Tampa tests software to spot security risks

City of Tampa, Fla.

Tampa, Fla., could serve as a model for how municipalities can better protect critical physical and information assets while sharing emergency and threat analysis information with states and the federal government.

The city, with a population of more than 300,000, is home to a major tourist attraction and draws more than 2 million visitors a year. It has the seventh largest port in the nation. MacDill Air Force Base, which houses U.S. Central Command and U.S. Special Operations Command, is next door. And Crystal River Nuclear Plant lies just to the north.

Although information sharing with utility, port authority, Air Force and other officials improved after the Sept. 11, 2001, terrorist attacks, Tampa still lacked a basic risk management plan to maximize protection of its physical assets, said Bennie Holder, a former Tampa police chief who retired this fall.

"We did not have a centralized database where we could go to and pull up a critical infrastructure that we thought perhaps needed to be looked at in case of a terrorist threat," he said.

Tampa officials scoured the landscape for available technologies that assess potential threats and manage assets. Their search led them in late 2001 to a product called Site Profiler, which Digital Sandbox Inc. was in the early stages of developing. Federal agencies were planning to test the software program with other public-sector organizations, most notably the Port Authority of New York and New Jersey, but not with cities.

During discussions with officials at the Justice Department, Tampa officials submitted a proposal to become a test bed for the technology and one year ago was awarded $300,000 to test it.

"I think Tampa has, fortunately or unfortunately, everything that you can look for if you wanted to see how you can set up a defense, so to speak, against terrorism," Holder said.

Founded in 1998 with an initial $5 million investment from the Defense Department, Digital Sandbox of Reston, Va., has put five years of research and development into its product. In addition to the Port Authority, New Jersey state police and some federal agencies are testing or using the system. The company plans to market the product to the commercial sector early next year.

Bryan Ware, the company's chief executive officer and director of technology, said the system links disparate and real-time information from various sources for a holistic, and somewhat predictive, strategy on potential risks. It also allows municipalities or agencies to select countermeasures, develop plans and monitor their readiness.

"It's one thing to know what your problems are; it's another thing to suggest or implement an executable solution," he said. "The general concept for information sharing is, 'Let's connect all these people and exchange all this information they have.' Hypothetically, if that happened, you'd have so much information, you just can't read it."

The system's underlying algorithms and analytics help determine the highest threats, most critical assets and most vulnerable assets by continuously analyzing data from multiple sources.

Anthony Beverina, Digital Sandbox's chief operating officer, said the system provides officials with the ability to explore what-if scenarios on risk mitigation options and also develop more structured plans to respond to increasing threat levels.

Although there are no standards for measuring risks, Site Profiler accounts for different terminologies to describe threats and vulnerabilities, Ware said. The result is greater awareness and operational readiness for stakeholders.

"We put the right information in front of executives so they can make the right decisions," he said.

Richard Jacques, a senior program manager with Justice, said the Homeland Security Department's Office for Domestic Preparedness, to which he's been detailed, is evaluating Site Profiler at the Port Authority. Authority officials began training with the software this fall.

"When you have an infrastructure such as that of a port, where you have airports, commuter train systems, shipping, bridges and tunnels, and so forth, they are obviously potential targets for critical incidents," he said. "Basically, our interest is finding technology that can enable an organization, such as a port authority, to examine their assets from the standpoint of risk and vulnerability. In other words, which of these assets are most likely to have the greatest likelihood of an attack?"

Various data sources will feed information into the system, enabling the port authority to look at its existing resources to better focus attention on the proper security and responses.

In evaluating various technologies, officials will provide an impartial review of capabilities and report their findings. In general, evaluation criteria include interfacing with existing legacy systems; amount of user training required; installation, maintenance and upgrade costs; and interoperability, among other things, said Jacques, who added that the agency is planning to evaluate similar software systems, too.

***

Site profiling

Digital Sandbox Inc.'s Site Profiler risk management software suite has three components:

* Assessor — Software that enables assessment teams to capture information and data to analyze risks to facilities.

* Enterprise Server — A Web-based system that gives emergency and operations managers a holistic view of their security information. Users can mine data generated by assessment teams, enter and distribute threat information, and track historical incidents.

* Blast Effects Model — A tool that creates 3-D models of facilities or cities, including buildings, areas and natural features. Assessors can use tools that simulate the impact of blasts and weapons of mass destruction to analyze threat scenarios.