UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Sector Resilience Report: Stadiums and Arenas (U) January 20, 2015, 1520 EST

(U) SCOPE

(U) The Department of Homeland Security’s Office of Cyber and Infrastructure Analysis (DHS/OCIA)1 produces Sector Resilience Reports to improve partner understanding of the interdependencies and resilience of certain sectors. This product focuses on the Commercial Facilities Sector, concentrating on the Public Assembly Subsector—Stadium and Arena Segment. Specifically, this report provides a brief overview of stadiums and arenas, and analysis of key dependencies and interdependencies. In addition, this product includes an assessment of, and best practices for improving community, system, and facility resilience. This Sector Resilience Report was produced to complement other sector-specific guidance, analysis, and academic papers on infrastructure resilience by applying data obtained from DHS site visits and assessments analyzing the resilience of critical infrastructure assets and systems.

(U) The resilience issues and best practices identified in this document may be considered by critical infrastructure partners to improve their resilience. Specific information is provided for both owners and operators of stadiums and arenas and for community risk management organizations (e.g., State or local emergency operations centers, emergency managers, public works, utility managers, and disaster relief organizations). This product was coordinated with the DHS Office of Infrastructure Protection.

(U) KEY FINDINGS

(U) DHS has conducted 176 assessments of large sporting event facilities (stadiums and arenas) since January 2011. Over 90 percent of stadiums and arenas assessed by DHS are dependent upon water, wastewater, and electric power to maintain core operations.

(U) A disruption in the supply of these key resources would severely degrade core operations by greater than 67 percent within 2 hours, without considering any backup measures.

(U) If the facility is being used as a shelter or an incident command post, disruptions to core operations could quickly result in cascading impacts to critical services, such as emergency response, emergency shelter and mass care, and public health and safety.

1 (U) In February 2014, the National Protection and Programs Directorate (NPPD) created the Office of Cyber and Infrastructure Analysis by integrating analytic resources from across NPPD including the Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) and the National Infrastructure Simulation and Analysis Center (NISAC).

1 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Stadium: Outdoor facilities where events are held for large audiences. May or may not have retractable domes.

(U) Arena: Indoor facilities where events are held for large audiences.

(U) STADIUMS AND ARENAS OVERVIEW (U) The Commercial Facilities Sector varies greatly in scope and function, encompassing entities from retail centers, hotels, and casinos to office and apartment buildings, stadiums, and arenas. Stadiums and arenas are a segment of the Commercial Facilities Sector categorized under the Public Assembly Subsector.2 They consist of facilities where large numbers of people gather to engage in sporting events, concerts, lectures, rallies, circuses, and other events. The periods of occupancy and core usages range from several hours to full-day or multiple-day events. These facilities are located in every region and state, and they range in size from high-school football stadiums to professional sports arenas with seating capacities for over 100,000 spectators. These facilities are largely unregulated in regard to physical and cyber security, and extremely diverse, and as such their individual owners and operators are responsible for planning and implementing protective resilience measures.3

(U) The number of major stadiums and arenas in the United States is estimated to be at 2,482.4

The majority of these facilities are owned and operated by local governments, local authorities, or the private sector. Some facilities are owned by individual sports teams.5 Each of these entities can have a significant impact on state and local economies, and depending on the specific facility, foster civic pride.6 To underscore the potential impact of these facilities and the events they host, the reported attendance of professional football, baseball, basketball, and hockey in the United States for the 2013–2014 athletic season totaled over 133 million attendees with combined revenues exceeding $25 billion.7,8,9,10,11

2 (U) DHS, Infrastructure Data Taxonomy Version 4, 2011. 3 (U) DHS, Commercial Facilities Sector-Specific Plan, 2010, www.dhs.gov/xlibrary/assets/nipp-ssp-commercial-facilities-2010.pdf, accessed

July 14, 2014. 4 (U) Major stadiums include those with a seating capacity of 5,000 or greater. World Stadiums, “Stadiums in the United States,” 2014,

www.worldstadiums.com/north_america/countries/united_states.shtml, accessed July 14, 2014. 5 (U) DHS, Commercial Facilities Sector-Specific Plan, Annex 8: Sports Leagues Subsector, 2010, www.dhs.gov/xlibrary/assets/nipp-ssp-

commercial-facilities-2010.pdf, accessed July 14, 2014. 6 (U) DHS, Commercial Facilities Sector-Specific Plan, 2010, www.dhs.gov/xlibrary/assets/nipp-ssp-commercial-facilities-2010.pdf, accessed

