Wednesday, February 19, 2014

Why Attacking The Grid Became Hip & What We Can Do About it



In April 2013, a group of armed men attacked 17 Bay-area power substations, presumably in an effort to disrupt power to neighboring businesses. The attack was carried out using 7.62 rounds, which are commonly used in AK-47s (and their variants) as well as numerous other rifles, namely certain sniper rifles such as the M-24 depicted below. The attacks were said to be carried out with military precision, as the attackers both shot at the transformers and breached the underground area where various power cables were located.




I've also attached the surveillance video of these attacks so you can get an idea of how they occurred.




Much has been pontificated on exactly who could have carried out such an attack. Former Federal Regulatory Commission Chairman John Wellinghoff stated he believed the attacks were a "terrorist act", even though the FBI has told various media outlets they don't see any evidence of that now. As an investigator and a former military police officer, I can tell you that when law enforcement says they "don't see any evidence supporting that", that does not exclude any suspicions they might have. My preliminary guesstimate is that the FBI has some idea as to who the perpetrators are, especially given the investigation is several months old and we're approaching a year since the attacks occurred.

I have heard from various sources that this was the work of animal rights groups or environmentalists, given the target selection and court convictions of members of those groups in attacks against similar targets, despite the methodology being completely different from the Bay-area attacks. For the record, I completely disagree with this supposition, as it eliminates several other groups who are just as capable and have just as much stake in pulling off this kind of attack. As a matter of fact, I find it odd that those who suspect environmentalist/animal rights connections would ignore that the attackers chose a methodology using firearms, which goes against one of the strongest assets those groups have: the lack of human casualties and of kinetic attacks which harm human beings. Think about what I'm saying here for a second. Why would you bring a gun to an op where you could be discovered by law enforcement if the weapon isn't going to be useful as a defensive weapon against them? Also, any of these groups would have to account for the damage done to their public image if discovered with sniper rifles. It certainly makes it easy for their opponents to call them "enemies of the state".

What I surmise, rather amateurishly, is that the perpetrators brought guns to do the damage and possibly to engage responding law enforcement. Thankfully, the latter never occurred, I suspect because the suspects believed they had done enough damage. I am also of the opinion this was a dress rehearsal for a larger-scale attack. Many groups do a dry run before a major attack to test how the target and responders react. We see this all the time with bomb threats called in weeks before an attack. No suspicious device is found at first as the subjects observe reactions. They then rework the plan and decide whether to order another test. I know this because this is how I was taught to plan operations in the military, and I suspect whoever is behind these attacks was taught the same lessons.

So why the power plants and why sniper attacks? Quite simply, because the security industry and our government partners have been discussing this since 2002. We've consistently asked that critical infrastructure beef up its security. Additionally, a report was done by the National Academy of Sciences describing the probability of success of a sniper attack against transformers. One could use the CARVER matrix to determine that this is perhaps the most likely of any probable attack against critical infrastructure nodes. This is partially because of the ease of access to the target, the lack of security at the target, its criticality (it is vital to the target's mission), and its recoverability.

My summation is that the attackers didn't have much experience as a group with kinetic attacks and may have used this attack as a means to demonstrate some proof of concept. Whether there will be more attacks is still unknown. Given the hype surrounding this one, they may try again.

Here's what I propose power companies can do to protect their substations:
  • Add 10-foot fencing around the perimeter of substations, ensure the fence is encased in concrete at the bottom to prevent digging under it, and configure the barbed wire in a Y configuration.
  • Have a roving armed security unit patrol actively in the area of transformers and substations, conducting periodic but random security checks of the area. Have a randomizer pick the days and times of these checks on a daily basis. Never keep the same schedule.
  • Consider feeding the substation's closed-circuit television feed into your state's emergency management agency or fusion cell incident management consoles.
  • Emplace barriers throughout the avenues of approach to disrupt potential vehicle traffic to the substation.
  • Consider placing armoured steel on the transformers and other critical areas.
  • Consider using seismographic security sensors and magnetic sensors along various vantage points.
  • Conduct a foot patrol in the area as a part of the random checks I mentioned earlier.
  • Conduct a red team exercise yearly on your facilities to ensure personnel and security operators understand and implement sound practices to secure your assets in an attack.
As a caveat to the recommendations above, I fully realize this is not a fully comprehensive plan. The idea is to demonstrate how the power companies can implement various measures which are less complicated than might be assumed. If you have other recommendations, please post them below. I'd like to hear from folks from all over the industry.
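The "have a randomizer pick the days and times" recommendation is easy to get wrong: a schedule drawn from a seeded generator is reproducible, and pure randomness can leave a substation unvisited for most of a day. The following is an added example (not code from the original post) of a patrol scheduler that keeps check times unpredictable while guaranteeing a minimum number of checks per day and a hard cap on the gap between consecutive checks; the gap bounds and the start date are assumed values.

```python
"""Randomised substation patrol scheduler (added example, not from the post).

Checks are placed at unpredictable times drawn from the OS entropy source,
yet every day still receives at least min_checks_per_day checks and no two
consecutive checks are ever more than max_gap_minutes apart.
"""
import secrets
from datetime import date, datetime, timedelta

MINUTES_PER_DAY = 24 * 60


def schedule_checks(first_day, days, min_gap_minutes=30,
                    max_gap_minutes=240, min_checks_per_day=6):
    """Return sorted datetimes of security checks over `days` whole days.

    first_day is an ISO date string such as "2014-02-19". Each check is
    placed a secret random interval (min_gap..max_gap minutes) after the
    previous one, so by construction no gap exceeds max_gap_minutes. Any
    day that still falls short of min_checks_per_day is topped up with
    extra checks at random minutes, which can only shorten gaps.
    secrets.randbelow is used instead of the `random` module so the
    schedule cannot be regenerated by anyone who learns a seed.
    """
    if not 0 < min_gap_minutes <= max_gap_minutes:
        raise ValueError("need 0 < min_gap_minutes <= max_gap_minutes")
    if days < 1 or not 0 <= min_checks_per_day <= MINUTES_PER_DAY:
        raise ValueError("days must be >= 1 and min_checks_per_day sane")
    start = datetime.combine(date.fromisoformat(first_day), datetime.min.time())
    end = start + timedelta(days=days)
    span = max_gap_minutes - min_gap_minutes + 1
    checks = set()
    # First check lands somewhere in the first max_gap window after start.
    t = start + timedelta(minutes=secrets.randbelow(max_gap_minutes + 1))
    while t < end:
        checks.add(t)
        t += timedelta(minutes=min_gap_minutes + secrets.randbelow(span))
    # Top up any day below the minimum; a set silently drops collisions.
    for d in range(days):
        day_start = start + timedelta(days=d)
        today = day_start.date()
        while sum(1 for c in checks if c.date() == today) < min_checks_per_day:
            checks.add(day_start + timedelta(minutes=secrets.randbelow(MINUTES_PER_DAY)))
    return sorted(checks)


def checks_per_day(checks):
    """Count checks per calendar day, keyed by ISO date string."""
    counts = {}
    for c in checks:
        counts[c.date().isoformat()] = counts.get(c.date().isoformat(), 0) + 1
    return counts


def longest_gap_minutes(checks):
    """Largest interval between consecutive checks, in minutes (0 if < 2)."""
    if len(checks) < 2:
        return 0.0
    return max((b - a).total_seconds() / 60 for a, b in zip(checks, checks[1:]))


if __name__ == "__main__":
    # Assumed start date; one week of checks, printed for the patrol roster.
    plan = schedule_checks("2014-02-19", days=7)
    for c in plan:
        print(c.strftime("%a %Y-%m-%d %H:%M"))
    print("checks per day:", checks_per_day(plan))
    print("longest gap (min):", longest_gap_minutes(plan))
```

Because the top-up step only adds checks, the max-gap guarantee established by the chained draws survives it, which is the property worth verifying before trusting any schedule generator.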

Wednesday, December 11, 2013

Kenya Mall Shooting - Why It Went All Wrong & What We Can Do To Be Better

Yesterday, the New York City Police Department released a report from its SHIELD initiative about the Kenya mall shooting/terrorist attack. It was a pretty damning report, to say the least. Before we talk about the report, let's talk about what SHIELD is and why that's important to understand in the context of this report. SHIELD is the NYPD's homegrown information-sharing component with private sector security. It provides analysis on current and future threats. I've previously read some of SHIELD's reports. Some were good and some were typical of fusion center reports: some meat and some potatoes but not a full meal. This report was driven, in part, by the need to go over what NYPD and private security could learn from what happened in Nairobi. There was plenty.

There were some startling revelations:
  1. Kenyan police were VASTLY outgunned. The report states, "The typical Uniformed Kenyan Police Officer is not as well equipped as their western counterparts, typically only carrying a long gun, most commonly an AK-47 style rifle with a folding stock, loaded with a single 30 round magazine. They do not carry handguns, wear body armor, gun belts or have portable radios to communicate." Each of the terrorists was carrying 250 rounds of 7.62 mm ammunition. Lack of body armor and radios to communicate resulted in fratricide. More on that later.
  2. Responding plainclothes officers were also outgunned and had no visible identification. Remember what I said about fratricide? From the report: "Very few of any of the plainclothes law enforcement first responders displayed any visible law enforcement identification such as a badge, arm band, ID card or a raid jacket, making identification as “friend or foe” extremely difficult for other armed first responders."
  3. Realizing the police were outgunned, Kenya made the incident response a military matter. That's as bad as it sounds. The report says, "Kenyan government officials decide to transfer the handling of this incident from the police to the military. A squad of Kenya Defense Forces KDF soldiers enters the mall and shortly afterwards, in a case of mistaken identity, the troops fired on the GSU-RC Tactical Team. They kill one police officer and wound the tactical team commander. In the ensuing confusion both the police and military personnel pull out of the mall to tend to the casualties and re-group."
  4. Responding military forces used an RPG-7 as a room-clearing tool. I kid you not. And the destruction was insane. "It is reported that at some point during the day the Kenya Defense Forces decided to fire a high explosive anti-tank rocket (possibly a RPG-7 or an 84mm Recoilless Rifle) as part of their operation to neutralize the terrorists in the Nakumatt Super Market. The end result of this operation was a large fire and the partial collapse of the rear rooftop parking lot and two floors within the Nakumatt Super Market into the basement parking."
  5. It is possible the terrorists escaped in part because the Kenyan security forces failed to secure a perimeter. It is rather elementary: the very first thing Western police do in these scenarios is lock down the perimeter. No one comes in or out unless they can be positively identified as a "friendly". This credentialing is done by checking IDs, and at first only law enforcement and first responders are admitted or allowed to exit, upon verification.
  6. The mall employed unarmed officers who performed unsatisfactory "wand searches". This is irritating, to say the least. Why? Unarmed officers are appropriate for certain environments and are the way to go in most environments. However, at high-value targets, such as mass gathering locations in places like Kenya, I would have used an armed component. Armed officers are not only armed but can be equipped with radios and are usually uniformed. This makes identifying them for law enforcement somewhat easier. Also, armed officers can do things unarmed officers can't due to safety concerns, such as locking down perimeters and evacuating victims.
  7. Wand searches are weak. I dislike them with a passion. Why? Officers get tricked into believing a search was "good" because the wand didn't annunciate. This is all kinds of bad. A search should be thorough at high-value targets. If you're going to employ officers and have them search, have them be thorough and do it without a wand. I would use the wand only in environments where I had other search mitigators in place, such as backscatter or X-ray search devices.

So what does this attack teach us in the West?
  1. The desire of terrorist groups to attack mass gathering locations is still very much alive.
  2. Places like malls should consider Kenya to be a warning. If you're in mall security, I highly suggest going over your active shooter plan and rehearsing it on a fairly regular basis with local police departments and simulated shooters. In these exercises, test not just your ability to minimize casualties but also your security apparatus under stress. This is best accomplished by "killing" responders, taking hostages, attempting escape, and causing confusion among responders. Get your people used to chaos in these scenarios.
  3. Never do wand searches at high-value targets, and test your people regularly. I've gone over why I think wand searches are bad. So let's examine why you should test and train your searchers regularly. Searching is one of the most important yet often neglected security components. We usually pick rookies and the "lowest common denominator" to do this function because it's "easy". Doing good and thorough searches that let you sleep easy at night is not easy. Searchers should be trained on subject "tells", physical characteristics of forbidden items by touch, sound, smell, and sight, the tools they can use to do searches better, etc. They should also be regularly "red-teamed", which is to say you should have a non-attributable person walk through security and see what they can get through. When they're done, they should report their findings to management.

    Here's a video I did on how I would search bags:

  4. CCTV and analytics are EXTREMELY important in an active shooter scenario. There are several takeaways from what we learned about CCTV and the lack of analytics in Nairobi. First, CCTV coverage was spotty in some areas. Also, the CCTV coverage was easily identified and avoided by the terrorists. We also know that while they had remote viewing capability, it was five miles away and more than likely not cross-fed into the police. While a CCTV monitor can't identify every threat, video analytics can alert operators to suspicious activity. At the very least, consider it an option.
  5. Garages and parking lots should be regularly patrolled. While there was a guard posted at the entrance of the garage, had a response element been closer by, they could have locked the exterior doors to the mall.
  6. Train your employees on how to sound the alarm and IMMEDIATELY lock down their storefronts and secure customers. I would consider including them as a part of your active shooter training as well. Make that mandatory training for all storefront management and their trusted employees. I would include it in a leasing agreement if I had to.
  7. Have a HIGHLY accessible public address system to sound the alarm.
  8. Train local non-law enforcement responders on the need to "shoot, move, and communicate". Seriously, I can't stress this enough. There is a huge debate in the US surrounding concealed carry permit holders as responders. I'm okay with them responding, though I prefer they receive some training on the need to identify themselves to law enforcement prior to responding, via a phone call if time and circumstance permit.
  9. Equip every security person and law enforcement officer with a radio. If you want to avoid wasting your time clearing rooms that have already been cleared, or fratricide, then you HAVE TO equip your responders with radios and share your frequencies with them.
  10. Train your personnel on reporting formats like SALUTE. We've covered this before, so I won't bore you with the details.
  11. Train your security management personnel on casualty collection points, IED mitigation, cordons, perimeter searches, and periodic vulnerability assessments. These things can't be overstated in training. Trust me. You'll thank me for this later.

Monday, December 9, 2013

Social Media Investigations 101 - Are You Sure You Want To Post That?



Soooo.... You've been on Facebook a while and you've set your privacy settings to whatever new super-secret stealthy hidden mode setting Facebook has. You probably also feel like none of your 400+ friends would ever tell anyone what you post. You look at articles about people posting things they shouldn't going viral and you think, "I'm so glad that's not me. I would never do something like that." I destroy that myth every day at my job. In real life, I investigate leads in criminal cases which can aid my clients. A favorite place I go for these leads is social media.

When I tell people I go to Facebook for leads, the first thing they like to say is "Well, you're not going to find anything on me like that." I'm polite so I smile and tell them "Probably not." Of course, I'm lying. If I've told you that, this is where you're probably feeling a little uneasy. Let's be clear, if I don't have an interest in finding something, I probably won't find it. That's not to say I can't because I assure you I can.

So, let's break down how I might do a social media query. I won't bore you with site specifics, but I will address some things that are common throughout the social media investigations landscape. This is not to scare you. I am merely trying to inform you so you understand exactly what information you voluntarily give away.

Disclaimer: For the experts: This is not all-inclusive, and I'm aware of the many advances in social media investigations. This is mainly informative for those who may not know and to spark some discussion. All others: Please check your jurisdiction for whatever legalities may exist for you.

The best way to illustrate this topic is to assume you'll be doing a search yourself. If you don't mind being spooked, try this on yourself, assuming you're a complete stranger who's only been given the task of obtaining whatever information exists on you in social media. I recommend creating your own "blank" account that you have no affiliation with to get started. When we get to associates, feel free to pretend and assume the worst about people on your friends list you haven't seen or spoken to in some time.
  1. Start with a subject. Having a name (preferably a first and last name) is good. I've done this with neither. More on that later.
  2. Put the name in the search box of the social media site you're searching. This is fruitful if you're seeing whether someone is on the site or if the profile is possibly "hidden" from searches. The latter requires you to know the subject is actually on the site. While doing this, play around with nicknames or aliases. A personal favorite of mine is email addresses. I also use their most-used username if I know it. I have also looked up last names only, just to see if someone posts things to a relative's profile.

    When searching Google, try to place quotation marks at the beginning and end of your subject's name. Also, type in site:whatever-the-social-media-site-you-think-they-are-on.com/net/org/edu/gov. Novice searchers give up because the results are too many. This narrows it down quite a bit.

    Despite what you think, no name is too common for a determined investigator. There are other things than our names that differentiate us. For example, say your name is "John Smith". That's too common a name for some investigators. But what happens when I search for "John Smith" in Dayton, OH who is a police officer married to a woman named Ebony? If you're the target, you're not as anonymous as you thought.
  3. Search them by username and old phone numbers. Sometimes, this is all you have to go on. Do it. That username may be their most commonly used one for everything. This could lead to old social media profiles (a time-machine treasure trove of forgotten pics, lifetime issues and events, contacts, etc.), photo-sharing sites they frequent, articles they bookmark (Pinterest), comments they've made on other sites (YouTube can be great for this stuff), and sites they don't want anyone to know they frequent. Getting the username can be tricky. If I have a confirmed profile for them, I'll take the username that is in the profile's URL and then perform an "exact phrase" search on Google.

    I like to try the phone number search quite a bit. I'm not necessarily looking for an address if it's a social media investigation. Some profiles are only searchable with a phone number. Also, people post their numbers on sites that don't value privacy. For example, you run a shop that sells auto parts. As such, you belonged to a parts forum online. There you posted your number to get orders under a username I never knew existed. Not only do I possibly have historical data on you, but I may also get a look at your posts there, as well as whatever I can dig up on this old username.
  4. If none of this proves fruitful, try a Google Image search. You may not be aware of this, but Google now allows you to search by image. That means I don't need your name to find you on the Internet. Sometimes, I find people use the same photo for most sites they frequent. Perhaps you'll find a site with a picture you have and can dig up useful information such as other pictures, other usernames, and most importantly, associates.
  5. Associates are where the money is. Seriously, most people assume, wrongly, that their Facebook friends feel the same way they do about things, or they feel some impunity with what they post to their audience. In some cases, this may be true. However, I can guarantee it probably is not. Finding associates can be tricky if you don't know much about your subject. Hopefully, Google will help you out here. If not, I recommend spending the $19.95 to use people-search sites like Intelius or Spokeo. This should give you a list of names of people who either know your subject or lived in the same area as him. Also, try Classmates.com. Someone went to high school with your subject, and I bet you they're still on their Facebook friends list. Another feature of some sites' search engines is the suggested friends list. If you're friends with their friends, social media sites like to let you know and ask if you want to be your subject's friend. Of course, you don't. But this provides you with that profile you've been looking for, or at least one of them.

    Old friendships are tricky. We think the people who have known us the longest have our best interests at heart. Let me assure you, some of them don't. Most people trust these folks with lots of personal information, even when they go on a tirade or a rant. The simple truth is, if someone has it in for you, they can voluntarily give anyone access to whatever you share with them online.

    This young lady thought she was being "funny" outside of Arlington. Several of her "friends" didn't think so.
  6. Be careful what you "like". People wrongly assume the pages they like or the comments they reply to on someone else's page are somehow protected. Yeah, that is totally wrong. It is protected ONLY if they have set themselves up with the strictest privacy settings. Many times, a person's "likes" can reveal a lot about them even if an investigator can't see anything else. A great example is Facebook Groups which advocate violence or are sexually explicit. Unfortunately, people forget to hide what pages they "like", and it suddenly has some bearing on something they never imagined it would.
  7. Search for a name in a foreign language. I see you laughing, but I once had someone hide their profile by using another language to hide their name. It's a great idea, but as I ran out of options, I went to Google Translate and entered the subject's name from English to Korean. Suddenly, her profile appeared.
  8. Search their friends' friends lists. Some people hide in plain sight. You may be searching for the right subject but entered the wrong letter. A friend's friends list will probably have the name as something else.
  9. Search EVERY PHOTO, LOCATION TAG, EVENT SIGN-IN, etc. Sometimes, the information we seek is in places we dismiss as being "dry". Look through EVERYTHING. Trust me. This alone can give you more associates, the state of mind of your subject, places they've been or frequent, events they've been to or locations they can be expected to be at, and all the drama that comes with social media picture posting.
  10. When you've found what you're looking for, archive it. This is easier than you think. Grab your smartphone and take a picture of your screen where the information is. People trust screenshots more than they do a link they can click.
  11. Do this exercise on yourself and assume your current or future employer, spouse, child custody judge, friends, family, and others are doing the same. Those who get their 15 minutes of fame from poor Facebook posts never seem to think they'd get turned in by their "friends". Also, here's a tidbit: if you're posting information you shouldn't, never exclaim "I don't care who sees this." I GUARANTEE you will.
*Some places I like to go to search for social media investigation queries
*You're not getting all of my trade secrets
