Suspicious Activity Reporting (SAR): Breach/Attempted Intrusion
- 1 page
- For Official Use Only
- August 3, 2012
(U//FOUO) Terrorists may attempt to breach secured perimeters or gain unauthorized access to facilities, sensitive locations, or restricted areas for preoperational activity or to conduct an attack. Timothy McVeigh breached a locked storage shed at a Kansas rock quarry with a battery-operated drill and stole explosives that were later used in the 1995 Oklahoma City bombing. Attempts at intrusion could take the form of trespassing, forced entry, or impersonation of authorized personnel and could possibly involve the assistance of knowledgeable ‘insiders.”
(U//FOUO) The following SAR incidents from the NSI shared space demonstrate the types of intrusive behaviors terrorists might exhibit during preoperational stages or actual attacks. While none were ultimately linked to terrorist activity, they are cited as relevant examples for awareness and training purposes:
— (U//FOUO) An intruder entered a fire station through a door secured with coded entry; it is unknown how the intruder gained access. Video surveillance captured images of the intruder talking on a cellular phone while receiving what appeared to be instructions. The intruder stole a fire “turnout” coat and pants, boots, helmet, and eye protection.
— (U//FOUO) A man dressed in black and wearing a headlamp was seen trying to use a tool to open a manhole cover late at night. The manhole covers in the area are typically used only by water, telephone, or sewer utilities personnel.
— (U//FOUO) The compound fence surrounding a dam powerhouse was cut twice during evening or overnight hours in a 30-day time period. The fence was cut from the bottom up and spread apart to allow a person to crawl through.
(U) Possible Indicators of Breach/Attempted Intrusion
(U//FOUO) The following can indicate suspicious breach/attempted intrusion activity, but context should be carefully considered in order to rule out legitimate, non suspicious activities. Depending on the context—time, location, personal behaviors, and other indicators—suspicious activities should be reported to appropriate authorities.
— (U//FOUO) Presence of unauthorized individuals or vehicles in a restricted area or location.
— (U//FOUO) Evidence of breached security perimeters, such as cut/damaged/removed locks or fencing.
— (U//FOUO) Indications that unauthorized individuals attempt to follow, or piggyback employees or vehicles secured control access points.
— (U//FOUO) Unauthorized individuals apparently trying to access secure or restricted areas and exhibiting suspicious behavior, such as entering during an unusual time of day, 0r obviously trying to avoid detection.
— (U//FOUO) Personnel who deviate from protocols or lack tho correct uniform or identification.
Related Material From the Archive:
- (U//FOUO) DHS-FBI Suspicious Activity Reporting Bulletin: Aviation Flyovers
- (U//FOUO) DHS-FBI Suspicious Activity Reporting Bulletin: Terrorists Eliciting Information
- Suspicious Activity Reporting Line Officer Training Video
- DHS Suspicious Activity Reporting Selection Standards
- (U//FOUO) Indiana Fusion Center: Suspicious Activity Involving Emergency Services and Hospitals
- (U//FOUO) New Jersey Suspicious Activity Reporting Brief
- DHS Retail Sector Suspicious Activity Reporting Video
- (U//FOUO) FBI VoIP Server Intrusions in North Carolina Banks and Businesses