July 14, 2014. 7 (U) ESPN, “Attendance Report 2013-2014 seasons for NFL, MLB, NBA, and NHL,” 2014, http://espn.go.com/nfl/attendance,

http://espn.go.com/mlb/attendance, http://espn.go.com/nba/attendance, and http://espn.go.com/nhl/attendance, accessed July 14, 2014. 8 (U) Forbes, “How the National Football League Can Reach $25 Billion in Annual Revenues,” August 17, 2013,

www.forbes.com/sites/monteburke/2013/08/17/how-the-national-football-league-can-reach-25-billion-in-annual-revenues/, accessed July 14, 2014.

9 (U) Forbes, “Major League Baseball Sees Record Revenues Exceed $8 Billion for 2013,” December 17, 2013, www.forbes.com/sites/maurybrown/2013/12/17/major-league-baseball-sees-record-revenues-exceed-8-billion-for-2013/, accessed July 14, 2014.

10 (U) Forbes, “As Stern Says Goodbye, Knicks, Lakers Set Records as NBA’s Most Valuable Teams,” January 22, 2014, www.forbes.com/sites/kurtbadenhausen/2014/01/22/as-stern-says-goodbye-knicks-lakers-set-records-as-nbas-most-valuable-teams/, accessed July 14, 2014.

11 (U) CBS Sports, “Report: NHL Revenue to Hit $3.7B; Cap Likely to Exceed $70 Million,” June 9, 2014, www.cbssports.com/nhl/eye-on- hockey/24584103/report-nhl-revenue-to-hit-37-billion-cap-likely-to-exceed-70-million, accessed July 14, 2014.

2 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) RESILIENCE (U) Resilience can be understood as the ability of an asset, system, organization, or other entity to adapt to changing conditions and withstand and rapidly recover from disruptions due to emergencies.12 The common themes shared in this Sector Resilience Report are drawn from data obtained from DHS site assessments conducted through the Enhanced Critical Infrastructure Protection (ECIP) Initiative, as well as from information 13 gleaned from industry reports and academic research. This Sector Resilience Report summarizes results from numerous infrastructure assessments that examine vulnerabilities, threats, and potential consequences from an all-hazards perspective, leading to the identification of dependencies, interdependencies, cascading effects, and resilience characteristics.14

(U) Since 1996, the critical infrastructure community has evolved from a primary focus on protective security to a greater emphasis on resilience to disruptive events.15 National policies, such as Presidential Policy Directives (PPDs) 8 and 21, highlight that collaborative engagement and information sharing with Federal agencies, private sector facility owners and operators, law enforcement, emergency response organizations, academic institutions, and other stakeholders are vital to building a more resilient nation.

(U) THREATS AND HAZARDS

(U) The Public Assembly Subsector, specifically those stadiums and arenas that host large numbers of people, faces a broad range of potential threats and hazards ranging from natural hazards to intentional physical attacks to cyberattacks. The risk to stadiums and arenas is greatest during periods of occupancy and core usage (i.e., during the event or on game day), when there are highly concentrated populations of people at the facility. Understanding the threats and hazards and their potential impacts to both the facility and the gathered assembly of people can assist these entities in proactively establishing resilience measures and mitigation strategies.

12 (U) Presidential Policy Directive 8: National Preparedness (PPD-8), March 30, 2011, Washington, DC: The White House, www.dhs.gov/presidential-policy-directive-8-national-preparedness, accessed July 14, 2014.

13 (U) The ECIP Initiative is a voluntary program in which DHS Protective Security Advisors conduct outreach with critical infrastructure facility owners and operators; provide security surveys, training, and education; and recommend protective measures. ECIP metrics provide DHS with information on the protective and resilience measures in place at facilities and enable detailed analyses of site and sector vulnerabilities. For more information, please contact PDCDOperations@hq.dhs.gov.

14 (U) DHS, Regional Resilience Assessment Program Fact Sheet, December 2013. 15 (U) The Federal Government began to examine potential threats to critical infrastructure in the 1990s as a result of incidents of domestic and

international terrorism. President Clinton issued Executive Order 13010 in 1996, which identified the Nation’s critical infrastructure sectors and established a Presidential Commission on Critical Infrastructure Protection (PCCIP) whose objective was to recommend a comprehensive national infrastructure protection policy and implementation strategy.

