Dover Speedway Plays It Safe

By Matthew Harwood

Common Vulnerabilities

The team has also gathered knowledge about vulnerabilities at similar sites by studying previous SAV Common Vulnerability (CV) reports. Members will see whether this site reveals other weaknesses that should be added to the CV report for this type of facility.

Puype describes it as a cycle, whereby each SAV adds to the knowledge base contained in the CVs. “By doing more and more of these, you’re getting a greater pool and a greater understanding,” he says.

CV reports, which do not name individual facilities, are meant to become a tool for the private sector. For Puype, the goal is to have a security director at a critical facility anywhere in the country be able to read the relevant CV and begin independently to ascertain and address his own facility’s vulnerabilities.


Drawing on knowledge gained from the CV and on what they have learned about the facility from the backgrounder and interviews with stakeholders, the team can surmise many of the vulnerabilities that likely exist at the site. Team members will be on the lookout for these and other exposures as they conduct the walk-through of the facility.

During the walk around Dover Speedway, the SAV team quietly discusses vulnerabilities that they find, careful to do so outside of my earshot. They take seriously their commitment to safeguard any vulnerabilities they discover and understand that “loose lips sink ships.”

Murder Board

After the walk-through, Gazaway and his team will meet back in a hotel room to discuss what they observed. They will list vulnerabilities they found as well as commendable items. Normally, according to Gazaway, the commendable items far outnumber the vulnerabilities. Nevertheless, it’s the vulnerabilities that they’re here for, so they set up a “murder board, ” an old Army term whereby a committee of questioners helps someone prepare for a difficult oral exam. 

“This process is used to meld each discipline’s expertise into a better overall understanding and to reach consensus as to what will be addressed in the out-brief and the final report,” says Gazaway.

To work toward consensus, they list all the vulnerabilities found during the walk-through and decide which are the most pressing concerns. As Morral points out, the whole point of the SAV is to give options for consideration that, if adopted by the owner/operator, will lead terrorists to choose another, easier target.

Afterwards, Gazaway, as team leader, will make the ultimate cut in deciding which vulnerabilities are critical and which are not. What’s considered critical will be presented to the facility at the next morning’s out-brief.


During the out-brief, the SAV team meets with the owner/operator representative, normally the security director, to go over general and preliminary findings. Puype says there isn’t much detail provided during the out-brief, because the team members still need to immerse themselves in their findings, analyze them, and then write their section of the facility report. Nonetheless, the out-brief prepares owner/operators for what they will see in the final facility report so that there will be no big surprise, he says.

At some facilities, the SAV may not reveal new information about vulnerabilities but it can show security’s return on investment to executives. That was the case at the speedway, says Security Director Ed Klima.

“When you do something like this, it helps validate existing concerns,” he says. “It helps sell certain things to senior management from a budgetary standpoint.”

Because of the security risks, both DHS and Dover Speedway asked Security Management not to publish details about specific vulnerabilities that terrorists might exploit. But Klima did tell me one of the options for consideration that validated a concern of his. The SAV team noticed that the Joint Operations Center (JOC), where first responders and other stakeholders gather to run security for the track during race weekend, had virtually no perimeter protection. Klima knew this, but it gave him independent confirmation of the vulnerability to bring to his boss. After the out-brief, Klima had fencing erected around the JOC before the year’s second NASCAR race in September 2008.

Suggestions for reducing exposures range from no-cost to high-cost. “We give a wide range of options to allow the facility to make the most effective investments into security enhancements,” says Puype.

After the out-brief, the team travels back to its headquarters to start working on the facility report. Each SME will be given a particular portion of the report to write, which is then integrated by Argonne National Laboratory using its encrypted network, LENS. The report is given PCII status.

Within two to three weeks of when Argonne okays the report, it is sent to the owner/operator to vet for any inaccuracies. The facility has 14 days to review the report and correct whatever is wrong.

Once the report is returned by the owner/operator, the appropriate changes are made and the report is finalized. The PSCD then sends the final facility report back to the owner/operator and distributes it to the state, local, or private agencies the owner/operator wants to receive it.

Those with access to the report create an Information Sharing and Analysis Organization (ISAO) that can gather, analyze, and share PCII within the network in an effort to protect critical infrastructure from attack. Anyone who divulges PCII outside the ISAO can be held liable, which could result in that party being fined or imprisoned if convicted. Government employees convicted of divulging PCII-protected information can lose their jobs. 

Dover is just one of the many SAVs being conducted annually around the country. As this case illustrates, these homeland security efforts are progressing quietly behind the scenes. With each SAV, a broader knowledge base is built to help government and the private sector better secure U.S. infrastructure.

Matthew Harwood is an associate editor at Security Management.



DHS Responds

Ms. Sherry Harowitz
Security Management Online
1625 Prince Street
Alexandria, VA 22314

Dear Ms. Harowitz:

Matthew Harwood’s article, “Dover Speedway Plays It Safe,” (Security Management Online, June 2009) does a commendable job of highlighting the role that a vigorous and voluntary public-private partnership plays in ensuring the security of the Nation’s critical infrastructure and key resources (CIKR). Collaborative efforts such as the Site Assistance Visit (SAV) described in the article help CIKR owners and operators implement site security and incident response measures that are truly effective.

Mr. Harwood correctly identifies the Protected Critical Infrastructure Information (PCII) Program as an essential tool for facilitating information-sharing partnerships. SAVs are just one of many government data-collection processes that integrate PCII protections.

The PCII Program protects critical infrastructure information that is voluntarily shared with the government for homeland security purposes. Typically, information shared with the Federal government becomes public record, accessible through public disclosure laws. Designation of such information as PCII, however, ensures that it will be protected from public disclosure and will not be used in civil litigation or for regulatory purposes. Its unauthorized disclosure, as Mr. Harwood noted, is prohibited and punishable by law.

To date, however, public disclosure of PCII has not been an issue, since PCII Program safeguards ensure that only trained and authorized individuals, with a verifiable need-to-know, have access to PCII and use it exclusively for homeland security purposes.

Private sector CIKR owners and operators can learn more about the benefits of the PCII Program by visiting our Web page at, by calling (202) 360-3023, or by e-mailing


Laura Kimberly
PCII Program Manager
Office of Infrastructure Protection
U.S. Department of Homeland Security


The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.