"Military Style" Raid on California Power Station

I don't know what to think about this:

Around 1:00 AM on April 16, at least one individual (possibly two) entered two different manholes at the PG&E Metcalf power substation, southeast of San Jose, and cut fiber cables in the area around the substation. That knocked out some local 911 services, landline service to the substation, and cell phone service in the area, a senior U.S. intelligence official told Foreign Policy. The intruder(s) then fired more than 100 rounds from what two officials described as a high-powered rifle at several transformers in the facility. Ten transformers were damaged in one area of the facility, and three transformer banks -- or groups of transformers -- were hit in another, according to a PG&E spokesman.

The article worries that this might be a dry-run to some cyberwar-like attack, but that doesn't make sense. But it's just too complicated and weird to be a prank.

Anyone have any ideas?

Posted on January 2, 2014 at 6:40 AM • 136 Comments

Comments

JamesJanuary 2, 2014 6:58 AM

Agree with your indication of "dry run." My vote is they're testing the response to the situation. Too much effort to be vandalism, too weak to have intended serious outage. Then again, I've met some really, really, weird people in California ;-)

TRXJanuary 2, 2014 6:58 AM

If it was an episode of "Mission Impossible", it would have been a diversion to occupy police and emergency services while the IMF was busy somewhere else.

Danny MoulesJanuary 2, 2014 7:05 AM

"Agree with your indication of "dry run." My vote is they're testing the response to the situation. Too much effort to be vandalism, too weak to have intended serious outage. Then again, I've met some really, really, weird people in California ;-)"

Nope. The response will be different now that the capability has been exposed. They've have learnt nothing and shown their hand.

GruntledJanuary 2, 2014 7:08 AM

I second the "upset union members" theory. There was knowledge of what cables to cut, and where the underground equipment was. This indicates an insider likely was involved.

Whoever it was was smart enough to stand back from live transformers, and had the desire to make them un-repairable.

Ya, whoever did this REALLY didn't like the power comany.

TomJanuary 2, 2014 7:12 AM

"Whoever it was was smart enough to stand back from live transformers, and had the desire to make them un-repairable."

...but not clever enough to bring, say, a stick of dynamite.

Todd LyonsJanuary 2, 2014 7:17 AM

I consider this a case of: never attribute to malfeasance what could also be purely ignorance. My guess is that they were trying to steal copper, so they shot out the transformers to cut the power. When they cut the cables and realized it was fiber instead of copper, they bolted without actually taking anything.

Steven HalterJanuary 2, 2014 7:22 AM

Similar incidents have happened in the San Jose area before. Google "fiber optic cable cut san jose" and you will see incidents in April of 2009 and 2013. The 2013 knocked out a lot of internet connectivity.

JDJanuary 2, 2014 7:22 AM

Criminals doing a dry-run for a criminal enterprise. The fact it took out 911 could be coincidence or a clue.

Surely the real dangers are the attacks that don't come with a warning or dry run. In 911 style, they work first time.

CaseyJanuary 2, 2014 7:22 AM

To follow the diversion thought process, perhaps there was a crime that occurred in the area? Not to sound like a movie plot, but it sounds like something someone would do to make it easier to rob a building. If nobody can call 911 and a blackout causes confusion, then perhaps it gives criminals more time to perform another crime.

CWJanuary 2, 2014 7:29 AM

Another possibility would be a extortion. I guess some companies would quietly pay that attacker some thousands bucks for not having such incidents at their facilities.

George FrinkJanuary 2, 2014 7:32 AM

No, "upset union members" doesn't fit the few facts we have. It does fit the historic libel/slander of union members as bomb-throwing zealots, a slander created by business interests which in the earliest days of union organizing used the image of foreign-born, anarchist bomb-throwers to frighten workers. Now that false image is in various destructive ways part of our culture, obscuring more rational reactions. Like Bruce's.

Clive RobinsonJanuary 2, 2014 7:32 AM

    any ideas

How about "scrap metal"?

What's the cost of a hundred or so rounds of ammunition compared to the "scrap metal" value of the transformers?

It's interesting to note they cut communications fibers that in all likely hood reduced if not removed many "alarm dial out" systems.

In the UK we have had people steal cables for scrap metal value in one case I'm aware of (chatting to the BT crew doing repairs) the criminals went to a quite side road where a lot of coper phone cables ran, lifted two man hole covers, one half of the crooks tied a rope around the cables and to the back of a truck, then signaled the other half. Both then bolt cuttered their way very quickly through the cables and the truck drove off dragging a ton or so of copper out of the ground, which they then bundeled onto the truck and drove off. The same team of crooks are also being blamed for the theft of bronze artwork statues and plaques from a war memorial, and several thefts of other telephon cables and also high power cables from local railway tracks...

Years ago it used to be "lead of church roofs"...

The moral is 'if it's got value and you don't have an eye on it then in these dire financial times people will steal it'... and once they start they won't stop.

JasonJanuary 2, 2014 7:34 AM

Concur with those who don't see sophistication. No explosives and *way* too many shots fired to indicate anything other than anger, frustration, & stupidity. Disagree with speaker in article who says that, using such methods, a "few" actors could do a lot of damage. On the contrary, it would take a *lot* of actors -- an enormous conspiracy -- to shoot up (with .22's, no less) enough of our electrical grid in enough places to cause a major disruption.

If anything, the response to the incident is more telling than the incident itself.

The Desert GateJanuary 2, 2014 7:52 AM

Someone look at a map and see what other valuable targets there are in the area that no power/no emergency services would help take out. And stop speculating.

CallMeLateForSupperJanuary 2, 2014 8:05 AM

Lessee.... this incident occurred what?... 8-9 months ago, and the who and why are still unknown? What were NSA contractors "targeting" in the mean time? Apparently they didn't toss any actionable evidence over the wall to the FBI. Or, possibly, the FBI has trouble connecting dots. Nah, that couldn't be it.

bkd69January 2, 2014 8:09 AM

I'm sorry. How much of the reported damage is sourced from PG&E directly, and how much from the [senior U.S. intelligence official|liar]? It's hard to tell from the article.

More credible is the FBI's assertion that they have no indication that this has any terrorist indicators.

Given the scope of domestic surveillance, this strikes me as eminently credible.

MusashiJanuary 2, 2014 8:21 AM

I think they've been getting ideas from your "Movie-Plot Threat" thread...
It sounds like the beginning of a crappy Michael Bay movie...

ClyphJanuary 2, 2014 8:31 AM

Occam's Razor: the simplest explanation is probably the correct one.

Hanlon's Razor: never assume malice when stupidity will adequately explain the situation.

Applying both principles, the most likely explanation is a botched scrap metal theft. Shoot out the transformers to kill the power, then steal the now-dead cables... sounds like a simple plan, only they're too stupid to tell the difference between fiber data cables and copper power lines.

Brian M.January 2, 2014 8:36 AM

Simplest explanation: rednecks.

Juvenile delinquents too old to be legally juveniles, who got bored with WOW and COD, and decided to have themselves some fun. They crawled down a manhole, chopped some labeled cables, and then shot up a power station.

This wasn't about scrap metal, just boredom.

I ride the bus, and I hear similar things from various none-too-bright passengers. "They said he died from blunt-force trauma from that truck's bumper, so you know he gotta been testing out that engine's 10K red line." (The deceased in question was also driving a car with one of the front brakes disabled, due to previous misassembly of the parts.)

NobodySpecialJanuary 2, 2014 8:53 AM

Surely if it was a military-style raid they would have hit a Canadian power plant by accident and then blown up a wedding on the way home

Snarki, child of LokiJanuary 2, 2014 9:00 AM

I blame Bruce.

The annual "Movie Plot Contest" has gotten WAY too competitive!

ericaJanuary 2, 2014 9:02 AM

"scrap metal"

It seems likely that terrorists have successfully used dark propaganda to insert the meme into criminal gangs that it is profitable to destroy infrastructure to acquire scrap metal.

Part of this inception-style scheme must have been to influence the commodities' markets to raise the scrap value of metal.

This scary level of terrorist success is further proof that deterring them from boarding planes will inevitably lead them to evolve ground-level plans.

