WEBVTT 1 00:00:00.030 --> 00:00:05.220 Scenario 1. This first scenario addresses 2 00:00:03.810 --> 00:00:06.870 possible threats to critical 3 00:00:05.220 --> 00:00:08.970 infrastructure and the importance of 4 00:00:06.870 --> 00:00:11.099 reporting SAR information that may 5 00:00:08.970 --> 00:00:13.500 relate to pre-incident surveillance 6 00:00:11.099 --> 00:00:15.389 activities. You are working with the 7 00:00:13.500 --> 00:00:17.400 operator of a critical infrastructure 8 00:00:15.389 --> 00:00:19.260 site to develop preparedness and 9 00:00:17.400 --> 00:00:21.779 mitigation plans in the event of a 10 00:00:19.260 --> 00:00:23.970 disaster at the site. The operator of the 11 00:00:21.779 --> 00:00:26.189 site casually mentions to you that an 12 00:00:23.970 --> 00:00:28.890 SUV has approached the entrance to the 13 00:00:26.189 --> 00:00:31.140 plant on several different occasions, and 14 00:00:28.890 --> 00:00:33.440 that a passenger in the vehicle appears 15 00:00:31.140 --> 00:00:35.820 to be videotaping the guard shack—documenting 16 00:00:33.440 --> 00:00:38.670 the entrance protocol for 17 00:00:35.820 --> 00:00:41.010 the facility. Neither the vehicle nor its 18 00:00:38.670 --> 00:00:43.170 occupants have tried to enter the plant, 19 00:00:41.010 --> 00:00:45.690 nor have they made any other outward 20 00:00:43.170 --> 00:00:47.850 sign of causing a problem. On one 21 00:00:45.690 --> 00:00:50.399 occasion, the security guard approached 22 00:00:47.850 --> 00:00:52.890 the SUV, and the vehicle sped off quickly. 23 00:00:50.399 --> 00:00:55.230 You recognize this is one of the 24 00:00:52.890 --> 00:00:57.870 indicators of preoperational planning 25 00:00:55.230 --> 00:00:59.760 for terrorist activity. You then work 26 00:00:57.870 --> 00:01:02.340 with the operator of the site to compile 27 00:00:59.760 --> 00:01:04.979 a report, and forward the information to 28 00:01:02.340 --> 00:01:07.710 the local law enforcement agency. You 29 00:01:04.979 --> 00:01:08.580 also let your fusion liaison officer 30 00:01:07.710 --> 00:01:11.220 (or FLO) 31 00:01:08.580 --> 00:01:12.810 know about the incident. The local law 32 00:01:11.220 --> 00:01:15.299 enforcement officer fills out a 33 00:01:12.810 --> 00:01:18.030 suspicious activity report, which he then 34 00:01:15.299 --> 00:01:20.490 forwards to both the local FBI office and 35 00:01:18.030 --> 00:01:22.920 the state fusion center. The FLO 36 00:01:20.490 --> 00:01:25.200 reports the activity to the fusion 37 00:01:22.920 --> 00:01:27.479 center, as instructed in the training 38 00:01:25.200 --> 00:01:29.909 received to become a liaison officer for 39 00:01:27.479 --> 00:01:31.799 the fusion center. The fusion center 40 00:01:29.909 --> 00:01:33.900 works with the FLO coordinator to 41 00:01:31.799 --> 00:01:35.790 determine whether any similar incidents 42 00:01:33.900 --> 00:01:37.500 have been reported at any other critical 43 00:01:35.790 --> 00:01:41.220 infrastructure sites around the region 44 00:01:37.500 --> 00:01:43.619 and statewide. Based on multiple similar 45 00:01:41.220 --> 00:01:46.200 incidents, it appears that individuals 46 00:01:43.619 --> 00:01:47.850 may be casing various sites to determine 47 00:01:46.200 --> 00:01:50.280 the number of personnel protecting the 48 00:01:47.850 --> 00:01:53.130 plants and recording the response times 49 00:01:50.280 --> 00:01:55.320 to calls for service. The fusion center 50 00:01:53.130 --> 00:01:57.689 then works with FBI partners to produce 51 00:01:55.320 --> 00:01:59.579 a bulletin about this activity that is 52 00:01:57.689 --> 00:02:01.979 sent to all the critical infrastructure 53 00:01:59.579 --> 00:02:03.509 operators in the state. Though feedback 54 00:02:01.979 --> 00:02:05.640 may not have been given to the 55 00:02:03.509 --> 00:02:07.500 originating security personnel, the 56 00:02:05.640 --> 00:02:09.660 reporting of the initial suspicious 57 00:02:07.500 --> 00:02:13.250 activity results in a statewide bulletin for all operators.