Critical Infrastructure Protection · Grid Security · 2026

Substation Physical Security
Intelligence Report 2026

The U.S. grid has 55,000 transmission substations. Most lack robust physical security. Attacks are accelerating. Ukraine has spent three years under sustained assault on its power infrastructure and developed the most battle-tested substation hardening doctrine on earth. This report covers the threat landscape, the U.S. regulatory gap, Ukraine's six-year laboratory of lessons, the layered protection architecture, and the companies that can help.

Critical Infrastructure Confidential 2026 Edition
185 Grid attacks 2023 (record)
2,800+ Physical threats reported 2023
45,000 Customers lost — NC 2022
55,000 U.S. transmission substations
$15M Metcalf attack damage 2013
$93B Ukraine energy sector damage

The Security Gap

The U.S. Grid Has a Physical Security Problem

The Fundamental Vulnerability

The U.S. electric grid includes 55,000 transmission substations and 160,000 miles of high-voltage power lines. The vast majority were built in an era when physical attack was not a design consideration. Many are secured by nothing more than chain-link fencing and a padlock. A determined adversary with a high-powered rifle, insider knowledge of which components to target, and the willingness to engage from outside the perimeter can cause millions of dollars in damage and cut power to tens of thousands of customers in under ten minutes — as demonstrated in Moore County, North Carolina, in December 2022. The U.S. has known this problem existed since the Metcalf substation attack in April 2013. Twelve years later, the attack frequency is accelerating and most substations remain inadequately protected.

185 Physical attacks / threats reported in 2023 — a new record, beating the prior 2022 record
2,800+ Physical security threats reported to NERC E-ISAC in 2023 — up 1,000+ from 2022
163 Reported electrical incidents caused by vandalism, physical attack, or suspicious activity in 2022
~3% Percentage of attacks that cause actual grid outages — but the 3% that do can be devastating

The threat actors are diverse: domestic violent extremists (DVE) targeting grid infrastructure as a force multiplier for other criminal activity; far-right extremists sharing targeting guides on online forums; disgruntled individuals; copper thieves who cause collateral damage; and nation-state actors who have already demonstrated they can penetrate utility SCADA systems. Russian hackers compromised several U.S. electrical utilities in 2017-2018, breaching air-gapped security networks. The Russian PIPEDREAM malware, designed specifically to compromise OT systems, came dangerously close to disrupting a significant portion of U.S. electric supply in 2022.

The problem is not lack of awareness. NERC CIP-014 has required risk assessments and security plans for the most critical substations since 2015. The problem is scope — CIP-014 only applies to the highest-voltage, highest-impact transmission substations. Thousands of distribution substations that serve hospitals, emergency services, and dense population centers are entirely outside the mandatory framework. And even where CIP-014 applies, the standard mandates a plan, not a specific protection level — leaving enormous variation in actual security posture across the industry.

Documented Incidents

U.S. Substation Attack History — Key Incidents

The pattern is clear and consistent: rifle fire at transformers from outside the perimeter, cutting communications first, targeting equipment with no line-of-sight protection. The Moore County attack is the operational template that threat actors are replicating.

April 2013 — Metcalf, California
The Attack That Should Have Changed Everything
Unknown attackers severed fiber-optic telecommunications cables, then systematically fired high-powered rifles at cooling systems of 17 transformers at PG&E's Metcalf transmission substation near San Jose. Approximately $15 million in damage. Police arrived and found nothing suspicious — the attack was complete before they entered. This attack directly triggered NERC CIP-014. Despite this, most substations remained essentially unchanged a decade later.

November 2022 — Pacific Northwest, Oregon, Washington
Multiple Coordinated Attacks
A series of attacks on substations across Washington and Oregon. One on Thanksgiving Day. Vandalism causing customer outages. Pattern: rural locations, perimeter breach, equipment targeting. Part of a documented uptick that began in 2017.