It may be by now that not only have the terrorists won, but we have no leverage left. Our only option is unconditional surrender.

Christopher January 2, 2014 9:05 AM

Wellinghoff massively underestimates the mitigation cost of his metal plating: There are thousands of substations that provide power to critical systems. The cost of plating them even with plastic would go into the billions--easily.

John JacobsJanuary 2, 2014 9:24 AM

Occurred ~5 miles from my house in south San Jose. Was cycling past the station that afternoon. Lots of police, road blocked off, etc.

I vote against burglary for copper. Why? Use of firearms. The San Jose PD has an abyssmal rate of crime solving in 2013 (http://www.mercurynews.com/pensions/ci_24737175/san-jose-crime-rate-surpasses-u-s-average-arrests-plummet), so there's almost no reason to bring a weapon. The substation is also about 1 mile from the local outdoor shooting/gun range. My vote is for a combination of boredom and run of the mill vandalism. "Hey, let's see what happens if we shoot this!"

EadwacerJanuary 2, 2014 9:30 AM

Concur with those who say rage against the system, by
1. disgruntled (ex) employee.
2. disgruntled homeowner, who just had his power cut off, or his front yard dug up
3. rabid environmentalist, angered by the Metcalf thermal power station across the street.
4. voice-inspired person, who's next step is to go drive the British out of France.

Too many shots to too little effect. One hears of transformer fires frequently. Shooter couldn't start a fire, or didn't think of it. How high powered the rifle was remains to be seen. Big enough to penetrate a transformer.

Google Earth shows Metcalf sub is a big sprawling affair, with a little-used country road running behind it. Other side is freeway. Guy drives up, opens a couple of unsecured manholes, cuts random cables. Jumps back in car, drives along the perimiter fence, blazing away at anything solid.

When I was living in CA, PG&E had problems with people shooting out transformers all the time. This was just a little bigger incident.

VickiJanuary 2, 2014 9:32 AM

Anti-government self-styled "militias" that think that if they can successfully attack a few government or other infrastructure buildings, everyone else who they assume agrees with them will spontaneously pick up weapons and overthrow the government?

So, yes, terrorists, but the kind with propaganda that makes them the loyal Americans, waving around a pre-Civil War or at least pre-federal income tax version of the constitution. The sort who manage to think of Barack Obama, Jerry Brown, the California Highway Patrol, and so on as agents of an occupying force.

If these are Timothy McVeigh wannabes, better they should destroy transformers than murder hundreds of people.

John MooreJanuary 2, 2014 9:51 AM

It sounds like a single crazy person or maybe two. What kind of terrorist shoots up a transformer rather than using some kind of small explosive? It sounds ridiculous.

SimonJanuary 2, 2014 9:53 AM

Christopher: "Wellinghoff massively underestimates the mitigation cost of his metal plating: There are thousands of substations that provide power to critical systems. The cost of plating them even with plastic would go into the billions--easily. "

And its easily defeated by a truck with a boom lift

MiramonJanuary 2, 2014 9:56 AM

Eco-terrorists? Union members? False flag operation? Criminal dry-run? Seriously? None of these are plausible considering the actions taken, the actual results, and the conceivable consequences. Eco-terrorism has come and long-since gone and was never really a thing in the first place. If a IBEW member wanted to do damage, they could do much more than that, and much more safely, and moreover, that's not the sort of thing that union members actually do. The mere words "false flag" usually indicate that the utterer should go back underground to the shelter to await the end times. And what kind of big-heist criminals call attention to themselves so clumsily? If it was a dry run, they wouldn't have done any damage.

So much easier to believe in a crazy person with tinnitus and a tinfoil hat trying to stop the sounds in his head.

Jesus ChomskyJanuary 2, 2014 9:57 AM

I'm thinking organized crime. Either a botched job, or a dry run for something BIG. I'm leaning more towards botched, because the perps have revealed their method. Presumably steps are being taken to close that gap.

Milo M.January 2, 2014 10:01 AM

http://www.midwestreliability.org/04_standards/sc/2013/Agenda/MRO_BOD_CIP_UPDATE_20130627.pdf

"Metcalf Substation Incident
500kv/230kv substation located south of San Jose
Unknown perpetrators shot at transformers and breakers
116 impact points on 22 pieces of equipment
Lost 52,000 gallons of transformer oil
10 of 11 transformers were struck
Unusually well informed attackers
- Two fiber lines cut before the attack
- Telcom vaults were resealed, garbage spread to draw attention away
- Left the scene minutes before law enforce arrived
- Targeted only the ‘hot’ transformers (one was down for maintenance)
- Nearby Generating station was on outage"


http://www.rtoinsider.com/pjm-grid2020-1113-03/

"Mark Johnson, formerly vice president of transmission operations for PG&E, said the gunmen targeted transformer radiators, firing an estimated 150 rounds. The gunmen hit 10 of 11 banks, causing a 'slow bleed' resulting in the loss of 52,000 gallons of cooling oil.

The shooting occurred minutes after the suspects are believed to have cut underground fiber optic cables a half mile from the substation, briefly knocking out phone and 911 service in the area."

"It took nearly a month to replace the radiators and return the substation to normal operations."

"Federal Energy Regulatory Commission Chairman Jon Wellinghoff . . . told Bloomberg News that he feared saboteurs with guns could target transformers. Transformers are often custom built and can take 18 to 36 months to replace, Wellinghoff said."

IrveJanuary 2, 2014 10:03 AM

Perhaps they wanted to kill both fiber and power, but the power didn't affect the area they needed, thus the plan didn't go further?

maxJanuary 2, 2014 10:11 AM

I don't think the lack of explosives says anything about sophistication; explosives are generally a lot more traceable than ammunition (or at least, tracked more). I guess a rifle also works without messing with the fence.

@Jason: The 0.22 in the article seems to be the security guy talking about means of damage, the rest of the article talks about high powered rifles.

Bob TJanuary 2, 2014 10:18 AM

@Miramon

Eco-terrorists? Union members? False flag operation? Criminal dry-run? Seriously? None of these are plausible...

Ah, so the only thing plausible is an individual nut or two with a tinfoil hat. Seriously? Eco-"terrorists" have certainly been active in the past decade on the west coast. The FBI defines their actions as terrorism. They are usually non lethal, property destructive types of events. Here's just one from less than 5 years ago.
http://www.cnn.com/2009/CRIME/09/04/washington.towers.terrorism/index.html


RSaundersJanuary 2, 2014 10:23 AM

While I'm OK with the suggestions, particularly copper thieves, I take offense to the headline. What was at all "military-style" about this attack?

In the Middle East and Congo we have seen numerous attacks on power stations by military and para-military groups. In none of them do I read about a pair of gunmen firing randomly through the fence at transformers.

A military attack on a power station would involve covertly slipping past the fence to place timed or remote-controlled demolition charges on key transformers. After returning to a rally point the charges would be detonated and the power station disabled.

Perhaps it's the "military style" firearms used, though when we're talking styling we're probably not talking about real military utility. Military assault weapons are used to shoot people, not machinery. Perhaps if we were talking about some sort of 50 cal we could be thinking anti-machine. If a military unit were firing into a power station to disable it I think a Javelin anti-tank round or 120mm mortar would be the weapon of choice. You would have at least a squad-sized unit, but assault weapons would be purely for self-defense against the power plant's security force.

Perhaps we just have an FBI that thinks it will get better press investigating a military attack rather than a random rustler roundup. Maybe in California they think the military only has rifles at its disposal, or maybe it's all about banning assault weapons.

Frankly an assault weapons protest in California is shockingly plausible, people could have been hurt.

NesetalisJanuary 2, 2014 10:24 AM

I wonder if they were trying to drum up fear of an assault on utilities. It has been quiet the last few months, nothing fresh to bitch about or fear... :P

False DataJanuary 2, 2014 10:53 AM

It seems to me that, if someone were trying to steal the copper, using a rifle would be an awfully noisy way to do it, and if they really insisted on shooting they'd shoot the surveillance camera rather than the transformers. It's hard to tell from the surveillance footage, but it looks like they stayed out of camera range while firing the shots and didn't approach the transformers.