(U) PPD-8, National Preparedness, defines resilience as “the ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies.”

(U) PPD-21, Critical Infrastructure Security and Resilience, directed the Federal Government to work with critical infrastructure owners and operators and State, local, tribal, and territorial partners to strengthen the security and resilience of its critical infrastructure.

3 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) NATURAL HAZARDS

(U) Natural hazards can cause extensive, costly damage to stadiums and arenas. There are a number of examples where hurricanes, tornadoes, major flooding events, lightning, and wildfires have threatened or impacted stadiums and arenas.

(U) Fans were inside the Georgia Dome watching a Southeastern Conference basketball tournament game when an EF2 tornado (wind speed of 111 to 135 miles per hour) hit Atlanta, Georgia on March 14, 2008. The facility sustained $2.2 million in damage.16

(U) The Dallas Cowboys’ practice stadium was hit by a storm in May 2009. Approximately 70 people, including the Dallas Cowboys football team, were in the facility at the time of the storm. The strength of the storm caused the roof to collapse, seriously injuring 12 people.17

(U) The Air Force Academy’s Falcon Stadium, located in Colorado Springs, Colorado, became threatened by the 2012 Waldo Canyon Fire, which burned within 5 miles of the campus.18

(U) PHYSICAL ATTACKS

(U//FOUO) Events at stadiums and arenas have been attractive targets to malicious actors and terrorists given the expected media attention, crowd density, open public access, and protective measures that are less evident or not as stringent as at other private facilities.19 Stadiums and arenas are considered soft targets, where the general public may move freely throughout many areas within these facilities without the deterrence of highly visible security barriers.20 Many facilities now incorporate mandatory bag searches and use of a security wand to detect potentially dangerous contraband items, however, at some venues the only security measures in place consist of identification, ticket, or credential checks.

(U//FOUO) Recent and thwarted attacks overseas and in the United States demonstrate that sporting events, particularly those that are lightly protected, remain desirable targets for terrorists because of the potential for mass casualties, intense media attention, and economic and social disruption.21 A lone offender or group of violent extremists might prepare for and execute an attack on stadiums and arenas through a number of different attack methods, including:22,23,24

(U//FOUO) Utilizing small arms; (U//FOUO) Constructing and deploying improvised explosive devices;

16 (U) KentuckySports.com, “Memories of Georgia Dome Tornado Still Vivid as SEC Tournament Returns to Atlanta,” March 10, 20111, www.kentucky.com/2011/03/10/1664614/memories-of-georgia-dome-tornado.html, accessed July 14, 2014.

17 (U) ESPN, “Injuries Reported at Cowboys’ Facility” May 3, 2009, http://sports.espn.go.com/nfl/news/story?id=4127852, accessed July 14, 2014.

18 (U) CBS Sports, “Wildfire Threatens Air Force’s Falcon Stadium,” June 26, 2012, www.cbssports.com/collegefootball/eye-on-college- football/19428016/photo-wildfire-threatens-air-forces-falcon-stadium, accessed July 14, 2014.

19 (U) Federal Bureau of investigation (FBI) and DHS, Joint Special Event Threat Assessment: Super Bowl XLVIII, East Rutherford, New Jersey, January 28, 2014.

20 (U) DHS, Commercial Facilities Sector-Specific Plan, 2010, www.dhs.gov/xlibrary/assets/nipp-ssp-commercial-facilities-2010.pdf, accessed July 14, 2014.

21 (U//FOUO) DHS, Intelligence Note: Lightly Protected Sporting Events Featured in Overseas Terrorist Attacks and Plans, 2010. 22 (U) DHS, Active Shooter Preparedness, 2014, www.dhs.gov/active-shooter-preparedness, accessed September 16, 2014. 23 (U) The National Counterterrorism Center (NCTC), Counterterrorism 2014 Calendar: Methods and Tactics, 2014,

http://nctc.gov/site/technical/index4.html, accessed September 16, 2014. 24 (U) DHS, “TRIPwire: Technical Resource for Incident Prevention,” 2014, https://tripwire.dhs.gov, accessed September 16, 2014.

4 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) Making use of vehicles in ramming attacks; or

(U//FOUO) Using chemical or biological agents.