December 3, 2022 — Moore County, North Carolina
The Template Attack
Rifle fire on two Duke Energy substations. 45,000 customers lost power for up to four days. Moore County Sheriff: "whoever was responsible knew exactly what they were doing." Law enforcement assessed the attacker had insider knowledge of substation equipment — knew precisely which components to target for maximum outage. No arrest. No identified motive. This is now the operational template cited in domestic extremist online forums as a model for grid disruption.

December 25, 2022 — Washington State
Christmas Day Attack
Two men attacked multiple substations in Washington state on Christmas Day. 14,000+ outages across Tacoma Power and Puget Sound Energy systems. At least $3 million in damage. Federal charges filed. Attack occurred on same day as a coordinated "grid down" messaging campaign on extremist forums.

February 2023 — Baltimore, Maryland (Disrupted)
Neo-Nazi Grid Attack Conspiracy
Federal authorities charged two individuals — one a neo-Nazi group founder — with conspiracy to destroy Baltimore-area energy infrastructure. Target: multiple substations attacked simultaneously to cause cascading outages. The planning documents recovered were detailed. This was not amateur — it was a structured campaign. The grid attack was intended as a triggering event for broader civil unrest.

2023 — Southern California (Disrupted)
Near-Catastrophic Attack Prevented
Unknown suspect attempted to destroy a local substation by shooting at a transformer and shutting off circuit breakers. FBI stated that if the attack had succeeded, it could have caused catastrophic consequences for people relying on electricity for medical purposes. FBI offered $25,000 reward. Attack partially thwarted by multilayer security that had been installed post-2022.

2022–2024 — National Pattern
Extremist Targeting Intelligence Widely Shared
DHS/CISA documented that neo-Nazi publications and online message boards from 2022 onward contain detailed guides: which substation components to target, optimal firing positions for maximum damage, how to attack from outside the perimeter beyond camera range. This intelligence is publicly available to any motivated actor. The operational knowledge for a Moore County-scale attack requires no specialized training.

Ongoing — Nation-State Threat
Russian Pre-Positioning
Russia has compromised multiple U.S. utility SCADA systems (confirmed 2017-2018). PIPEDREAM ICS malware designed specifically for U.S. grid systems was discovered and disrupted 2022. Russian "ghost ships" mapping North Sea wind infrastructure 2023. The threat is not only domestic. State-sponsored combined cyber-physical attack is the scenario requiring the most urgent hardening response.

Battlefield-Proven Protection Doctrine

What Ukraine Has Learned — Six Years Under Attack

Russia has attacked Ukraine's power infrastructure with cruise missiles, ballistic missiles, kamikaze drones, and fiber-optic FPV drones in 30+ separate large-scale coordinated strikes since February 2022, and in hundreds of additional localized strikes. Ukraine has lost 70% of its pre-war generating capacity. Half of all high-voltage transmission substations were damaged or destroyed. And yet the grid is still running. The lessons Ukraine has developed — under live fire, under existential pressure — are the most operationally relevant substation hardening doctrine available anywhere in the world. They are directly applicable to U.S. grid security.

63,000 Pieces of energy infrastructure damaged since Feb 2022
$93B Estimated damage to Ukraine's energy sector
50% Of Ukrenergo high-voltage substations damaged or destroyed

Ukraine's Three-Layer Passive Protection System

  • Layer 1 — Gabions and Sandbags: Wire cages filled with rocks or sandbags protecting 90+ facilities across 21 regions from debris, fragmentation, and indirect fire. Lowest cost, fastest to deploy, effective against drone payload fragmentation and secondary debris. This is the baseline — deployed first at all sites.
  • Layer 2 — Concrete Barriers: Pre-cast concrete structures around Ukrenergo's primary network. As of January 2025, covering 22 substations and 63 autotransformers in 14 regions. Withstands direct drone attacks and ballistic impacts. Three-layer concrete fortifications ordered by government decree July 2023. During the April 2024 Russian offensive, passive protection saved at least half of substation equipment from destruction.
  • Layer 3 — Iron and Steel Fortified Structures: The most costly and most protective tier. Full iron-and-steel-reinforced enclosures around the most critical transmission equipment. Protects against direct missile strike fragments and shaped-charge drone warheads. As of January 2025, construction began at 22 sites following third-year U.S. USAID reinforcing steel delivery (20,000 tonnes).
  • Drone Defense Integration: Anti-drone nets, electronic warfare jamming, and acoustic detection deployed at transmission substations. Not a substitute for passive hardening — a complement to it. Passive protection is the backstop when active defeat fails.