At first blush, this looks like an amateur terrorist attempt. Someone's watched enough TV to think of trying to cut cables to knock out alarm calls. They knew transformers contain cooling oil, a fact available in the Wikipedia article. They figured by shooting the transformers, which they could do from outside the fence, the oil would leak, driving up operating temperatures and shutting down power for the area the substation serves.

But they didn't count on redundancy in the grid. Had they attacked at midday in August, rather than late at night in April, the effects might have been more widespread.

timJanuary 2, 2014 10:58 AM

What I found interesting is that taking down power and communications is much harder than one originally thought. Its also obvious that the story is being over sensationalized. But its FP so that isn't a surprise.


@Baby New Year and @gruntled

Upset union members.

Where were YOU two that night? That theory that you are the ones behind this is just as plausible as your immature dig at union members.

MikeAJanuary 2, 2014 11:01 AM

At the time of the earlier telcom fiber cuts in that area, the "smart money" among those I know in the industry was that it was "false flag" operation intended to discredit union members in negotiations. In this case, at the risk of being labeled a conspiracy theorist, I'd like to point out that PG&E are under fire for deferring maintenance and pocketing the money allocated for it, and as a regulated utility they get to recoup legitimate costs of doing business from rate-payers.

Again, I'm far from convinced of this, but hypothetically, if I had some shoddily maintained equipment, and needed a cap-ex boost, a "terrorist attack" on that plant could look like mana from heaven. And think of the benefit of padding the bill for repair.

OTOH, "rednecks playing IMF" is also pretty plausible. As is "drumming up support for more security theater".

ERJanuary 2, 2014 11:01 AM

dry run or false flag of dry run; I'd ask AQ myself (yes, it's that easy to do) but apparently just talking, even if not aiding and abetting can be used against a person these days on a whim

KenJanuary 2, 2014 11:07 AM

The readily available tools & ease with which it was done, and the absence of some more complex things, suggest someone that knew enough to do what they did, did it. "Rednecks" as noted earlier fits. As does winning a bet...as does "because it was there".....

Probably not a "dry run" for anything.

Maybe the outage was a means to some other end and not the end itself?????

So many people & businesses take for granted their security systems will have uninterrupted power and don't include suitable backup power systems.

What comes to mind includes:
- an identified drug trafficker's storage facility where stored cash proceeds became accessible when the security systems went down
- some intellectual property became accessible while the power was out (industrial espionage)
- etc....

Basically -- who/what is at risk in the area the power was out, and, of those who is least likely to report a compromise arising from a theft made possible by the power outage?

Also, if intellectual property was the target, an insider in many locations would have been enabled to use battery-powered back-up devices to access some storage media and steal data completely undetected. The actual target victim might now know they're a victim.

MichaelJanuary 2, 2014 11:08 AM

Best comment so far:

"Surely if it was a military-style raid they would have hit a Canadian power plant by accident and then blown up a wedding on the way home."

Garrett KajmowiczJanuary 2, 2014 11:09 AM

FWIW, I work in a commercial office park. We've had power to our building cut because people broke into the local substation and cut out the grounding cables as a part of copper theft. No shots fired, but people are raiding power substations for cabling.

As for the cost of ammo (for those not involved with firearms): Here in PA I would expect that 100 rounds of .22LR ammo, purchased in bulk, would cost less than $5.

h4xJanuary 2, 2014 11:29 AM

I would assume robbery. Knock out power/911/cells and go ram a truck through a door of a shop or bank. Maybe the alarm system runs on data/3G

WaelJanuary 2, 2014 11:32 AM

My guess is follow the money trail. Perhaps some workers about to lose their jobs at the Transformer manufacturing facility needed to bring in some new buisness... As Milo M relayed:

Federal Energy Regulatory Commission Chairman Jon Wellinghoff . . . told Bloomberg News that he feared saboteurs with guns could target transformers. Transformers are often custom built and can take 18 to 36 months to replace, Wellinghoff said."
Then they get a chance to work for an extra year and a half to three years...

h4xJanuary 2, 2014 11:33 AM

If no robbery reported they might have been after an illegal op to jack like a meth lab or grow. Maybe the lab watchmen use cells to call for reinforcements if robbed. Cartel can pay off a telco employee to teach one of their crew members which lines to cut

Eugene BogoradJanuary 2, 2014 11:35 AM

In his first (and best) book Suvorov describes typical training exercise used by Soviet KGB and SVR (military intelligence): SVR cadettes had to recruit some important Russian, KGB had to catch them doing it. Nothing was off the table - intimidation, physical force, etc.

http://amzn.com/042509474X

So this could well be some training exercise.

Dry RunJanuary 2, 2014 11:44 AM

I think it was a dry run for something bigger. I also am a utility industry security person who's had access to some non-public information on the incident. I will not reveal that information, but will rely on the public information.

Cutting the cables may have been an attempt to knock out the SCADA for the substation which would alert on transformer overheating. This would increase the liklihood that the transformer would be permanently damaged and have to be replaced.

150 shots were fired in about a minute, which indicates some sort of automatic weapon. That is why they used the term "military" attack. Also, the shots were fired at night under poor lighting conditions. It is likely that they used infrared goggles to see the hot transformer radiators. This could be why they didn't shoot the one that was off.

This substation, and many more around the country, are systempunkts (http://globalguerrillas.typepad.com/globalguerrillas/2004/12/the_systempunkt.html) in that taking out a few of them in a region can seriously disrupt the power distribution for that region. Imagine this attack in an August heatwave with a few bands of attackers hitting one or two large substations each around a major metro area. The power grid is a redundant mesh, but cannot survive the loss of too many critical nodes.

I think the use of the term "cyberwar" in this case might be legitimate, but that it is being used to mean something very different than what we generally mean by the term. This did not involve malware or information based attacks. It was nothing like Stuxnet and it was orders of magnitude cheaper to execute. A sustained power outage and communications failure does have a significant cyber impact.

RobertMJanuary 2, 2014 12:17 PM

Disagree with dry run theory. Profile fits angry person, either ex-employee of power company or of some company affected by the outage. Possible tin-foil hatter/right-wing nutjob.

Brian M.January 2, 2014 12:24 PM

@Garrett Kajmowicz:
As for the cost of ammo (for those not involved with firearms): Here in PA I would expect that 100 rounds of .22LR ammo, purchased in bulk, would cost less than $5.

As the article noted, the weapons were "high-powered rifle[s]." Based on personal experience with firearms and trash, a .22LR won't penetrate thicker sheet metal. I'm guessing they used a semi-automatic rifle, like AR-15 or AK-style, and cheap ball ammo.

@Milo M:
Good work! Thanks for the links.

AnuraJanuary 2, 2014 12:47 PM

When U.S. officials warn about "attacks" on electric power facilities these days, the first thing that comes to mind is probably a computer hacker trying to shut the lights off in a city with malware.

/me shakes head

No, just no.

It could be a lot of things, protection racket, (attempt at) knocking out power/alarms for heist (possibly of something that no one would call the police about losing), environmental terrorists, security contractor attempting to beef up business. It doesn't sound like they tried to steal anything at the plant.

The rehearsal theory doesn't sound very plausible to me; it doesn't take much to knock out power, and you don't have to be in a power plant to do it. If you want to do damage, targeting switching stations would be much easier to pull off, and probably more effective since power stations are highly redundant. Power stations aren't going to be much of a target for middle east terrorists, especially not in California. If terrorists were going to target California, they would be much more effective, both in terms of economic damage and death toll, blowing up major sections of freeways during rush hour with car bombs - hit the right places (e.g. where major freeways pass over major freeways), and you can screw up traffic for months.

Matt HJanuary 2, 2014 12:55 PM

1) Dumb-ass boredom/vandal
2) Copper theft oops
..
..
..
..
..
..
..
13) Electricity trader sponsor

An electricity trader would have made a profit, and thus have been successful, but it seems an unlikely scenario.

Stanislav DatskovskiyJanuary 2, 2014 1:04 PM

Follow the money.

Someone will make off like a bandit. No, not copper thieves - the folks selling alarms, security hardware, armoured fences (and perhaps armoured transformers, etc.)