(U//FOUO) In addition, analysis of global events shows that many attacks or attempted attacks against stadiums and arenas use tactics designed to circumvent established security measures, including targeting small, nonprofessional sporting events, and targeting spectators as they enter or exit venues.25,26 For example, on September 19, 2010, an individual placed a backpack that he thought contained a powerful explosive device into a curbside trash container on a crowded street near Wrigley Field in Chicago, Illinois. The device was inert and did not cause any harm.27

(U) CYBERATTACKS (U) Computer network infrastructure systems at stadiums and arenas are utilized for day-to-day operations such as ticketing; reservations; property management; communications; controlling heating, ventilation, and air conditioning (HVAC) systems; elevator and escalator controls; lighting; warning and alert systems; and closed-circuit television (CCTV).28,29 Used for monitoring and system control during an event, CCTV, HVAC, and network systems are essential for the safety of all attendees and staff. Despite the lack of significant cyberattacks against major stadium and arena facilities in the United States, the threat of cyberattacks, cybercrime, or disruption to key supporting IT or Communications Sector infrastructure still remains. DHS provides a number of recommended cybersecurity best practices that may help stadium and arena owners and operators better protect and mitigate against cyberattacks.30,31

(U) DEPENDENCIES AND POTENTIAL IMPACTS (U) The resilience of a community or region is a function of the resilience of its subsystems, including its critical infrastructure, economy, civil society, and governance (including emergency services). Characterizing a region’s resilience can be a complex task due to the dependencies and interdependencies that exist within infrastructure systems and the regions they serve. The loss of a stadium or arena facility may not just be an inconvenience for attendees and ticket holders; its impacts could quickly cascade into other important services, particularly emergency services, which may use the facility as an emergency shelter or command post. Understanding these dependencies is an important key to building and maintaining resilient public assembly facilities.

(U) DHS has conducted 176 assessments of large sporting event facilities since January 2011. More than 90 percent of stadiums and arenas assessed are dependent upon water, wastewater, and electric power for core operations. A disruption in the supply of most of these key resources

25 (U) DHS, “TRIPwire: Technical Resource for Incident Prevention,” 2014, https://tripwire.dhs.gov, accessed September 16, 2014. 26 (U//FOUO) National Counterterrorism Center, DHS, and FBI, Joint First Responder’s Toolbox Report: Complex Operating Environment for

First Responders – Stadiums and Arenas, 2014. 27 (U) NBC Chicago, “Would-Be Chicago Backpack Bomber Gets 23 Years,” May 31, 2013, www.nbcchicago.com/news/local/Would-Be-

Chicago-Backpack-Bomber-To-Be-Sentenced-209486041.html, accessed July 14, 2014. 28 (U) For more in-depth information about cyberdependencies within the Commercial Facilities Sector, please contact OCIA at

OCIA@hq.dhs.gov to request a copy of the Critical Infrastructure Security and Resilience Note: Commercial Facilities Sector Cyberdependencies (forthcoming).

29 (U) DHS, Commercial Facilities Sector-Specific Plan, 2010, www.dhs.gov/xlibrary/assets/nipp-ssp-commercial-facilities-2010.pdf, accessed July 14, 2014.

30 (U) DHS-OCIA, IP Note: Mitigating Cyber-Physical Impacts at Commercial Facilities,” June 24, 2013. 31 (U) DHS Control Systems Security Program, Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011.

5 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

would severely degrade core operations (greater than 67 percent on average) within 2 hours without considering any backup measures.

(U) The following sections will discuss the dependencies of stadiums and arenas on other utilities—particularly electric power, water and wastewater, communications, and IT—followed by a brief discussion on the potential impacts to other sectors from the loss of stadium or arena functionality. The term “dependency,” as defined when collecting information as part of an ECIP Security Survey, is the reliance of a facility on an outside or external utility or service to carry out its core operations (i.e., the activities that enable the production of key goods or services). Core operations are specific to an asset or facility, and may include domestic uses (e.g., potable water), security operations (e.g., electric power for CCTV, scanners, sensors), or environmental controls (e.g., heating, ventilation, and air conditioning). The degradation in service (i.e., one or more of those core operations) captures how soon and to what extent a facility will be affected if the source is lost. DHS partners work with State and local agencies and the private sector, through the ECIP Initiative, to conduct voluntary assessments of a large number of critical infrastructure facilities. DHS data analyses from the ECIP Initiative were analyzed to determine the potential dependencies and resilience of stadiums and arenas.32

32 (U) DHS site assessments are voluntary and may not be representative of the entire sector. The information and data collected from these assessments through the IST are often protected as For Official Use Only or as Protected Critical Infrastructure Information; the information provided in this document has been sanitized to remove any facility, system, or regional references.

