Something is Afoot…

Back in April of 2013 there was an attack on a power station in Southern California. The attack was calculated, detailed, planned, and executed well. There were many details that piqued my interest, including the oil tanks being targeted instead of the windings themselves. This would limit catastrophic damage to the transformer. Additionally, numerous fiber-optic lines in the area were cut, including those run by Level 3 Communications.

I have read a few write-ups discussing the attack, and I did come across one theory that was interesting.

Gabriel: Have you ever heard of Harry Houdini? Well he wasn’t like today’s magicians who are only interested in television ratings. He was an artist. He could make an elephant disappear in the middle of a theater filled with people, and do you know how he did that? Misdirection.
Stanley: What the f*** are you talking about?
Gabriel: Misdirection. What the eyes see and the ears hear, the mind believes.
Swordfish movie (2001)

[See the PowerPoint here]

On the morning of the 16th of April 2013 the following events unfolded at, and around, the PG&E Metcalf Transmission Substation in San Jose, Calif.:

  • 12:58 a.m. AT&T fiber-optic telecommunications cables were cut not far from U.S. Highway 101 just outside south San Jose.
  • 1:07 a.m. Some customers of Level 3 Communications, an Internet service provider, lost service. Cables in its vault near the Metcalf substation were also cut.
  • 1:31 a.m. A surveillance camera pointed along a chain-link fence around the substation recorded a streak of light that investigators from the Santa Clara County Sheriff’s office think was a signal from a waved flashlight. It was followed by the muzzle flash of rifles and sparks from bullets hitting the fence.
  • 1:37 a.m. PG&E confirms it received an alarm from motion sensors at the substation, possibly from bullets grazing the fence.
  • 1:41 a.m. San Jose Sheriff’s department received a 911 call about gunfire, sent by an engineer at a nearby power plant that still had phone service.
  • 1:45 a.m. The first bank of transformers, riddled with bullet holes and having leaked 52,000 gallons of oil, overheated – at which time PG&E’s control center about 90 miles north received an equipment-failure alarm.
  • 1:50 a.m. Another apparent flashlight signal, caught on film, marked the end of the attack. More than 100 shell casings of the sort ejected by AK-47s were later found at the site.
  • 1:51 a.m. Law-enforcement officers arrived, but found everything quiet. Unable to get past the locked fence and seeing nothing suspicious, they left.
  • 3:15 a.m. A PG&E worker arrives to survey the damage.

The damage to the substation took 27 days to repair and cost $15.4 million. In the substation’s 500kV yard, ten transformers were damaged; in the 230kV yard, seven transformers were damaged; in the 115kV yard, six circuit breakers were damaged. It was also claimed that a total of 52,000 gallons of mineral oil (used for cooling) leaked as a result of the bullet strikes.

The damage to the fiber-optic telecommunications infrastructure was repaired within 24 hours. AT&T had six cables cut and needed to install new cables to work around the affected area. Level 3 Communications had one cable cut, which was repaired within 10 hours.

The attack on the substation was so over-the-top, especially given that no long-term damage was inflicted, that it more appropriately should have been an entry in Bruce Schneier’s Movie Plot Threat Contest. The trope “orgy of evidence” comes to mind because the attack was so inconsequential for the level of effort expended. Sure, it lightened PG&E’s wallet and provided an opportunity for endless sound bites by consultants and lobbyists touting their employers’ agendas, but nobody’s lights went out as a result of this attack.

So this brings us back to Houdini’s misdirection. Two events occur, one is over-the-top and will obviously lead in the morning media, the other deals with some cut cables in holes next to railroad tracks – decidedly non-spectacular and non-photogenic.

The thing is that the Metcalf Transmission Substation is next to railroad tracks. And it happens that the railroads’ right of way is used to run fiber-optic cables. I’m sure you’ve heard of Sprint, which used to be SP Communications, which was founded by Southern Pacific Railroad way back when. Fiber is why all the big-name companies in Silicon Valley want to be as close to the railroad tracks as possible!

If we assume that the real target was the telecommunications infrastructure, how would someone tap some of the most monitored lines in the world?

By causing the fiber cables to be so extensively damaged that new sections have to be pulled to work around the damage. This level of disruption would require that any quality/security scans performed – using optical time domain reflectometers (OTDRs) – be re-calibrated after the repairs. The new cable sections could have been pre-engineered to have clip-on couplers (passive taps) built in that exert “micro bending” (i.e., spatial wavelength displacement). If they are detectable by the OTDR they would probably show up as noise near the repaired areas and be ignored. And voilà! Job done.

The next challenge for the strike team would be getting the output from the couplers to somewhere it could be analyzed. Once it was confirmed that the couplers had not been detected, then another team could move in and install appropriate transmitters or couple them into dark fiber for back-haul to data extraction.
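A defender-side check, added here as an example and not part of the original post: after a repair like this, diff the post-repair OTDR event table against the pre-repair baseline and the repair crew’s documented splice positions, and flag every new non-reflective loss event the repair record does not explain, however small, rather than writing it off as noise near the splices. The event tables, distances and loss thresholds below are constructed sample values, not real traces.

```python
"""Audit a post-repair OTDR event table against a pre-repair baseline.

Added example; the event tables are constructed sample data, not traces
from the incident described in the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OtdrEvent:
    distance_m: float                 # distance from the OTDR launch point
    loss_db: float                    # insertion loss measured at the event
    reflectance_db: Optional[float]   # None = non-reflective (splice, bend, or tap)


# Constructed sample tables (not real traces). Distances in metres.
BASELINE = [
    OtdrEvent(0.0, 0.0, -45.0),       # launch connector
    OtdrEvent(2040.0, 0.08, None),    # original factory splice
    OtdrEvent(6150.0, 0.25, -52.0),   # mid-span patch panel
]
POST_REPAIR = [
    OtdrEvent(0.0, 0.0, -45.0),
    OtdrEvent(2040.0, 0.08, None),
    OtdrEvent(3510.0, 0.12, None),    # documented repair splice (cut point A)
    OtdrEvent(3590.0, 0.09, None),    # small non-reflective loss with no splice on record
    OtdrEvent(3710.0, 0.11, None),    # documented repair splice (cut point B)
    OtdrEvent(6150.0, 0.25, -52.0),
]
DOCUMENTED_SPLICES_M = [3510.0, 3710.0]   # from the repair crew's as-built record

SPLICE_BUDGET_DB = 0.15   # assumed maximum loss accepted for one fusion splice


def _matches(ev: OtdrEvent, ref: List[OtdrEvent], tol_m: float, loss_tol_db: float) -> bool:
    """True if an event at about the same distance with about the same loss exists in ref."""
    return any(abs(ev.distance_m - r.distance_m) <= tol_m
               and abs(ev.loss_db - r.loss_db) <= loss_tol_db for r in ref)


def audit_post_repair(baseline: List[OtdrEvent], post: List[OtdrEvent],
                      documented_splices_m: List[float], tol_m: float = 10.0,
                      loss_tol_db: float = 0.03,
                      splice_budget_db: float = SPLICE_BUDGET_DB) -> List[Tuple[float, str]]:
    """Return (distance, reason) findings that the repair record does not explain."""
    findings: List[Tuple[float, str]] = []
    for ev in post:
        if _matches(ev, baseline, tol_m, loss_tol_db):
            continue                              # unchanged since the pre-repair trace
        near_documented = any(abs(ev.distance_m - d) <= tol_m for d in documented_splices_m)
        if near_documented:
            # A tap co-located with a splice shows up as excess loss at that splice.
            if ev.loss_db > splice_budget_db:
                findings.append((ev.distance_m, "splice loss above budget"))
            continue
        # New event, no splice on record: never discount it as noise near the repair.
        findings.append((ev.distance_m, "undocumented loss event"))
    for ev in baseline:
        if not _matches(ev, post, tol_m, loss_tol_db):
            findings.append((ev.distance_m, "baseline event missing"))
    return findings


if __name__ == "__main__":
    for distance, reason in audit_post_repair(BASELINE, POST_REPAIR, DOCUMENTED_SPLICES_M):
        print(f"{distance:8.1f} m  {reason}")
```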

We may never know the who/why of this attack. The over-the-top nature of it suggests that it was corporate sponsored as opposed to sovereign. The Metcalf Substation does have some interesting corporate neighbors, but given the nature of the communications traffic flowing in that right of way just about anyone using or traversing that corridor could have been the target.

TL;DR: The substation was actually a diversion.

But there wasn’t much to give credence to the situation until I saw my inbox this morning. Let me repeat something before we start with the new data:

Once is happenstance, twice is coincidence, three or more times is enemy action. And I don’t believe in coincidence.

Let’s start with the first article that hit my inbox, USA Today.

The FBI is investigating at least 11 physical attacks on high-capacity Internet cables in California’s San Francisco Bay Area dating back a year, including one early Tuesday morning.

Agents confirm the latest attack disrupted Internet service for businesses and residential customers in and around Sacramento, the state’s capital.

FBI agents declined to specify how significantly the attack affected customers, citing the ongoing investigation. In Tuesday’s attack, someone broke into an underground vault and cut three fiber-optic cables belonging to Colorado-based service providers Level 3 and Zayo.

The attacks date back to at least July 6, 2014, said FBI Special Agent Greg Wuthrich.

(Emphasis mine.) Well that’s interesting, but it doesn’t sound all that interesting. The article does note that the incidents have occurred in remote areas but attempts to play it as merely petty vandalism to delay people from getting their cat videos. (No I’m not making it up, see this line…)

Backup systems help cushion consumers from the worst of the attacks, meaning people may notice slower email or videos not playing, but may not have service completely disrupted, he said.

But repairs are costly and penalties are not stiff enough to deter would-be vandals, Doherty said.

“It’s a terrible social crime that affects thousands and millions of people,” he said.

First you have to catch the vandals to fine them, and if this has nothing to do with vandalizing infrastructure but instead with tapping it, this is a very serious thing. But certainly those lines will help calm those who don’t know the details, have the attention span of a squirrel, and don’t have the memory to correlate other external events that are most likely related.

Now let’s flip over to the Wall Street Journal.

The latest attack hit several cables in Livermore, Calif., shortly before 4:30 a.m. Pacific time and hadn’t been repaired as of early Tuesday evening, according to several Internet service providers affected by the outage. Some operators complained that law enforcement activity made it harder for crews to fix the problem.

“It’s very inconvenient in terms of getting up at 4 in the morning,” said Peter Kranz, chief executive of local Internet provider Unwired Ltd.

FBI Special Agent Greg Wuthrich said the agency understood operators’ frustration but needed its investigators to look for evidence before anyone patches up the cuts.

“When some of the first cuts were taking place, the cuts and cables were fixed, and there was no evidence, no anything to look at,” he said. “We just need to have a little bit more time to have our people go in.”

I love the complaints about law enforcement making it difficult to repair the communication lines because they want to inspect and collect evidence. This is a classic case of “repair the problem, investigate no further on root cause.” Please stop digging, you could induce panic.

Again the paper plays this off as not nearly as serious, almost as if it’s just some kids out pranking the world. Then we get to the local paper…

The severed fiber optic cables that disrupted Sacramento-area communications is just one in a series of 11 Bay Area incidents in the past year being investigated by the FBI.

Phone, television and Internet services were disrupted in Auburn and the surrounding areas following three severed cables in Alameda County Tuesday morning, according to the federal agency.

Since July 6, 2014, there have been 11 incidents of vandalism to fiber optic cable networks in the greater San Francisco Bay Area.

FBI Special Agent Greg Wuthrich said at this point it is unclear why the cables are being damaged, but said state and federal law enforcement are coordinating on the investigation.

According to communications provider Wave Broadband, three major fiber optic cables were severed at around 4:20 a.m., causing service outages in Sacramento, Rocklin and Auburn areas.

Wait, it wasn’t just one cable shared by multiple service providers, but three different cables? Additionally, as these were related to the backbone, and given one of the providers involved, you just tapped a decent chunk of the internet. Just what the hell is going on down there? I start searching for more information, including something on the Metcalf substation incident to try to cross-reference, and discover this:

The Silicon Valley power substation that was attacked by a sniper in April 2013 was hit by thieves early Wednesday morning, according to the Pacific Gas and Electric Company, despite increased security.

The substation, near San Jose, Calif., is the source of energy for thousands of customers, and the idea that it was the target of a well-organized attack, and that it might have been disabled for an extended period, raised anxieties about the possible broader vulnerability of the grid. The attack this week did not involve gunfire, and it did not seem intended to disable the facility.

The date on that “theft” is August 27, 2014. The recent string of attacks on the fiber lines started July 2014. Tell me, if you wanted to inspect the response and repair actions after an attack, couldn’t you just easily disguise it as a simple theft? You could get up close and personal and inspect exactly how the substation was repaired and what additional actions were taken to harden the substation.

Look, I’m a big fan of Hanlon’s razor and I hate conspiracy theories because honestly 99% of them are bullshit. But we have multiple, repeat incidents. There were clues and suspicion of possible nation-state involvement which were dismissed. We have an administration that actively works to diminish the significance of attacks and events that surround us and affect us in deep and profound ways. Additionally, we see that there are outside nation states who have taken a keen interest in the United States. Just look at the Office of Personnel Management hack; seriously, that is a threat beyond what most realize. Then, while all this is going on, we have people calling to critically weaken our cyber security infrastructure in the name of stopping terrorism.

There is someone gathering intelligence, placing equipment in the correct locations, and improving their leverage against us. We’re in a technological cold war and we’re seeing the spillover from the physical side of things. Things are not looking good, safe, or secure, especially with over $18 trillion in national debt. Stay safe and keep your powder dry.

Quote of the Day – Brian Hauss (6/6/2013)

To be sure, rummaging around through people’s personal papers may well turn up the occasional bad guy, but that is not the only consideration. No doubt law enforcement agents would also find it useful to walk into people’s homes at will, but we don’t allow them to do so because that would intrude on our reasonable expectation of privacy in our homes. And just as we reasonably expect privacy in our homes, so, too, do we expect that border agents will not base their decisions to search through our electronic information on a whim or a hunch. Put another way, requiring law enforcement agents to possess objective reasons for a search is a feature of our constitutional framework, not a bug.

(Emphasis mine.)

Brian Hauss, DHS Releases Disappointing Civil Liberties Report on Border Searches of Laptops and Other Electronics

June 5th, 2013

[For those who haven’t heard yet, the DHS is claiming the following line of BS regarding searches at the border.

[A]dding a heightened [suspicion-based] threshold requirement could be operationally harmful without concomitant civil rights/civil liberties benefit. First, commonplace decisions to search electronic devices might be opened to litigation challenging the reasons for the search. In addition to interfering with a carefully constructed border security system, the litigation could directly undermine national security by requiring the government to produce sensitive investigative and national security information to justify some of the most critical searches. Even a policy change entirely unenforceable by courts might be problematic; we have been presented with some noteworthy CBP and ICE success stories based on hard-to-articulate intuitions or hunches based on officer experience and judgment. Under a reasonable suspicion requirement, officers might hesitate to search an individual’s device without the presence of articulable factors capable of being formally defended, despite having an intuition or hunch based on experience that justified a search.

Translation:  “We don’t need to specify a reason why we are seizing and searching your property.”

Now many may have forgotten so I will provide you an extra reminder of the area the DHS would like to claim as free from that pesky 4th Amendment.

For more on that go back and read my article on it (dated 2008). So think about what the Department of Homeland Security is claiming as within their legal abilities, and then think long and hard about that map where they can put up “border inspection points” at will. Think you’re safe just because you don’t regularly travel out of the country? Get real.

Listen folks, you either have these rights or you don’t. They’re not predicated on some theory that you surrender them because you want to do X. NO! If the government wants to search my personal effects, they must present a case including evidence that I have committed a crime, or that I intend to harm another. *Note I said harm, the war on drugs needs to go too!* The only way you end up with this current view of the law is through twisted perversion and a lackadaisical attitude that says “I don’t care, what’s it matter?”

Just because I want to fly to visit my friends in Nashville doesn’t mean I surrender my 4th Amendment rights and agree to have someone fondle me and my wife. It’s horse crap and frankly if we don’t stop it, it will just get worse. There are two options for stopping it: we get the courts to do their damn job, or well, use your imagination for the second option.

News flash folks, in a free land bad people sometimes end up doing bad things. It comes with the territory. Honestly though, even in your perfect police state the crazy guy can still do damage, even more so due to the delayed response. Grow a pair, embrace the responsibility and with it experience freedom. It’s freaking AWESOME. –B]

Am I Crazy Now?

So I got to work this morning and saw this on Drudge Report:


The immediate image and thought that went through my head was exactly this:


Now don’t get me wrong, I don’t hate law enforcement. I don’t think there is any conspiracy regarding the ammo crisis either. That said, LEOs should go ask DHS for ammo; they have a nice stockpile, have put in an order for more, and are refusing to answer questions about it.

Personally I think the police should have to live under the same stress, both economically and politically, as the rest of us. I.e., if your state bans normal-capacity magazines, that extends to law enforcement; that exemption for law enforcement is merely hypocritical doublespeak.

Does this make me crazy?

SSCC #477 – TSA

It’s been a while since we’ve come back around to the organization that gave me the idea for this list. For a quick history of this type of behavior:

Remember, these are the agents that were caught; there’s going to be a large group that are not caught. The TSA isn’t held responsible for lost and stolen items; they receive a free pass. There is no incentive for them to solve the problem other than bad PR. But we have a new bad agent to add to the list:

TSA baggage screener Sean Henry, 32, was arrested on Tuesday after a sting operation conducted jointly by the TSA and the Port Authority Police Department caught Henry leaving the airport with two iPads that had been planted as part of the sting, as well as numerous other electronics devices he had allegedly stolen from passengers.

I applaud the officers who did the right thing, but the fact is the government has created a situation that foments this type of behavior.

State Sponsored Criminal: Sean Henry

Because why shouldn’t a TSA agent be able to make some extra off the top from the people they’re already abusing.

SSCC #470 – US Marshals Office

U.S. Deputy Marshal Lucio Osbaldo Moya is accused of showing a photocopy of the unidentified agent’s driver’s license to colleagues last fall and, upon learning it belonged to an undercover investigator, sending a warning text to his father, who has served prison time for various drug charges.

You would think that when the Marshals Service did an investigation at hiring they would have noted the history of the father. While not everyone is very close with their immediate family, it would probably have been prudent to conceal information that might be associated with his father in one form or another.

State Sponsored Criminal #470: Lucio Osbaldo Moya

Because the government doesn’t need to investigate who they hire, just everyone else.

SSCC #458 – I.C.E.

Anthony V. Mangione, who headed U.S. Immigration and Customs Enforcement’s South Florida office for four years, possessed up to 150 images of child pornography, some depicting the "extreme abuse of children," according to federal prosecutors.

He was busted while still working for ICE. This one’s bad and I’m not going to comment on it. This one makes the count because:

As the Special Agent in Charge of ICE’s South Florida office, Mangione supervised more than 400 employees in nine counties. He was regularly at the forefront of arrests of child pornography suspects, vowing to see them punished.

State Sponsored Criminal #458: Anthony V. Mangione

Because there are monsters in this world.

SSCC #446 – DHS

A 43-year-old Department of Homeland Security worker allegedly used Facebook to solicit more than 70 area children for sexual acts, according to authorities.

We’re not talking high school students either…

Robert B. Rennie Jr., a Loudoun County resident, was charged Oct. 24 with five counts of using a computer to solicit a child under the age of 15, after a school resource officer was tipped off to suspicious activity on a Mercer Middle School student’s Facebook page.

Sounds like a fine, upstanding government employee, doesn’t it? I wish I could come up with something better, but this just makes me sick.

State Sponsored Criminal #446: Robert B. Rennie

Because working for the government means you’re somehow special.

No, I Think You Missed The Point…

“If you think a control-system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities,” Napolitano said at a Washington Post cybersecurity event, noting the effects in some cases can be “life threatening.”

While yes, cybersecurity should be taken seriously, Sandy is not an example of how dangerous a cyber attack could be.

What do I mean, I hear you cry? Sandy is a prime example of what someone could do to physically interrupt the power system. While you could find a way to get a breaker to open or close unintentionally, the easier method of disrupting utilities is to find critical points and physically knock them out.

First, let me do a quick explanation of what’s going on in the NYC area. Most power distribution in the NYC area is below ground. This makes it below sea level. This is one of the reasons they shut down many areas early, in an effort to protect equipment so that it can return to service more quickly. Still, that equipment has to be cleaned; transformers, for example, have to be washed, insulation checked, and refilled with cooling oil. This takes time, though much less time than having to fly in a replacement transformer, remove the old one, and install and commission the new one.

So what we have is a bunch of distribution points that were/are full of water and need to be drained, and equipment that has to be cleaned, checked, maintained, and possibly replaced in some instances. All of this must be done before re-energizing that circuit.

So why did I take the time to explain all that? Well, because it illustrates that if done properly, a physical attack can easily do more damage than any cyber attack, and even more than that, you have decreased the potential recovery time. But that’s not all. Say you execute an attack on physical infrastructure and take out 2 transmission-level transformers on a main artery.

You have now done triple-digit damage in the millions, if not more. Plus it will take 2-3 years, at a minimum, to replace the transformers. Any stock they have for those transformers is in very limited supply. This means if you hit a couple of places at once, you could very well permanently cripple the ability of a region to get the power necessary to operate.

Seriously, think about this: cyber-security to protect assets that are worth millions of dollars and provide hundreds of millions in revenue is going to be left unguarded by their owners and operators? Get real. The bigger and harder problem is physical security. How do you stop someone from running a truck into a transmission tower?

Why do I bring all this up? Because our overlords often start screaming about “necessity” in an effort to create new regulations and requirements which honestly are unnecessary. They’re unnecessary because, do you think a utility company doesn’t want to protect its equipment? For every minute a transmission line is down they’re losing millions of dollars in lost revenue.

We’ve seen these cries before, and yet again it is to drum up “FUD” among people who don’t really understand how the system works. FUD is how you make a bunch of people clamor to do something when nothing really needs to be done. That’s what Janet’s doing with her latest ramblings.