Ukraine's Resilience Doctrine — What Changed

  • Dispersion is survival: Ukraine's pre-war grid was centralized — large generating plants, large substations, everything connected. Russia exploited this. Post-2022 strategy: replace large vulnerable plants with hundreds of smaller distributed generators. 1,500 MW of rooftop solar installed by early 2024. Distributed generation reduces the value of attacking any single node.
  • Rapid repair over full protection: Ukraine cannot protect every asset. Instead, it pre-positions spare transformers and repair crews, and has compressed repair timelines from weeks to days at many sites. Speed of restoration is a resilience multiplier.
  • European grid interconnection: Ukraine accelerated integration with the EU ENTSO-E grid in 2022 — import capacity reached 700 MW by February 2023. Cross-border redundancy provides the grid with an external resilience backstop that no domestic hardening measure can replace.
  • Microgrids and invincibility points: Cities built "invincibility points" — hardened local generator clusters keeping essential services (hospitals, traffic, communications) running during main grid outages. Each serves as an independent power island.
  • The lesson U.S. utilities need to hear: Physical hardening saved at least 50% of equipment during Ukraine's most intense attack period. Without the three-layer protection, the Ukrainian grid would have collapsed. The question for U.S. utilities is not whether these lessons apply — it is why they have not been implemented already.

Key Ukraine Finding — Directly Applicable to U.S. Grid

Concrete and steel structures have proven effective in shielding power transmission substations from attacks. This is confirmed by the Wilson Center, IEA, Atlantic Council, and Congressional Research Service — all citing Ukraine's operational experience. The U.S. grid faces a less kinetically intense but increasingly frequent threat from rifle fire, drone payload delivery, and coordinated multi-site attacks. The countermeasure is the same: ballistic-rated protection around critical components. The physics does not change because the attacker's nationality does.

Defense Architecture

Layered Substation Protection Architecture

No single measure is sufficient. The correct architecture is layered — each layer provides redundancy against failure of the layer before it. Ukraine proved this under live fire. The architecture below is applicable to U.S. substations now, at varying cost levels, without waiting for regulatory mandates.

1. Perimeter Security

Delay and detect — the outer ring

High-security perimeter fencing, anti-climb measures, vehicle barriers, and ballistic-rated perimeter gates. The goal at this layer is not to stop a determined attacker — it is to slow them, force closer engagement, and eliminate standoff shooting positions. Chain-link fencing is not a security measure. Ballistic-rated perimeter walls and high-security mesh systems with intrusion detection are the correct answer for critical substations.

Vendors: Guardiar (Guardian Fence System 7000 — 46-minute breakthrough delay, ASTM ballistic tested), Betafence, FDC Substation Security, Ameristar Perimeter Security, Tymetal Corp, LARAN Fence Systems

Most substations have only chain-link. This is where almost all U.S. substation hardening investment should begin.

2. Ballistic Protection for Critical Equipment

The transformer is the target — protect it directly

Ballistic-rated walls, panels, and enclosures directly around transformers, control houses, breaker/transformer cabinets, and SCADA/communications equipment. This is the most important single hardening measure. The Moore County and Metcalf attacks succeeded because transformers had zero ballistic protection and direct line-of-sight from outside the perimeter. Eliminate line-of-sight. Eliminate the attack vector. Ukraine's three-layer concrete and steel protection of autotransformers reduced equipment loss by approximately 50% during peak attack periods.

Vendors: Southern States Ballisti-Wall® / Ballisti-Cover® (UL-752 Level 10 certified), Oldcastle Infrastructure Defender Walls (precast concrete), Permacast Walls (custom precast), ArmorCore by Waco Composites (fiberglass panels, UL752 levels 1-8), Strescon (precast concrete structures), Hesco Bastion (rapid-deploy blast barriers)

Southern States Ballisti-Wall is the most deployed purpose-built transformer protection product in the U.S. utility market. Oldcastle Defender Walls are the heavy concrete option for highest-threat environments.