(U) Data Collection and Levels of Facility Degradation

(U) The ECIP Initiative collects data through the Infrastructure Survey Tool (IST), a secure Web-based tool that provides the ability to collect, process, and analyze survey data in near–real time. Data collected during site visits are consolidated in the IST and compared against established values and weights and data on similar facilities, which enables DHS to develop metrics; conduct sector-by- sector and cross-sector vulnerability comparisons; identify security gaps and trends across critical infrastructure sectors and subsectors; and establish sector baselines for security and resilience scores.

(U) The term “dependency,” as used in the IST and reported here, is defined as the reliance of a facility on an outside and external utility or service to carry out its “core operations.”

(U) Degradation addresses how soon a facility will be affected if the source is lost, and to what extent it will be affected. Data on degradation are gathered in the IST exclusively from other related conditions: 0 percent degradation, 1–33 percent degradation, 34–66 percent degradation, 67– 99 percent degradation, or 100 percent degradation.

(U) Data are also collected on the existence of backup generation, duration of backup generation without refueling, and recovery time after external infrastructure service is restored.

6 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) STADIUM AND ARENAS DEPENDENCIES

(U) The inner circle in Figure 1 depicts the percentage of stadiums and arenas that received DHS assessments and that are dependent upon external goods and services. The outer ring depicts the percentage by which core stadium and arena capabilities are degraded and the time to impact without considering backup measures. In addition, Table 1 provides statistics on common recovery mechanisms for stadiums and arenas.

(U) Note: This data represents a majority of stadiums and arenas (60 percent or greater) that are dependent on the external product or service.

(U) FIGURE 1—Percent of assessed stadiums and arenas dependent upon external products and services and their degradation from their loss (courtesy of DHS and Argonne National Laboratory)

7 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) ELECTRIC POWER

(U) Stadiums and arenas rely on electric power for core operations such as support for security operations. In the case of an electric power failure, these facilities generally have an immediate (100 percent) degradation when not considering their backup capability. Although approximately 85 percent of the facilities have an alternate or backup source of electric power, it is generally intended for short-term, life-safety purposes. Most facilities do not have a contingency or business continuity plan with their provider (39 percent) nor do they have a provider priority plan (34 percent). While loss of electric power may be an inconvenience on game day (i.e., stopping the game), the impacts can be far more severe when the facility is being used as a shelter or command post and is required to sustain operations for prolonged periods with limited resources.

(U) WATER AND WASTEWATER TREATMENT

(U) Stadiums and arenas rely on water and wastewater treatment primarily for domestic purposes (e.g., potable water). In general, in the event of an outage, the facilities will have 67 to 99 percent degradation after 2 hours. Even though there is such a large degradation, the facilities generally do not have a backup or alternative. This can have critical life-threatening impacts when the facility is used as a shelter or command post. It can have economic consequences if regulations require the facility to shut down in the event of a potable water loss during “game day.”

(U) COMMUNICATIONS AND IT

(U) Over three-quarters of stadiums and arenas rely on communications; however, the presence of backups can almost completely mitigate the impact of a loss of communications over an indefinite time period. This suggests that communications systems are some of the more resilient systems within these types of venues. The presence of robust communications is especially important in the event of an emergency, and when the asset is being used as a shelter or command post. IT services are also generally required for business purposes, although 34 percent of the facilities also have a network for supervisory control. Less than half of the facilities that require IT have a backup or alternate, although existing backups can eliminate the degradation of the facility indefinitely.

8 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) TABLE 1—Stadiums and arenas dependencies and recovery mechanisms

Utility Provider Type

Dependent upon External Utility

Provider (%)

Backup or Alternate Utility

Source (%)

Contingency Plan with

Provider (%)

Priority Restoration Plan

with Provider (%)

Electric Power 100 85 39 34

Water 93 2 26 21

Wastewater Treatment 91 4 19 19

Communications 78 68 36 29

Information Technology 68 41 44 41

(U) IMPACTS TO CRITICAL INFRASTRUCTURE FROM LOSS OF STADIUMS OR ARENAS

(U) Stadiums and arenas can be called upon to support the Emergency Services Sector and the Healthcare and Public Health Sector. Communities, law enforcement, and first responders depend on stadiums and arenas for use as emergency mega-shelters.33 Other times, they are used as staging grounds for command posts or may be designated as public assembly areas for medical countermeasure dispensing. If the facility is being used as a shelter or a command post, impacts to the facility could result in cascading impacts to public health and safety, especially during a natural disaster. For example, in August 2005, the Superdome stadium in New Orleans, Louisiana, became home to approximately 20,000 displaced people seeking shelter from Hurricane Katrina. The violent storm caused significant roof damage, power outages, and dangerous flooding that ultimately trapped the people inside for days in a dangerous environment with no running water, no power or backup power, and insufficient amounts of food and water, thus endangering the health and safety of the people that were seeking shelter.

