​

IT’S 6 P.M. ON A BALMY SUMMER evening. Seven men sit inside a cramped hotel room just off North Dupont Highway in Dover, Delaware. Among the men are an expert in military assaults, a systems expert, and an expert in weapons of mass destruction (WMD). Three of the men are clearly orchestrating the plans; they do most of the talking. The seventh man is a trainee. He says little as he listens intently.

Six traffic lights down from the hotel sit their targets: Dover International Speedway and Dover Downs Hotel and Casino. At 9 a.m. the next day, their operation will begin. What looks like the early beginnings of the execution phase of a terrorist operation is actually anything but. The seven men in the hotel room are all either U.S. government employees or former government employees who now work as contractors.

For the next three days these men will walk every square foot of the Dover International Speedway and Dover Downs Hotel and Casino looking for vulnerabilities that terrorists could exploit to create a mass casualty event.

Security Management was granted extraordinary access to this specific exercise to learn and observe what these men do as part of the Department of Homeland Security’s (DHS) mission to protect critical infrastructure and key resources (CI/KR) in the United States.

Site Assistance Visit

Site assistance visits (SAV) are voluntary. They are usually conducted when a business requests the assistance, but sometimes a company is approached by the DHS Protective Security Coordination Division (PSCD), the group within DHS responsible for conducting SAVs.

PSCD wants private-sector owners of critical infrastructure properties to see these government teams as partners who can, through an SAV, help them assess the adequacy of security at their facilities at no charge. Over 600 SAVs have been conducted to date, says Eric Puype, chief of PSCD’s Vulnerability Assessments Branch and my guide for the time I spent observing his team comb Dover International Speedway for any gaps in its protective measures.

An SAV has three core parts: the in-brief, the walkthrough, and the out-brief.

At the in-brief, all of the stakeholders who have an interest in protecting a critical asset are brought together. At this initial meeting, the SAV team explains the process and begins by interviewing local, state, and federal law enforcement as well as the facility’s employees and managers to gain an understanding of the facility and the vulnerabilities it may contain.

The next step is the walk-through, during which SAV team members, guided by representatives from the facility, scour the structures and grounds to identify firsthand anything that may create a vulnerability to terrorist attack. Then the SAV team conducts an out-brief during which they tell the facility owner/operators about their findings. They discuss the facility’s strengths and security gaps, delineating the latter by degrees of risk and suggesting ways to plug those holes—but these suggestions are no more than that.

Because SAVs are voluntary, they create no regulatory obligation for owners or operators to act on the findings, notes Puype, who explains that the program is designed that way, because otherwise businesses would hesitate to call them in for a consultation. To increase the likelihood that recommendations will be adopted, however, SAV teams try to offer fixes that eliminate “the maximum amount of a site vulnerability,” at the lowest possible cost, according to DHS.

In addition, in developing their suggestions, SAV teams are sensitive to the facility’s business model. “We don’t want to give them protective measures that would have to make them do large capital investments or which would make them operationally obsolete,” says Puype.

What’s even more attractive to the CI/KR owner/operator is that they have ownership control of their facility report. They can distribute it to local and state stakeholders and first responders as they see fit. When a SAV team has finished its report, all the information used to create it is destroyed. The information in the report is protected under the protective critical infrastructure information (PCII) program. Anyone who violates confidentiality agreements under PCII faces legal action.

SAVs help to create a cooperative and coordinated environment between the private sector and government stakeholders. That type of environment spurs information sharing long term. At the next morning’s in-brief, I saw how this cooperative relationship was formed.

Building Trust

“Throw the report away if you want. You can wallpaper your house with it if you want,” jokes Protective Security Advisor (PSA) Raymond Hanna, the federal team leader of this SAV, and one of 85 PSAs fulfilling PSCD’s mandate across the United States and its territories. At the moment, Hanna is explaining to members of the management team from Dover Speedway and Dover Downs that the facility report generated from the SAV is not regulatory or coercive in any way. The real objective of the SAV team, of course, is to get management to see the need for the appropriate security improvements.

During the in-brief, Hanna tells assembled stakeholders exactly what his SAV team is there to do and why collaboration is vital to the process. He gets his message across in a lighthearted and gregarious manner, rather than exhibiting the button-down seriousness one might expect of a federal agent. It is a good trait for someone who is supposed to liaise among all stakeholders relevant to a particular CI/KR.

Because of his demeanor and because he spends so much time working directly with officials in the states he covers—Delaware and Maryland—Hanna is viewed more as a local than as an agent from the federal government. The result: he’s trusted. That makes it easier for him to create the necessary relationships and garner the ground-level support needed for DHS critical infrastructure protection programs to succeed.