3. Visual and Thermal Concealment

Remove the targeting information

Non-reflective coatings, thermal masking fabric, and visual screens prevent drone-borne EO/IR reconnaissance from identifying high-value equipment. Ukraine lesson: drone operators target what they can identify from above. Remove identifying equipment signatures — distinctive transformer shapes, heat signatures from cooling systems — and you reduce the targeting information available. This applies to both ground-level standoff attacks and drone reconnaissance.

Vendors: Saab Barracuda (multi-spectral thermal masking), Fibrotex (Israel — military-derived concealment systems), Custom agricultural and industrial netting suppliers

Low cost, high value for drone defense. Applied to cooling equipment, HVAC exhaust, and distinctive structural features identifiable from aerial reconnaissance.

4. Detection — Sensors, Video, and AI

Find the threat before it engages

Multi-layer detection: radar for drone and ground intrusion detection at extended range; AI video analytics for perimeter intrusion and loitering detection; acoustic sensors for gunshot detection, drone audio signature, and glass break; thermal cameras for 24/7 perimeter coverage in darkness and adverse weather; Remote ID monitoring for drone identification; SCADA-integrated sensors for equipment tampering. The Meerkat ballistic line-of-sight tool (IEEE Spectrum 2025) specifically models substation vulnerability to ballistic attack — identifying which equipment is exposed from which external positions.

Vendors: DroneShield (DroneSentry-C2 — C-UAS detection), Dedrone/Axon (RF detection + Remote ID), ShotSpotter/Motorola (acoustic gunshot detection), Teledyne FLIR (thermal perimeter cameras), Avigilon/Motorola Solutions (AI video analytics), Fortem TrueView (drone radar), Specter (long-range wireless perimeter sensing), Power Intelligence (substation-specific detection systems)

ShotSpotter/Motorola gunshot detection is critical for substations — provides real-time alert and geolocation of rifle fire before the operator identifies the attack. Mean response-to-alert time: under 60 seconds.

5. Drone Defense

Counter the aerial threat vector — legally limited in U.S.

Drone delivery of explosive or incendiary payloads, drone reconnaissance for pre-attack intelligence gathering, and drone-based electronic warfare are all documented threats to energy infrastructure. Detection at this layer is legal for any U.S. utility. Defeat requires federal authorization under current law — but the NDAA FY2026 SAFER SKIES Act and the pending Tom Cotton bill may extend defeat authority to designated CNI operators including energy utilities. Anti-drone netting over critical equipment (same architecture as data centers) is the passive defense that is legal and immediately deployable.

Vendors (detect — legal for utilities): Dedrone, DroneShield DroneSentry, Fortem TrueView, SRC Silent Archer
Passive physical (legal): Anti-drone netting (Robetco, Karman Line Aerospace), thermal concealment, Hesco blast barriers
Defeat (federal only currently): DroneGun (DroneShield), EnforceAir (D-Fend), Leonidas HPM (Epirus)

Tom Cotton bill (pending 2026): would extend defeat authority to DHS-designated high-risk CNI — energy utilities are the primary intended beneficiary. Watch this legislation.

6. Resilience and Rapid Recovery

The Ukraine lesson — you cannot protect everything; recover fast

Spare transformer pre-positioning. Distributed backup generation. Microgrid islanding capability. Mutual aid agreements for rapid equipment transfer. Transformer replacement lead times can exceed 12-18 months for custom high-voltage units — the Strategic Transformer Reserve (STR) program and NERC's spare equipment database exist to address this. Ukraine's key insight: speed of restoration is a resilience multiplier that reduces the strategic value of any single attack.

Programs: NERC Spare Equipment Database (SED), DHS CISA Infrastructure Security, Edison Electric Institute (EEI) GridResilience, EPRI Grid Resilience Program, DOE Strategic Transformer Reserve, Atlas Power (mobile transformer supplier)

Ukraine's model: Ukrenergo pre-positions spare transformers and repair crews at regional depots. Repair timelines compressed from weeks to days at many sites. The U.S. grid has far more spare capacity than Ukraine — this resilience lever is available now.