RustProtectionJanuary 2, 2014 1:05 PM

@Dry Run - No full automatic rifles required. A low recoil common civilian semi-auto rifle like an AR-15, can be shot 5 times/second at a large target. At that rate you'd need 30 seconds for the shooting of 150 rounds, and you'd have an easy 30 seconds for four 30 round magazine changes. Two or more shooters would make it even easier.

KevinJanuary 2, 2014 2:04 PM

Let's look at the candidates and the arguments for and against:

1. Disgruntled unions:

Con: Unions want to exert pressure on businesses to negotiate favorable terms. Major criminal acts like this don't make much sense, if the crime is ever traced to the union the union is in for major criminal legal headaches. Union work actions involve work stoppages slowdowns, strikes, and perhaps minor acts of sabotage to prevent scab workers from being effective, like letting the air out of fleet vehicles tires. Things that aren't really worth a criminal investigator's time and effort. Vandalism involving gunfire is definitely going to be investigated and pursued, and even if the crime is likely to be unsolved, the consequences are just too large.

2. For-profit criminals looking to measure responses and effectiveness at cutting power and communications as an adjunct to committing a larger crime.

Con: The most successful crimes are ones that are undetected, at least for a time. Committing such a high-profile act, sure to get significant law enforcement attention, isn't really a good strategy; unless of course the crime this act was supposed to facilitate, either through disruption or misdirection may have already occurred. Criminal enterprises rarely show this level of sophistication as well, although it has occurred from time to time.

3. Ideological, cause-oriented extremist groups. I'm thinking very radical environmental or anti-business groups. This act has the feel of similar acts of vandalism against agribusiness and other environment-oriented businesses like logging, animal research, etc. Perhaps a yet-unpublicized climate change group.

Con: These acts are usually attributed by the group after the fact, such as an anonymous message to a news outlet taking credit for the act and promising more until the change the group wishes is carried out. The purpose in the minds of such actors is to gain recognition for their cause, and remaining silent after the act doesn't serve that purpose.

4. State-sponsored acts by a hostile power, including possible a "cyber" element.

Cons: This seems the most farfetched and unlikely scenario for a host of reasons. For one, tracing such an overt act back to a state or quasi governmental sponsor would result in some kind of retaliation from a nation known for international retaliation in the last decade. This also isn't very "cyber" at all, with destruction of equipment using gunfire. If the purpose of the act was to disable power and technology, it seems like far to blunt and crude an instrument for that purpose.

5. Unknown actors for unknown reasons. Truth is often stranger than fiction, and it's quite possible we won't touch on the correct people and motivations unless they are apprehended.

Given the nature of the act, I think #3 is the most plausible, but it's all highly speculative without more supporting evidence. I do think we can make a strong logical case against unions #1 or "cybercriminals" state sponsored or otherwise per #4, and a less strong but still reasonable logical case against garden variety for-profit criminals in #2.

Counterfeit CrimeJanuary 2, 2014 2:18 PM

Logically, at some point the coverage of the surveillance state will reach a point where if there is any crime at all, it will be crime that is allowed to happen. Or crime events staged by the police to cover the fact that they know everything.

3ik4fbhJanuary 2, 2014 2:40 PM

They don't know our names = success


It's a nuclear facility that powers tens of millions of infrastructures.. It could of been a "dry run" or a success. Who's to say it wasn't a strategic diversion or stage for something else? Either way they attacked a vital part of US infrastructure, and the "experts" don't even know what they were wearing..

Now.. Use millions or billions to "fix it" and just do more internal loans to cover the economic deficiencies like the US typically does.

I'm willing to bet they won't even make progress from bullet forensics. The rifling alone would lead to the culprits in the hands of a competent agency..

AnuraJanuary 2, 2014 2:44 PM

I'm willing to bet they won't even make progress from bullet forensics. The rifling alone would lead to the culprits in the hands of a competent agency..

The video alone can catch them, the investgators just need to hit the "Enhance" and "make 3D" buttons to extrapolate their facial features from the shadows cast on the ground. Then all you need to do is collect semen samples and get a DNA match.

pfoggJanuary 2, 2014 2:50 PM

Based on the points listed in Milo M's post, it sounds like there was planning and preparation, but it failed. They either got half-way to a power outage, or 3/4 to something else, and then quit. Lots of benefits to cutting power and emergency service if you intend something else (even if it's just stealing copper), but if the first step failed, we can't possibly guess the second (unlike thriller-mystery stories where this is discovered or revealed in Act 2 or 3).

I would tend to discount vandalism based on not having announced 'investigating persons of interest': this wasn't casual, opportunistic teen vandalism, so people with technical experience and knowledge of the power station (former insiders?) would have to have sufficient motivation, and there can't be that many of those.

The dry-run argument sounds weak, since it was a sufficiently prominent target to attract attention and warn any real targets.

DanielJanuary 2, 2014 2:59 PM

Todd Lyons.

+1. I agree. i do not know anything about this incident but I do know a little about how copper thieves work and more importantly think. Your explanation fits hand to glove.

VinnyGJanuary 2, 2014 3:40 PM

@RustProtection - mostly agree. I do think you are a bit high re accurate sustained semi-auto fire, but 60 rpm is not at all unrealistic. Given two or three somewhat skilled riflemen using semi-automatic rifles with reasonable magazine capacity, the reported shots over time could be easily accomplished (including mag swap time, as you mentioned). And of course the accuracy of the report should be questioned as well - if I heard unexpected rapid rifle fire nearby, my priority would be cover, not counting...

FigureitoutJanuary 2, 2014 3:54 PM

Stanislav Datskovskiy
--Well, AT&T gave out a $250,000 reward for info on the perps...

Bruce
Anyone have any ideas?
--Lol, a million things...An easy place for copper theft is new construction areas, they leave the big storm drains out wide open. Also see a lot of them have cuts that could either be from cars hitting or quick snip and go's.

Cartels likely
Lone nut likely
False flag likely

3ik4fbhJanuary 2, 2014 4:04 PM

@Anura: I'm guessing you don't know every tier of law enforcement in the US have almost unregulated access to firearms manufacturing databases with unique rifling geometry per model.. It takes a matter of minutes to track firearm sales and ownership with this data when correlated to other databases accessible at the same level at the same workstations..

Those databases have existed for over a quarter of a century anbd predate personal computers..

Nice humor derived from illiteracy though.. Maybe have a clue before you try to give a clue?

anonymousJanuary 2, 2014 4:05 PM

CallMeLateForSupper: Lessee.... this incident occurred what?... 8-9 months ago, and the who and why are still unknown? What were NSA contractors "targeting" in the mean time?

They were busy preventing a terrorist attack in Boston that was planned for April 15, 2013.

Oh, wait...

3ik4fbhJanuary 2, 2014 4:10 PM

@Anura: By the way it's called symmetry matching, the witch magic you described, and actually works sometimes where enough geometry and video quality are in place. It uses very basic geometry and statistics.

It's most often used on partial license plates with higher success rates.

Vulf BlitzerJanuary 2, 2014 4:16 PM

If there are a lot of these around I'm going with dry run for a future prison break or major heist by somebody with enough money to bribe employees (cartels). Doesn't matter if they've shown their hand in would take years to upgrade every similar mesh station

AnuraJanuary 2, 2014 4:30 PM

@3ik4fbh

Find me one case where someone was caught solely from a recovered bullet. I'm not talking about using recovered bullets as part of a case, I mean locating a suspect entirely based on recovered bullets.

Yes, forensic ballistics exists, but aftermarket barrels are common (especially with AR-15s), upper receivers on AR-15s (contianing the barrel, bolt, extractor, anything that would leave evidence) are unregulated - in fact, all parts for sale except for the lower receiver are unregulated, makers use third party machining equipment for barrels which may be identical for two manufacturers, makers reuse the same barrels across different models, records of rifle transactions are limited as electronic records of sales for rifles get stored in the store, not a third party database unless the ATF copies the records (which is not anywhere near real-time), many states allow private party transfers without background checks or records of sale.

AnuraJanuary 2, 2014 4:31 PM

Not to mention you are talking about high velocity rifle bullets made of soft metals fired at hard targets.

