Two former Washington, D.C., powerbrokers have criticized Pacific Gas & Electric Company for failing to aggressively beef up security as promised at critical electric substations that deliver power to Northern and Central California.
“Overall, it looks like there is essentially no security,” R. James Woolsey, energy specialist and former director of the Central Intelligence Agency, said in reaction to an NBC Bay Area undercover investigation.
Woolsey and Jon Wellinghoff, the past chair of the Federal Energy Regulatory Commission (FERC), reviewed the Investigative Unit’s findings, which exposed potential vulnerabilities in PG&E’s protection of critical substations.
Both men concluded that the utility company has not acted fast enough to make significant upgrades to security for its electric infrastructure a year and a half after the attack on the Metcalf substation in South San Jose. During that April 2013 attack, gunmen fired 100 high-powered rifle rounds into 17 high-voltage transformers, shutting down the facility for almost a month. The attack had the potential to knock out power to much of Silicon Valley.
“For 18 months to pass after Metcalf, and for us not to be in the midst of a major upgrade in resilience and security of our major transformer farms, I think is inexcusable,” Woolsey said.
PG&E promised to increase physical security at its critical substations by spending $100 million over the next three years, but what NBC Bay Area witnessed fell short of aggressive.
“It’s surprising that they haven’t done more at this date,” Wellinghoff said.
Utility executives and congressional representatives have called the Metcalf incident a game-changer. And although the Federal Bureau of Investigation has not officially labelled the attack an act of terrorism, many high-ranking federal officials have speculated that it may have been a trial run for a more robust attack.
“It scared me to death,” Wellinghoff said. “And it scares me today because it is evident at least from the reporting that you have done that we have not taken substantial steps to in fact protect the physical security of these facilities.”
The Investigative Unit made 14 unannounced visits to nine of PG&E’s largest and most critical substations across the state. The observations lasted 30 minutes to one hour in the early morning, during the day and late at night. Staying on public property, NBC Bay Area was able to get close enough at some locations to use a thermal imaging camera and identify high-voltage transformers in the dark.
One substation provided an ideal hiding place just outside the fence line; the Investigative Unit was able to stand on a hill covered in thick trees and bushes and look directly at a row of transformers 50 yards away. PG&E had promised to remove potential hiding places near its critical substations.
While security vehicles were present at seven of the nine sites, most stayed stationary and did not patrol the perimeters of the facilities. One security officer answered questions when he saw an NBC Bay Area camera, but didn’t ask for names or the purpose of the visit. Security guards were not present at two of the nine substations.
A military veteran with two decades of experience working in special operations reviewed the entire NBC Bay Area investigation and concluded: “Metcalf could be repeated at all the sites you showed me in less than 15 minutes.”
He asked not to disclose his name because of potential future security work.
Since last April’s attack, both Woolsey and Wellinghoff have pushed for an overhaul of how the power grid is protected. The men agree that the risk of significant damage is too high to be ignored.
“This is about the survival of the country and our society and our way of life,” Woolsey said. “It’s not about the lights being out a day or two. We are talking about the end of American civilization if this is not done right.”
Government reports dating back decades show that these risks are not new. In 1990, the Congressional Office of Technology found that electric power systems are “vulnerable to saboteurs with explosives or high powered rifles” and that major cities and even multi-state areas “could lose virtually all power following simultaneous attacks on three to eight sites.” The report also concluded that utility companies are taking some positive steps to secure their infrastructure but “generally consider the risk to be too low to warrant large expenditures.”
Stephanie Douglas, PG&E’s head of corporate security and former Special Agent in Charge of the FBI's San Francisco office, calls the protection of the critical substations “high-level security.” She pointed to upgrades that include onsite guards 24 hours a day, enhanced security cameras and around the clock remote monitoring.
“Our security isn’t overly visible to somebody just on the outside of the fence,” she said.
Promises to increase security didn’t stop a break-in at the Metcalf facility in August. A full 17 months after the multi-round rifle attack, vandals cut their way through perimeter fencing, and without being detected, stole construction equipment from the substation.
The heist happened in front of PG&E’s cameras, while two guards patrolled onsite and crews reportedly monitored from an offsite security system. The incident went unreported for five hours.
“I think that [because] it was at the same site that it ought to be a matter of some embarrassment,” Woolsey said.
Nine days before that second security breach, Douglas said that the utility was making security improvements every day to prevent another "Metcalf attack" from happening. Though she declined a request for an interview following the break-in, Douglas stood by her original answers to NBC Bay Area’s questions.
“I can’t guarantee anything,” she said, “but we are working hard every day to make sure our facilities are safe and secure.”
In March, nearly a year after the Metcalf attack, FERC directed the utility industry to address risks due to physical security vulnerabilities.
The commission is now seeking to approve the standards, which would force utility owners and operators to perform threat assessments of their substations and implement security plans if necessary. It is unclear when utility companies would be required to comply with those standards.
“In protecting the grid, it is very important that we learn from all experiences, including the recent events at the Metcalf station,” FERC chair Cheryl LaFleur said in a statement to NBC Bay Area. “Protecting the reliability and resilience of the nation’s electric grid is a core responsibility of the Commission and the entire electric industry.”
Lawmakers in California and Washington, D.C., are also aiming to increase security responsibilities of PG&E and other electricity corporations. Woolsey and Wellinghoff are two heavyweight voices joining the growing chorus of officials pressuring utility companies to tighten their security networks.
“Not only have they not moved fast enough,” Woolsey said, “to a very great extent they have not moved at all in any appreciably important way.”
If you have a tip for the Investigative Unit, email email@example.com or call 888-996-TIPS.