(U) RESILIENCE ISSUES AND BEST PRACTICES

(U) The examples mentioned above of natural disasters and of physical and cyber threats to stadiums and arenas demonstrate some of the continuing challenges public assembly venues face. Owners and operators recognize that the desired outcome is to reduce the risk profile by preventing, deterring, and mitigating potential threats; reducing vulnerability to an attack or other disaster; minimizing consequences; and enabling timely, efficient response and restoration in any post-event situation, whether that is a terrorist attack, natural disaster, or other incident.34 None of these venues are immune to violent attacks or natural hazards. In order to mitigate the risk of loss of life and physical and economic damage, a process that addresses protection, prevention,

33 (U) Federal Emergency Management Agency (FEMA), “National Disaster Housing Strategy,” January 16, 2009, www.fema.gov/pdf/emergency/disasterhousing/NDHS-core.pdf, accessed June 26, 2014.

34 (U) DHS, Commercial Facilities Sector Specific Plan, 2010, www.dhs.gov/xlibrary/assets/nipp-ssp-commercial-facilities-2010.pdf, accessed July 14, 2014.

9 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

and preparedness is needed to detect security vulnerabilities and implement corrective actions to reduce risk and remain resilient. These activities may include deploying equipment, new technologies, and additional personnel; conducting a threat assessment and risk assessment; conduct awareness and threat-specific training; and executing policies and procedures designed to protect a facility against threats.35

(U) Table 2 presents resilience issues and best practices that may be considered by critical infrastructure partners in each sector to improve their resilience at three levels: Public assembly provider systems or facilities; community risk management organizations (e.g., State or local emergency operations centers, emergency managers, public works, utility managers, and disaster relief organizations); and any critical infrastructure asset or system that depends on the Public Assembly Subsector (Stadiums and Arenas Segment). The issues and best practices listed in Table 2 were identified by analyzing DHS site assessment data regarding vulnerabilities and options for consideration, as well as review of applicable Regional Resiliency Assessment Program (RRAP) key findings and general literature reviews.36,37 See the Appendix for supporting resources and references.

(U) TABLE 2—Resilience issues and best practices

(U) Secure all utility manholes either with a permanent locking mechanism or by tack welding lids to

mitigate possible unauthorized access. (U) Explore with the service provider the feasibility of having an additional utility line provide service to

the facility in a separate geographic location. (U) Create more than one demarcation point within a facility to disperse critical components and

eliminate single points of failure.

(U) Install protective measures, such as bollards, fencing, or electronic security measures, around

equipment that is at risk of sabotage or accidents and, if necessary, install fire and blast walls to protect adjacent equipment.

(U) Harden or relocate at-risk critical equipment to prepare for region-specific common natural disasters such as flooding or tornados.

(U) Develop, train, and test a business continuity plan to enable personnel to respond quickly to potential

disasters, increasing the likelihood of quicker restoration of core operations.

o (U) DHS and FEMA provide resources for business continuity planning at

35 (U) DHS, Commercial Facilities Sector Specific Plan, 2010, www.dhs.gov/xlibrary/assets/nipp-ssp-commercial-facilities-2010.pdf, accessed July 14, 2014.

36 (U) The RRAP evaluates critical infrastructure on a regional level to examine vulnerabilities, threats, and potential consequences from an all- hazards perspective, identifying dependencies, interdependencies, cascading effects, resilience characteristics, and gaps. RRAP projects are voluntary and non-regulatory; they rely on engagement and information sharing with Federal agencies, private sector facility owners and operators, law enforcement, emergency response organizations, academic institutions, and other stakeholders. For more information, please email resilience@dhs.gov or visit www.dhs.gov/regional-resiliency-assessment-program.

37 (U) The degradation and recovery information and data from the RRAP and IST are often protected as FOUO or as PCII. The information in Table 2 has been sanitized to remove any facility, system, or regional references.