Vendor Intelligence

Substation Security Vendors — Products and Capabilities

Vendors operating in U.S. substation physical security, organized by protection category. Most products apply to any hardened site — the substation application is not fundamentally different from data center hardening in the passive protection layers.

BALLISTIC PROTECTION — Transformer and Equipment Hardening

Southern States LLC (U.S.)
  • Product / Solution: Ballisti-Wall® / Ballisti-Cover®
  • Category: Ballistic enclosure
  • Key Capability: UL-752 Level 10 certified ballistic protection for transformers, control houses, breaker/transformer cabinets, SCADA equipment. Designed for straightforward installation and removal.
  • Market / Certification: U.S. utility market — NERC CIP-014 applications
  • Notes: Most deployed purpose-built transformer ballistic protection product in U.S. utility market. Georgia-based manufacturer with established utility customer base.

Oldcastle Infrastructure (U.S.)
  • Product / Solution: Defender Walls
  • Category: Precast concrete walls
  • Key Capability: Purpose-built precast concrete substation security walls. Heavy protection for highest-threat environments. Scalable for large transformer yards. Ukraine equivalent: Level 2 concrete protection.
  • Market / Certification: U.S. utility market — CIP-014 and voluntary hardening
  • Notes: Large-format precast concrete — best for new construction or major retrofits. Used by multiple large U.S. utilities post-2022 attack series.

Permacast Walls (U.S.)
  • Product / Solution: Precast concrete security walls
  • Category: Precast concrete walls
  • Key Capability: Custom precast concrete ballistic wall systems. Substation-specific design capability.
  • Market / Certification: U.S. utility market
  • Notes: Custom design capability — useful for non-standard site geometries.

ArmorCore by Waco Composites (U.S.)
  • Product / Solution: ArmorCore® Fiberglass Ballistic Panels
  • Category: Ballistic panels
  • Key Capability: UL-752 certified fiberglass panels, levels 1-8. Lighter than concrete. No ricochet or spalling — bullet captured and contained. ISO 9001:2015. 10-year warranty.
  • Market / Certification: Retrofit applications — can be installed without specialized certification
  • Notes: Best for retrofit applications where weight is a constraint. Faster installation than precast concrete. More affordable entry point for smaller utilities or distribution substations.

PERIMETER SECURITY — Fencing, Gates, and Anti-Intrusion

Guardiar (U.S./Intl)
  • Product / Solution: Guardian Fence System 7000 / TurnkeyEPC
  • Category: High-security perimeter
  • Key Capability: Double security mesh — 46-minute breakthrough delay (ASTM tested). NERC CIP-014 compliance capability. Full EPC (engineering, procurement, construction) turnkey. Betafence partnership for mesh.
  • Market / Certification: U.S. utility market — large energy providers
  • Notes: Full turnkey EPC provider for utility substations. One of the few vendors that does the complete job — design through commissioning. Significant reference base with major U.S. energy providers.

FDC Security (U.S.)
  • Product / Solution: Substation security systems
  • Category: Perimeter + access control + detection integration
  • Key Capability: Threat assessments, risk modeling, ballistic gates and walls, StrongWeld Defender ballistic gate (UL 752 rated), NERC/FERC compliance tools, integration with Lenel/Genetec/Avigilon
  • Market / Certification: U.S. utility market — Florida and Southeast
  • Notes: Full-service substation security integrator. One of the few firms that explicitly integrates ballistic perimeter protection with access control and video management for substations.

Dickerson Infrastructure (U.S.)
  • Product / Solution: Substation security systems installation
  • Category: Full security system integration
  • Key Capability: Switchyards, substations, fossil and nuclear sites. From initial grading through systems integration. Complete installation capability.
  • Market / Certification: U.S. utility / nuclear / fossil fuel sites
  • Notes: Specialist contractor with nuclear site clearance. Relevant for highest-security transmission substations and nuclear switchyards.

