Metcalf Attack: NBC Reports on PG&E Security Memo
NBC Bay Area reports on a leaked PG&E memo regarding security of substations after the Metcalf attack.
PG&E Memo: https://www.documentcloud.org/documents/2081637-pg-amp-e-memo-august-30-2014.html
Transcript from NBC Bay Area website:
An internal Pacific Gas & Electric Corporation memo obtained by NBC Bay Area shows the company is years away from promised security upgrades at its electrical substations.
The company made promises to bolster security at critical facilities after a dramatic automatic-weapons attack on its Metcalf substation in South San Jose more than two years ago. Since then, the company claimed that it has increased security at key substations and that more changes are coming soon. The director of corporate security said publicly that PG&E has “high level security” at critical facilities.
This new information casts doubt on those prior statements and raises concerns about the company’s ability to provide security for the California electrical grid. The memo was provided to the Investigative Unit by PG&E insiders who wanted this information out.
Last August, Stephanie Douglas, the director of the Corporate Security Division (CSD), wrote to PG&E president Chris Johns that “the physical security infrastructure of PG&E has plenty of work to be done.”
“In reality,” she wrote, “PG&E is years away from a healthy and robust physical security posture.”
Just 12 days before that, Douglas told the Investigative Unit a very different story.
“For our critical facilities right now we have high level security there—yes,” she said.
In April 2013, snipers attacked the Metcalf substation in South San Jose. The attack caused millions in damages and could have blacked out much of Silicon Valley.
Although federal law enforcement officials have not officially labelled the attack an act of terrorism, many high-ranking government officials have speculated that it may have been a trial run for a more robust attack. Authorities have yet to capture the gunmen.
In June 2014, PG&E committed to spending $100 million over three years to harden security at the Metcalf substation and several other critical facilities.
An NBC Bay Area investigation last July discovered that security was still lacking at many electric substations a year and a half after the attack at Metcalf. In 14 unannounced visits to nine substations in Northern and Central California, the Investigative Unit revealed what experts have called vulnerabilities in PG&E’s security network.
A month later, on August 18, Douglas provided an interview to the Investigative Unit to discuss whether PG&E had done enough to prevent another event like the Metcalf attack.
“We are working every day to make sure it never happens again,” Douglas said at the time.
Then, on August 27, the Metcalf substation experienced a second security breach. Unidentified intruders cut through a fence and stole expensive equipment. PG&E’s “high level security” had failed to produce any public photos or video of the break in.
On August 30—12 days after the interview and three days after the second security breach at Metcalf—Douglas sent a memo to Johns describing the significant challenges facing her division.
She wrote that CSD had not received enough resources to make significant improvements at substations and that the allocation of resources “remained unchanged from before the attack on Metcalf.”
She added, “These improvements continue to be slow, piecemeal and uncertain” and “We risk not knowing about security issues and having gaps exist for some time before the issue is resolved.”
In the memo Douglas also wrote that CSD couldn’t account for existing security assets. “The company’s existing security infrastructure is an assortment of technologies, many of them outdated. They have been cobbled together over the past 25 years and I would consider them to be in a ‘fail’ mode.”
State Senator Jerry Hill has criticized PG&E for security failings, including the fatal pipeline explosion in San Bruno in 2010. Since then, the utility company has pledged a commitment to safety and security. Hill says the memo calls PG&E’s integrity into question.
“They’ve said they were going to change. They’ve committed to change, but they haven’t changed,” he said.
Hill authored successful legislation requiring greater requirements and accountability for security at PG&E substations.
“This memo clearly states that PG&E had not done and hadn’t had the resources to do what was necessary to provide the security of their infrastructure,” Hill said. “It clearly says that she did not tell us the facts of the situation.”
Douglas and PG&E representatives declined new interview requests to discuss the contradictions in public statements and the private memo. Instead, the company sent an email detailing changes to security since Douglas sent the memo. They include more funding and staffing for security and monthly progress updates for senior managers.
PG&E also points to significant security upgrades at the Metcalf substation. In early 2015 the company built a barrier wall around the substation, enhanced its detection and deterrent systems and improved lighting.
It is unclear when PG&E will make major improvements to other critical substations. As Douglas wrote in the memo the company is still years away from a “robust physical security posture.”
“We don’t have years for security,” said Hill. “This could be drastic and devastating for our economy and for many people’s lives if we lose some of these substations.”
Substation Security Timeline
In an internal memo from PG&E revealed that the company was years away from promised security upgrades. Just a few days before, she told the NBC Bay Area Investigative Unit that there was already “high-level” security at critical facilities. Here’s a timeline of our investigations.