Buy-in. Around the table sit representatives from the Dover Police Department; Dover Emergency Management Service; Dover Fire Department; Delaware State Police as well as its bomb squad; Delaware Intelligence and Analysis Center (DIAC), the state’s fusion center; Delaware Department of Transportation; Delaware Department of Emergency Management; Delaware’s Department of Natural Resources; the Federal Bureau of Investigation (FBI); and the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF)—plus Delaware’s Homeland Security Secretary David B. Mitchell, Esq.

This attendance isn’t just a product of Hanna’s communication and management skills, it’s a product of how important Dover International Speedway and Dover Downs are to the city of Dover and the state of Delaware. Two times a year, the speedway hosts NASCAR weekends. During Sunday’s big race, 140,000 fans pack into the speedway’s stands. Surrounding that one-mile track, known adoringly as “The Monster Mile,” is a population almost four times the size of the city itself. The combined taxes paid each year by the hotel and casino account for 7 percent of the state’s revenue.

Everyone in the room understands the importance of reducing the risk to this vital asset. “An attack could be nasty,” says Lee Ford, security director for Dover Downs. “To recover from such a thing would take years and years.”

Subject-matter experts. After explaining the purpose of the SAV, Hanna introduces the four subject matter experts (SMEs) from the hotel room. Typically ex-military or elite law enforcement, SMEs make up the core of the SAV team. They think like the enemy to spot vulnerabilities that might be exploited. The team doing the SAV at the speedway is mostly composed of West Virginia National Guardsmen specially trained in risk assessment. DHS leverages similar teams across the country.

One by one, they address the seated stakeholders. Brian Gazaway is the National Guard team leader. He manages the SAV team, makes sure that they stay on deadline, and ultimately decides what goes in the facility report.

Mike Morral is the assault planner. Morral says he asks himself the same question during every SAV: “If I were a terrorist, how would I attack?”

Based on what he observes and is told by local and state law enforcement and facility personnel, he prods for physical vulnerabilities that terrorists could use to their advantage, such as a lack of bollards at an entrance or perimeter protection.

Roger Queen is the systems analyst. By speaking with the same stakeholders as Morral as well as the facility’s IT, telecommunications, and engineering employees, he tries to identify any single points of failure in a facility’s industrial control system. For instance, a facility with only one power line is vulnerable to having power cut if that line is severed.

Queen also concerns himself with a facility’s cybersecurity, because, as Pupye notes, a terrorist doesn’t “have to go necessarily in through the gate.” What matters most to Queen is redundancy: the ability of the systems to keep running after an attack.

Tom Calhoun is the WMD specialist. He is the only one of the SMEs not affiliated with the West Virginia National Guard. A Navy man of 22 years, Calhoun is a contractor from A-T Solutions, a counterterrorism company employed by PSCD’s Office of Bombing and Prevention branch. He works together with the assault planner to identify chemical, biological, radiological, nuclear, and explosive (CBRNE) vulnerabilities.

Calhoun’s main concern is protecting a facility from vehicle-borne and human-borne improvised explosive devices (IEDs), such as those used by insurgents in Iraq. Another worry of his is terrorists slipping toxins into the heating, ventilation, and air conditioning (HVAC) system of a facility.

Backgrounder. During the in-brief, the federal team leader will share with the assembled stakeholders a background research paper on the facility. Analysts at Argonne National Laboratory generate these reports for each SAV by using open source information.

When owner/operators request an SAV of their facility, PSCD requests the backgrounder from Argonne. To obtain the report once it is completed, team members can log in to Argonne’s Linked Encrypted Network (LENs). The report ensures that the team isn’t starting cold with no knowledge of the site when it arrives to do the vulnerability assessment.

For the owner/operators of the subject facility, getting one of those backgrounders is an added bonus of working with the PSCD. Puype was surprised when owner/operators wanted to keep these reports.

While the information all comes from publicly available sources, facility personnel often indicate that they learn vital details from it, such as where they get their power and gas. “They’re like ‘Wow, I didn’t really know about this,’” says Puype.

Stakeholder interviews. The SMEs then interview the available stakeholders to get firsthand information about the facility, including what first responders can be counted on to do. Team members try to work their way down the security chain as best they can, from the security director down to the front-line employee.

“Lots of times, the best information comes from the guys no one listens to,” notes Morral. This process helps make the facility report as comprehensive as possible. After the interviews are conducted, the team prepares for the walk-through.