EvanJanuary 2, 2014 4:39 PM

Some kind of right-wing anti-government militia is my guess. They would have the guns but most likely not demolition-quality explosives, and could conceivably be stupid enough to think that a practice run against a live target like in the movies is actually a good way to gather intelligence on emergency response procedures.

bcsJanuary 2, 2014 4:51 PM

Step 6 from "how to scare lots of people and feed more of your enemie's GDP into useless DHS budget without actually killing anyone."

Kevin LydaJanuary 2, 2014 5:30 PM

I'm amazed how rarely right-wing militias are coming up in this thread. Their activity has been rising for 5+ years and gun/ammo sales have also sharply risen during that period.

Attacks on police in CA in 2011: http://www.splcenter.org/blog/2011/01/25/hemet-attacks/

The section of the manual mentioned in that article that discusses sabotage of power stations: http://cdn.preterhuman.net/texts/wars_and_weapons/other/Sabotage/25_Sabotage.htm

The argument that it's union members or eco-terrorists is just ridiculous. But the determined ignorance of an actual, demonstrable threat on a site that should have rather level-headed people on it is incredibly disturbing.

Bob BlakleyJanuary 2, 2014 5:39 PM

I had a few thoughts when I read the article.

First, I thought that it might be an attempt to steal copper, preceded by an attempt to disable transformers to de-energize the cables. If so, someone didn't do much homework on the facility and will have been disappointed to have found fiber instead of metal. This doesn't make a huge amount of sense, but there's no minimum IQ to be a suspect.

Second, I thought that someone might have a financial interest in collecting insurance from or repairing the damage (Devil's night in Detroit seems to have been largely an insurance racket when I was living nearby). But I can't work out who the interested parties might be; surely no small operator would benefit from this sort of thing?

Third, I wondered if it might be a diversion of attention from something else. But this seems to me to be both a movie-plot threat and an underwear gnomes scenario: step 1: cut power & phones, step 2: ??, step 3: profit!

Finally, I think we have to proceed from an understanding that someone who would fire a "high-powered rifle" at a large metal object indoors cannot be that bright. Maybe check the local hospital admission records for someone with a wound from a ricocheting rifle bullet that night to find the suspect?

CuriousJanuary 2, 2014 5:54 PM

I suppose this might have been one individual sympathetic with authorities in general, with an idea of provoking authorities to act on adding security in general, or maybe someone wanting to create a sprawling market for a future need of security solutions, like armed guards or security systems. They would only need to get away with it once.

bitmonkiJanuary 2, 2014 7:09 PM

@Milo M.: Thanks for the super helpful links -- probably would have written this off as frustrated copper thieves otherwise.

I find the most curious bit to be that they apparently tried to cover their tracks after cutting the cables by "resealing" the telcom vault doors and then strewing trash over the (I'm guessing) replaced manhole covers.

If thieves, perhaps they then drove on, saw the powerstation and decided to blaze away to vent their frustration.

If saboteur(s) perhaps the true target was the cables, and they wanted to delay examination of them by creating the leaking transformer situation.

After reading the information at @Milo M's links, my first reaction was "Wow! Well informed bad guys!"

But now I'm not so sure.

Google Maps has pretty good photos of the substation and surrounding area -- there isn't much in the way of housing or business near enough to pose much threat to casual poking around at night, especially if one stays away from the fenceline where the security cameras are pointed (to stop fence hoppers apparently).

So there isn't much preventing teenagers, copper thieves, etc. from seeing and prying up manhole covers, because 'Why not? We're bored/could make money.'

I was also concerned about apparent targetting of only the live transformers (10 out of 11 toal), but @Dryrun's comment about infrared goggles changed my mind, although I think infrared scope would be more likely.

As for rate-of-fire of AR-15, whoever thinks they can aim and pull the trigger 5 times per second probably hasn't tried it.

When I was using the M-16 (what every AR-15 aspires to be ;), it had settings for full automatic, burst and semi-automatic. Burst mode was three round bursts per trigger pull -- pretty useful when targets are plentiful and getting closer. I've never used an AR-15, so don't know if it has burst mode, but I think it would be a fairly trivial customization for a competent gunsmith.

But assuming a somewhat unrealistic one burst per second one's effective rate of fire would still be something well less than 180 rounds/minute, assuming one is actually trying to hit different targets in that time frame -- the muzzle wants to climb each time a round is fired, so one must correct for that, etc.

22 targets were hit in that time frame, so without further information concerning spacing, relative size, etc. of the targets I'd be inclined to think two shooters.

Plus M-16/AR-15 *are* essentially .22 cal (every so slightly smaller, IIRC). Its just that they are very, VERY motivated .22 rounds -- LOTS of powerful powder pushing them out. We were expected to consistently hit man-sized targets at 500 yards with them. And did. :)

Overall, I still favor frustrated copper thieves, but consider the saboteur explanation a pretty strong second.

JEPJanuary 2, 2014 7:11 PM

This was the second time that fiber optic lines in that immediate area were cut in the last couple years. Both times, the south county cities of Morgan Hill and Gilroy, as well as chunks of Santa Cruz and Monterey Counties, had significant communications problems. *They* don't like us down here.

robJanuary 2, 2014 7:56 PM

Some weirdness about those incidents.

"The underground cables, protected by manhole covers, were cut shortly before 1:30 a.m. in two locations along Monterey Highway"
and
"around 1:45 a.m., the sheriff’s office and San Jose police received reports of gunfire in the area of Monterey Highway and Blanchard Road"
and
"the substation, which is located near both a public gun range and the sheriff’s shooting range."


1) Sounds like there were cables cut that were beneath separate manholes. How long does it take to open a manhole and access the cables?
2) is the 1:30am time based on an outage time, were the cables cut multiple times or where there multiple sets of cables cut?
3) what time does the surveillance footage show?
4) if it was one person or group, could they have cut both the cables and shoot up the station? was there enough time?
5) if the cables were cut by one party and the shooting was done by another, could it have been a coincidence? 6) since it was early on april-16th, maybe it just disgruntled tax-payers?
7) would a sheriff or deputy have anythiong to gain by shooting up a sub-station?

CJJanuary 2, 2014 8:04 PM

Subjects knew the location of the fiber cable bundles best to cut. Then they shot at the transformers? From insider knowledge to meat-axe.

Then, there's no mention of the wireless systems that are supposed to kick in when landline goes down in this way.

Does this feel Red-team-like to anyone else?

65535January 2, 2014 8:30 PM

This FP article refers to an event in mid-April of 2013 and the timing related to the death of Aaron Swartz and the LulzSec convictions. I don’t know what to make of it.

[CBS]

'SABOTAGE: Cables Cut, Shots Fired At San Jose, Ca. Power Station'
Wednesday, April 17, 2013 9:57

"Excerpted from CBSnews -SAN JOSE – In apparent acts of “sabotage” in the South Bay early Tuesday, someone cut fiber optic cables, knocking out some 911 service, and then fired a rifle at a PG&E substation, Santa Clara County’s sheriff said. The vandal’s objective appears to have been “shutting down the system,” Sheriff Laurie Smith said at a news conference at the substation Tuesday afternoon."

http://beforeitsnews.com/opinion-conservative/2013/04/sabotage-cables-cut-shots-fired-at-san-jose-ca-power-station-2621642.html

The time frame was after Aaron Swartz was found dead. Also, the LulzSec members, “Topiary, Kayla, Tflow, and Cleary pled guilty in April 2013 and were scheduled be sentenced in May 2013…” -Wikipedia

https://en.wikipedia.org/wiki/Anonymous_(group)#LulzSec

It could have been some sort of reaction to those events.

BryanJanuary 2, 2014 8:48 PM

It isn't hard to keep a high powered rifle under control for multiple shots. It's a matter of training, and how it is held. It's also much easier if the barrel is fitted with a gas deflector. With a gas deflector sized for the round used, muzzle climb can be eliminated.

“”The rifling alone would lead to the culprits in the hands of a competent agency..””

Ever seen what happens to the marks on the side of a bullet as it passes through a sheet of metal? Yeah, they get all messed up. Likely no usable ballistics left to look at.

