The team has also gathered knowledge about vulnerabilities at similar sites by studying previous SAV Common Vulnerability (CV) reports. Members will see whether this site reveals other weaknesses that should be added to the CV report for this type of facility.
Puype describes it as a cycle, whereby each SAV adds to the knowledge base contained in the CVs. “By doing more and more of these, you’re getting a greater pool and a greater understanding,” he says.
CV reports, which do not name individual facilities, are meant to become a tool for the private sector. For Puype, the goal is to have a security director at a critical facility anywhere in the country be able to read the relevant CV and begin independently to ascertain and address his own facility’s vulnerabilities.
Drawing on knowledge gained from the CV and on what they have learned about the facility from the backgrounder and interviews with stakeholders, the team can surmise many of the vulnerabilities that likely exist at the site. Team members will be on the lookout for these and other exposures as they conduct the walk-through of the facility.
During the walk around Dover Speedway, the SAV team quietly discusses vulnerabilities that they find, careful to do so outside of my earshot. They take seriously their commitment to safeguard any vulnerabilities they discover and understand that “loose lips sink ships.”
After the walk-through, Gazaway and his team will meet back in a hotel room to discuss what they observed. They will list vulnerabilities they found as well as commendable items. Normally, according to Gazaway, the commendable items far outnumber the vulnerabilities. Nevertheless, it’s the vulnerabilities that they’re here for, so they set up a “murder board,” an old Army term whereby a committee of questioners helps someone prepare for a difficult oral exam.
“This process is used to meld each discipline’s expertise into a better overall understanding and to reach consensus as to what will be addressed in the out-brief and the final report,” says Gazaway.
To work toward consensus, they list all the vulnerabilities found during the walk-through and decide which are the most pressing concerns. As Morral points out, the whole point of the SAV is to give options for consideration that, if adopted by the owner/operator, will lead terrorists to choose another, easier target.
Afterwards, Gazaway, as team leader, will make the ultimate cut in deciding which vulnerabilities are critical and which are not. What’s considered critical will be presented to the facility at the next morning’s out-brief.
During the out-brief, the SAV team meets with the owner/operator representative, normally the security director, to go over general and preliminary findings. Puype says there isn’t much detail provided during the out-brief, because the team members still need to immerse themselves in their findings, analyze them, and then write their section of the facility report. Nonetheless, the out-brief prepares owner/operators for what they will see in the final facility report so that there will be no big surprise, he says.
At some facilities, the SAV may not reveal new information about vulnerabilities, but it can show security’s return on investment to executives. That was the case at the speedway, says Security Director Ed Klima.
“When you do something like this, it helps validate existing concerns,” he says. “It helps sell certain things to senior management from a budgetary standpoint.”
Because of the security risks, both DHS and Dover Speedway asked Security Management not to publish details about specific vulnerabilities that terrorists might exploit. But Klima did tell me one of the options for consideration that validated a concern of his. The SAV team noticed that the Joint Operations Center (JOC), where first responders and other stakeholders gather to run security for the track during race weekend, had virtually no perimeter protection. Klima knew this, but it gave him independent confirmation of the vulnerability to bring to his boss. After the out-brief, Klima had fencing erected around the JOC before the year’s second NASCAR race in September 2008.
Suggestions for reducing exposures range from no-cost to high-cost. “We give a wide range of options to allow the facility to make the most effective investments into security enhancements,” says Puype.
After the out-brief, the team travels back to its headquarters to start working on the facility report. Each SME will be given a particular portion of the report to write, which is then integrated by Argonne National Laboratory using its encrypted network, LENS. The report is given PCII status.
Within two to three weeks of when Argonne okays the report, it is sent to the owner/operator to vet for any inaccuracies. The facility has 14 days to review the report and correct whatever is wrong.
Once the report is returned by the owner/operator, the appropriate changes are made and the report is finalized. The PSCD then sends the final facility report back to the owner/operator and distributes it to the state, local, or private agencies the owner/operator wants to receive it.
Those with access to the report create an Information Sharing and Analysis Organization (ISAO) that can gather, analyze, and share PCII within the network in an effort to protect critical infrastructure from attack. Anyone who divulges PCII outside the ISAO can be held liable, which could result in that party being fined or imprisoned if convicted. Government employees convicted of divulging PCII-protected information can lose their jobs.
Dover is just one of the many SAVs being conducted annually around the country. As this case illustrates, these homeland security efforts are progressing quietly behind the scenes. With each SAV, a broader knowledge base is built to help government and the private sector better secure U.S. infrastructure.
Matthew Harwood is an associate editor at Security Management.