Critical Infrastructure Protection · Grid Security · 2026
The U.S. grid has approximately 55,000 transmission substations. Many lack robust physical hardening against deliberate attack. Attacks are accelerating. Ukraine has been under sustained assault since February 2022 on its power infrastructure and developed the most battle-tested substation hardening doctrine on earth. This report covers the threat landscape, the U.S. regulatory gap, Ukraine's battle-tested lessons under sustained attack, the layered protection architecture, and the companies that can help.
The Security Gap
The threat actors are diverse: domestic violent extremists (DVE) targeting grid infrastructure as a force multiplier for other criminal activity; far-right extremists sharing targeting guides on online forums; disgruntled individuals; copper thieves who cause collateral damage; and nation-state actors who have already demonstrated they can penetrate utility SCADA systems. Russian hackers compromised several U.S. electrical utilities in 2017-2018, breaching air-gapped security networks. The Russian PIPEDREAM malware, designed specifically to compromise OT systems, came dangerously close to disrupting a significant portion of U.S. electric supply in 2022.
The problem is not lack of awareness. NERC CIP-014 has required risk assessments and security plans for the most critical substations since 2015. The problem is scope — CIP-014 only applies to the highest-voltage, highest-impact transmission substations. Thousands of distribution substations that serve hospitals, emergency services, and dense population centers are entirely outside the mandatory framework. And even where CIP-014 applies, the standard mandates a plan, not a specific protection level — leaving enormous variation in actual security posture across the industry.
Documented Incidents
The pattern is clear and consistent: rifle fire at transformers from outside the perimeter, cutting communications first, targeting equipment with no line-of-sight protection. The Moore County attack is the operational template that threat actors are replicating.
Battlefield-Proven Protection Doctrine
Russia has attacked Ukraine's power infrastructure with cruise missiles, ballistic missiles, kamikaze drones, and fiber-optic FPV drones on 30+ separate large-scale coordinated strikes since February 2022, and on hundreds of additional localized strikes. Ukraine has lost 70% of its pre-war generating capacity. A substantial portion of Ukraine’s high-voltage transmission infrastructure has been damaged or degraded by repeated attacks. And yet the grid is still running. The lessons Ukraine has developed — under live fire, under existential pressure — are the most operationally relevant substation hardening doctrine available anywhere in the world. They are directly applicable to U.S. grid security.
Key Ukraine Finding — Directly Applicable to U.S. Grid
Concrete and steel structures have proven effective in shielding power transmission substations from attacks. This is confirmed by the Wilson Center, IEA, Atlantic Council, and Congressional Research Service — all citing Ukraine's operational experience. The U.S. grid faces a less kinetically intense but increasingly frequent threat from rifle fire, drone payload delivery, and coordinated multi-site attacks. An effective countermeasure is ballistic-rated protection around critical components, combined with concealment, detection, and layered defenses. The physics does not change because the attacker's nationality does.
Defense Architecture
No single measure is sufficient. The correct architecture is layered — each layer provides redundancy against failure of the layer before it. Ukraine proved this under live fire. The architecture below is applicable to U.S. substations now, at varying cost levels, without waiting for regulatory mandates.
Sequencing Principle — CoreBastion
Most substation hardening programs jump straight to fencing and hardware. That is the wrong starting point. The correct sequence begins with a question: how visible is this site to someone who wants to attack it?
Start with concealment. Obscuring the site is the highest-leverage, lowest-cost intervention available. An attacker cannot effectively target what they cannot identify, locate, or observe. Visual screening, thermal masking, non-reflective coatings, and vegetation management remove the targeting information before any physical hardening is even needed. This applies equally to ground-level reconnaissance and drone-borne EO/IR sensors.
Apply CPTED principles next. Crime Prevention Through Environmental Design is directly applicable to substations. Controlling sight lines, eliminating standoff shooting positions, managing vegetation and terrain around the perimeter, and designing access routes that force visible, controlled approach all reinforce concealment while adding physical deterrence. CPTED interventions are low-cost, durable, and often achievable without major construction.
Then layer the physical hardening. Once concealment and CPTED are in place, the passive physical layers below build on a foundation that has already reduced the attacker's information advantage. Perimeter hardening, ballistic equipment protection, detection, drone countermeasures, and restoration readiness each reinforce one another. The six layers below should be read in that context.
