Site Assistance Visit
Site assistance visits (SAV) are voluntary. They are usually conducted when a business requests the assistance, but sometimes a company is approached by the DHS Protective Security Coordination Division (PSCD), the group within DHS responsible for conducting SAVs.
PSCD wants private-sector owners of critical infrastructure properties to see these government teams as partners who can, through an SAV, help them assess the adequacy of security at their facilities at no charge. Over 600 SAVs have been conducted to date, says Eric Puype, chief of PSCD’s Vulnerability Assessments Branch and my guide for the time I spent observing his team comb Dover International Speedway for any gaps in its protective measures.
An SAV has three core parts: the in-brief, the walk-through, and the out-brief.
At the in-brief, all of the stakeholders who have an interest in protecting a critical asset are brought together. At this initial meeting, the SAV team explains the process and begins by interviewing local, state, and federal law enforcement as well as the facility’s employees and managers to gain an understanding of the facility and the vulnerabilities it may contain.
The next step is the walk-through, during which SAV team members, guided by representatives from the facility, scour the structures and grounds to identify firsthand anything that may create a vulnerability to terrorist attack. Then the SAV team conducts an out-brief during which they tell the facility owner/operators about their findings. They discuss the facility’s strengths and security gaps, delineating the latter by degrees of risk and suggesting ways to plug those holes—but these suggestions are no more than that.
Because SAVs are voluntary, they create no regulatory obligation for owners or operators to act on the findings, notes Puype, who explains that the program is designed that way, because otherwise businesses would hesitate to call them in for a consultation. To increase the likelihood that recommendations will be adopted, however, SAV teams try to offer fixes that eliminate “the maximum amount of a site vulnerability,” at the lowest possible cost, according to DHS.
In addition, in developing their suggestions, SAV teams are sensitive to the facility’s business model. “We don’t want to give them protective measures that would have to make them do large capital investments or which would make them operationally obsolete,” says Puype.
What’s even more attractive to the CI/KR owner/operator is that they have ownership control of their facility report. They can distribute it to local and state stakeholders and first responders as they see fit. When a SAV team has finished its report, all the information used to create it is destroyed. The information in the report is protected under the protective critical infrastructure information (PCII) program. Anyone who violates confidentiality agreements under PCII faces legal action.
SAVs help to create a cooperative and coordinated environment between the private sector and government stakeholders. That type of environment spurs information sharing long term. At the next morning’s in-brief, I saw how this cooperative relationship was formed.
“Throw the report away if you want. You can wallpaper your house with it if you want,” jokes Protective Security Advisor (PSA) Raymond Hanna, the federal team leader of this SAV, and one of 85 PSAs fulfilling PSCD’s mandate across the United States and its territories. At the moment, Hanna is explaining to members of the management team from Dover Speedway and Dover Downs that the facility report generated from the SAV is not regulatory or coercive in any way. The real objective of the SAV team, of course, is to get management to see the need for the appropriate security improvements.
During the in-brief, Hanna tells assembled stakeholders exactly what his SAV team is there to do and why collaboration is vital to the process. He gets his message across in a lighthearted and gregarious manner, rather than exhibiting the button-down seriousness one might expect of a federal agent. It is a good trait for someone who is supposed to liaise among all stakeholders relevant to a particular CI/KR.
Because of his demeanor and because he spends so much time working directly with officials in the states he covers—Delaware and Maryland—Hanna is viewed more as a local than as an agent from the federal government. The result: he’s trusted. That makes it easier for him to create the necessary relationships and garner the ground-level support needed for DHS critical infrastructure protection programs to succeed.
Buy-in. Around the table sit representatives from the Dover Police Department; Dover Emergency Management Service; Dover Fire Department; Delaware State Police as well as its bomb squad; Delaware Intelligence and Analysis Center (DIAC), the state’s fusion center; Delaware Department of Transportation; Delaware Department of Emergency Management; Delaware’s Department of Natural Resources; the Federal Bureau of Investigation (FBI); and the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF)—plus Delaware’s Homeland Security Secretary David B. Mitchell, Esq.
