NCS4 2nd Edition “Best” Practices Guide

The NCS4 (National Center for Spectator Sports Safety and Security) just published the July 2014:

“Intercollegiate Athletics Safety and Security”  — 2nd Edition Best Practices Guide.

Most of the content provides brief descriptions of widely held industry standards.  Situational analysis and risk management are the common themes.  It’s obviously geared toward college football stadiums but the general fundamentals can be applied to other large venues (motor speedways, ballparks, arenas, etc.).

My specific area of concern deals with outdated emergency evacuation protocol and the prospect of an artificially generated stampede.  I found it peculiar that the word “stampede” exists nowhere in the entire 126-page document.  The closest approximations were “crowd disturbance, rioting and field encroachment.”  Let’s examine some inconsistencies within the NCS4 document.

Below are some subject headings and quotes I found relevant.

Risk and Threat Assessment/Vulnerabilities and Planning

A risk/threat analysis is one of the most important elements of a comprehensive safety and security plan.

Without the assessment one cannot effectively develop and implement a security and safety plan – Because you won’t know what you don’t know!

I agree with the exclamatory emphasis.  I’m all for developing a strategic game plan to deal with emergency situations.  But if formulating one is so critical, why is there no mention of a human stampede and its potential triggers?  Stampedes in the United States are admittedly rare.  But considering the severity of such an event, this should be a priority.

Technology Use/Implementation/Innovation/Information Management
Social Media subheading

build expertise and experience with social media platforms (Text, Twitter, Facebook, Snapchat, etc.)

Use social media to inform attendees of security, weather or other emergency issues.

While I do agree that social media forums and cellular communications can be an important tool for providing information to event attendees, they need to specifically state that under no circumstance whatsoever would you order a legitimate, real-world venue evacuation through ANY of these channels.  This is a blatant omission of negligence.

Cyber Intrusion/Attack

Develop and implement a security plan for computer and information systems hardware and software…

Many components of today’s facilities are operated via cyber programs that control the components (i.e., HVAC, lighting, PA, video boards, etc.).

It’s extremely troubling that the potential for a cyber-attack is viewed under such a one-dimensional microscope.  At face value, it would seem the NCS4 is only interested in the unlikely possibility of someone sabotaging the public address system or maybe manipulating the jumbotron feed.  While this could be cause for concern, what about all the individual cell phones?

In some football stadiums, there are 50,000 – 100,000 active cell phones.  The majority are smartphones that function as powerful individual supercomputers.  These devices can be used to transmit and receive false information.

Why is there no mention of the deliberate or accidental misuse of campus text emergency alert systems or official university Facebook/Twitter feeds?

What about information operation campaigns such as BADGER (bulk email messaging), WARPATH (mass text messaging), MINIATURE HERO (bidirectional instant messaging and acquisition of contact lists), CHANGELING (spoofed emails) and VIRAL BLITZKRIEG (a bombardment of information designed to saturate a specific location and exponentially spread panic)?

What about STINGRAY technology (a device that functions as a fake cell tower and can acquire real-time cell numbers of individuals in a specific geographic area)?  What about the potential for sabotage of reverse 911 platforms and the WEA (Wireless Emergency Alert) system?

These considerations hardly scratch the surface.

Maybe I should simplify.  What about lies and hoaxes?  What about hacking?  Unless you’re living underneath a rock, isn’t there a malicious hacking incident on an almost daily basis?

Evacuation/Sheltering

Anticipate that an incident could occur that causes a non-ordered impromptu/panic mass evacuation – consider how you will respond.  This is clearly the most dangerous of situations due to panic.

The 2014 Best Practices Guide references all kinds of potential reasons for an evacuation.  It mentions incident response for severe weather, power or utility failure, active shooters, aviation incidents, structural collapse, earthquakes, hazardous materials, suspicious packages, bombs, bomb threats and even acts of terrorism (nuclear, radiological, chemical and biological weapons).

It identifies a plethora of reasons explaining WHY an evacuation could take place.  But it never broaches the subject of HOW a legitimate evacuation order is delivered.  Shouldn’t fans be made aware of the fact that the initial order to evacuate would NEVER be delivered via cellular platforms?  You use the public address system, possibly accompanied by information displayed on the jumbotron.  This is Emergency Evac 101.  Surely this supplemental piece of knowledge is warranted.

I understand how the government and private industry function with regard to litigation and plausible deniability.  I fully comprehend the scrutiny and blame game that ensues in the aftermath of a tragedy.  However, the information I’m requesting is absurdly generic in nature.

I’ll confess… it’s difficult to plan for every contingency.  It’s another thing to know about a problem and deliberately ignore it.  I’ve sent plenty of emails to the NCS4 staff and had multiple conversations with their director Lou Marciani.  I feel they’ve been adequately briefed on the prospect of an artificially generated stampede.  Their only noticeable response has been to disable my ability to leave comments on their Facebook posts.  Perhaps mitigation is a viable strategy after all!  Either they believe my concerns are without merit OR they prefer to bury their heads in the sand and look the other way.  Why do I get the eerie feeling it’s the latter?

Now I’m going to try and play devil’s advocate.  There is this one oddly worded statement that addresses the unpredictability of the cyber-security issue.

In today’s world this has become a greater risk due to its potential for far reaching impacts based upon cyber systems controls over large segments of our environment.

I’m going to surmise that “far reaching impacts” could be a thinly veiled reference to action that might induce a human stampede.  “Cyber systems controls” sounds like it could imply widespread access to the internet and wireless communication platforms.  And “large segments of our environment” probably implies just about everyone and everything (human beings and machines).

The entire guide is plain spoken and relatively straightforward with the exception of that one cryptic statement.  Makes you think, doesn’t it?

In the appendix, over 100 individuals are listed as contributors to the 2014 Best Practices Guide.  You would think that just one of them would have insisted on a detailed explanation of exactly HOW you evacuate a venue.  Especially since the protocol is supposed to be uniform throughout all 50 states.  Then again, the NCS4 is part of the United States government.  I probably shouldn’t be getting my hopes up.