Bruce ClementJanuary 2, 2014 9:24 PM

Nobody has suggested the obvious yet.

After one of their infamous 36 hour drinking sessions, Bruce Schneier and Chuck Norris decided to see if the transformers really would blow up the way they do in the movies ...

Happy New Year everyone

benEzraJanuary 2, 2014 10:44 PM

@3ik4fbh,

"I'm guessing you don't know every tier of law enforcement in the US have almost unregulated access to firearms manufacturing databases with unique rifling geometry per model.. It takes a matter of minutes to track firearm sales and ownership with this data"

Barrel markings on a bullet are like tire tracks, not fingerprints. Given an intact bullet (not impossible, though not certain), one can usually tell the caliber, usually infer the chambering (e.g. .22LR vs. .223 vs. .22 Hornet vs. .22-250 if it's a .22 caliber bullet), and over short time scales you can match the individual gun that fired it from a small sample of suspect guns. What you can't do is match bullet X to an individual gun that has been shot a lot since the ballistic sample was taken, or pick a gun out of a sample size of thousands or millions. Just as tire tracks can tell you that "a sports car, possibly a late-model Corvette or CTS, shod with fairly new Michelin Pilot Sport tires, was here", and if you have a couple dozen suspects, you can tell that those tracks probably came from the Goodyears on Suspect 7's 2012 CTS-V, but you cannot examine tire tracks and pick a car out of all Vettes and CTS's in a region.

I don't know what these "military style" rifles were (and the term is so broad as to encompass most firearms, from a Brown Bess to a Remington 700), but assuming the reporter means "chambered in a military caliber", they could be anything from smallish .223/5.56x45mm or 7.62x39mm, to more powerful rounds like like .308 Winchester/7.62x51mm NATO, .30-06 Springfield, .300 Winchester Magnum, or .50 BMG. Thing is, the first four in that list are four of the most common civilian rifle calibers in the USA, so caliber/make/model doesn't really tell you much if it was one of those.

Nor do I know what caliber rifle was used, but .223/5.56mm (as kicked around upthread) would seem an odd choice if the culprits wanted to actually break things, since it is the least powerful of common centerfire calibers.

@Dry Run,

"150 shots were fired in about a minute, which indicates some sort of automatic weapon. That is why they used the term "military" attack. Also, the shots were fired at night under poor lighting conditions. It is likely that they used infrared goggles to see the hot transformer radiators. This could be why they didn't shoot the one that was off."

As has been mentioned upthread, 150 shots in a minute or two, from two people, is ~1 round per second or so, entirely do-able with a small-caliber non-automatic rifle. If it was actually two minutes, that's more like a shot every two seconds, which is rather slow and deliberate.

And unless it was pitch dark, transformers are not exactly hard to see even without flashlights. We probably can't infer sophisticated equipment without further info.

@bitmonki,

"I've never used an AR-15, so don't know if it has burst mode, but I think it would be a fairly trivial customization for a competent gunsmith."

All post-1986 civilian AR-15's are designed to be as difficult to convert to auto or burst as any other civilian self-loading rifle; they use civilian-only lower receivers and are designed so that burst or auto fire-control parts won't fit.

scottJanuary 2, 2014 11:17 PM

Bruce, others have noted "upset union members," and in fact at the time of the attack it was surmised that there was a connection with some tense union negotiations that were coming to a head with Pacific Gas & Electric. A similar attack had occurred a few years before in the same stage of similar negotiations.

Occam's razor applies here, I think. No looming cyber-attackers, no Hamburglar either.

anonymousJanuary 3, 2014 1:42 AM

The Boston Bombing was (Source Wikipedia), Apr 15 at 2:49 pm EDT = 11:49 am PDT; the attack on the power plant was Apr 16 at 01:00 am (PDT, I assume), 13 hours later. I presume it is most likely that some more or less self-proclaimed terrorist(s) heard the news about the Boston Bombing and decided to cause more "mayhem" by causing a power outage (using an already existing plan), which failed, which is also likely the reason the one(s) who did it were not caught, yet. Don't see any political or big business angle, because for such actors it would presumably be forseeable how little damage it would cause and how little media attention it would get at that time, but maybe I am missing something - ever seen the movie Chinatown?... ;)

KevinMJanuary 3, 2014 3:17 AM

@anura.
!7.62 x 39! I'd think even the old Russian steel core ammo would have difficulty punching thru a substation transformer shell, unless they have a known "weak spot".

Those things have to be made of at least 8-10 ga steel just to support their weight. I was really thinking 3/8" or 1/2" plate.

MassaJanuary 3, 2014 5:00 AM

I subscribe to the "scrap metal" theory. Especially if the un-repairable transformers end up in the "scrap metal heap", and contingent on their mode of disposal...

benEzraJanuary 3, 2014 7:31 AM

@Anura,

"According to this it was 7.62x39 rounds:

http://www.texasre.org/Lists/Calendar/Attachments/605/Item%204d%20-%20NERC%20CIPC%20Report%20to%20TRE%20MRC%20-%202013Jun14.pdf"

Thanks for the link; that sheds some light, particularly the detailed knowledge of the installation that it demonstrates. Interesting choice of a relatively low-powered round, fired low on the radiators to maximize coolant loss from the holes, and the fact that only energized transformers were targeted (because coolant loss doesn't hurt a turned-off transformer); someone unfamiliar with power systems would have been more likely to fire center-mass at all of them, and the knowledge of the communications lines that were cut may also suggest inside knowledge.

Based on that article, I suspect the "vandalism by disgruntled current/former employee" angle is more likely than the "terrah" angle, whether domestic or otherwise.

EnergyJanuary 3, 2014 8:24 AM

This appears to have been of a scale and type to primarily test impact and affect and secondarily through post-even published material, response.

Just how to approach such a thing, IMO. And perhaps why FBI and Foriegn policy entities are interested in heating this up again.

And for those not in the Energy industry, there is sharp DoE and HLS focus on Cyber vs. Physical security methods, scope and approach...investment vs. efficacy.

Knott WhittingleyJanuary 3, 2014 8:58 AM

Dumbasses groomed and lured into it by bored NSA analysts trying to win an office pool about when such an attack would take place.

BryanJanuary 3, 2014 9:58 AM

""!7.62 x 39! I'd think even the old Russian steel core ammo would have difficulty punching thru a substation transformer shell, unless they have a known "weak spot".

Those things have to be made of at least 8-10 ga steel just to support their weight. I was really thinking 3/8" or 1/2" plate.""

Actually, they may have an internal framework to support the transformer at the bottom, and the contacts at the top. The shell only needs to contain the oil.

The cooling fins don't have to support the weight. They can be of a thinner metal. In fact thin aluminum or copper would be best for heat transfer. Steel has a much lower heat transfer rate. Enough so that making the fins out of copper or aluminum may be worth it.

who-knows-whoJanuary 3, 2014 12:04 PM

> lighthouses... unmanned... powered by small nuclear reactors

Not quite... radioisotope thermoelectric generators are not the same as nuclear reactors. Heat from radioactive decay a mass of radioactive material is converted directly to electricity, generally a thermocouple at 3-7% efficiency. Generally, mention of a nuclear reactor implies fission or fusion (maybe more commonly someday), not merely radioactive decay, a much simpler to manage process.

RTGs power space probes for example. Solar is simpler, less dangerous, and cheaper for most earthly applications. And many of those lighthouses are being converted to solar:
http://barentsobserver.com/en/arctic/2013/08/two-nuclear-generators-missing-arctic-26-08

Seems two of the lighthouse RTGs have been lost, apparently to the ocean rather than theives.

Peter A.January 3, 2014 12:36 PM

From what I've read about this incident, it looks like a fairly competent act of sabotage, carried out by a group with limited resources, hence forced to use a somewhat unusual tactics and therefore achieving a not so spectacular outcome.

1. They had pretty fair intelligence. They knew what communications cables to cut and where they were located. They knew which transformers were energized (or discerned that by observing them in IR) so they knew where to concentrate the attack. They have chosen a remote substation with little surrounding buildings/people who could see them - and a one close to firing ranges where sound of gunfire would be less suspicious. They have avoided perimeter security devices (fence breach sensors/cameras).

