Two recent patterns should jolt every utility executive and federal planner. First, state actors and their proxies are combining cyber operations with conventional strike campaigns to impose sustained, cascading damage on power systems. Second, attackers are optimizing low-cost tools to exploit predictable weak points in modern grids. Those are not theoretical warnings. They are active playbooks that worked in Ukraine and nearly succeeded against Poland’s grid.

What we saw in Ukraine was an operational campaign aimed at the distribution layer, not just generation. Russia’s mix of cruise missiles, ballistic missiles and waves of inexpensive loitering munitions systematically struck substations, lines and distribution equipment so that power plants could not reattach to the grid even when generation remained available. The result was repeated blackouts and massive repair demands that taxed logistics and spare parts pools. That was the tactical logic. Attackers sought to create long outages through relatively low-cost means.

Poland’s incident shows the mirror image of that logic in cyberspace. According to Polish officials, a major cyber operation in late December targeted communications between renewable generators and distribution operators. The intruders were not trying to blow up transformers. They were attempting to sever control and coordination functions that keep distributed resources aligned with grid needs. Had that intrusion succeeded, the outage impact and repair profile would have looked very different and far harder to recover from.

Those two campaigns share core design features. Attackers probe for single points of operational dependency. They favor targets whose loss creates disproportionate downstream effects, such as high-voltage substations, control communications and SCADA interconnects. They mix modes of attack so defenders must split attention between physical repair, logistics and cyber incident response. And they exploit supply chain bottlenecks and aging equipment to magnify damage. These are classic hybrid operations optimized for attrition and cost effectiveness.

The takeaway for the United States is plain. Our critical infrastructure posture still assumes we will face either a cyber incident or a physical attack, not both at scale and in parallel. That assumption is dead. The U.S. must treat resilience as a multi-domain problem that starts with the risk picture and ends with the crew on the bucket truck who must splice a line in a blizzard. Federal strategy documents already push this integrated approach, but policy and procurement lag behind. We need to close that gap.

Concrete priorities for immediate action

1) Map operational dependencies end to end. Utilities, ISOs and federal partners must inventory not just generation and transmission, but the communications paths, spare parts, and vendor services required to restore service. This is a prerequisite to prioritized hardening.

2) Segment and harden control communications. Operational technology networks must be isolated, authenticated and able to fail safe. Where remote telemetry is required, assume the link will be contested and design fallback manual or local autonomous controls. Lessons from Poland show attackers target those very links.

3) Preposition repair caches and deploy rapid response teams. Ukraine’s outages were prolonged in part because replacement transformers, switchgear and skilled crews could not be delivered quickly. The U.S. needs regional caches, mutual aid agreements exercised for high-cadence attacks, and streamlined logistics authorities.

4) Run combined cyber and kinetic red teams and exercises. Tabletops are not enough. Simulate simultaneous drone or ground attacks on substations while adversaries execute ransomware or ICS intrusions. These drills expose coordination breakdowns between utilities, DOT, DOE, DHS and state emergency managers.

5) Raise the security baseline for distributed resources. As renewables and inverter-based resources proliferate, their control channels become attack vectors. Mandate authenticated control interfaces, enforce software supply chain hygiene and require vendors to provide timely patches and SBOMs for grid-connected equipment.

6) Improve information sharing and international cooperation. Adversaries operate across borders. CISA’s international strategy is the right direction. The U.S. must invest more in helping partner nations resist campaigns that can cascade into U.S. dependencies and in sharing threat indicators rapidly with industry.
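
Priorities 2 and 5 both call for authenticated control interfaces that fail safe when the link is contested. The sketch below is an added example, not code from any utility or vendor: a device-side controller that accepts a setpoint only if its HMAC tag verifies, its sequence number is fresh and its value is in range, and that reverts to a local safe setpoint when no valid command arrives in time. The key, message format, rating and timeout are constructed assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; real devices need provisioned per-device keys
RATED_KW = 1000.0              # assumed inverter rating
SAFE_SETPOINT_KW = 0.0         # assumed local fail-safe output
LINK_TIMEOUT_S = 30.0          # assumed silence tolerated before local fallback


def sign(key, seq, setpoint_kw):
    """Operator side: serialize a setpoint command and compute its HMAC tag."""
    body = json.dumps({"seq": seq, "setpoint_kw": setpoint_kw}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


class DerController:
    """Device side: accept only authentic, fresh, in-range commands."""

    def __init__(self, key, now=0.0):
        self.key = key
        self.last_seq = -1
        self.last_valid = now
        self.mode, self.setpoint_kw = "local", SAFE_SETPOINT_KW

    def receive(self, body, tag, now):
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"
        if not 0.0 <= msg["setpoint_kw"] <= RATED_KW:
            return "rejected: out of range"
        self.last_seq, self.last_valid = msg["seq"], now
        self.mode, self.setpoint_kw = "remote", msg["setpoint_kw"]
        return "accepted"

    def tick(self, now):
        """Watchdog: with no valid command inside the timeout, fail safe locally."""
        if now - self.last_valid > LINK_TIMEOUT_S:
            self.mode, self.setpoint_kw = "local", SAFE_SETPOINT_KW
        return self.mode, self.setpoint_kw
```

Rejected messages do not reset the watchdog, so a flood of forged or replayed traffic cannot keep the device in remote mode.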

Operational mindset changes

Stop treating resiliency as a checklist. Start treating it like a campaign you must win. That means accepting higher near-term costs to avoid strategic failure later. Harden the communication and control layer as aggressively as you harden physical perimeters. Build logistics resilience for the long war of attrition. Run public-private exercises that force hard choices on triage, rationing and restoration priorities. If you want simple language: assume the attacker will not limit themselves to one lane of the road. Plan across the whole highway.

Final point. The Russia playbook in Ukraine and the cyber probing against Poland are warnings, not surprises. They highlight tactics that scale, they use inexpensive tools and they exploit common weaknesses. The U.S. is not immune. Fix the basics now. Increase redundancy where it matters. Preposition spares. Harden control channels. Exercise under realistic stress. Those steps will not stop every attack. They will make the difference between an outage and a collapse.