This attendance isn’t just a product of Hanna’s communication and management skills, it’s a product of how important Dover International Speedway and Dover Downs are to the city of Dover and the state of Delaware. Two times a year, the speedway hosts NASCAR weekends. During Sunday’s big race, 140,000 fans pack into the speedway’s stands. Surrounding that one-mile track, known adoringly as “The Monster Mile,” is a population almost four times the size of the city itself. The combined taxes paid each year by the hotel and casino account for 7 percent of the state’s revenue.
Everyone in the room understands the importance of reducing the risk to this vital asset. “An attack could be nasty,” says Lee Ford, security director for Dover Downs. “To recover from such a thing would take years and years.”
Subject-matter experts. After explaining the purpose of the SAV, Hanna introduces the four subject-matter experts (SMEs) from the hotel room. Typically ex-military or elite law enforcement, SMEs make up the core of the SAV team. They think like the enemy to spot vulnerabilities that might be exploited. The team doing the SAV at the speedway is mostly composed of West Virginia National Guardsmen specially trained in risk assessment. DHS leverages similar teams across the country.
One by one, they address the seated stakeholders. Brian Gazaway is the National Guard team leader. He manages the SAV team, makes sure that they stay on deadline, and ultimately decides what goes in the facility report.
Mike Morral is the assault planner. Morral says he asks himself the same question during every SAV: “If I were a terrorist, how would I attack?”
Based on what he observes and is told by local and state law enforcement and facility personnel, he prods for physical vulnerabilities that terrorists could use to their advantage, such as a lack of bollards at an entrance or perimeter protection.
Roger Queen is the systems analyst. By speaking with the same stakeholders as Morral as well as the facility’s IT, telecommunications, and engineering employees, he tries to identify any single points of failure in a facility’s industrial control system. For instance, a facility with only one power line is vulnerable to having power cut if that line is severed.
Queen also concerns himself with a facility’s cybersecurity, because, as Pupye notes, a terrorist doesn’t “have to go necessarily in through the gate.” What matters most to Queen is redundancy: the ability of the systems to keep running after an attack.
Tom Calhoun is the WMD specialist. He is the only one of the SMEs not affiliated with the West Virginia National Guard. A Navy man of 22 years, Calhoun is a contractor from A-T Solutions, a counterterrorism company employed by PSCD’s Office of Bombing and Prevention branch. He works together with the assault planner to identify chemical, biological, radiological, nuclear, and explosive (CBRNE) vulnerabilities.
Calhoun’s main concern is protecting a facility from vehicle-borne and human-borne improvised explosive devices (IEDs), such as those used by insurgents in Iraq. Another worry of his is terrorists slipping toxins into the heating, ventilation, and air conditioning (HVAC) system of a facility.
Backgrounder. During the in-brief, the federal team leader will share with the assembled stakeholders a background research paper on the facility. Analysts at Argonne National Laboratory generate these reports for each SAV by using open source information.
When owner/operators request an SAV of their facility, PSCD requests the backgrounder from Argonne. To obtain the report once it is completed, team members can log in to Argonne’s Linked Encrypted Network (LENs). The report ensures that the team isn’t starting cold with no knowledge of the site when it arrives to do the vulnerability assessment.
For the owner/operators of the subject facility, getting one of those backgrounders is an added bonus of working with the PSCD. Puype was surprised when owner/operators wanted to keep these reports.
While the information all comes from publicly available sources, facility personnel often indicate that they learn vital details from it, such as where they get their power and gas. “They’re like ‘Wow, I didn’t really know about this,’” says Puype.
Stakeholder interviews. The SMEs then interview the available stakeholders to get firsthand information about the facility, including what first responders can be counted on to do. Team members try to work their way down the security chain as best they can, from the security director down to the front-line employee.
“Lots of times, the best information comes from the guys no one listens to,” notes Morral. This process helps make the facility report as comprehensive as possible. After the interviews are conducted, the team prepares for the walk-through.