Ameristar / ASSA ABLOY (U.S.)
  • Product / Solution: Stalwart® high-security fencing
  • Category: Perimeter fencing
  • Key Capability: High-security welded mesh fencing systems. Anti-climb. Crash-rated vehicle barriers. CIP-014 application experience.
  • Market / Certification: U.S. utility / CNI market
  • Notes: Widely deployed for utility perimeter upgrades. ASSA ABLOY ownership brings integration with broader physical security ecosystem.

DETECTION — Sensors, Video Analytics, and Gunshot Detection

ShotSpotter / Motorola Solutions (U.S.)
  • Product / Solution: ShotSpotter Respond for Critical Infrastructure
  • Category: Acoustic gunshot detection
  • Key Capability: Real-time gunshot detection and geolocation. Mean alert time under 60 seconds. Distinguishes rifle fire from other sounds. Notifies SOC and law enforcement simultaneously. Deployed in 150+ cities and expanding to CNI.
  • Market / Certification: U.S. utility / CNI — expanding from law enforcement market
  • Notes: The single most important detection system for the rifle-fire threat vector that characterizes U.S. substation attacks. Gunshot detection is the gap in almost every substation security plan.

Specter
  • Product / Solution: Long-range wireless sensing network
  • Category: Perimeter detection + AI situational awareness
  • Key Capability: Software-defined long-range perimeter sensing beyond camera lines-of-sight. Natural language alert configuration. Real-time map-based situational awareness. Sensor-agnostic.
  • Market / Certification: CNI / Data Centers / Substation perimeters
  • Notes: Addresses the detection gap at rural substations where cameras have limited effective range and intruders can approach from outside camera coverage zones.

Power Intelligence (U.S.)
  • Product / Solution: Substation security protocol / detection systems
  • Category: Substation-specific integrated security
  • Key Capability: Adaptable customizable substation security protocols. Developed specifically in response to 2022-2023 attack series. Fast deployment capability.
  • Market / Certification: U.S. utility market
  • Notes: Purpose-built for the post-2022 attack environment. Focused specifically on substations — not a generalist security company applying generic solutions.

ZEI / Zimy Electronics (U.S.)
  • Product / Solution: CIP-014 compliant perimeter security systems
  • Category: Perimeter security integration
  • Key Capability: CIP-014 compliance design and deployment. Understanding of NERC audit requirements and documentation expectations. Utility-specific installation experience.
  • Market / Certification: U.S. transmission owners — CIP-014 compliance programs
  • Notes: Specializes in the compliance layer — designing systems that satisfy CIP-014 audit requirements, not just security requirements. Distinction matters for NERC audit outcomes.

ENGINEERING AND CONSULTING — CIP-014 Compliance and Physical Security Planning

POWER Engineers (U.S.)
  • Product / Solution: Substation security engineering and CIP-014 consulting
  • Category: Engineering / compliance consulting
  • Key Capability: Physical substation security expert services. Five-tier substation criticality ranking model (extending beyond CIP-014 scope to all substations). Digital twin simulation for security planning.
  • Market / Certification: U.S. utility market — all substation tiers
  • Notes: Leading engineering firm for substation security. Recommends extending CIP-014 principles beyond mandatory scope to all substations — the only operationally correct approach given the attack surface.

TRC Companies (U.S.)
  • Product / Solution: Layered risk-based substation security consulting
  • Category: Security consulting / risk assessment
  • Key Capability: Layered risk-based approach to substation security. Regulatory framework navigation. CIP-014 compliance. Physical security plan development.
  • Market / Certification: U.S. utility / CNI market
  • Notes: Published Nov 2025 analysis on why layered risk-based approach is essential — directly applicable to utility security programs updating post-2022 attack series.

Meerkat (IEEE Spectrum 2025)
  • Product / Solution: Ballistic line-of-sight analysis tool
  • Category: Security assessment software
  • Key Capability: Groundbreaking tool that identifies which equipment within a substation is exposed to ballistic attack from which external positions. Models line-of-sight vulnerabilities before an attacker does.
  • Market / Certification: U.S. utility / security consulting
  • Notes: Proactive vulnerability identification — find the attack angles before the attacker does. Featured in IEEE Spectrum 2025 as a significant advance in substation security assessment methodology.