High-security perimeter fencing, anti-climb measures, vehicle barriers, and ballistic-rated perimeter gates. The goal at this layer is not to stop a determined attacker — it is to slow them, force closer engagement, and eliminate standoff shooting positions. In CoreBastion’s assessment, chain-link fencing alone is not an adequate security measure for critical substations. Ballistic-rated perimeter walls and high-security mesh systems with intrusion detection are the correct answer for critical substations.
Ballistic-rated walls, panels, and enclosures directly around transformers, control houses, breaker/transformer cabinets, and SCADA/communications equipment. In CoreBastion’s assessment, this is among the highest-priority hardening measures available. The Moore County and Metcalf attacks succeeded because transformers had zero ballistic protection and direct line-of-sight from outside the perimeter. Concealment reduces targeting opportunities at relatively low cost; ballistic protection provides the final passive defense if a site is identified and attacked. Eliminating line-of-sight eliminates the primary attack vector. Ukraine's three-layer concrete and steel protection of autotransformers reduced equipment loss by approximately 50% during peak attack periods.
Non-reflective coatings, thermal masking fabric, and visual screens prevent drone-borne EO/IR reconnaissance from identifying high-value equipment. Ukraine lesson: drone operators target what they can identify from above. Remove identifying equipment signatures — distinctive transformer shapes, heat signatures from cooling systems — and you reduce the targeting information available. This applies to both ground-level standoff attacks and drone reconnaissance.
Multi-layer detection: radar for drone and ground intrusion detection at extended range; AI video analytics for perimeter intrusion and loitering detection; acoustic sensors for gunshot detection, drone audio signature, and glass break; thermal cameras for 24/7 perimeter coverage in darkness and adverse weather; Remote ID monitoring for drone identification; SCADA-integrated sensors for equipment tampering. The Meerkat ballistic line-of-sight tool (IEEE Spectrum 2025) specifically models substation vulnerability to ballistic attack — identifying which equipment is exposed from which external positions.
Drone delivery of explosive or incendiary payloads, drone reconnaissance for pre-attack intelligence gathering, and drone-based electronic warfare are all documented threats to energy infrastructure. Detection at this layer is legal for any U.S. utility. Defeat requires federal authorization under current law — but the NDAA FY2026 SAFER SKIES Act and the pending Tom Cotton bill may extend defeat authority to designated CNI operators including energy utilities. Anti-drone netting over critical equipment (same architecture as data centers) is the passive defense that is legal and immediately deployable.
Spare transformer pre-positioning. Distributed backup generation. Microgrid islanding capability. Mutual aid agreements for rapid equipment transfer. Transformer replacement lead times can exceed 12-18 months for custom high-voltage units — the Strategic Transformer Reserve (STR) program and NERC's spare equipment database exist to address this. Ukraine's key insight: speed of restoration is a resilience multiplier that reduces the strategic value of any single attack.
Vendor Intelligence
Vendors operating in U.S. substation physical security, organized by protection category. Most products apply to any hardened site — the substation application is not fundamentally different from data center hardening in the passive protection layers.
