by city staff to a single location.
(iii) Cisco PWR-1941-POE AC Power Supply. The IP cameras need PoE power supply from the
router. The base power supply has only enough output to support the two connections provided
on the base unit. This additional power supply is needed to support additional PoE service on
the 4-port addition. The proposed outside WAP has a separate high-power PoE supply source.
The AVTECH Room Alert system has its own power supply. (Not needed on the unit located in
the Utilities Administration Building.)
The list shown above is a general listing of the major components. A more detailed bill of materials is
available.
C. Tripp Lite PDUMH15ATNET Automatic Transfer Switch Power Distribution Unit. All rack-mounted
equipment will be powered by this unit. Given the established need for high reliability in the city's utility
system, two uninterruptible power supplies (UPSs or battery backups) have been specified for each
SCADA node. This automated transfer switch is intended to perform two functions. First, it is able to
switch the power feed to the system among the available sources. Second, it powers up the equipment
sequentially, thereby reducing the potential for a power surge that might exceed the alarm level on any
one UPS.
D. Tripp Lite SU750RTXLCD2U 750VA, 675 Watt Rack-mounted UPS. This is the primary UPS for providing
filtered power to the SCADA node. In addition to providing battery backup power for several minutes,
thereby allowing time for the onsite backup generator to become operational, it continuously filters
incoming power to reduce spikes, dips, and surges that may harm the attached equipment.
E. Tripp Lite SMART500RT1U 500VA, 300 Watt Rack-mounted UPS. This is the secondary UPS for the
SCADA node. It will provide power to the rack only when the main UPS is offline, such as when needed
to replace the battery pack. The power duration requirement for this function is substantially less than
for the primary UPS.
F. Emerson EDCO RM-CAT6-08POE Rack-mounted 8-port Pass-thru Surge Suppressor. As a physical
protective measure for a SCADA system that includes significantly dispersed connections, many of which
are outside the building, a surge suppressor has been specified for all CAT-5 paths to and from the
SCADA node rack. Coupled with a separate earth ground, this pass-thru mechanism should prevent the
typical transient power surges that may be induced through lightning strikes from damaging the
rack-mounted equipment.
G. AVTECH Room Alert 12ER Monitoring and Alert Package (includes built-in digital thermometer,
remote digital thermometer, remote power sensor, and advanced alerting). The purpose of this product
suite is to monitor onsite power and operating conditions so as to alert city staff when there is a
possible problem. These alerts can take the form of a text message or e-mail. In addition to the sensors
included in the basic package, the proposed installation will include:
(i) One AVTECH RMA-FS2-SEN Spot Flood Sensor. Although the SCADA system regulates
water and wastewater systems, water on the electronics is generally undesirable.
(ii) One AVTECH Axis M1011-W Wireless Network Camera. Some issues may be more clearly
identifiable by being able to see what is happening in the control room where the SCADA
node is located.
H. Ventilated 1U Rack-mount Shelf for supporting Cisco 1941W Router; e.g., Belkin, StarTech. Not all
specified components are rack-mounted. This shelf is intended to support those standalone units that
cannot be mounted directly on the rack; e.g., the Cisco 1941W integrated router and the BHN modem.
I. Panduit DP245E88TGY 1U Cat-5E 24-port Flat Punch-down Patch Panel (includes jack inserts).
J. EnGenius ENH210EXT Enterprise-Class Long-Range High-Capacity Wireless-N Outdoor Access Point.
This product is the standard external WAP used throughout the city. It is intended to allow city staff to
connect securely to the SCADA node and, potentially, through that node to other parts of the city's
SCADA and Managed Office networks.
K. BHN Broadband Modem with 25x2 Service (minimum); provided by BHN for monthly service fee; can
be expanded to provide dial-tone service for telephones and faxes (NIC). This device will provide the
primary inter-node connection service using 25x2 broadband service.
NETWORK SCOPE
The network is designed to achieve specific network and business objectives:
1. Secure Services: The main objective of the network is to provide secure administrative
computing service for the City of Ocoee's Utilities Personnel. Only authorized employees,
whether onsite or remote, will be allowed to have access to the network. Communication
between the sites will use Internet Protocol Security (IPSec) tunnels for secure data flow.
2. Fully Meshed Network: Each site will need to communicate directly with all the other sites.
DMVPN will be used to create the IPSec tunnels between all sites in order to keep the
configuration and complexity to a minimum.
3. Full Redundancy: The City of Ocoee will contract with Verizon Wireless to provide a 4G backup
service at each site. If the main connection fails, the site must be able to recover over the
wireless connection and appear to the rest of the sites as still part of the dynamic multi-point
virtual private network (DMVPN) cloud.
4. Wireless Access: Employees in the Utility Department will be equipped with tablets that they
can use while roaming the plants. Therefore, a secure non-broadcast service set identifier (SSID)
network will be used for the local wireless access. This SSID will need to be consistent over all
sites.
5. Remote Access: Certain employees need to have the ability to access the network from other
locations outside of those that have been mentioned previously. This will require the use of
VPN client software on the user's resource and remote access configured on the ASA firewall.
This design assumes the following:
1. The City will provide the local network IP addressing for each site.
2. BHN (CenturyLink for Utilities Admin) will provide the WAN IP addresses for each site.
3. Verizon will provide wide-area network (WAN) IP addresses for the backup network.
DATA FLOW SCENARIOS
The City of Ocoee has the following data flow scenarios:
• SCADA servers located at the two water plants poll all other sites (including each other)
to develop redundant data stores of SCADA system conditions.
• SCADA clients are located at the Wastewater Treatment Plant and Maguire Booster
Station. They monitor only the local equipment.
• There is a "catch-up" procedure to update a server's database with missing data
following the loss of network connectivity and subsequent service restoration.
• SCADA server or client at each facility must communicate with ALL onsite equipment.
• Onsite employees must be able to reach ANY remote site to check site vitals.
For these reasons, the recommended solution is to use DMVPN to minimize the complexity of the IPSec
tunnels. All four sites are peer-to-peer in operation, with redundant servers at two locations polling all
other locations on the SCADA network.
Remote Access Users
The City of Ocoee Utility employees from time to time will need to check on the systems located at the
various sites. The Utilities Administration Building will act as the access point for external communications,
which will arrive via the CenturyLink MPLS connection provided by the company's Managed Office
Essentials service. This service is the main backbone of the city's voice and data network. City staff will
have Cisco AnyConnect clients loaded onto their laptops, tablets, etc. They will connect through the
MPLS network into the ASA5506 to gain access into the SCADA network. There is also a need for a
vendor in New York to have remote access, as well; they will follow the same session flow as other
remote users.
[Diagram labels: ASA5506, Util Admin, Wastewater Treatment Plant, DMVPN Network]
Internet Access
Each facility may have onsite personnel using the SCADA computer or a personal computing device
connected to the local wireless access point. From time to time, such a user may need to go to the
Internet. The suggested solution is to inject a default route to all the sites to point their Internet access
to the Wastewater Treatment Plant and, through the ASA, to the MPLS network connection at Utilities
Administration. In order to keep the configurations manageable, Internet access will only be available during
normal network operations; i.e., when the BHN connection is available. Only critical data will be allowed
to connect over the 4G backup. Should Internet access be required by a remote user when the BHN
broadband connection is offline, it will be necessary for the remote user to go directly to the Internet via
an alternative cellphone data connection.
Branch Office Outage Scenario
If a primary connection fails at any of the three branch office sites (Forest Oaks Water Plant, South
Water Plant, or Maguire Booster Station), an IPSec tunnel will be established over the Verizon 4G
connection to the ASA5506 at Wastewater Treatment Plant via the CenturyLink MPLS. That site's traffic
will now look as if it resides at that node to the rest of the sites that are still on their primary circuit
(BHN broadband). This will be done automatically via enhanced interior gateway routing protocol
(EIGRP). The feasible successor route will be configured on the ASA5506 and will take over when the
primary router is no longer advertised.
Wastewater Treatment Plant (Hub) Outage Scenario
The scenario where the Wastewater Treatment Plant loses its connectivity to the Utilities Administration
Building or to the MPLS network is obviously the worst scenario of all. It will cause all four sites to
switch to their 4G backup and it will become a hub and spoke network.
Under this scenario, the three branch offices will not be able to communicate directly with each other.
Instead, the branch sites will be required to go to the Cisco 1941W router at the Wastewater Treatment
Plant and then go to the desired destination site. Remote access through the ASA will not be possible
due to the loss of the required landline connectivity. Access to the SCADA network during such a failure
state will require staff to be onsite at one of the four locations, but all four sites should be available.
NETWORK DIAGRAMS AND TOPOLOGY
[Figure: City of Ocoee Utilities SCADA Network]
Forest Oaks Water Plant, South Water Plant, and Maguire Booster Station
The Forest Oaks and South water plants, along with the Maguire Booster Station, will have identical set-
ups and configurations. The only major difference is the operational fact that the water plants will have
SCADA server nodes while the Maguire Booster Station has a client node.
All three sites will need to have the environmentals deployed, as well as the rack equipment built and
installed. The Cisco router will need to be unpacked and set up per Cisco standards. As part of the
installation, (1) EHWIC 4-port Ethernet card, PoE power supply, and (1) Verizon EHWIC LTE card
will need to be installed. All external wireless antennas are to be connected to their appropriate ports
on the router, as well.
Once the physical equipment has been installed and powered up, the router configuration can start.
Again, all three routers need to be configured exactly the same except with their own LAN IP addresses
(provided by the City) and WAN IP addresses (provided by BHN and Verizon).
[Figure: network diagram; labels include Adtran Switch, Fiber, Cisco ASA 5506, Outside WAP, and Desktop Computers. Note: Adtran units are on the secure CenturyLink Managed Office Network.]
Router Configuration:
1) The SCADA equipment, IP Camera, and Wireless Antenna will all use static private IP addresses.
It is recommended that they use IP addresses from the lower numbers (i.e., xxx.xxx.xxx.1-99).
2) Configure dynamic host configuration protocol (DHCP) for all resources accessing the local
network through a Wi-Fi connection. It is recommended to use a pool of IP addresses starting at
100 that should be limited to 25 resources (i.e., xxx.xxx.xxx.100-125).
3) Configure the Wi-Fi with a non-broadcast SSID of "CoOSCADA," or anything else suggested by the
city. Use, at a minimum, WPA2 encryption with a strong passphrase key. Please provide the city
IT staff with the final SSID and key:
• SSID:
• Passphrase Key:
4) Configure two WAN virtual routing and forwarding (VRF) tables, one for BHN and one for
Verizon. This is needed to keep the DMVPN network separate from the point-to-point IPSec
tunnel.
a. The BHN WAN connection will support the DMVPN network. This will be the primary.
Only when this fails should the Verizon network take over.
b. Configure EIGRP for the primary connection.
c. The router should use Internet Protocol service level agreement (IPSLA) to monitor the
health of the BHN network. When it shows a failure, the router should "make a call"
over the Verizon interface.
d. Configure two IPSec tunnels on the Verizon connection, one to the Utilities
Administration ASA (Primary) and one to the Wastewater Treatment Plant's 1941W
interface.
5) Configure an access control list for inbound traffic that is outside of the tunnel. For inbound, do
not allow any traffic originating from the Internet.
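The following acceptance check is an added example, not part of the Statement of Work: it audits a branch router's saved IOS configuration against steps 1, 2, 4 and 5 above. The addresses (RFC 5737 documentation ranges), interface names, VRF names, ACL name and device inventory are constructed assumptions, and interfaces placed in a VRF are assumed to be the WAN links.

```python
import ipaddress
import re

# Constructed sample for one branch router; nothing here comes from the SOW.
# 192.0.2.0/24 and 198.51.100.0/29 are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.0.2.1 192.0.2.99
ip dhcp excluded-address 192.0.2.126 192.0.2.254
!
ip dhcp pool SCADA-WIFI
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
!
interface GigabitEthernet0/0
 description BHN broadband (primary WAN)
 vrf forwarding BHN
 ip address 198.51.100.2 255.255.255.248
 ip access-group WAN-IN in
!
interface Cellular0/1/0
 description Verizon 4G (backup WAN)
 vrf forwarding VERIZON
 ip address negotiated
!
"""

# Constructed inventory of statically addressed devices (step 1).
STATIC_HOSTS = {
    "SCADA computer": "192.0.2.10",
    "IP camera": "192.0.2.20",
    "outside WAP": "192.0.2.110",  # deliberately wrong: inside the DHCP window
}


def leasable_addresses(config):
    """Return (LAN network, set of addresses the single DHCP pool can lease).

    IOS leases every host address in the pool's `network` except those named
    by `ip dhcp excluded-address`, so the window is defined by exclusion.
    """
    excluded = set()
    for m in re.finditer(r"^ip dhcp excluded-address (\S+)(?: (\S+))?$", config, re.M):
        low = int(ipaddress.IPv4Address(m.group(1)))
        high = int(ipaddress.IPv4Address(m.group(2) or m.group(1)))
        excluded.update(ipaddress.IPv4Address(i) for i in range(low, high + 1))
    m = re.search(r"^ network (\S+) (\S+)$", config, re.M)
    net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return net, set(net.hosts()) - excluded


def wan_interfaces(config):
    """Map each interface in a VRF (assumed WAN link) to its VRF and inbound ACL."""
    found, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            current = found.setdefault(words[1], {"vrf": None, "acl_in": None})
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current is not None and words[-3:-1] == ["vrf", "forwarding"]:
            current["vrf"] = words[-1]  # "vrf forwarding X" or "ip vrf forwarding X"
        elif current is not None and words[:2] == ["ip", "access-group"] and words[-1] == "in":
            current["acl_in"] = words[2]
    return {name: v for name, v in found.items() if v["vrf"]}


def audit(config, static_hosts):
    """Return findings against SOW router steps 1, 2, 4 and 5."""
    findings = []
    net, pool = leasable_addresses(config)
    base = int(net.network_address)
    window = {ipaddress.IPv4Address(base + i) for i in range(100, 126)}  # .100-.125
    if pool - window:
        findings.append(f"DHCP can lease {len(pool - window)} address(es) outside .100-.125")
    for name, addr in static_hosts.items():
        ip = ipaddress.IPv4Address(addr)
        if ip in pool:
            findings.append(f"{name} ({ip}) collides with the DHCP pool")
        elif not 1 <= int(ip) - base <= 99:
            findings.append(f"{name} ({ip}) is outside the static range .1-.99")
    wans = wan_interfaces(config)
    if len({w["vrf"] for w in wans.values()}) < 2:
        findings.append("fewer than two WAN VRFs configured")
    for name, w in wans.items():
        if not w["acl_in"]:
            findings.append(f"{name} (VRF {w['vrf']}) has no inbound access list")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, STATIC_HOSTS):
        print("FINDING:", finding)
```

The written range xxx.xxx.xxx.100-125 spans 26 addresses, one more than the 25 resources the step names; the check accepts the full written range.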
Wastewater Treatment Plant Cisco 1941W Router
The Wastewater Treatment Plant's Cisco 1941W router will need to have the same environmentals and
physical construction completed as for the branches. In addition, this router will sit in a DMZ of sorts
within the CenturyLink network. When BHN service is lost, this router will act as the hub for the DMVPN
network. It is also important that CenturyLink provides a /29 Public IP address block. This block will be
used on the CenturyLink Adtran WAN router, the Cisco 1941W router, and the Cisco ASA 5506.
It should be noted that the existing CenturyLink Adtran router will need to have the LAN interface
changed to allow for sub-interfaces. One will be for the existing LAN network and the other will be the
"DMZ" Public IP network (highlighted in RED). The Cisco 1941W will have one inside port and one port
in the DMZ. The same configuration should be provided for the ASA 5506.
Router Configuration:
1) The SCADA equipment, IP Camera, and Wireless Antenna will all use static private IP addresses.
It is recommended that they use IP addresses from the lower numbers (i.e., xxx.xxx.xxx.1-99).
2) Configure DHCP for all resources accessing the Wi-Fi local network. It is recommended to use a
pool of IP addresses starting at 100 that should be limited to 25 resources (i.e., xxx.xxx.xxx.100-125).
3) Configure the Wi-Fi with a non-broadcast SSID of "CoOSCADA," or anything else suggested by
the city. Use, at a minimum, WPA2 encryption with a strong passphrase key. Please provide the
city IT staff with the final SSID and key:
• SSID:
• Passphrase Key:
4) Configure two WAN VRFs, one for CenturyLink and one for Verizon. This is needed to keep the
DMVPN network separate from the point to point IPSec tunnel.
a. The CenturyLink WAN connection will support the DMVPN network; this will be the
primary. This device will be the hub connection for the network when BHN service is
lost.
b. Configure EIGRP for the primary connection. The ASA will need to participate in EIGRP
or static IP addresses can be used with a very high administrative cost and then
redistributed into EIGRP.
c. The router should use IPSLA to monitor the health of the CenturyLink network. When it
shows a failure, the router should "make a call" over the Verizon interface.
d. Configure the head end for the IPSec tunnels so that all of the other sites can connect
via their Verizon connection.
ASA Configuration:
1) Configure the ASA to handle the AnyConnect remote access users. Once completed, please
provide the City of Ocoee IT staff with the pcf file.
2) Configure the IPSec tunnels for the other sites to terminate their Verizon connections.
a. Be sure to check the IP routing to allow this site out to the Cisco 1941W router. The site
that is down should have its routes appear to be local to the hub by the other sites. It will
need to route through the DMVPN network and not directly to CenturyLink.
3) Configure EIGRP or static routes to ensure that if a site goes down, it is still able to get
to the rest of the network.
4) Apply all appropriate safeguards and access lists needed by the City to keep SCADA and city data
as separate as possible.
[Figure: SCADA network diagram covering Forest Oaks Water Plant, South Water Plant, Maguire Booster Station, Wastewater Treatment Plant, and Utilities Administration. By J.A. Butler, 05/26/2015. Note: Adtran units are on the secure CenturyLink Managed Office Network.]
Line
Number Item Name
1.0 ASA550 lte
on
services 8GE AC
Service I Lead I Included
Duration Time Item
14 days No
1
1.0.1 CON-SNT-ASA5506K SMARTNET 8X5XNBD ASA 5506-X with FirePOWER services 8GE v2/Amonth(s) 4 N/A No
days Yes 1
1.1 ASA5506-SSD ASA 5506-X SSD N/A 14 days Yes 1
1.2 SF-ASA-FP5.4.1-K9 Cisco FirePOWER Software v5.4.1 for ASA 5500-X N/A 14 days Yes 1
1.3 ASA5506-CTRL-LIC Cisco ASA5506 Control License N/A 14 days Yes 1
1.4 SF-ASA-K-9.4-K8 ASA 9.4 Software image for ASA 5506/5508/5516 series N/A 14 days No 1
1.5 CAB-AC AC Power Cord (North America) C13 NEMA 5-15P 2.1 m N/A 14 days Yes 1
1.6 ASA5500-ENCR-K9 ASA 5500 Strong Encryption License (3DES/AES) N/A 14 days Yes 1
1.7 ASA5506-PWR-AC ASA 5506-X Power Adaptor SubTotal
2.0 L-AC-PLS-P-G Cisco AnyConnect Plus Perpetual License Group
N/A 2 days No 1
2.0.1
CON-SAU-LACPLSPG
SW APP SUPP + UPGR Cisco AnyConnect Plus Perpetual License
2 days
No
No
1
1
2.1
AC-PLS-P-25-S
Cisco AnyConnect 25 User Plus Perpetual License
11v2/Amonth(s)
/
2 d
No
1
2.1.0.1
CON-SAU-ACPL25
SW APP SUPP + UPGR Cisco AnyConnect 25
month(s)
2 days
Yes
99999
2.2
L-AC-PLS-P-25
Cisco AnyConnect 25 User Plus Perpetual (ASA License Key)
N/A
SubTotal
Cisco 1941 Router w/ 802.11 a/b/g/n FCC Compliant WLAN ISM
N/A
0 days
No
4
3.0 CISCO1941W-A/K9
SMARTNET 8X5XNBD Cisco 1941 Router w/ 802.11 a/b/g/n FCC
N/A
4
3.0.1
CON-SNT-1941WA
AC Power Cord (North America) C13 NEMA 5-15P 2.1m
v2/Amonth(s)
ays
No
4
3.1
CAB -AC
N/A
0 days
Yes
4
3.2
PWR-1941-AC
Cisco 1941 AC Power Supply
N/A
0 days
Yes
4
3.3
ISR-CCP-EXP
Cisco Config Pro Express on Router Flash
N/A
0 days
Yes
4
3.4
S801W7K9-12421JA
Cisco 801 Series IOS WIRELESS LAN
N/A
0 days
Yes
4
3.5
MEM-CF-256MB
256MB Compact Flash for Cisco 1900 2900 3900 ISR
0 days
Yes
4
3.6
MEM-1900-512MB-DEF
512MB Default DRAM for Cisco 1941 ISR
N/A
0 days
Yes
4
3.7
S801RK9W-12421JA
Cisco 801 Series IOS WIRELESS LAN LWAPP RECOVERY
N/A
Yes
4
3.8
SL-19-IPB-K9
IP Base License for Cisco 1900
N/A
N/A
0 days
0 days
Yes
4
3.9
S190UK9-15403M
Cisco 1900 IOS UNIVERSAL
N/A
0 days
No
4
3.10
SL-19-SEC-K9
Security License for Cisco 1900
N/A
0 days
No
4
3.11
EHWIC-4ESG
Four port 10/100/1000 Ethernet switch interface card
0 days
No
4
3.12
EHWIC-4G-LTE-V
4G LTE EHWIC for Verizon 700 MHz Band 13 / CDMA Rev A
N/A
Yes
8
3.13
4G-LTE-ANTM-D
4G LTE articulating dipole antenna 700MHz-2600MHz bands
N/A
0 days
Yes
8
3.14
4G-AE010-R
Single Unit antenna Extension Base (10 foot cable included)
N/A
0 days
SubTotal
gset Total