RAPID-DEPLOY PASSIVE PROTECTION — Ukraine-Proven Methods

Hesco Bastion (UK / Intl)
  • Product / Solution: RAID and Concertainer blast barriers
  • Category: Rapid-deploy blast and ballistic barriers
  • Key Capability: Military-standard wire mesh and fabric containers filled with local soil or aggregate. Deployed in minutes. Proven in combat zones worldwide. Blast, ballistic, and fragmentation protection. Reusable and relocatable.
  • Market / Certification: Military / CNI / Emergency hardening globally
  • Notes: Ukraine equivalent of Layer 1 gabion protection — already available in the U.S. Used by DoD at forward operating bases. Directly applicable to immediate emergency hardening of substations before permanent solutions are installed.

Saab Barracuda (Sweden / Intl)
  • Product / Solution: Multi-spectral concealment systems
  • Category: Thermal and visual concealment
  • Key Capability: Military-grade thermal masking fabric reducing equipment heat signatures. Visual concealment for aerial reconnaissance denial. Used by Ukraine and NATO forces.
  • Market / Certification: Military / CNI internationally
  • Notes: Directly applicable to substation cooling equipment concealment. Reduces drone EO/IR targeting signatures. Available through defense supply channels.

Regulatory Framework

NERC CIP-014 — The Standard, Its Gaps, and What Comes Next

CIP-014 is the mandatory physical security standard for U.S. bulk electric system transmission substations. It was a significant step forward when promulgated in 2015 — and it is insufficient for the current threat environment. Understanding both its requirements and its gaps is essential for any utility or CNI operator developing a substation security program.

What CIP-014 Requires

  • R1: Risk assessment of all applicable transmission substations — those whose loss could cause instability, uncontrolled separation, or cascading within an interconnection. Applies to substations at 500kV or above, or 200-499kV connected to three or more other substations.
  • R2: Third-party verification of the risk assessment by an unaffiliated entity — a registered planning coordinator, transmission planner, or reliability coordinator.
  • R3: Share assessment results between transmission owner and operator within seven days of completing R2.
  • R4 / R5: Develop and implement a documented physical security plan for each applicable substation. The plan must address identified threats but CIP-014 does not mandate specific protection measures — it mandates a plan and implementation.
  • R6: Third-party review of the physical security plan every 36 months. Auditors will ask for documented evidence — incomplete documentation is the most common audit finding.
  • Ongoing: Annual plan reviews, testing records for detection systems, updated threat assessments, law enforcement coordination documentation.

The Critical Gaps in CIP-014

  • Scope gap: CIP-014 applies only to the highest-impact transmission substations. Thousands of distribution substations serving hospitals, emergency services, and dense population centers are entirely outside the mandatory framework — yet the Moore County attack targeted distribution infrastructure, not transmission.
  • Performance gap: CIP-014 mandates a plan — not a protection level. Two utilities facing identical threat environments may implement vastly different security measures, both fully compliant. The standard has no minimum ballistic protection requirement.
  • Drone gap: CIP-014 predates the drone threat. No standard specifically addresses drone reconnaissance, payload delivery, or aerial attack on transmission infrastructure. FERC/NERC have not yet updated the standard to reflect this threat vector.
  • Review cycle gap: Risk assessments required every 30 months. The threat environment changes faster than this. The domestic extremist targeting intelligence published in 2022 was not incorporated into utility risk assessments on a 30-month cycle.
  • Distribution gap: The standard covers the bulk electric system. Municipal utilities, cooperatives, and distribution-only utilities — which operate the substations closest to end users — face no mandatory physical security requirements at all.
  • The POWER Engineers recommendation: Extend CIP-014 principles to all substations using a five-tier criticality model — not just the mandatory high-impact sites. This is the operationally correct approach. Most utilities have not implemented it.

