Friday, February 19, 2010

Another Potential Dry Run

Earlier this month I reported on an incident that could have been a potential dry run for an attack on a facility in Florida. Today I want to tell you about a news report from West Virginia that could also be part of a dry run for an attack on a chemical facility. This time a suspicious package was dropped off outside of a facility near Kenova, WV. According to the article, a number of agencies responded to the initial report, including HAZMAT and the FBI. Once the package was determined to be safe, it was removed from the scene for additional investigation.

What is a Dry Run

Now, I need to clarify something. I do not know that there are attacks planned on these two facilities and no one has told me that law enforcement agencies are particularly concerned about these two incidents. What I am saying is that a professional planning an attack needs to collect information about security response measures at a potential target. One way to do that is to conduct a relatively innocuous dry run to see how the facility reacts.

A professional response to the dry run will frequently lead to the selection of an alternative target. There is no percentage in attacking a well-protected target when there are so many poorly protected targets available.

If there is a particular reason why the specific target has been selected, these dry runs will allow the professional to probe for the inevitable weak points in a security perimeter. For example, it will allow for the measurement of response times for off-site security response forces or it will allow for the evaluation of the sensitivity to unusual occurrences just outside the perimeter.

Dry runs are one of the tools available to a terrorist group to use as part of their pre-operational surveillance. From the point of view of the terrorists, a detailed surveillance plan increases the chance of the success of their attack. From the point of view of the security specialist, it provides a chance to detect a potential attack in advance. This can allow law enforcement to track down and find the terrorist cell before the facility is actually endangered.

Response to a Dry Run

So what does a facility do when it encounters a suspected dry run? The first thing is that one never knows if it is a dry run or an actual attack until after the incident has been properly investigated. The package in this latest incident could have contained an explosive device to allow for the penetration of the perimeter or act as a distraction for an actual penetration on another portion of the perimeter.

With this in mind, the initial response is the same as it would be for any suspicious activity. There should be an initial cursory investigation by facility security. The limits of this investigation need to be thought out in advance and will be dictated by the level of training of the security team.

In any case, the objective of this investigation is to determine if it is obviously an attack or obviously not an attack. In those cases the facility security procedures should outline the required response.

The result of most initial investigations will fall between those two extremes. This would require the notification of the authorities (certainly including the FBI in the case of high-risk facilities covered under CFATS). This will allow for a full investigation to determine if there is a potential attack in the planning stages.

Incident Review

After the initial incident is closed at the facility, the security team should conduct an after-action review. Local law enforcement and emergency response representatives should be included in the review process. The purpose of the review is to look at the response to determine what was done correctly and what needs to be improved.

This review should include a detailed debrief of all facility personnel that were involved in the incident in any way to find out exactly what they did and did not do. The purpose of the review is to fully document the incident and to determine what could have been done better. Revisions to site security procedures are almost always a result of these reviews.

CFATS facilities should send a copy of their incident review to DHS Infrastructure Security Compliance Division (ISCD). Contact the Help Desk (866-323-2957) for instructions on how this should be accomplished. Any changes that are made to the Site Security Plan must be reported to ISCD. Please remember that these reports are Chemical-Terrorism Vulnerability Information (CVI) and should be marked and protected accordingly.


Red Team said...

You make a good point. Identifying a "soft target" versus a "hard target" is a priority for professionals. Conducting dry runs on sites is also a way to increase the chaos. Many groups, abroad at least, specifically target the first responders. We see this tactic in Pakistan, Afghanistan, Iraq and other high-risk/high-threat areas.

PJCoyle said...

My response to Red Team's comment can be found at:
