A homemade bomb police described as "really crude" caught fire early Wednesday at a critical electric substation in southern Arizona, causing little damage but invoking fears of a coordinated assault.
The nighttime attack charred the side of a 50,000-gallon diesel storage tank at the Valencia power delivery facility near Nogales, Ariz., but injured no one and did not interrupt power to the area, according to local law enforcement.
"Our preliminary investigation shows that these people did not have really good working knowledge of how this plant operates -- but you never know," said Nogales police Lt. Carlos Jimenez, who estimated 30,000 people could have lost electricity had the substation been compromised.
Although the Arizona Department of Public Safety dispatched a bomb squad to the scene, Jimenez said the device used in the attack behaved more like a big match than a grenade or explosive.
Whoever led the attack managed to breach the chain-link fence surrounding the facility, which was unmanned at the time the bomb detonated, he said.
Jimenez said federal authorities were also investigating the incident because its "intentions were far-reaching."
"It is critical infrastructure for the city [of Nogales], and that's one of the reasons we're having a full-scale response" from the FBI and the Bureau of Alcohol, Tobacco, Firearms and Explosives, he said. Representatives from the two federal agencies' regional offices did not respond to requests for comment yesterday.
The substation is operated by UniSource Energy Services, which provides electricity to about 93,000 people in Mohave and Santa Cruz counties as a subsidiary of Tucson-based holding company UNS Energy Corp (Greenwire, June 12).
UniSource spokesman Joe Salkowski said that the "transformers in the substation were not damaged or apparently targeted."
An armed attack last year on the Metcalf Pacific Gas & Electric Corp. substation near San Jose, Calif., took down 17 costly and hard-to-repair transformers by disabling cooling equipment.
Though the Nogales bomb was not nearly as damaging or apparently as well-organized as the Metcalf assault, officials cautioned that the investigation is ongoing.
"Everyone is fortunate that the damage wasn't worse than it was," said Rebecca Wilder, communications director at the Arizona Corporation Commission, which oversees the state's electric power industry. "The Corporation Commission is monitoring this. ... [I]t's important to continually review security and see if there are some additional measures that should be taken."
ACC Chairman Bob Stump sent a March 3 letter to UniSource Energy Services asking for information about the company's physical and cyber security precautions.
Stump said the Metcalf incident, which has yet to be solved by law enforcement, "may be a harbinger for more successful -- and serious -- attacks."
"We can only pray that Arizona never suffers such an attack," he wrote in the letter addressed to Jo Smith, senior director of regulatory services at UniSource and its sister utility Tucson Electric Power.
Coincidentally, the Nogales incident coincided with publication of an analysis by Jason Black and colleagues with the Battelle Institute, urging the electric power sector and its regulators to seek comprehensive solutions to the entire range of threats facing the grid -- natural disasters, cyberattacks and physical assaults. Battelle, a nonprofit research and development organization, manages U.S. national laboratories.
Following the Metcalf attack and later news articles highlighting substation vulnerabilities, members of Congress have focused on the physical threats to the grid. The Federal Energy Regulatory Commission responded with an order directing its standards-drafting body, the North American Electric Reliability Corp., to return a physical security plan. NERC's proposal is now before the commission.
Black's paper urges the adoption of an "all-hazards" threat response, noting that "physical attacks are only one of many threats to the security of the bulk-power system."
NERC's physical security proposal, following FERC's direction, calls for each utility to assess the particular vulnerabilities to its most critical transmission networks. Black said it is essential to combine company-by-company strategies with security plans across regions to guard against possible cascading outages caused by disasters or attacks.
While physical defenses may be critical in some situations, they must be weighed against other investments that could expand the redundancy and resiliency of the transmission infrastructure, making the grid less vulnerable to disruptions and faster to recover after an outage, said Black, Battelle's research director for energy and environment.
"Recovery can include pre-positioning of spare equipment, development of operational protocols, and conducting scenario exercises to train first responders, field personnel, and operators," the Battelle paper said. Building armored shields around substation transformers may ward off armed attack, but won't defend against a cyber campaign or rogue ground currents triggered by a massive solar flare, Black added in an interview.
Proposed solutions should include cost and benefit comparisons, Black said, recognizing that pinning down such trade-offs can be challenging when dealing with low-probability but disastrous events, such as a massive solar flare, or a sophisticated combined cyber and physical attack on key substations.
"If you do a system-wide, or all-hazards approach, you make sure investments are most efficient and effective," he said. "Physical security is important. But just don't focus on that at the expense of the other issues."