
Security for Power Grid and Electrical Infrastructure | CloseProtectionHire
Substation security, transmission network protection, grid inspection safety, and physical defence of electrical infrastructure against sabotage, terrorism, and infrastructure crime. NERC CIP-014 and CER Directive guidance.
Written by James Whitfield
Power grid physical security sits at the intersection of critical national infrastructure protection, organised property crime management, and terrorism and sabotage threat mitigation. The threats are not new – transmission infrastructure has been targeted by state actors, non-state armed groups, and criminal networks for decades. What changed in 2022 was the demonstration, in rapid succession, that advanced state actors had both the will and capability to attack energy infrastructure in Europe (Nord Stream, Ukrainian grid), and that non-state actors with minimal capability could cause extended outages at US distribution substations (Moore County, North Carolina).
The response – NERC CIP-014 in the US, the EU CER Directive in Europe, accelerated CNI physical security reviews in the UK – has elevated physical security from a compliance exercise to a board-level concern for grid operators in a way that was not consistently true before 2022.
The 2022 Incidents and Their Security Implications
Three events in 2022 shaped the current grid security baseline:
Nord Stream, September 2022. Four deliberate explosions on Nord Stream 1 and 2 in the Baltic Sea. Not an electrical infrastructure event, but the first confirmed deliberate attack on European energy infrastructure by an actor with subsea military capability. The immediate consequence was a European energy security review across all infrastructure types. German federal and Swedish prosecutors confirmed sabotage. Attribution remained disputed in public reporting.
Industroyer2, April 2022. The Sandworm threat actor (attributed to Russian GRU by ESET and Mandiant) deployed Industroyer2 malware against a Ukrainian high-voltage substation, with a simultaneous CaddyWiper campaign intended to disable the response capability. The attack was disrupted before achieving its effect, but confirmed that state-level cyber-physical attacks on grid infrastructure were being deployed in an active conflict context.
Moore County, North Carolina, December 2022. Two gunmen attacked Duke Energy’s Randleman and West End substations with firearms, targeting transformer radiators and SCADA control equipment. Approximately 45,000 customers lost power for four days. The attack required no specialist capability: targeted, deliberate gunfire at physically accessible critical components was sufficient. No sophisticated tools, no explosives, no inside access. The FBI and DHS updated their advisory on domestic terrorism targeting energy infrastructure in direct response.
The regulatory consequence was swift. The FBI-DHS joint advisory in early 2023 specifically addressed the physical attack vector at substations. NERC accelerated its review of CIP-014 implementation standards. In Europe, the CER Directive’s implementation was treated with new urgency.
NERC CIP Standards for Physical Security
NERC (North American Electric Reliability Corporation) Critical Infrastructure Protection standards apply to Bulk Electric System operators in the US and Canada. For physical security, the relevant standards are:
CIP-006: Physical Security of BES Cyber Systems. Requires physical security perimeters (PSPs) around control system equipment, electronic access controls at PSP entry points, visitor control and logging, and monitoring of physical access. This is the standard that addresses server room and SCADA workstation physical access.
CIP-014: Transmission Security Assessment. Requires Transmission Owners with facilities at 230kV and above to: identify their highest-risk substations based on consequence of loss; conduct independent transmission security assessments; develop and implement physical security plans for identified facilities; and have those plans reviewed by an unaffiliated expert. CIP-014 does not mandate specific security measures – it requires risk-based plans addressing identified threats, which typically include gunfire, vehicle-borne attack, explosive attack, and insider threat.
European equivalent: the UK NIS Regulations 2018 (implementing the EU NIS Directive 2016/1148) identify electricity as a sector with Operators of Essential Services obligations, including network and information system resilience that incorporates physical security components. The CER Directive 2022/2557 extends and strengthens these obligations from October 2024.
Large Power Transformer Vulnerability
Large power transformers are the single highest-consequence physical assets on the transmission network. A 345kV or 765kV LPT is purpose-built to the facility’s specifications, weighs between 100 and 400 tonnes, costs between USD 2 million and USD 10 million, and has a manufacturing lead time of 12 to 24 months. There is no significant global stockpile.
The US Department of Energy Spare Transformer Equipment Programme (STEP) was established specifically to address this vulnerability. The DoE Transformer Resilience and Advanced Components (TRAC) initiative funds domestic LPT manufacturing capability because the current supply chain – concentrated in South Korea, Germany, and China – represents a strategic risk.
Physical security planning for substations must account for the LPT vulnerability: ballistic protection for cooling radiators, vehicle barriers at distances proportionate to the blast stand-off required to protect the transformer, CCTV with sufficient resolution to monitor the transformer yard, and perimeter intrusion detection that triggers before an attacker reaches the transformer perimeter.
Substation Physical Security Measures
Physical security at transmission substations varies considerably by asset value and consequence of loss. For CIP-014-designated critical substations, the security plan typically includes:
- Physical perimeter: security fencing of sufficient height (typically 2.4m) with intrusion detection (vibration sensors, motion detection, or fence-mounted detection systems)
- Vehicle access control: hardened gatehouse, vehicle barriers rated for appropriate vehicle weight, intercom and CCTV at the access point
- Ballistic protection: for critical equipment (transformer yards, SCADA buildings), ballistic barriers or concealment from external fire lines
- Lighting: full perimeter lighting activated by intrusion detection, with generator backup
- CCTV: 24/7 coverage of transformer yards, control buildings, and perimeter entry points, with off-site recording
- Remote monitoring: integration with a 24/7 security operations centre rather than reliance on local patrol
- Visitor control: logged access for maintenance personnel, contractors, and operational visits
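The requirement above that perimeter intrusion detection "triggers before an attacker reaches the transformer perimeter", together with the detection and delay elements in the measures list, is the timely-detection test used in physical protection system design: a sensor only contributes if the delay still in front of the intruder after detection is at least the response force's arrival time. The Python below is an added example written for this page, not code from CloseProtectionHire or from any grid operator. The layer names, detection probabilities, delay times and the 240 s response time are constructed illustrative values, and the model assumes that detection at a layer happens as the crossing begins and that layers detect independently.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    """One protection layer between the site boundary and the asset, outermost first."""
    name: str
    p_detect: float  # probability the layer detects a crossing (assumed design value)
    delay_s: float   # seconds needed to get through or across the layer (assumed value)


def remaining_delay_s(layers, index):
    """Delay still in front of an intruder who is detected while starting layers[index].

    Assumption: detection happens as the crossing of a layer begins, so that layer's own
    delay still counts toward the time the response force has to arrive."""
    return sum(layer.delay_s for layer in layers[index:])


def assess_timely_detection(layers, response_time_s):
    """Decide which layers give timely detection and estimate interruption probability.

    A detection is timely when the delay remaining after it is at least the response
    time. Treating layers as independent, P(interruption) = 1 - prod(1 - p_detect) over
    the timely layers only; detections further in are too late to matter. Communication
    and alarm-assessment losses are not modelled."""
    timely = []
    p_all_miss = 1.0
    for i, layer in enumerate(layers):
        margin = remaining_delay_s(layers, i) - response_time_s
        if margin >= 0:
            timely.append({"layer": layer.name, "margin_s": margin})
            p_all_miss *= 1.0 - layer.p_detect
    return {
        "timely_layers": timely,
        # innermost layer at which detection is still timely
        "critical_detection_point": timely[-1]["layer"] if timely else None,
        "p_interruption": round(1.0 - p_all_miss, 4) if timely else 0.0,
    }


# Constructed substation designs (illustrative numbers, not measurements from any site).
BASELINE = [
    Layer("perimeter fence with vibration sensors", p_detect=0.9, delay_s=30),
    Layer("open switchyard to transformer bay, CCTV and lighting", p_detect=0.7, delay_s=60),
    Layer("transformer bay ballistic screen", p_detect=0.0, delay_s=120),
]
HARDENED = BASELINE[:2] + [
    Layer("inner anti-climb fence with detection", p_detect=0.9, delay_s=60),
    BASELINE[2],
]
RESPONSE_TIME_S = 240  # assumed time from alarm to response force on site


def compare_designs(response_time_s=RESPONSE_TIME_S):
    """Assess both constructed designs against the same response time."""
    return {
        "baseline": assess_timely_detection(BASELINE, response_time_s),
        "hardened": assess_timely_detection(HARDENED, response_time_s),
    }


if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(f"{name}: P(interruption) = {result['p_interruption']}, "
              f"critical detection point = {result['critical_detection_point']}")
        for t in result["timely_layers"]:
            print(f"  timely: {t['layer']} (margin {t['margin_s']:.0f} s)")
```

With the constructed numbers the baseline design has only 210 s of delay inside the fence against a 240 s response, so even a 90% fence sensor gives an interruption probability of zero: the alarm is real but the responders arrive after the transformer has been reached. Adding a detecting inner fence (or, equivalently, cutting response time, which is what 24/7 remote monitoring with dispatch is meant to achieve) moves the critical detection point inward and restores a usable interruption probability. The margin of zero at the switchyard layer shows why delay should be added with headroom rather than to the exact response figure.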
Infrastructure Crime in P1 Markets
Chronic infrastructure theft is a material operational security problem in P1 country grid environments.
South Africa. Eskom estimated ZAR 7.5 billion in infrastructure theft in the 2022/23 financial year. Copper conductor theft, transformer oil theft, and metering equipment theft drive outage rates that are distinct from the deliberate sabotage threat but have comparable operational impact. Physical security for Eskom substations and transformer yards requires armed response capability beyond passive perimeter security.
Nigeria. The Transmission Company of Nigeria records systematic copper theft from high-voltage transmission lines. In the north-east and north-west, power tower sabotage by Islamist armed groups – Boko Haram/ISWAP affiliates – has taken transmission lines offline in Borno, Yobe, Zamfara, and Kaduna states. Repair teams responding to these faults require security assessment before deployment and armed escort in high-risk areas.
Pakistan. KESCO and PESCO distribution infrastructure in Karachi, Khyber Pakhtunkhwa, and Balochistan faces both systematic cable theft and deliberate Islamist insurgent targeting. Repair teams in KPK and Balochistan operate under armed escort arrangements. The CPEC power corridor – associated Chinese-built generation and transmission infrastructure – has been an explicit target for Baloch nationalist armed groups.
Indonesia. PLN (Perusahaan Listrik Negara) infrastructure in parts of Papua and Sulawesi faces access security challenges distinct from the main Java-Bali grid.
Inspection Team Security in Hostile Environments
Transmission line inspection – whether conducted by foot patrol, helicopter, or drone – in hostile environments requires a security layer that grid operators in low-risk markets do not routinely plan for.
Key requirements for inspection team security in P1 markets:
- Pre-deployment assessment of why an outage occurred before sending repair teams (distinguishing weather fault from deliberate sabotage)
- Route reconnaissance before ground team deployment
- Armed close protection escort for teams operating in armed group-affected areas
- Communication protocol with defined check-in intervals and escalation thresholds
- Vetted transport with tracking capability
- Medical evacuation plan with defined response times
For the water and utilities infrastructure security framework, which covers comparable SCADA physical security and CNI designation challenges at wastewater treatment plants, pump stations, and distribution networks – see our security for water utilities and infrastructure guide. For renewable energy infrastructure – where wind farm remote site access security, solar array perimeter management, and green hydrogen facility protection create a comparable but distinct security environment – see our security for renewable energy infrastructure guide. For counter-UAS operations at substations and transmission infrastructure – including Detect-Identify-Defeat sensor deployment, UK CTBSA 2019 ATCO powers, and the documented use of commercial FPV drones against power infrastructure in the Ukraine conflict – see our counter-UAS and drone operations security guide.
Sources
- NERC CIP-006: Physical Security of BES Cyber Systems, current version.
- NERC CIP-014: Transmission Security Assessment, current version.
- FBI/DHS: Joint Advisory on Domestic Terrorism and Physical Attacks on Energy Infrastructure, January 2023 (update to prior advisories).
- Duke Energy/Moore County NC incident: NCUC incident reporting, December 2022; FBI investigation reference.
- ESET: Industroyer2: Industroyer's Cousin Targeting Ukrainian Power Grid, April 2022.
- Mandiant: APT44/Sandworm: The Notorious Cyber Attack Group Behind NotPetya, June 2022.
- EU CER Directive 2022/2557: Directive on the Resilience of Critical Entities, OJ L 333, 27.12.2022.
- Eskom: Annual Integrated Report 2022/23 (infrastructure theft ZAR 7.5 billion estimate).
- DoE: Spare Transformer Equipment Programme (STEP) documentation, 2024.
- DoE: Transformer Resilience and Advanced Components (TRAC) initiative, 2023.
- Transmission Company of Nigeria: Annual Security Report reference 2023.
- ACLED: Pakistan Energy Infrastructure Attacks 2020-2024.
James Whitfield is a Senior Security Consultant with 20 years of experience in critical national infrastructure protection, energy sector security, and corporate risk management across global markets.
Key takeaways
Gunfire at transformer radiators requires no specialist capability
The December 2022 Moore County NC attack demonstrated that deliberate gunfire at transformer cooling radiators and SCADA equipment – requiring no specialist materials, no explosive capability, and no inside knowledge – was sufficient to cause a four-day, 45,000-customer outage. Physical hardening of critical substation components against this attack vector – ballistic protection, concealment, remote monitoring – is now a standard element of grid security assessments in the US and increasingly in European markets.
Large power transformer lead times make destruction a long-term consequence event
Custom 345kV-765kV LPTs take 12-24 months to manufacture. An adversary who destroys a small number of strategically selected LPTs can cause grid disruption measured in months rather than days. DoE STEP and TRAC programmes exist because the strategic vulnerability was identified and the solution requires a government-level stockpile response. Operators should understand which of their LPTs are single points of failure and what the consequence profile of each unit's loss would be.
Infrastructure crime is a chronic operational security drain in P1 markets
Eskom estimated ZAR 7.5 billion in infrastructure theft for the 2022/23 financial year. Nigeria's Transmission Company reports systematic copper theft from transmission lines that requires security escort for repair teams. Theft of conductors, transformers, and switchgear drives operational disruption at a scale that, in aggregate, exceeds targeted attack frequency. Physical security investment that addresses both the criminal and adversarial threat simultaneously is more cost-effective than treating them as separate problems.
SCADA physical access control is distinct from cybersecurity
NERC CIP-006 addresses physical security of BES (Bulk Electric System) Cyber Systems – the servers, workstations, and communication equipment that control grid operations. Logical (cyber) security of these systems does not substitute for physical access control. An adversary with physical access to a SCADA workstation bypasses most network-based controls. Physical access control for control system equipment – access logs, visitor records, two-person integrity – is a specific operational security requirement.
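The CIP-006 controls described in the NERC CIP section above (visitor control and logging, monitoring of physical access at PSP entry points) and the access logs, visitor records and two-person integrity named here all come down to the same thing operationally: reviewing badge-reader records for the control building. The Python below is an added example written for this page, not NERC's or any utility's tooling. The log format, badge IDs, authorised access list, the 10-minute lone-occupancy tolerance and the finding categories are constructed assumptions; the sample records are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed badge-reader export for one physical security perimeter (PSP).
# Fields: timestamp, PSP id, badge, role, direction, escort badge (empty if none).
# These lines are made up for the example and are not real records.
SAMPLE_LOG = """\
2024-03-04T07:58:10,PSP-CTRL-01,E1001,employee,in,
2024-03-04T08:02:45,PSP-CTRL-01,V2001,visitor,in,E1001
2024-03-04T08:40:00,PSP-CTRL-01,E1001,employee,out,
2024-03-04T09:15:30,PSP-CTRL-01,V2002,visitor,in,
2024-03-04T09:30:00,PSP-CTRL-01,E1002,employee,in,
2024-03-04T10:05:12,PSP-CTRL-01,V2001,visitor,out,
2024-03-04T10:05:20,PSP-CTRL-01,E1002,employee,out,
2024-03-04T11:00:00,PSP-CTRL-01,X9999,employee,in,
"""

AUTHORISED_EMPLOYEES = {"E1001", "E1002"}     # assumed approved access list for the PSP
TWO_PERSON_PSPS = {"PSP-CTRL-01"}             # assumed: control room requires two-person integrity
LONE_OCCUPANCY_LIMIT = timedelta(minutes=10)  # assumed tolerance while the second person arrives


def parse_log(text):
    """Parse the CSV-style export; escort is None when the field is empty."""
    records = []
    for line in text.strip().splitlines():
        ts, psp, badge, role, direction, escort = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "psp": psp, "badge": badge,
                        "role": role, "direction": direction, "escort": escort or None})
    return records


def review_access_log(records, authorised, two_person_psps, lone_limit=LONE_OCCUPANCY_LIMIT):
    """Replay the log in time order, track who is inside each PSP, and return findings."""
    findings = []
    inside = defaultdict(set)        # psp -> badges currently inside
    escorted_by = defaultdict(dict)  # psp -> {visitor badge: escort badge}
    lone_since = {}                  # psp -> (time occupancy dropped to one, badge alone)

    def flag(kind, rec, detail):
        findings.append({"kind": kind, "when": rec["ts"].isoformat(), "psp": rec["psp"], "detail": detail})

    for rec in sorted(records, key=lambda r: r["ts"]):
        psp, badge = rec["psp"], rec["badge"]
        if rec["direction"] == "in":
            if rec["role"] == "employee" and badge not in authorised:
                flag("unauthorised_badge", rec, f"{badge} is not on the authorised access list")
            if rec["role"] == "visitor":
                escort = rec["escort"]
                # A valid escort is an authorised employee who is already inside.
                if escort in authorised and escort in inside[psp]:
                    escorted_by[psp][badge] = escort
                else:
                    flag("unescorted_visitor", rec, f"visitor {badge} entered with no escort present")
            inside[psp].add(badge)
        else:
            inside[psp].discard(badge)
            # An escort leaving before their visitor breaks continuous escort.
            for visitor, escort in escorted_by[psp].items():
                if escort == badge and visitor in inside[psp]:
                    flag("escort_left_visitor", rec, f"escort {badge} left while visitor {visitor} still inside")
            escorted_by[psp].pop(badge, None)

        # Two-person integrity: a single occupant is tolerated only briefly.
        if psp in two_person_psps:
            count = len(inside[psp])
            if count == 1 and psp not in lone_since:
                lone_since[psp] = (rec["ts"], next(iter(inside[psp])))
            elif count != 1 and psp in lone_since:
                started, alone = lone_since.pop(psp)
                if rec["ts"] - started > lone_limit:
                    flag("lone_occupancy", rec,
                         f"{alone} alone in PSP for {rec['ts'] - started} from {started:%H:%M:%S}")

    # Entries with no matching exit are a logging gap (or someone still inside).
    for psp, badges in inside.items():
        for badge in sorted(badges):
            findings.append({"kind": "no_exit_record", "when": None, "psp": psp,
                             "detail": f"{badge} has an entry but no exit record"})
    return findings


def review_sample():
    """Run the review over the constructed sample export."""
    return review_access_log(parse_log(SAMPLE_LOG), AUTHORISED_EMPLOYEES, TWO_PERSON_PSPS)


if __name__ == "__main__":
    for f in review_sample():
        print(f"[{f['kind']}] {f['when'] or 'end of log'} {f['psp']}: {f['detail']}")
```

On the sample export the review raises seven findings: a visitor admitted with no escort present, an escort who badged out leaving their visitor inside, two periods in which a visitor was the sole occupant of the control room, a badge that is not on the access list, and two entries with no exit record. The stateful replay matters more than any single rule: the escort and two-person checks can only be made by tracking occupancy over time, which is exactly what a per-event alarm rule on the badge controller cannot do.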
Repair team security in P1 markets requires specific pre-deployment planning
Grid outage repair teams responding to sabotage-induced failures may be entering areas where the armed group responsible is still present. In northern Nigeria, Balochistan, and parts of Iraq and Libya, repair team deployment requires security assessment of why the outage occurred before sending teams into the field. The difference between a weather-induced fault and a deliberate outage used to create a predictable repair team movement is operationally critical.
