Skip to content

Photo illustration by iStock; Security Management

Substation Attacks Heighten Scrutiny for U.S. Electric Grid Risks

Authorities arrested two men charged with vandalizing electrical substations in the U.S. state of Washington—attacks which knocked out power for more than 15,000 people during the holidays—allegedly to break into a business and steal money, federal prosecutors announced on 3 January.

Matthew Greenwood, 32, and Jeremy Crahan, 40, are believed responsible for vandalizing four Tacoma Power electrical substations on 25 December in Washington. The suspects broke into fenced areas and damaged equipment, causing a fire in one of the substations, The News Tribune reported. The damage to the substations is estimated to be at least $3 million and time-consuming to fix—the damaged transformers will need to be replaced, which could take up to 36 months.

The newly unsealed complaint charged Greenwood and Crahan with conspiracy to damage energy facilities, and Greenwood was also charged with possession of a short-barreled rifle and a short-barreled shotgun, the Associated Press reported. The suspects were tied to the attacks by cell phone location data, surveillance footage, and other evidence, the complaint said.

“We have seen attacks such as these increase in western Washington and throughout the country and must treat each incident seriously,” said Seattle U.S. Attorney Nick Brown in a news release. “The outages on Christmas left thousands in the dark and cold and put some who need power for medical devices at extreme risk.”

The Washington attacks followed a similar incident in North Carolina on 3 December where attackers—as of yet unidentified—drove up to two substations, breached the gates, and opened fire on electrical equipment, the AP said. More than 45,000 people lost power as a result.

Attacks, vandalism, and suspicious activity around power stations were already on the rise before these incidents. U.S. federal energy reports through August 2022 showed an increase in physical attacks at electrical facilities that year, continuing an upward trend that began in 2017. In the first eight months of 2022, there were at least 108 human-related incidents affecting the electric grid, compared with 99 in all of 2021, USA Today reported.

The incidents have prompted calls for more physical power grid protection, but industry experts warn that such calls have echoed through the industry for more than 30 years—improving security requires far more than a simple upgrade.

The North American electric grid is geographically widespread and complex, including more than 7,300 power plants, 160,000 miles of high-voltage power lines, and 55,000 transmission substations. To make matters more complicated, no single entity bears responsibility for the entire system, leaving some energy companies and infrastructure more vulnerable than others.

Attacks against critical infrastructure—when successful—have inspired more destructive campaigns. Radical far-right groups and individuals cheered the shootings at the Duke Energy substations in North Carolina, calling for larger targeted attacks on U.S. infrastructure. According to reporting from Newsweek, radical groups shared dozens of threats online against critical infrastructure sites, as well as materials designed to advance these plots.

Neo-Nazi groups online praised the North Carolina attackers, claiming they were motivated to attack infrastructure to shut down a drag show (officials have not linked the incident to the drag show). Newsweek cited a neo-Nazi post on Telegram that celebrated the “magnificent act of sabotage” as a “beautiful escalation” in a broader culture war in the United States.

Rita Katz, founder and executive director of the SITE Intelligence Group, told Newsweek that, “the sabotage against the North Carolina substation aligns perfectly with directives and methods seen in accelerationist neo-Nazi communities, which we at SITE have exhaustively reported on.”

"If this was indeed a far-right terrorist attack, my worry is that it will serve as a proof of concept for other far-right extremists," Katz said. "Immediately after the reports about the attacks, we at SITE saw such communities praise what happened in North Carolina and call for more, while sharing more directives about what to target and how to do so. Some have specifically suggested large cities."

A neo-Nazi publication from earlier in 2022 made the rounds on online message boards, offering guidance to domestic violent extremists (DVEs) on what to target when shooting at substations and how to inflict maximum damage to critical infrastructure.