What Is Coming — Regulatory Evolution

FERC has signaled it may revisit CIP-014 to expand scope to substations between 200 kV and 499 kV that currently do not meet the three-connected-substation threshold. The 2022-2023 attack series reinvigorated this discussion in Congress. The Tom Cotton bill (introduced April/May 2026), primarily aimed at private CNI operators, also strengthens the legal framework for energy infrastructure defeat authority. And the NDAA FY2026 SAFER SKIES Act now explicitly includes energy infrastructure among the CNI sectors eligible for FEMA C-UAS grants. The regulatory floor is rising — but the threat is already above it.

CoreBastion Assessment

Analyst Opinion — What Needs to Happen Now

The U.S. grid physical security posture is inadequate relative to the documented and escalating threat. The following recommendations are practitioner-grade — not compliance-grade.

The Transformer Is the Target — Protect It Directly

The Moore County and Metcalf attacks succeeded for one reason: the transformers had direct line-of-sight exposure from outside the perimeter and zero ballistic protection. The fix is not complicated. Southern States Ballisti-Wall, Oldcastle Defender Walls, or equivalent precast concrete protection eliminates the attack vector. It does not require regulatory mandate, government approval, or technology development. It requires capital allocation and a decision. Ukraine built Level 2 concrete protection around 63 autotransformers while under active missile attack. U.S. utilities should not need a warzone as a motivation to do the same.

Gunshot Detection Is Missing From Almost Every Substation

The rifle fire threat vector is the primary documented attack method in the U.S. The attack sequence is: approach the perimeter, identify target through chain-link, shoot transformer cooling systems from standoff distance, withdraw before police arrive. ShotSpotter Respond for Critical Infrastructure provides real-time acoustic gunshot detection and geolocation with under-60-second alert time. This is not expensive or complex. It is absent from the security posture of almost every substation in the country. It should be on every critical substation within 12 months.

Apply the Ukraine Three-Layer Model to U.S. Grid Architecture

Ukraine's three-layer passive protection doctrine is directly applicable to U.S. substations. Layer 1: Hesco-equivalent gabion/sandbag barriers around critical equipment — deployable in days, at low cost, before permanent solutions are installed. Layer 2: Precast concrete protection around autotransformers and critical control equipment. Layer 3: Iron-and-steel-reinforced structures for the highest-impact sites. Ukraine implemented all three while under active missile attack. U.S. utilities face a far less kinetically intense environment and have no operational excuse for not implementing at least Layers 1 and 2 at all critical substations now.

Extend CIP-014 Principles Beyond the Mandatory Scope

CIP-014 covers only the highest-impact bulk transmission substations. The POWER Engineers five-tier model is the correct approach: apply risk assessment and physical security planning principles to all substations, with protection levels proportional to criticality. The substations serving hospitals, emergency services, and data centers may not be CIP-014 mandatory sites — but an extended outage at a distribution substation serving a hospital system is a life-safety event. Voluntary adoption of CIP-014-equivalent planning for out-of-scope sites is the right answer. Most utilities have not done this.

Drone Defense: Detect Now, Position for Defeat

U.S. utilities cannot currently deploy defeat technology. They can deploy detection. Dedrone, DroneShield, or Fortem detection systems at critical substations create the detection infrastructure needed for defeat when authority is extended via the Tom Cotton bill or future legislation. Anti-drone netting over control houses and critical equipment — legal today, no authority required — is the passive backstop. Do not wait for legislation to build the detection architecture. The drone payload delivery threat to transformers is real, it is documented in Ukraine, and it is coming to the U.S. Build the detection posture now.

The Real Gap: Most Substations Will Never Meet the Threat Alone

The fundamental economics of substation security are challenging. The U.S. has 55,000 transmission substations. Many are remote, unstaffed, and surrounded by open terrain that provides natural standoff distance for attackers. Full hardening of every substation is not financially or operationally achievable. The correct strategy is: tiered protection based on criticality, resilience investment (spare transformers, distributed generation, rapid repair capability) as a complement to hardening, and law enforcement coordination that gives local agencies the substation familiarization training they need to respond effectively. Ukraine's ultimate resilience came from redundancy and speed of restoration — not from protecting every asset. The U.S. grid should learn the same lesson.