Common Vulnerabilities

The team has also gathered knowledge about vulnerabilities at similar sites by studying previous SAV Common Vulnerability (CV) reports. Members will see whether this site reveals other weaknesses that should be added to the CV report for this type of facility.

Puype describes it as a cycle, whereby each SAV adds to the knowledge base contained in the CVs. “By doing more and more of these, you’re getting a greater pool and a greater understanding,” he says.

CV reports, which do not name individual facilities, are meant to become a tool for the private sector. For Puype, the goal is to have a security director at a critical facility anywhere in the country be able to read the relevant CV and begin independently to ascertain and address his own facility’s vulnerabilities.

Walk-through

Drawing on knowledge gained from the CV and on what they have learned about the facility from the backgrounder and interviews with stakeholders, the team can surmise many of the vulnerabilities that likely exist at the site. Team members will be on the lookout for these and other exposures as they conduct the walk-through of the facility.

During the walk around Dover Speedway, the SAV team quietly discusses vulnerabilities that they find, careful to do so outside of my earshot. They take seriously their commitment to safeguard any vulnerabilities they discover and understand that “loose lips sink ships.”

Murder Board

After the walk-through, Gazaway and his team will meet back in a hotel room to discuss what they observed. They will list vulnerabilities they found as well as commendable items. Normally, according to Gazaway, the commendable items far outnumber the vulnerabilities. Nevertheless, it’s the vulnerabilities that they’re here for, so they set up a “murder board,” an old Army term whereby a committee of questioners helps someone prepare for a difficult oral exam.

“This process is used to meld each discipline’s expertise into a better overall understanding and to reach consensus as to what will be addressed in the out-brief and the final report,” says Gazaway.

To work toward consensus, they list all the vulnerabilities found during the walk-through and decide which are the most pressing concerns. As Morral points out, the whole point of the SAV is to give options for consideration that, if adopted by the owner/operator, will lead terrorists to choose another, easier target.

Afterwards, Gazaway, as team leader, will make the ultimate cut in deciding which vulnerabilities are critical and which are not. What’s considered critical will be presented to the facility at the next morning’s out-brief.

Out-briefing

During the out-brief, the SAV team meets with the owner/operator representative, normally the security director, to go over general and preliminary findings. Puype says there isn’t much detail provided during the out-brief, because the team members still need to immerse themselves in their findings, analyze them, and then write their section of the facility report. Nonetheless, the out-brief prepares owner/operators for what they will see in the final facility report so that there will be no big surprise, he says.

At some facilities, the SAV may not reveal new information about vulnerabilities but it can show security’s return on investment to executives. That was the case at the speedway, says Security Director Ed Klima.

“When you do something like this, it helps validate existing concerns,” he says. “It helps sell certain things to senior management from a budgetary standpoint.”

Because of the security risks, both DHS and Dover Speedway asked Security Management not to publish details about specific vulnerabilities that terrorists might exploit. But Klima did tell me one of the options for consideration that validated a concern of his. The SAV team noticed that the Joint Operations Center (JOC), where first responders and other stakeholders gather to run security for the track during race weekend, had virtually no perimeter protection. Klima knew this, but it gave him independent confirmation of the vulnerability to bring to his boss. After the out-brief, Klima had fencing erected around the JOC before the year’s second NASCAR race in September 2008.

Suggestions for reducing exposures range from no-cost to high-cost. “We give a wide range of options to allow the facility to make the most effective investments into security enhancements,” says Puype.

After the out-brief, the team travels back to its headquarters to start working on the facility report. Each SME will be given a particular portion of the report to write, which is then integrated by Argonne National Laboratory using its encrypted network, LENS. The report is given PCII status.

Within two to three weeks of when Argonne okays the report, it is sent to the owner/operator to vet for any inaccuracies. The facility has 14 days to review the report and correct whatever is wrong.

Once the report is returned by the owner/operator, the appropriate changes are made and the report is finalized. The PSCD then sends the final facility report back to the owner/operator and distributes it to the state, local, or private agencies the owner/operator wants to receive it.

Those with access to the report create an Information Sharing and Analysis Organization (ISAO) that can gather, analyze, and share PCII within the network in an effort to protect critical infrastructure from attack. Anyone who divulges PCII outside the ISAO can be held liable, which could result in that party being fined or imprisoned if convicted. Government employees convicted of divulging PCII-protected information can lose their jobs.

Dover is just one of the many SAVs being conducted annually around the country. As this case illustrates, these homeland security efforts are progressing quietly behind the scenes. With each SAV, a broader knowledge base is built to help government and the private sector better secure U.S. infrastructure.

Matthew Harwood is an associate editor at Security Management.