“The utility sector has a real problem on its hands,” says Brian Harrell, CPP, former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security (DHS). “Power stations are an attractive target, and domestic terror groups know that destroying this infrastructure can have a crippling effect on industry, citizens, and local governments. The Washington state suspects were careless and sloppy compared to the North Carolina attackers. I’m certain that the North Carolina attacker(s) have insider knowledge on substations and critical energy infrastructure and knew how to attack undetected.”

Moore County, North Carolina, Sheriff Ronnie Fields seemed to agree, telling reporters in December 2022 that whoever was responsible for the attack “knew exactly what they were doing to… cause the outage that they did.”

“We have seen a significant uptick in DVE chatter surrounding sabotage and physical attacks on distribution and transmission substations,” Harrell tells Security Management. “The utility industry is aware of these concerns, and over the years, proper investments have been made to mitigate such attacks. However, a determined adversary with insider knowledge as to what to shoot, and how to cripple key components, is difficult to stop. This is why the energy sector invests in resilience.”

Unfortunately, the digital, decentralized, and domestic nature of the threat is an ongoing challenge for both private and public investigators and security teams, Newsweek noted. More DVEs are radicalized individuals who do not belong to a formally structured group, making them harder to detect in advance of an incident.

These risks have also caught the eye of federal power regulators, including Richard Glick, chair of the U.S. Federal Energy Regulatory Commission (FERC).

“Is there something more sinister going on? Are there people planning this?” Glick said in a briefing covered by POLITICO. “I don’t think anyone knows that right now. But there’s no doubt that the numbers are up in terms of reported incidents.”

FERC announced in its December meeting that it would direct an industry standards-setting organization to analyze whether the commission should bolster regulations for protecting critical infrastructure. This would not affect local electrical substations and distribution lines, POLITICO noted. Smaller, rural facilities often do not meet the criteria for high levels of security requirements and are often subject to state or local regulations instead.

Regarding the North Carolina shooting, Harrell says he does not expect an individual or group to come forward to take responsibility. Instead, he anticipates the party responsible will be caught in a violent act.

“Law enforcement could have cell phone record leads, but that’s about it. If the attackers stay underground, don’t highlight themselves, and don’t get caught, they preserve their ability to attack again,” he explains. “This person or group likely has insider knowledge of energy infrastructure and knows, specifically, where to access sites and what to shoot at. I’m guessing they are a disgruntled former contractor, or someone who has working knowledge of substations and high-voltage transformers. Duke Energy is a world-class company, and they have the relationships and expertise to solve this problem.”

In the meantime, private organizations and critical infrastructure security managers can practice expanding their scenario planning exercises to account for multi-level risks, such as a power outage being linked to an attempted heist.

“Don’t think of the obvious, think of what else could be,” Anthony Hurley, CPP, PCI, PSP, tells Security Management.

Hurley, who wrote an article for our September/October 2022 issue on complex scenario planning (“While You Weren’t Looking”), notes that “security professionals must think of all of the reasons that an attack on their assets may have occurred. To jump to a conclusion without considering all options is a common mistake. Like in this situation, the motivation was not to attack the substation for any other reason than to create an outage so that they could execute a criminal act on another unrelated facility.”

In his article, Hurley noted that natural disasters, like derechos, earthquakes, and tornadoes, regularly disrupt operations around the globe.

“Critical incidents have similar divisions: human-caused accidents like train derailments or incident-triggered civil unrest can be unexpected, while other events like parades, sporting events, or festivals can be planned months ahead of time. Any of these events can impact staffing, disrupt public works, and impact the availability of first responders,” he wrote.

“If an organization is not prepared, these changes provide bad actors with the opportunity to take advantage of distractions to possibly gain access to a facility,” Hurley added. “Criminals may seek to steal products if the opportunity is right, or may take advantage of an event to conduct an orchestrated theft of intellectual property. On a larger scale, ideology-driven violent extremists are committed to disrupting and crippling critical infrastructure for their cause, and a major event often sparks concern that threat actors will attack during the confusion.”