(U) In general, stadiums and arenas lack business continuity plans

(U) Critical utility equipment has limited or no protection against manmade and natural disasters

(U) FOR PUBLIC ASSEMBLY PROVIDER SYSTEMS OR FACILITIES (U) Utility lines, including electric power, communication, and IT lines, are often vulnerable to manmade or natural disasters due to collocation or the lack of physical protection

10 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

www.ready.gov/business. (U) Communicate plans to all personnel, and conduct frequent training and exercise (especially with first

responders). (U) Exercise plans with local first responders to ensure familiarity with the facility and its emergency

procedures in the event of an actual incident.

(U) Establish a written cybersecurity policy that encompasses critical items such as privacy, data

security, network security, email policies, employee responsibilities, incident response and reporting, and policy development and management guidelines.

(U) Review guides to assist in the development of cybersecurity plans (i.e., www.transition.fcc.gov/cyber/cyberplanner.pdf).

(U) Tailor cybersecurity policies and configurations for the SCADA network in accordance with guidelines established in formal cybersecurity guidance such as NIST Special Publications 800-series, ISO/IEC 27001, CoBIT, ITIL (http://csrc.nist.gov/publications/PubsSPs.html).

(U) Arrange a cybersecurity assessment, many of which are available from Government sources or with a third-party private provider at no cost to the facility. The DHS Office of Cybersecurity and Communications (CS&C) conducts voluntary cybersecurity assessments to evaluate operational resilience and cybersecurity capabilities within all 16 critical infrastructure sectors as well as state, local, tribal, and territorial governments. For more information visit www.us-cert.gov/ccubedvp/self-service-crr or contact the program directly at CSE@hq.DHS.gov.

(U) Stadiums and arenas should create emergency action charts and post them throughout the facilities

for quick reference of actions to take during emergency situations. (U) Stadiums and arenas should clearly identify and communicate egress routes in the event of a mass

evacuation. (U) Stadiums and arenas should clearly identify shelter-in-place locations in the event of a disaster in

which evacuation is not an option.

(U) Stadiums and arenas should make customers aware of typical troubling actions or suspicious items

to look for and provide details on the “See Something, Say Something™” campaign.

(U) Community risk-management entities should work with commercial facilities to develop and

coordinate shelter-in-place plans and evacuation plans to make sure venues are prepared for such events.

(U) The planning teams should also develop an emergency action plan that includes lists of local suppliers for bedding, food, water, fuel, emergency medical supplies, portable lighting, and portable sanitary facilities.

(U) Community risk-management entities can work together to develop an Urban Design and Critical

(U) Urban planning, design, and development do not always include security considerations

(U) FOR COMMUNITY RISK-MANAGEMENT ENTITIES

(U) Venues are not always well equipped to provide prolonged shelter during or following an attack or natural hazard

(U) Stadium and arena customers may not be aware of their importance in defense of an intentional attack at public assembly facilities

(U) Customers need to be informed of evacuation and shelter procedures

(U) Some facilities lack written cybersecurity plans and have not had cybersecurity assessments conducted

11 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Infrastructure Plan that outlines actions to implement enhanced security measures based on identified vulnerabilities (consult the FEMA Security Risk Management Series publications to assist with development of a plan: www.fema.gov/what-mitigation/security-risk-management-series-publications).

(U) Community risk-management entities should incorporate security and resilience measures into on- going development projects.

(U) Local emergency management agencies should maintain awareness of area public assembly

schedules. Venues should develop procedures to implement additional security measures during threat alerts or when credible, specific, or impending terrorist threats have been made; incorporate staging areas into the planning.

(U) Local law enforcement and emergency management agencies can work with facility owners and operators to develop a threat incident response matrix, including actions to be taken in the event of facility or road closures, hazmat reroutes, active shooters, natural disasters, etc.

(U) Governmental agencies should ensure that emergency operations centers have identified critical

equipment and determined the emergency backup capabilities, such as fuel needs, needed to support command posts and shelters (i.e., active contract agreement for fuel replenishment).

(U) State and local emergency plans should include provisions for the distribution of potable water to priority government and privately owned critical infrastructure and lifeline sector customers following a disaster.

(U) Public works and utility companies should work with stadiums and arenas to determine minimum

utility requirements for core operations needed to sustain operations as a command post or shelter.