| Company | Product / Solution | Category | Key Capability | Market / Certification | Notes |
|---|---|---|---|---|---|
| BALLISTIC PROTECTION — Transformer and Equipment Hardening | |||||
| Southern States LLC U.S. | Ballisti-Wall® / Ballisti-Cover® | Ballistic enclosure | UL-752 Level 10 certified ballistic protection for transformers, control houses, breaker/transformer cabinets, SCADA equipment. Designed for straightforward installation and removal. | U.S. utility market — NERC CIP-014 applications | Most deployed purpose-built transformer ballistic protection product in U.S. utility market. Georgia-based manufacturer with established utility customer base. |
| Oldcastle Infrastructure U.S. | Defender Walls | Precast concrete walls | Purpose-built precast concrete substation security walls. Heavy protection for highest-threat environments. Scalable for large transformer yards. Ukraine equivalent: Level 2 concrete protection. | U.S. utility market — CIP-014 and voluntary hardening | Large-format precast concrete — best for new construction or major retrofits. Used by multiple large U.S. utilities post-2022 attack series. |
| Permacast Walls U.S. | Precast concrete security walls | Precast concrete walls | Custom precast concrete ballistic wall systems. Substation-specific design capability. | U.S. utility market | Custom design capability — useful for non-standard site geometries. |
| ArmorCore by Waco Composites U.S. | ArmorCore® Fiberglass Ballistic Panels | Ballistic panels | UL-752 certified fiberglass panels, levels 1-8. Lighter than concrete. No ricochet or spalling — bullet captured and contained. ISO 9001:2015. 10-year warranty. | Retrofit applications — can be installed without specialized certification | Best for retrofit applications where weight is a constraint. Faster installation than precast concrete. More affordable entry point for smaller utilities or distribution substations. |
| PERIMETER SECURITY — Fencing, Gates, and Anti-Intrusion | |||||
| Guardiar U.S./Intl | Guardian Fence System 7000 / TurnkeyEPC | High-security perimeter | Double security mesh — 46-minute breakthrough delay (ASTM tested). NERC CIP-014 compliance capability. Full EPC (engineering, procurement, construction) turnkey. Betafence partnership for mesh. | U.S. utility market — large energy providers | Full turnkey EPC provider for utility substations. One of the few vendors that does the complete job — design through commissioning. Significant reference base with major U.S. energy providers. |
| FDC Security U.S. | Substation security systems | Perimeter + access control + detection integration | Threat assessments, risk modeling, ballistic gates and walls, StrongWeld Defender ballistic gate (UL 752 rated), NERC/FERC compliance tools, integration with Lenel/Genetec/Avigilon | U.S. utility market — Florida and Southeast | Full-service substation security integrator. One of the few firms that explicitly integrates ballistic perimeter protection with access control and video management for substations. |
| Dickerson Infrastructure U.S. | Substation security systems installation | Full security system integration | Switchyards, substations, fossil and nuclear sites. From initial grading through systems integration. Complete installation capability. | U.S. utility / nuclear / fossil fuel sites | Specialist contractor with nuclear site clearance. Relevant for highest-security transmission substations and nuclear switchyards. |
| Ameristar / ASSA ABLOY U.S. | Stalwart® high-security fencing | Perimeter fencing | High-security welded mesh fencing systems. Anti-climb. Crash-rated vehicle barriers. CIP-014 application experience. | U.S. utility / CNI market | Widely deployed for utility perimeter upgrades. ASSA ABLOY ownership brings integration with broader physical security ecosystem. |
| Gibraltar Perimeter Security U.S. | High-security fencing systems | Perimeter fencing | High-security welded wire mesh and anti-climb fencing systems designed for utility and CNI applications. Modular panel systems with intrusion-detection integration capability. | U.S. utility / CNI market | Representative example of U.S.-based perimeter fencing manufacturers serving the utility hardening market. This list is illustrative, not exhaustive — multiple qualified fencing manufacturers operate in this space. |
| DETECTION — Sensors, Video Analytics, and Gunshot Detection | |||||
| ShotSpotter / Motorola Solutions U.S. | ShotSpotter Respond for Critical Infrastructure | Acoustic gunshot detection | Real-time gunshot detection and geolocation. Mean alert time under 60 seconds. Distinguishes rifle fire from other sounds. Notifies SOC and law enforcement simultaneously. Deployed in 150+ cities and expanding to CNI. | U.S. utility / CNI — expanding from law enforcement market | One of the most valuable detection technologies for the rifle-fire threat vector observed in several documented U.S. substation attacks. Gunshot detection remains a gap in most substation security programs. |
| Specter | Long-range wireless sensing network | Perimeter detection + AI situational awareness | Software-defined long-range perimeter sensing beyond camera lines-of-sight. Natural language alert configuration. Real-time map-based situational awareness. Sensor-agnostic. | CNI / Data Centers / Substation perimeters | Addresses the detection gap at rural substations where cameras have limited effective range and intruders can approach from outside camera coverage zones. |
