Skip to main content


Willis- June-July 2023 iP

Strengthening the Substation Fence

People have finally discovered one of the best unkept secrets in America: Our utility systems can be attacked, and it doesn’t take military tacticians to pull it off.

Activists have recently renewed calls for more attacks that disrupt essential utility services and create chaos. Previously, terrorist groups focused on disabling the bulk power grid by attacking assets such as Pacific Gas & Electric’s Metcalf transmission substation. Now, their target list has grown to include distribution substations and the critical infrastructure of small and midsized utilities. This new strategy aims to inspire harassing attacks on lower-tier infrastructure assets across the U.S. The purpose of these attacks is to create widespread disruptions of essential services, overtax resources and wear down responders. The idea is that the cumulative damage caused by these localized attacks will eventually have the same impact as an attack on bulk power resources.

The Backstory
In June 2022, information about an “accelerationist handbook” began circulating on Telegram – an instant messaging service used extensively by terrorists – and on dark websites. The handbook is a guide to disrupting civil society through targeted acts of terror. The messaging encourages followers to use the tactics found in the handbook to carry out small group or “lone wolf” infrastructure attacks. This call to action promotes attacking small and isolated utility assets. The message is that one or two people, with little to no expertise or training, can easily carry out the tactics described in the handbook. For example, the guide refers to distribution substations as “sitting ducks” located in “largely unprotected and often … remote locations.” The handbook also encourages attacks on telecommunication, water/wastewater, gas and other essential services. This means every rural or remote infrastructure asset is now a potential target. I have seen these tactics before; they’re essentially guerrilla warfare tactics.

Many people have never heard of the accelerationist movement before. Accelerationists are extremely radicalized groups found across the terror spectrum. They include right-wing extremists, left-wing radicals, anarchists and entities like eco-fascists. While the news media tends to focus on the white supremacist elements of the movement, there are just as many with other ideological views. But while their ideologies differ, their goal is the same: to undertake radical action that accelerates the collapse of the U.S. government and Western society. You can learn more about accelerationists and their grid attack plans in a great 2022 article by Bridget Johnson published in “Homeland Security Today” (see

Accelerationists point to the 2013 Metcalf transmission substation attack near San Jose, California, as the hallmark infrastructure attack. In that attack, unknown assailants cut communication lines and opened fire on the substation, hitting 17 transformers and causing over $15 million in damages. The attack almost succeeded in causing a chained power grid collapse. However, for accelerationists, the key takeaway from the incident was that the perpetrators were able to get away with the attack without being caught or identified.

The growing threat of infrastructure attacks was apparent long before the June 2022 call to action. Increasing infrastructure assaults over the last several years prompted grid operators to request a U.S. Department of Homeland Security (DHS) assessment of current grid infrastructure risks. The follow-up DHS assessment memo recognized the expanding threat and noted the vulnerability of distribution assets. The memo stated that although small-scale attacks are unlikely to achieve “widespread, multi-state power loss,” especially when performed by attackers with little technical knowledge or insider assistance, they still represent a significant threat of “physical damage that poses risks to operations or personnel.”

Three Existing Issues
So, why should you be concerned? No matter your organizational structure, size, operational function or location, this new strategy represents a genuine and enhanced threat to your system. The enhanced danger stems from the exploitation of three existing but generally ignored issues: people, vulnerability recognition and replacement shortages.

1. People
The unpredictability of people is the most significant variable in security. Historically, some people have demonstrated a willingness to take unrestrained action without considering consequences or concern for collateral damage; this includes those who attack utility infrastructure. Sometimes these attacks are the impulse actions of the bored, drunk or chemically influenced. Sometimes they’re the actions of thieves. And sometimes they’re the copycat actions of unoriginal threat actors. But recent attacks have been orchestrated by a fourth group: extremists motivated by ideological rhetoric.

2. Vulnerability Recognition
The fact that extremists have come to recognize the vulnerability of lower-tier infrastructure assets is problematic, to say the least. Those advocating infrastructure attacks have provided readily available information about exploiting these vulnerabilities. The goal is to inspire amateurs – who lack the skills, resources and fortitude to pull off a complex attack on a major facility – to attack small and midsized utility infrastructure targets. This new call to action makes any substation or distribution asset a potential target. These homegrown terrorists will target a substation based solely on location and access without regard to ownership. And though these individual attacks seldom have widespread catastrophic impacts, the assailant still gets bragging rights while you suffer the collateral damage.

3. Replacement Shortages
The nationwide transformer and special equipment inventory shortfall and prolonged manufacturing lead times exacerbate an already precarious security situation. This lack of replacement equipment can make power restoration difficult and costly, and the resulting outages can be long, drawn-out affairs. In the event of a terrorist attack on one or more substations, the current equipment dilemma could have severe long-term consequences.

Take Action
Now that we understand the problem, what can we do about it?

Strengthening the substation fence, so to speak, involves more than fencing, cameras and event recordings. The goal is proactive asset protection. And the first step is to realize that while a determined assailant is likely to inflict damage, practical actions can be taken to limit the extent of the damage.

First, improve employee threat awareness. Providing threat awareness training to your team is essential. Effective training increases your employees’ ability to recognize and respond to potential threats. Awareness is your most important security asset for personnel and system protection, and it’s the quickest to deploy.

Second, activate a community watch system. Engage local law enforcement and the community to help watch for signs of surveillance. Almost every terrorist attack is preceded by surveillance and reconnoitering in and around the target. But be clear on the response you want the community to take: Communicate any suspicious activity to the utility; do not take direct action.

Third, conduct an infrastructure security assessment. Identify your critical assets and determine how vulnerable they are to attack. Then develop a protection plan to minimize the potential for an attack and limit damage. Don’t forget that not all critical assets are substations. The key is a threat assessment of the utility at large as well as the identified critical assets. The security assessment is where recommendations for cameras, ballistic shielding, dynamic lighting and enhanced perimeter fencing come into play.

With the assessment findings and recommendations in hand, it will be time to take action. Develop a plan to address each vulnerability cited and create a proactive schedule for implementing mitigation measures. Next, craft budgets and schedules to address immediate concerns and longer-term security measures.

Finally, consider the costs. Ignoring the problem is basic negligence. You are responsible for protecting your organization’s people, resources and infrastructure to the best of your ability. Ignoring the problem doesn’t meet that standard. Don’t think in terms of if but rather when an attack will occur. Sooner or later, one likely will.

When you decide to act, remember that the cost of doing it wrong can be as bad or worse than doing nothing at all. Don’t simply take a vendor’s word that a single fix-all solution will solve the problem; it won’t. While a vendor’s expertise is valuable in dealing with their specific product or solution, remember that their job is to sell their product – and when you sell hammers, every problem looks like a nail. When you seek security training and assessment know-how, you’ll find people everywhere claiming expertise. But security is uniquely industry specific.

Realize that effective security measures and training developed for one industry are often ineffective in another. Ensure you engage a skilled infrastructure security practitioner and a training professional who understands utility security. Together, you can develop solutions specific to your organization. Remember that the cost of getting it wrong can devastate your people and your system.

About the Author: Jim Willis, M.Sc., CMAS, CHS-V, is the CEO of InDev Tactical, a security training and consulting firm. He has over 40 years of experience working with electric power utilities and infrastructure security. Willis earned a bachelor’s degree in electrical engineering and a master’s in international development and security. He is a credentialed homeland security and anti-terrorism specialist with expertise in training, security consulting, threat assessments and security operations. Contact him at