2. They apparently failed to cut communications to the substation's control systems as the system reportedly switched to backup microwave links. They may not have known of the backup - or simple were unable or unwilling to disable it too, as it could have required entering the perimeter to access and disable the antennas.

3. They cut the fiber cables in such a way as to cause maximum possible damage and repair difficulty, using simple tools - manhole opening keys (if the the manholes were locked at all), ladders and bolt cutters.

4. They have applied unorthodox but simple tactic to disable the transformers - using commonly available rifles and ammo to shoot out holes in radiators made of relatively thin sheet metal (compared to the hull), in order to spill the oil, causing the transformers to overheat. The actual damage was likely limited to lost oil and damaged radiators - as the control systems probably cut power when low oil/high temperature sensors kicked in. They could have achieved much more damage if they were able to damage the transformers completely by disabling cutoff circuitry first, therefore causing the transformers to overheat severely and explode - or by using explosive charges to a similar effect. They were probably too resource-limited to pull the greater feat off.

5. They have executed the attack safely and securely for them. They stayed well off the energized parts, avoided security cameras etc. - and still weren't caught... Probably they weren't able to reliably defeat the perimeter security system without a risk to them in order to get closer and/or haven't any viable explosives to cause more damage anyway - so they just not bothered to enter.

6. They have covered their tracks as they could - by closing manholes and spreading trash on them. Likely they have also taken other measures such as using stolen guns/cars etc. They have left the scene in time not to get caught.

7. They have largely achieved their primary goal of disabling a fairly big power station - even if no spectacular Hollywood-style effects :-) What secondary goals they might have remains a mystery.

AC (Anonymous Coward) SlaterJanuary 3, 2014 1:49 PM

@ benEzra & Anura

"[loads of legit info]...Based on that article, I suspect the "vandalism by disgruntled current/former employee" angle is more likely than the "terrah" angle, whether domestic or otherwise."

Agree with your analysis and more realistic assessment of the most likely culprit(s). While your conclusions are based more on facts and sound security principals, unfortunately, they're not as "sexy" as what the rest of us have dreamed up based on our SME-level understanding of TV shows like CSI, and our vast experience with firearms, military and three-letter-agency special-ops expertise based on our many hours of Call of Duty, and of course our lifelong exposure to FUD and hype from our news media and government officials|liars. I think most of us have missed the point of Bruce's Movie Plot contests, since we're each trying our hardest to out-do each other echoing/parroting the usual speculative, unsubstantiated, and ridiculous conclusions and talking points of the media and DHS officials trying to come up with some scary, budget-justifying boogey-man (terrarists! right-wingers! assault weaponz, oceans eleven plots, oh teh noes!) to attribute to this simple incident. :-/

Mike SJanuary 3, 2014 2:16 PM

I tend to go w/ the disgruntalled employee line. The advanced knowledge of where to cut, where to shoot, access points, etc. points to someone who had more familiarity w/ the overall system and that particular station's chracteristics than an outsider could gain by observation alone. Who knows why, laid off, sacked, payscale disagreement?
It seems that from a terror standpoint it would be much easier and safer to just drop the xmisson towers.

3ik4fbhJanuary 3, 2014 2:18 PM

@benEzra: Manufacturers are required by federal US law, when manufacturing inside the country, to turn in rifling data per-model.. Nanometer scale is used, sometimes across models, for the rifling machining and data. Feel free to ask someone who has internal knowledge of gun manufacturing to verify; it's actually a federal felony to not do so..

This data is easily correlated to track gun sales; of course not down to an indevidual gun as I thought I made clear in the first place. Which are also regulated with data-entry legislature, and have been for a quarter of a century except for some rifles and shotgun classes..

It's not near the fiction as you and others here suggest. Neither are symmetry algorithms used to recover partial image data and human symmetry; there are actually software solutions used by government and civilians that use them with significant success rates..

It seems to me there are too many people trying to enlighten us all that have too little education to be doing so..

AnuraJanuary 3, 2014 2:38 PM

@3ik4fbh

Manufacturers are required by federal US law, when manufacturing inside the country, to turn in rifling data per-model.. Nanometer scale is used, sometimes across models, for the rifling machining and data. Feel free to ask someone who has internal knowledge of gun manufacturing to verify; it's actually a federal felony to not do so..

Can you please give the title and section of the US code where that requirement is defined?

This data is easily correlated to track gun sales; of course not down to an indevidual gun as I thought I made clear in the first place.

Earlier you said the following:

The rifling alone would lead to the culprits in the hands of a competent agency..

Are you retracting your statement?

MarkJanuary 3, 2014 4:22 PM

@Brian M., there's something you need to know about news reporting: all long guns are either shotguns, assault rifles, or high-powered rifles. Since the emphasis in this story is on the damage done, the guns were clearly high-powered rifles -- if the emphasis had been on the number of people killed, the guns would have been assault rifles instead.

benEzraJanuary 3, 2014 4:36 PM

@3ik4fbh,

"Manufacturers are required by federal US law, when manufacturing inside the country, to turn in rifling data per-model. Nanometer scale is used, sometimes across models, for the rifling machining and data. Feel free to ask someone who has internal knowledge of gun manufacturing to verify; it's actually a federal felony to not do so."

Citation, please? According to the Gun Control Act of 1968 as amended, the controlled and tracked portion of the firearm is the receiver (or the frame, in the case of handguns), not the barrel, and often the barrel is not even manufactured by the gunmaker. (Case in point, my competition rifle is manufactured by Rock River Arms but has a Wilson barrel.) And no rifle barrel on this planet is manufactured to nanometer tolerances.

You are correct that firearm make/model can often be inferred from the rifling design, land shape, groove depth, and pitch/twist rate (just as the identity of a car can be narrowed down by tire size, track width, and wheelbase if available), dimensions which I'm sure LE agencies have access to. In the case of a popular caliber like a 7.62x39mm, that may get you down to a few tens of thousands to hundreds of thousands of units. Or not, depending on model and how individualized the specs are; I'd expect that 7.62x39mm barrels as used in this incident tend to be less individualized than, say, .223/5.56mm or .308 chambered barrels, and Eastern European barrels tend to have rougher tolerances than most Western European or American barrels.

"This data is easily correlated to track gun sales; of course not down to an indevidual gun as I thought I made clear in the first place. Which are also regulated with data-entry legislature, and have been for a quarter of a century except for some rifles and shotgun classes."

You said that examination of the bullets would, given competence, identify the culprits, not merely provide broad caliber/model information, and I'm not seeing how you could even come close to that level of specificity.

"It's not near the fiction as you and others here suggest. Neither are symmetry algorithms used to recover partial image data and human symmetry; there are actually software solutions used by government and civilians that use them with significant success rates."

Image processing software can do remarkable things, but it cannot identify an individual rifle S/N from a recovered bullet.

3ik4fbhJanuary 3, 2014 9:05 PM

@Anura: "Earlier you said the following:" Yes it would. Nothing I said afterwards contradicted that statement either..

@benEzra: Why don't you and your illiterate troll friend just go to the BATF site instead of asking me to help you learn? Not only are the regulations I stated 100% accurate, but there are more.. For example homemade firearms made under those regulations are even then illegal to distribute or sale under tax code.

Maybe you two should prove me and the ATF wrong.? I personally think based on your behaviors here that society would be better off.. Sorry if my honesty makes me evil or unpopular..

ModeratorJanuary 3, 2014 9:51 PM

3ik4fbh, if you can't engage constructively with Anura and benEzra then it's time for you to leave the thread.

Goldry BluszcoJanuary 3, 2014 11:25 PM

After staying out of this thread, I feel sure of one thing: it wasn't "military". If I had been a commando tasked with taking out a power substation without leaving much in the way of evidence, I'd be taking along Rocket-Propelled Grenades loaded with thermite to take out the transformers instead of high-powered rifles - assuming I didn't take along a couple of mortars to blow away the transmission towers -, and I'd be setting booby-traps alongside the severed cables to cause as much grief as possible.

@benEzra I agree. Disgruntled employees most likely.

