
Cybersecurity and Electrical Energy Infrastructure: Assessing and Addressing Vulnerabilities

Author: Simon Brainerd
Written: November 7, 2025

The “grid” (the colloquial term for electrical energy infrastructure as a whole, and the main focus of this paper) is becoming largely outdated, which does pose some security risks, but more pressing is the matter of securing the upgraded parts of the system involved in the production, distribution, and utilization of energy. The reason for this is a lack of knowledge regarding cybersecurity as a whole, and specifically in relation to securing infrastructure in the U.S.A. Within the U.S., this is becoming more of a priority as sections of the grid are replaced with more up-to-date equipment and as more potential threats emerge. The more interconnected the grid becomes via cyberspace, the more openings and vulnerabilities appear that motivated actors may be able to exploit, whether to destabilize a region or to hold control of energy infrastructure as leverage toward some other aim. This paper examines the vulnerabilities of the electrical infrastructure system through a cybersecurity lens, identifies potential actors that may exploit these weak points, offers recommendations for remedying them, and provides a ranked threat assessment.

Potential Threats Involved & Relevance to National Security

Some potential threats include the infliction of pain, devastation, or instability on society through the disruption and misuse of our energy infrastructure. For instance, if a region is going through a period of rough weather and the electricity supply is disrupted, people could freeze to death, especially the elderly. Chronic disease is also correlated with outages, as are other issues such as being unable to pay medical bills on time. On a large scale, over a period of days to weeks or beyond, the negative impact of such an attack compounds. For society to operate in a stable manner, we need stable sources of energy for daily life; without them, an apocalyptic-esque situation would quickly appear, driven by human nature and by necessity, as the equilibrium maintained by homogeneity gives way to a rapidly heterogeneous environment pressured by scarcity of the resources required for survival (Casey et al., 2020).

Because of this, there is also a costly economic impact, since attacks halt the production and consumption of goods, with a ripple effect that lasts until equilibrium is reached again. It should also be observed that infrastructure systems are often interdependent, so if one is compromised, another (water, telecommunications, transportation, etc.) could be more easily compromised or fail to function as required; for example, if emergency communications are throttled, healthcare and law enforcement would be inhibited to some degree. Still another potential consequence of an attack on energy infrastructure is reduced responsiveness and mobilization of the military, since a lack of energy (depending on the kind) would greatly inhibit its ability to carry on regular operations or respond to relevant and pressing threats in a competent and appropriate manner (Sampath Kumar Venkatachary et al., 2024).

Key Vulnerabilities

The weak points created by a system that uses digital technology and is increasingly interconnected include a number of things, but most significantly, the process control network (PCN) appears to be the component most heavily subjected to attack, because it mediates the information between the control room and the electrical grid, meaning certain substations and field devices. It is not the physical infrastructure that transmits and delivers electricity, but the mediating network between the two; it is largely intangible, yet of vital importance in regulating the system. Beyond this target, which appears both likely to be attacked and potentially catastrophic if attacked, there are other types of attacks that need to be listed. These include lateral movement, physical access, remote maintenance access, third-party gap exploit, overcoming the air gap, insider access, and cascading effects (Krause et al., 2021).

Specific Threats

Dealing with the first in the list, lateral movement is an attempt to gain access to the PCN by compromising an office device and then looking for login credentials of some kind to the PCN; the example given in the article is that of a virtual private network (VPN). Secondly, physical access is intuitive: it deals with gaining access to the PCN via a physical network cable present in the substation, since information handling is done remotely rather than on site, and once someone has plugged in their own device they are able to control the flow of information. However, for this to have any real impact, there would most likely need to be multiple people at different sites working in tandem. Also, most break-ins at substations consist of stealing copper wire to resell, though this could function as a cover for physical access. Thirdly, remote maintenance access is a potential threat vector because contractors need to be able to access these systems remotely to debug them or deploy software updates. There have been instances where these entry points became compromised and an attack was carried out through them (Krause et al., 2021).

Moving to the fourth item on the list, a third-party gap exploit involves the suppliers or subcontractors required for the production and maintenance of the system, on both a physical and a remote level. It could be that some software is infected with a virus, that its entire makeup allows it to be easily breached or is deliberately predisposed to penetration, or that an accident occurs where someone performing maintenance plugs in something that has malware on it. Next, we have overcoming the air gap, which is the attempt by attackers to infiltrate a PCN by placing USB drives loaded with malware around facilities of interest, with curious employees plugging them in to see what is on them. Surely such an attack must be rare, as it would be beyond belief to maintain that people in those positions would be so ignorant as to do that. Sixth, an insider attack can be defined as an employee, or someone with direct access to and knowledge of the system, using what they know to attack specific components of the power grid. Lastly, cascading effects occur when an attacker leverages the ability to throw the system out of balance, leading to a chain or domino effect of power outages (think of multiple fuses blowing in succession), potentially through the use of consumer electronics; the potential for these attacks will increase as more infrastructure is created (EVs, charging stations, etc.) and as more people use cloud-based storage and systems (Krause et al., 2021).

Strengths of Attack

Lateral Attack:

The strengths of this approach from an attacker’s perspective include being hard to detect and commonly providing long-term access. Another is that expanding attack surfaces make it more likely to occur (Christos Smiliotopoulos et al., 2024).

Physical Access:

If an actor or actors gain physical access to a PCN, the advantages include a foothold on target hardware, bypassing controls and authentication, and potentially stealthy implants and manipulation or sabotage of sensors, among other things.

Remote Access Maintenance:

The advantage for an attacker from this angle lies in having a direct authenticated entry point into the network, along with potential supply chain amplification, meaning that attackers might be able to target the contractor’s customers depending on what kind of access they obtain. Another is the ability to bypass air-gapping, granting access to otherwise isolated systems.

Third-Party Gap Exploit:

The advantages of this method include high-privilege access to internal systems and, once again, supply chain amplification; it also blends in with normal business activity and has the ability to bypass segmentation and air-gapped systems.

Overcoming Air Gap:

Some benefits attackers might enjoy from this angle include a relatively low chance of being detected, bypassing isolated and segmented systems, and gaining direct access to the PCN. A potential angle for this may be technology-enhanced social engineering, including deepfakes among other things (Willige, 2025).

Insider Access:

The superiority of this method lies in the fact that full trust has already been granted (in many cases) and that insiders have extensive knowledge of the grid and how it operates, which allows them to carefully choose their target, makes them more likely to avoid detection, and lets them create more damage than almost any other method unless a large number of coordinated actors are present.

Cascading Effects:

The strengths of this method include a low-resource, high-payoff outcome, as the compromise of one node may lead to an entire area being taken down. There is also the advantage of complicated forensics: the actor will have an easier time evading detection if a large number of systems fail at once. Opportunities for lateral exploitation in other areas open up as the system scrambles to come back online, manage the damage, and find out what happened, which often hides long-term persistence or other backdoors into these systems.

Weaknesses of Attack

Lateral Attack:

A weakness for an attacker is the staged, observable chain: to get onto the network, a footprint of some kind must be left, which also shows up in telemetry, the gathering of metadata that is almost always left behind. There is also segmentation friction, as many decentralized networks make pivoting difficult.

Physical Access:

Some risks here include potential difficulty in reaching the site, including breaking into it and dealing with surveillance, and if a site is penetrated once, it is unlikely that it can be revisited. Even if something is planted, it may be discovered fairly quickly depending on its function.

Remote Access Maintenance:

Here, weaknesses for attackers include the presence of policy and audit trails, which could lead to discovery if logins and other records are kept. There may also be a lack of privilege once access is gained, if the accounts are not granted full admin rights.

Third-Party Gap Exploit:

There may be a single point of failure, which could lead to exposure if any forensic trail leads back to the attackers, along with a heterogeneous environment: not all targets are the same, so where one method or attempt works undetected at one, it may not at another.

Overcoming Air Gap:

Some potential weaknesses include the need for human or physical access, which can be messy and high risk, along with dependence on insiders or on operations that are less than ideal.

Insider Access:

Again, with humans present and relied upon, more factors that can be difficult arise. For insiders, action is often scoped and auditable, so anomalies are plausibly more likely to be detected, and insiders often lack full privileges, though this may not be an issue depending on the attacker’s goal.

Cascading Effects:

The planned chain may not follow through, and on top of this it requires great timing sensitivity, which usually means scale and precision that are costly and nearly impossible to coordinate properly. Further, if a large-scale attack is successful, it will trigger rapid government intervention and emergency powers, increasing the risk of detection because there will be more motivation to find the attackers.

Specific Attack Outcomes

With the methods listed above, there are still various ways in which they can be used to bring about a physical occurrence and cause active disruption (as opposed to passive espionage). These include disconnecting resources, injecting false information, and, if full access is not granted or false information cannot be injected, denial of service attacks. Disconnecting resources consists of causing a malfunction or loss of connection within a power grid system; for instance, shutting off substation switches, leading to large outages. Injecting false information can look like forging or manipulating sensor readings, so that the system’s response to the false information leads to malfunction or disruption. Denial of service takes out a specific part of a system (exhausting something important, which takes out something else) and could potentially cause overloaded and burnt-out lines (Krause et al., 2021).

Probability of Occurring

The probability of these different attacks is ranked differently according to Krause: lateral attack (LA) is at a high level of difficulty, physical access (PA) is rated at a medium level of difficulty, remote access maintenance (RAM) is highly difficult, third-party gap exploit (TPG) is highly difficult, overcoming air gap (OAP) is highly difficult, insider access (IS) is at a low difficulty, and cascading effects (CE) are at a high difficulty. There is some struggle in mapping the level of difficulty to the likelihood of the attacks occurring, as there is no real data regarding this, and all this is what I think, not anything that I know. Intuitively, it would seem that the higher-difficulty methods would be less likely to occur and the lower-difficulty ones more likely, but factors such as loyalty (as in the case of the insider attack), other aims and goals that may be present, the amount of risk an actor is willing to tolerate, their capabilities, and whether any actors are working in tandem all factor in. To answer a related but separate question, LA only requires a single actor, PA requires a local actor and can involve multiple actors, RAM requires multiple actors, TPG necessitates multiple actors, OAP requires one or more local operators, physical access needs only a single actor, and cascading effects need multiple operators (Krause et al., 2021).

Depending on the method used and the circumstances surrounding how much access it grants (this differs by situation; there is no cookie-cutter answer), the actual real-world disruptions will be contingent on the attacker’s ability and access, along with their goals. If the goal is to disrupt the grid quickly, disconnecting resources seems an apt way to accomplish this. If it is to disrupt more insidiously, injecting false information may be more appropriate. If it is to cause damage but the other two options are not available, denial of service may be better suited to the aim.

Overall, it is fair to say that we should expect an increase in cyber attacks as we move toward a more interconnected and digital system, because this gives remote attackers, in other countries and even our own, access to systems from their domiciles rather than having to infiltrate a facility or break into a substation (think IoT, and perhaps exposed Blue Iris software reachable via port forwarding giving access to a camera UI, as an example). Also, cybercrime and related internet crime are on the rise, so taking steps to learn about potential weaknesses within these systems and how to mitigate them is imperative and not something to be taken lightly.

Potential Severity if Attacked

The severity of an attack would depend on the individual circumstances, including the method used to gain entry, the goal of the attack, and more peripheral factors. There is no one-size-fits-all answer, but the most severe would be an insider-coordinated cascading attack on the PCN, because a cascading attack has the most potential for causing long-term and immediate damage, and the insider method has the greatest chance of accomplishing it, depending on the insider’s role.

Ranked List of Threats

The ordering of attack methods by the time and resources they require is similar to the order of probability of occurring. The differentiation to look at is a sort of investment analysis based on factors such as technical sophistication, personnel required, logistical burden, the security demands present, time-to-compromise, risk of detection, and any requirement for insider knowledge or privileged access. From here, the methods are listed from the most resource-intensive (an approximation) to the least.

Coordinated cascading effects are the highest in terms of time and resources. Reasons include requiring multiple operators spread across different areas attacking different nodes; the deep knowledge needed to correctly attack these areas; and timing that must be precise, potentially within very small margins. Along with being spread across different areas, the actors must pre-position, and there are high security demands due to the scale of the attack. The payoff would be the highest of all the methods, and only nation-state actors would realistically be able to complete it.

Remote access maintenance is also high in this category, because it requires compromising secured remote-maintenance channels used by legitimate contractors, usually requires a coordinated team using advanced tradecraft, and is not something for individuals without a high level of sophistication. Monitoring and the number of vendors can also be a hindrance, along with layered authentication (for instance, if a hardware security key is used anywhere along the way).

Next is the third-party gap exploit, also high, because attackers must compromise suppliers or other organizations, sometimes several of them. It involves supply chain infiltration, which is generally a long process, and it necessitates malware customization to blend into legitimate environments and workflows. It is operationally heavy, but the payoff for attackers would be worth it.

Next is overcoming the air gap, which can be considered perhaps medium-high, because the attacker must physically deliver something (like the USB example) or socially engineer employees or their superiors to get around the gap. It often requires physical proximity or something such as insider assistance. Its success depends on human error, which is unreliable but has also proven to be the weakest link in cybersecurity generally. Overall, it is occasionally feasible and does not necessarily require multiple actors to have a high rate of success.

Physical access can be put squarely in the medium category (relative to the others) because it does necessitate gaining access to substations or field sites, which are often in remote, unmonitored areas. However, there is a risk of surveillance, alarms, or police response, perhaps from a report by a local or a passer-by, and it sometimes requires multiple coordinated actors to hit many substations at once for any meaningful effect (the grid is not one giant dependent chain). In terms of risk of detection, it can be considered riskier than network attacks.

Second to last is lateral movement, which can be placed in the medium-low section. It commonly begins with phishing or office network compromise, which are already standard and widely used attack vectors. The main barrier is the move from information technology to operational technology; once the foothold is established, privilege escalation and credential harvesting can take some time but are not resource heavy. The investment is moderate, and the payoff may be high (as with all of them).

Lastly, insider access requires the least resources, using preexisting knowledge, privileges, and trust, with no need for external intrusion tools, complex malware, or break-ins. The difficulty comes not from execution; rather, it costs defenders more resources because detection may be difficult, though there are usually measures in place to monitor and secure these people. So the risk of detection is moderately high.

Key Threat Source

Due to the large number of potential threat sources that could emerge and wreak havoc upon U.S. electrical infrastructure, I am going to draw upon past examples while also being more general, in the interest of having something to write about and not continuing ad nauseam through different threat sources, as there is almost no end to them. For my threat, I am specifically choosing an actor that would have access to zero-day exploits, using examples such as the 2015 Ukrainian attack on electrical infrastructure (Oughton et al., 2019).

Source Threat Assessment

The principal threat source is a cyber adversary capable of exploiting vulnerabilities in control systems that can be used across electricity distribution substations. The article highlights several factors that increase the severity and likelihood of cyber-physical attacks on electricity distribution and the networks involved. First, the transition toward cyber-enabled infrastructure, including smart grids and the broader integration of digital technology, expands the attack surface and generates systemic vulnerability. Common issues such as poor cybersecurity compliance, old software, insufficient institutional training, and perhaps the availability of hacking resources also contribute to the overall threat environment. One of the main problems raised is that operators face significant uncertainty regarding exploits that are unknown to the vendor until they are activated by attackers. The threat itself can be expected to become more common, and as we can clearly see anecdotally, in the 10 years since the writing of the article, cyber-crime has risen significantly (Oughton et al., 2019).

Key Capabilities

Some key capabilities demonstrated in the 2015 Ukrainian cyber-physical attack include: delivery of malware through spear-phishing campaigns using malicious attachments; comprehensive reconnaissance of environments prior to execution of the attack; compromise of legitimate operator credentials, enabling unauthorized access to substation control systems; use of remote administration tools or client software to issue operational commands; use of virtual private network connections to access and control substation equipment; remote manipulation of substation breakers, resulting in physical power disconnection; and the potential deployment of rogue hardware to breach air-gapped systems, as identified in stakeholder assessments (Oughton et al., 2019).

Ranked List of Methods to Mitigate Risk

The first method is distributing cybersecurity investment across all substations: the number of substations matters in negating attacks, since it is not the size of individual substations that matters most, but spreading security throughout all of them to prevent attacks from scaling. Another is providing additional protection to substations supporting other critical infrastructures, because some substations carry higher systemic value due to dependencies from other kinds of critical infrastructure, and additional resources there help protect the people those areas serve. Making substation hardware and software configurations heterogeneous is also important, as greater diversity between substations reduces the scalability of attacks, while standardization makes large-scale compromise easier. Another is implementing comprehensive monitoring of assets (Oughton et al., 2019).

Offensive & Defensive Countermeasures

Defensive actions must address the probabilistic uncertainty of zero-day vulnerabilities and the systemic consequences of cascading failures. Because operators cannot reliably determine where or how an adversary will act, evenly distributed, broad defenses across all substations yield the highest marginal benefit; the potential scale of an attack is the best predictor of how defenses should be distributed. Countermeasures must include comprehensive wide-area monitoring, which emphasizes asset-wide monitoring because zero-day vulnerabilities are unknowable in advance; its benefit is rapid anomaly detection and support for earlier intervention. Others are distributed cybersecurity investment across all substations, additional safeguards for substations supporting critical dependent systems, increased hardware and software diversity, and strengthened recovery capability.
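To make the wide-area monitoring point concrete, here is an added example (not from the essay or from Oughton et al.) of detection logic that a utility's monitoring could run over aggregated substation logs. It looks for the pattern described in the Key Capabilities section above, remote VPN access with operator credentials followed by breaker-open commands, and escalates when the same identity repeats it at several substations within a short window, which is the cross-substation correlation that per-site monitoring alone cannot see. The log format, field names, thresholds and sample lines are all constructed assumptions.

```python
"""Wide-area monitoring: correlate remote-access logins with breaker commands
across substations to flag a coordinated disconnect.

Added illustration, not code from the essay or the cited papers. The log
format, field names, thresholds and the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <substation> <event> <user> <detail>"
SAMPLE_LOGS = """
2025-11-07T02:41:10 SUB-A vpn_login op_svc src=198.51.100.23
2025-11-07T02:42:05 SUB-A breaker_cmd op_svc OPEN feeder=F1
2025-11-07T02:42:30 SUB-B vpn_login op_svc src=198.51.100.23
2025-11-07T02:43:02 SUB-B breaker_cmd op_svc OPEN feeder=F3
2025-11-07T02:43:40 SUB-C vpn_login op_svc src=198.51.100.23
2025-11-07T02:44:15 SUB-C breaker_cmd op_svc OPEN feeder=F2
2025-11-07T09:15:00 SUB-D vpn_login vendor1 src=203.0.113.8
2025-11-07T09:20:44 SUB-D breaker_cmd vendor1 CLOSE feeder=F1
""".strip()

MAINTENANCE_WINDOW = (8, 18)          # assumed hours when remote work is expected
LOGIN_TO_CMD_MAX = timedelta(minutes=5)  # login-to-switching gap that is suspicious
SPREAD_WINDOW = timedelta(minutes=10)    # window for cross-substation correlation
MIN_SUBSTATIONS = 3                      # distinct sites needed to call an incident


def parse_line(line):
    ts, sub, event, user, detail = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "sub": sub,
            "event": event, "user": user, "detail": detail}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_alerts(events):
    """Per-substation rule: a remote login outside the maintenance window that is
    followed within LOGIN_TO_CMD_MAX by a breaker OPEN from the same identity."""
    alerts = []
    logins = defaultdict(list)  # (substation, user) -> login timestamps
    for e in events:
        key = (e["sub"], e["user"])
        if e["event"] == "vpn_login":
            logins[key].append(e["ts"])
        elif e["event"] == "breaker_cmd" and e["detail"].startswith("OPEN"):
            recent = [t for t in logins[key]
                      if timedelta(0) <= e["ts"] - t <= LOGIN_TO_CMD_MAX]
            off_hours = not (MAINTENANCE_WINDOW[0] <= e["ts"].hour < MAINTENANCE_WINDOW[1])
            if recent and off_hours:
                alerts.append({"sub": e["sub"], "user": e["user"], "ts": e["ts"]})
    return alerts


def correlate_wide_area(alerts):
    """Escalate when one identity trips the per-site rule at >= MIN_SUBSTATIONS
    distinct substations inside SPREAD_WINDOW: the signature of scaling."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    incidents = []
    for user, items in by_user.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            subs = {a["sub"] for a in items[i:] if a["ts"] - first["ts"] <= SPREAD_WINDOW}
            if len(subs) >= MIN_SUBSTATIONS:
                incidents.append({"user": user, "substations": sorted(subs),
                                  "start": first["ts"]})
                break
    return incidents


def analyze(text):
    """Run both stages and return (per-site alerts, wide-area incidents)."""
    alerts = find_alerts(parse_logs(text))
    return alerts, correlate_wide_area(alerts)


if __name__ == "__main__":
    alerts, incidents = analyze(SAMPLE_LOGS)
    for a in alerts:
        print("substation alert:", a)
    for inc in incidents:
        print("WIDE-AREA INCIDENT:", inc)
```

On the constructed sample, the three overnight OPEN commands by `op_svc` each trip the per-site rule, and the second stage joins them into one incident because they land at three sites within about two minutes; the daytime `vendor1` CLOSE at SUB-D matches neither rule. The design point is that the second stage only works if the substations' logs are collected centrally, which is the asset-wide monitoring the paragraph above calls for.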

These offensive measures are not necessarily attacks, but proactive measures taken to protect, which can include intelligence, threat hunting, and even risk analysis. They include counterfactual scenario modeling, which helps with understanding outcomes even with limited data, and attack footprint forecasting, which maps substation areas to ascertain which are more likely to be attacked than others. Cross-sector dependency mapping is an analysis that identifies which other types of critical systems are most at risk from electricity outages and can help guide where to position resources for recovery and defense.
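As an added worked example of the counterfactual scenario modeling and cross-sector dependency mapping just described, and of the earlier mitigation point that configuration heterogeneity limits how far a single exploit scales, the following Python model is illustrative code written for this page, not code from the essay or from Oughton et al. It builds a constructed inventory of substations, computes the footprint of a zero-day against one configuration class under a homogeneous and a diversified deployment, weights each substation by the critical services that depend on it, and ranks where hardening budget should go first. The substation ids, configuration class names, dependency pattern and weights are all assumptions.

```python
"""Counterfactual footprint model: how far one exploit scales across a
distribution network, and how configuration diversity and cross-sector
dependency weighting change the answer.

Added illustration, not code from the essay or from Oughton et al.; the
inventory, dependency weights and configuration classes are constructed.
"""
from itertools import cycle

# Constructed cross-sector dependency weights (systemic value of losing a feed).
DEPENDENCY_WEIGHT = {"hospital": 5, "water": 4, "telecom": 3, "residential": 1}

# Constructed pattern of which services hang off each substation, repeated.
DEPENDENCY_PATTERN = [["residential"], ["residential", "telecom"],
                      ["hospital"], ["water"], ["residential"]]


def build_inventory(n, config_classes):
    """n substations; configuration classes assigned round-robin."""
    return [{"id": f"SUB-{i:02d}", "config": cfg,
             "deps": DEPENDENCY_PATTERN[i % len(DEPENDENCY_PATTERN)]}
            for i, cfg in zip(range(n), cycle(config_classes))]


def footprint(inventory, vulnerable_config):
    """Attack footprint: every substation sharing the exploited configuration."""
    return [s for s in inventory if s["config"] == vulnerable_config]


def impact(substations):
    """Dependency-weighted impact of losing the given substations."""
    return sum(DEPENDENCY_WEIGHT[d] for s in substations for d in s["deps"])


def worst_case(inventory):
    """Counterfactual over every configuration class: the zero-day that would
    hurt most, with its footprint size and weighted impact."""
    results = []
    for cfg in sorted({s["config"] for s in inventory}):
        hit = footprint(inventory, cfg)
        results.append({"config": cfg, "footprint": len(hit), "impact": impact(hit)})
    return max(results, key=lambda r: r["impact"])


def prioritize(inventory, budget):
    """Dependency-weighted hardening: spend the first `budget` units on the
    substations whose loss carries the highest cross-sector cost."""
    ranked = sorted(inventory, key=lambda s: impact([s]), reverse=True)
    return [s["id"] for s in ranked[:budget]]


def compare(n=20):
    """Same network, one vendor/version everywhere versus four classes."""
    homogeneous = build_inventory(n, ["vendorA-v1"])
    diverse = build_inventory(n, ["vendorA-v1", "vendorA-v2", "vendorB-v1", "vendorB-v2"])
    return {"homogeneous": worst_case(homogeneous), "diverse": worst_case(diverse)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12s} worst zero-day {result['config']}: "
              f"footprint={result['footprint']} impact={result['impact']}")
    print("harden first:", prioritize(build_inventory(20, ["vendorA-v1"]), 4))
```

With twenty substations, one exploit reaches all twenty in the homogeneous deployment but five of twenty (one configuration class) in the four-class deployment, so the worst-case dependency-weighted impact drops from 60 to 15. The prioritization step puts the hospital-fed substations first regardless of deployment, which is the "additional protection for substations supporting other critical infrastructure" recommendation expressed as a ranking rule.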

Policy & Leader Recommendations

Recommendations include establishing federated resilience across all distribution substations, instead of having certain areas be more vulnerable than others. Another is requiring infrastructure diversity, because a lack of standardization removes the smoothness of an attack and instead creates friction for attackers attempting to scale to the entire system. Another is integrated planning across multiple sectors, such as water, wastewater, and transportation systems, along with the electrical grid, since they are all related. Another important recommendation is expanding funding for continuous monitoring aimed at zero-day detection, and another is having methods and protocols for responding to attacks.

Conclusion

In our contemporary time, cyber attacks have become a more prominent source of threat and concern, as the proliferation of attacks can be observed and the continued integration of digital technology will not cease and can only be expected to grow. Devastating effects of electrical grid attacks have already been observed, and these should be prevented as well as possible. With more motivated actors and a wider attack surface, it is imperative that measures are taken to study the different methods and sources of attack and to identify defensive and offensive measures of defense to protect critical infrastructure. The policy recommendations seem obvious, but they need to be said, because by and large they have not been put into effect and remain something that needs to be done, especially in updating hardware and adopting newer security measures to keep up with the evolving range of attack vectors. The most insidious kind of attack, which must be prevented and observed quickly, is the zero-day attack; these pose the greatest threat to critical infrastructure. A mindset shift must occur to protect what is present and what will be: moving from attempting to predict isolated events toward building systemic resilience. In this way, we can greatly reduce the likelihood and severity of attack.

References

  1. Casey, J. A., Fukurai, M., Hernández, D., Balsari, S., & Kiang, M. V. (2020). Power Outages and Community Health: a Narrative Review. Current Environmental Health Reports, 7(4), 371–383. https://doi.org/10.1007/s40572-020-00295-0
  2. Christos Smiliotopoulos, Georgios Kambourakis, & Kolias, C. (2024). Detecting Lateral Movement: a Systematic Survey. Heliyon, 10(4), e26317–e26317. https://doi.org/10.1016/j.heliyon.2024.e26317
  3. Krause, T., Ernst, R., Klaer, B., Hacker, I., & Henze, M. (2021). Cybersecurity in Power Grids: Challenges and Opportunities. Sensors, 21(18), 6225. https://doi.org/10.3390/s21186225
  4. Oughton, E. J., Ralph, D., Pant, R., Leverett, E., Copic, J., Thacker, S., Dada, R., Ruffle, S., Tuveson, M., & Hall, J. W. (2019). Stochastic Counterfactual Risk Analysis for the Vulnerability Assessment of Cyber‐Physical Attacks on Electricity Distribution Infrastructure Networks. Risk Analysis, 39(9), 2012–2031. https://doi.org/10.1111/risa.13291
  5. Sampath Kumar Venkatachary, Prasad, J., Annamalai Alagappan, John, L., Raymon Antony Raj, & Sarathkumar Duraisamy. (2024). Cybersecurity and Cyber-terrorism Challenges to Energy-Related Infrastructures - Cybersecurity Frameworks and Economics – Comprehensive review. International Journal of Critical Infrastructure Protection, 45, 100677–100677. https://doi.org/10.1016/j.ijcip.2024.100677
  6. Willige, A. (2025, September 30). Cybersecurity awareness: AI threats and cybercrime in 2025. World Economic Forum. https://www.weforum.org/stories/2025/09/cybersecurity-awareness-month-cybercrime-ai-threats-2025