A small team with basic weapons, local knowledge, and planning can cause outsized damage to the electric system. That is not conjecture. It is proven tradecraft and one of the clearest asymmetric attack vectors we face. The following is a practical scenario, its likely consequences, and the least-cost, highest-impact mitigations utilities and local authorities must prioritize now.

The scenario

Phase 1 — Reconnaissance and target selection. Attackers identify a handful of substations whose loss would stress or separate a regional transmission path. They prefer facilities with visible high-voltage transformers, limited perimeter barriers, and single points of access. They map nearby fiber or comms conduits and note times when site surveillance or patrols are sparse.

Phase 2 — Comms disruption and staging. Minutes to hours before kinetic action, operatives cut local fiber or telecom lines to degrade alarms, delay notifications, and slow coordinated response. The 2013 Metcalf incident included deliberate cuts to nearby communications infrastructure before attackers fired on transformers, a playbook that delays early detection and slows response.

Phase 3 — Simultaneous kinetic action. Teams at multiple sites apply concentrated small-arms fire or other destructive tools against transformer radiators, bushings, or control houses to provoke oil leaks, induce overheating, or disable protective equipment. Where multiple high-voltage transformers at a single substation are damaged, the local operator must quickly re-route power. If several strategically chosen substations are hit at once, the grid can be forced into emergency reconfiguration or separation, producing cascading outages. The North Carolina attacks in Moore County demonstrate how relatively simple kinetic strikes at two distribution/substation sites can produce widespread outages and multi-day restoration timelines.

Phase 4 — Operational friction and exploitation. With outages underway, attackers or copycats exploit confusion, threaten first responders, or target secondary infrastructure. If large transformers are destroyed or severely damaged, replacement is not a next-week fix. High-voltage transformers are specialized, heavy, and custom-ordered items with long lead times and limited spare inventories. Disabling a set of those critical transformers can produce sustained outages well beyond a few days.

Why this works

High-voltage transformers sit at choke points in the transmission system and are hard to mass-replace quickly. They are often plainly visible, enclosed by simple chain-link fences, and not routinely guarded. A relatively small attacker force can create significant localized destruction that cascades through a tightly coupled grid. Past incidents show actors used simple tactics to great effect: cutting local communications, precise targeting of cooling systems, and synchronized attacks to increase operator confusion.

Likely operational impacts

  • Local and regional outages lasting days to weeks while damaged equipment is assessed and backfeed paths are reconfigured. Moore County officials reported tens of thousands of customers without power and multi-day restorations after deliberate substation attacks.
  • Stress on system stability if the attack removes multiple key nodes in the same interconnection, forcing emergency load shedding or system separation.
  • Longer-term outages in worst-case scenarios if multiple large transformers are destroyed and spares are not immediately available. Lead times and logistical constraints for high-voltage transformers mean full functional restoration can take months in severe cases.
  • Secondary public-safety consequences: healthcare and water systems operating on generators, traffic-control failures, disrupted communications, and economic losses concentrated in affected regions.

Attack enablers to watch for

  • Publicized or leaked how-to guidance on attacking infrastructure, which can motivate copycats or extremists. Federal reporting and open-source monitoring have documented chatter and guides encouraging low-tech attacks on the grid.
  • Insider knowledge or access that reduces the time and skill needed to select high-impact targets. Investigations of previous incidents have looked at whether insider information played a role.
  • Supply chain and spare-equipment shortages that increase the recovery timeline if critical assets are damaged.

Mitigation priorities — what to do today

1) Harden the highest-value nodes, fast. Use risk-based identification (as required under the existing reliability standard framework) to prioritize substations whose loss would trigger instability, uncontrolled separation, or cascading. Apply hardened perimeters, ballistic barriers around exposed transformers, anti-climb measures, and redundant alarm communications for those facilities first. NERC and regulatory guidance already identify critical facilities and require risk assessments and plans for protecting them.

2) Layered detection and comms resilience. Assume perimeter intrusion will happen. Track and fix single points of failure in alarms and communications. Redundant, out-of-band alarm paths and local edge detection (acoustic sensors, fiber intrusion monitoring, on-site cameras with local analytics and recording) reduce the window between attack and operator awareness. CISA and DOE recommend a layered physical-security approach for substation protection.

3) Reduce exposure through equipment design and placement. Where feasible, relocate transformers away from easy sightlines, add hardened enclosures or retrofit radiators with ballistic shielding, and consider polymer bushings that reduce vulnerability to puncture. Physical hardening is cheaper than the societal cost of long outages.

4) Pre-position spares and speed logistics. Utilities and government partners should expand regional spare programs for critical transformers and other long-lead items and streamline emergency procurement and transport agreements. Analysts and prior government reviews flag limited spare inventories and long manufacturing lead times as principal recovery bottlenecks. Invest in a practical reserve strategy keyed to regional criticality.

5) Exercise the worst case and integrate response. Conduct multi-jurisdiction, multi-site red-team exercises that simulate simultaneous substation damage and comms loss. Include utility operators, law enforcement, emergency managers, and supply-chain partners. Exercises expose coordination shortfalls and accelerate realistic planning.

6) Harden the human environment. Tighten background checks and access controls on employees and contractors with knowledge of or access to critical assets. Combine that with appropriate insider-threat programs and information-sharing with law enforcement.

7) Public-private intelligence sharing and deterrence. Timely sharing of threat indicators between federal agencies, utilities, and local law enforcement reduces reaction time and can pre-empt plotting. Public statements that clearly criminalize and prioritize investigations into such attacks improve deterrence and public confidence. Recent federal products synthesize threat trends and recommended physical mitigations for electricity-sector stakeholders.
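As an added illustration of priority 2 (not part of the original article and not any utility's or vendor's code), the sketch below correlates alarm-path loss events across sites, so that a site losing every alarm path, or several sites losing paths within minutes of each other, is escalated instead of being logged as routine telecom faults. Site names, path labels, the 15-minute window, and the two-site threshold are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, site, alarm path, state).
# In practice these would come from missed heartbeats on each alarm path.
SAMPLE_EVENTS = [
    ("2024-01-01T02:00:00", "SUB-A", "fiber", "down"),
    ("2024-01-01T02:03:00", "SUB-A", "cellular", "down"),
    ("2024-01-01T02:07:00", "SUB-B", "fiber", "down"),
    ("2024-01-01T02:20:00", "SUB-A", "fiber", "up"),
    ("2024-01-01T09:00:00", "SUB-C", "fiber", "down"),
]

# Hypothetical inventory of the alarm paths each site is expected to have.
PATHS_PER_SITE = {
    "SUB-A": {"fiber", "cellular"},
    "SUB-B": {"fiber", "cellular"},
    "SUB-C": {"fiber", "cellular"},
}

def correlate(events, paths_per_site, window=timedelta(minutes=15), multi_site=2):
    """Return (timestamp, severity, detail) alerts.

    ISOLATED:   every expected alarm path at one site is down.
    CORRELATED: at least `multi_site` sites lost a path within `window`.
    """
    down = defaultdict(set)  # site -> alarm paths currently down
    recent = []              # (time, site) of path losses inside the window
    alerts = []
    for ts, site, path, state in sorted(events):
        t = datetime.fromisoformat(ts)
        if state == "up":
            down[site].discard(path)
            continue
        down[site].add(path)
        # Keep only losses that are still inside the correlation window.
        recent = [(rt, rs) for rt, rs in recent if t - rt <= window]
        recent.append((t, site))
        expected = paths_per_site.get(site, set())
        if expected and down[site] >= expected:
            alerts.append((ts, "ISOLATED", site))
        sites = sorted({rs for _, rs in recent})
        if len(sites) >= multi_site:
            alerts.append((ts, "CORRELATED", ",".join(sites)))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, PATHS_PER_SITE):
        print(alert)
```

The correlation has to run somewhere that does not depend on the monitored paths themselves, and both alert types should page a human over an out-of-band channel.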

A final, blunt assessment

This is not a Hollywood “grid goes dark” fantasy. It is a practicable asymmetric attack against specific weaknesses in how we protect and restore high-voltage infrastructure. We have case studies that show the methods, effects, and political noise that follow. We also have mature, implementable fixes: focused hardening, redundant communications, spare-equipment strategy, and disciplined exercises. Investments and actions that cost utilities and government far less than the economic and social costs of a regional outage will materially reduce the probability and impact of coordinated substation attacks.

If you are a utility executive, regulator, or emergency manager, prioritize: identify your critical nodes, harden them, pre-position spares or contracts, and exercise the simultaneous-loss scenario with law enforcement in the lead. If you are a local official, ensure hospitals, water, and first responders have resilient power plans that do not assume immediate grid restoration.

We know the enemy and we know the weapons. The remaining question is whether public and private leaders will treat this as a strategic risk or an operational afterthought. Act like electricity matters, because it does.