RafflesJanuary 4, 2014 12:07 AM

False-flag like Boston and Sandy Hook.

When the attack happened, it was not possible to make a 911 call via any land line in the area.

from:http://jimstonefreelance.com/infrastructure.html

rJanuary 4, 2014 12:27 AM

But it WAS possible to make calls to other numbers via the same land lines.

Go check this out.

AliceBobJanuary 5, 2014 11:21 AM

IR night-vision gear and targeting the glowing transformers may sound impressive as all hell in the press. But all it does for me is highlight the immense and growing discrepancy between government pie-in-the-sky daydreaming/paranoia and the actual real world!. This could just be as simple as the moon being out, these shooting nuts night-adapting their vision, and a little white-out correction fluid on plain iron sights.

Maybe they did use IR gear. It's not exactly hard to come by. I just bought my elementary-school-age kids a head-mounted IR nightvision rig for Christmas. Toy aisle. $39.95. Walmart. Low resolution but it works well enough.

We need more than blind speculation here before accepting it as fact.


One question: Was the fiber cut at the time of the shooting attack? Or was it only discovered after the shooting started?

It must be nice for the power company. They got to charge higher rates, to fix/replace old equipment, and a card blanche pass on any environmental pollution. They are the big winners here.

How in the world did they manage to spill 51,000 gallons of oil through only 120 holes? 7.62x39mm bullets are less than a 1/3 of an inch across. That's a lot of oil, like 425 gallons per hole. Wasn't there a means in place to drain the oil from damaged machines? Surely eventually corrosion would cause a leak and they would have to drain those transformers...

51,000 gallons of oil! That's enough to fill a pool 30 feet by 37 feet by 6 foot average depth with over a thousand gallons of oil left over! That's bigger than the basement in my house!

If the attackers really wanted to damage the power station, why didn't they just toss a road flare onto all that oil and set the whole thing ablaze? Fire would have done a lot more damage, and taken a lot less of their time.

For that matter, why would anyone use those old slow underpowered soviet 7.62x39mm rounds (are they even supersonic?) when shotguns with deer slugs are so much easier to acquire, have a significantly higher muzzle velocity, have a significantly higher bullet (payload) mass, have a larger diameter, and when these lunatics are shooting at such a short range?

This whole thing reeks of using the tools they had on hand or using exotic tools in a deliberate attempt to throw suspicion on someone else.

LiquorJanuary 6, 2014 10:16 AM

I'll go with the 'disgruntled union' vote on this, for a simple reason -- the attack fits with an attempt to make the utility's management seem incompetent.

1) Cutting the fiber and forcing the fallback to microwave protection means that there is likely only a subset of the full SCADA data being sent: While there would be overcurrent and overload protection for the network, the individual transformer performance data such as oil levels and temperature might not be, so the oil leaks would not be apparent to remote monitoring equipment.

2) The oil in the transformers provides insulation as well as cooling. If the level drops below the level of the windings, there could be an internal flash-over that potentially could wreck the transformer. This is normally prevented by on-transformer safety relays.

3) Poor maintenance and age frequently makes the float level switches used for protection of transformers fail to operate -- or more importantly, not operate until the level is below the nominal 'safe' level. This in turn often makes the actual protection for the transformers dependent on the warnings and trips generated through the SCADA system (which probably was at reduced capability).

4) There would be a long period between the attack and the actual failure of the transformers while the oil drained. There was a good chance that the first thing that would be apparent as a transformer fault was a failure sometime in the next day. If management failed to detect this pending failure, then they would appear incompetent. What would be even more damning for management would be additional failures, since there is a possibility that damage to other transformers would not be found until they also failed.

AlexJanuary 7, 2014 9:04 PM

I'm going to vote for JPC. Just Plain Crazy. All the other notions fall apart.

If you're stealing copper, I would assume you wouldn't want to attract attention by shooting up the place. And if you had guns in the first place, you could pick a lot better targets for robbing.

If you were trying for a dry run for some sort of terrorism (domestic or imported), ideally, you don't advertise your presence in any way whatsoever. So no shooty-shooty.

Union types? I should seriously believe union types wouldn't know at least a dozen other ways to damage the utility equipment?

I'll stick with a couple of bored types who, I hope, will get caught without anyone getting hurt and then get some treatment.

LiquorJanuary 9, 2014 8:13 AM

@Alex - I won't rule out JPC either, but remember, the 'union types' don't want to just damage the equipment.

Simply damaging the equipment would not in itself make management look incompetent, and would probably make the union employees look like thugs, not desirable employees. I also know literally hundreds of ways someone with inside knowledge could cause significant damage to the system -- but I can't think of anything that management could be blamed for in those attacks. Almost all would cause an immediate failure, and there is no argument that a trained union member could have detected the problem in time to prevent it.

Simply shooting the HV insulators in the station instead of the radiators would be very likely to cause a spectacular immediate failure -- and while immediately satisfying to JPCs, would probably have had them in jail before the morning, or at least caused a full scale manhunt for them. The fact that they did not do this, even by accident while shooting, seems to imply that they were not JPCs.

This particular attack, however, with its built-in delay between attack and equipment failure, would let someone argue that the actual failure was not due to the attack, but to managements incompetence to operate the system. And as someone else pointed out upthread, because there is a shooting range nearby, it was unlikely that the sound of rifles firing would alarm anyone, so the attack itself would be unnoticed. It certainly gave them time to disappear without being identified.

John DouganFebruary 5, 2014 11:05 PM

I used to work on maintenance management software for an electricity provider and none of the vulnerability is a surprise. OTOH, there are much more comprehensive and hard to stop ways of affecting the grid than shooting at transformers, which suggests to me either local anti-technology radicals (who often make a point of not understanding the system) or a false flag Gleiwitz incident. Who would be false flagging and for what benefits is an exercise for the reader.

If you were to decide that shooting yard components was productive, you could shoot at nearly anything in a yard (ideally with a large calibre anti-materiel weapon) and shut it down. I find the reference to .22 rifles interesting as in US vernacular a generic reference to .22 usually means one of the family of .22 inch diameter rimfire cartridges used for small varmint hunting....none of which shoots much over 150 yards with any force. There are other cartridges which have the approximate same bullet diameter, most notably the 5.56mm (0.223 cal) NATO cartridge. That could do it and is common, but no one honest ever calls it a .22.

buzz4tFebruary 6, 2014 9:25 AM

"The response will be different now that the capability has been exposed. They've have learnt nothing and shown their hand."

Of course they learned something. They learned how long it takes to drain a transformer by shooting holes in it, and how long it takes to overheat. Who cares if the cops show up 5 minutes or 5 hours later? Once the transformers are damaged, its not like the cops are going to repair the damage. And if whoever coordinates the same attack at multiple sites in the area (requiring military equipment like a watch and a rifle) then whoever could cause at least a regional outage.

speculationFebruary 6, 2014 12:06 PM

Perhaps there is another motive, besides "terrorists", "eco-terrorists", "vandals", "just plain crazies", "hostile states"?

Remember when California was persuaded to deregulate (or partially deregulate) electricity and to create a "free-market" for the supply and distribution, and subsequently the electricity rates in California sky-rocketed. After a lot of dissembling and BS free market propaganda had been cut through it was discovered that Enron (and some other large financial players and power producers) had been gaming the market, by creating false shortages and by exploiting bottlenecks in the distribution system.

By buying electricity futures from certain production points, then arranging for a shortage to develop that would drive up the value of those futures, then selling the power at the high price, great profits were realized.

The main method at the time of producing a shortage was to persuade a power producer to take certain plants off-line for "maintenance" at strategic times. Another method was to take certain transmission lines out of service, thereby requiring the served area to receive power from another location.

Perhaps this attack was financially motivated by someone who couldn't persuade a utility to do it's bidding, and so took direct destructive action to realize its profit.

Before 2008 I would have thought this too short-sighted a thing for a financial type to do, but now I see they are quite prepared to knowingly destroy our society for a short-term one-off profit of sufficient size.

There is probably a hole in this theory. But I think it should at least be checked out. Perhaps the enemy is much closer and more familiar than we think. Perhaps the enemy is a member of the establishment.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..