(U) Facilities sometimes lack sufficient backup for the critical utilities required to sustain full operations, which could jeopardize the function of the facility as a command post or shelter

(U) There is a lack of utility restoration prioritization for critical government response agencies and for privately owned critical infrastructure needed for response, including stadiums and arenas used for command posts or shelters

(U) Stadiums and arenas may not be adequately prepared for or informed of local response procedures and activities across a variety of threats and hazards targeting public assembly areas

12 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) APPENDIX (U) RESILIENCE ISSUES AND BEST PRACTICES: REFERENCES AND

RESOURCES

(U) The following references provide the reader with more in-depth information on the Public Assembly Subsector, including vulnerabilities, gaps, resilience technology, and other sector- specific guidance.

(U) Argonne National Laboratory

(U) Resilience: Theory and Applications, www.dis.anl.gov/pubs/72218.pdf.

(U) Athletic Business

(U) Athletic Business, The Leading Resource for Athletic, Fitness & Recreation Professionals, Safety & Security Section, www.athleticbusiness.com/safety-security.html.

(U) DHS (U) Commercial Facilities Sector Snapshot,

www.dhs.gov/xlibrary/assets/nipp_snapshot_commercialfacilities.pdf.

(U) Commercial Facilities Sector Specific Plan, an Annex to the National Infrastructure Protection Plan, www.dhs.gov/xlibrary/assets/nipp-ssp-commercial-facilities-2010.

(U) Evacuation Planning Guides, www.dhs.gov/publication/evacuation-planning- guides.

(U) “If You See Something, Say Something™” Public Awareness Campaign, www.dhs.gov/if-you-see-something-say-something.

(U) National Infrastructure Protection Plan 2013, Partnering for Critical Infrastructure Security and Resilience, www.dhs.gov/national-infrastructure-protection-plan.

(U) Presidential Policy Directive 8: National Preparedness (PPD-8), www.dhs.gov/presidential-policy-directive-8-national-preparedness.

(U) Preventing Terrorism Initiatives, www.dhs.gov/preventing-terrorism. (U) Publication, SportEvac: Choreographing a Stadium Stampede,

www.dhs.gov/sportevac-choreographing-stadium-stampede.

(U) The Critical Infrastructure Cyber Community (C3) Voluntary Program helps critical infrastructure sectors and organizations reduce and manage their cyber-risk by connecting them to existing cyber-risk-management capabilities provided by DHS, other U.S. Government organizations, and the private sector. At the time of launch in February 2014, available resources primarily consisted of DHS programs, which will grow to include cross-sector, industry, and state and local resources. Available at www.us- cert.gov/ccubedvp.

(U) Understanding the Commercial Facilities Sector, http://training.fema.gov/EMIWeb/IS/IS860b/CIRC/comFac1.htm.

13 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) FEMA

(U) Security Risk Management Publications, www.fema.gov/what-mitigation/security- risk-management-series-publications.

(U) National Disaster Housing Strategy, www.fema.gov/pdf/emergency/disasterhousing/NDHS-core.pdf.

(U) International Association of Venue Managers Safety Council (U) Mega-Shelter Planning Guide: A Resource and Best Practices Reference Guide,

www.fema.gov/pdf/emergency/disasterhousing/mspg.pdf.

(U) National Center for Spectator Sports Safety and Security

(U) National Center for Spectator Sports Safety and Security, www.ncs4.com.

(U) Stadium Managers Association

(U) Home page, www.stadiummanagers.org.

(U) University of Colorado

(U) Lightning Safety and Outdoor Stadiums, http://sciencepolicy.colorado.edu/admin/publication_files/resource-1740-2005.27.pdf.

The Office of Cyber and Infrastructure Analysis (OCIA) produces Sector Resilience Reports to improve partner and stakeholder understanding of the interdependencies and resilience of certain aspects of specific sectors. The information is provided to support the activities of the Department, and to inform federal, state, local, and private-sector partner strategies designed to deter, prevent, preempt, and respond to all-hazards disruptions to infrastructure in the United States. For more information, contact OCIA@hq.dhs.gov or visit www.dhs.gov/office-cyber-infrastructure-analysis.

WARNING: This document is FOR OFFICIAL USE ONLY (FOUO). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information. This information shall not be distributed beyond the original addressees without prior authorization of the originator.

14 UNCLASSIFIED//FOR OFFICIAL USE ONLY

Form # 57cb56de-9bb9-4877-9b63-7523e3c3caf8