| Power Intelligence U.S. | Substation security protocol / detection systems | Substation-specific integrated security | Adaptable customizable substation security protocols. Developed specifically in response to 2022-2023 attack series. Fast deployment capability. | U.S. utility market | Purpose-built for the post-2022 attack environment. Focused specifically on substations — not a generalist security company applying generic solutions. |
| ZEI / Zimy Electronics U.S. | CIP-014 compliant perimeter security systems | Perimeter security integration | CIP-014 compliance design and deployment. Understanding of NERC audit requirements and documentation expectations. Utility-specific installation experience. | U.S. transmission owners — CIP-014 compliance programs | Specializes in the compliance layer — designing systems that satisfy CIP-014 audit requirements, not just security requirements. Distinction matters for NERC audit outcomes. |
| Ambient.ai U.S. | Pulsar VLM | AI video analytics — perimeter and site | Vision language model (VLM) applied to physical security video. Understands context, not just motion. Differentiates threat-relevant behavior from benign activity. Reduces false positive alert load. Generally available as of 2025. | CNI / Data Centers / High-security perimeters | Represents the next generation of AI video analytics — semantic understanding of scene context rather than rule-based motion detection. Applicable to substation perimeter coverage where false positive fatigue is a documented problem with legacy analytics. |
| ENGINEERING AND CONSULTING — CIP-014 Compliance and Physical Security Planning | |||||
| POWER Engineers U.S. | Substation security engineering and CIP-014 consulting | Engineering / compliance consulting | Physical substation security expert services. Five-tier substation criticality ranking model (extending beyond CIP-014 scope to all substations). Digital twin simulation for security planning. | U.S. utility market — all substation tiers | Leading engineering firm for substation security. Recommends extending CIP-014 principles beyond mandatory scope to all substations — the only operationally correct approach given the attack surface. |
| TRC Companies U.S. | Layered risk-based substation security consulting | Security consulting / risk assessment | Layered risk-based approach to substation security. Regulatory framework navigation. CIP-014 compliance. Physical security plan development. | U.S. utility / CNI market | Published Nov 2025 analysis on why layered risk-based approach is essential — directly applicable to utility security programs updating post-2022 attack series. |
| Meerkat (IEEE Spectrum 2025) | Ballistic line-of-sight analysis tool | Security assessment software | Groundbreaking tool that identifies which equipment within a substation is exposed to ballistic attack from which external positions. Models line-of-sight vulnerabilities before an attacker does. | U.S. utility / security consulting | Proactive vulnerability identification — find the attack angles before the attacker does. Featured in IEEE Spectrum 2025 as a significant advance in substation security assessment methodology. |
| DRONE DEFENSE — Autonomous Aerial Surveillance and C-UAS | |||||
| Skydio U.S. | Skydio Dock / Skydio X10 | Autonomous aerial surveillance | Dock-based autonomous drone patrol with AI-powered obstacle avoidance. Conducts perimeter and site surveys on schedule or on-demand without a pilot. Persistent aerial awareness beyond fixed camera coverage. | CNI / Data Centers / Remote infrastructure | Particularly relevant for remote, unstaffed substations where camera coverage has gaps and guard response is slow. Autonomous aerial patrol extends detection reach at sites that cannot justify a staffed post. This list is illustrative — multiple autonomous drone platform vendors serve this space. |
| RAPID-DEPLOY PASSIVE PROTECTION — Ukraine-Proven Methods | |||||
| Hesco Bastion UK / Intl | RAID and Concertainer blast barriers | Rapid-deploy blast and ballistic barriers | Military-standard wire mesh and fabric containers filled with local soil or aggregate. Deployed in minutes. Proven in combat zones worldwide. Blast, ballistic, and fragmentation protection. Reusable and relocatable. | Military / CNI / Emergency hardening globally | Ukraine equivalent of Layer 1 gabion protection — already available in the U.S. Used by DoD at forward operating bases. Directly applicable to immediate emergency hardening of substations before permanent solutions are installed. |
| Saab Barracuda Sweden / Intl | Multi-spectral concealment systems | Thermal and visual concealment | Military-grade thermal masking fabric reducing equipment heat signatures. Visual concealment for aerial reconnaissance denial. Used by Ukraine and NATO forces. | Military / CNI internationally | Directly applicable to substation cooling equipment concealment. Reduces drone EO/IR targeting signatures. Available through defense supply channels. |
Regulatory Framework
CIP-014 is the mandatory physical security standard for U.S. bulk electric system transmission substations. It was a significant step forward when promulgated in 2015 — and it is insufficient for the current threat environment. Understanding both its requirements and its gaps is essential for any utility or CNI operator developing a substation security program.
What Is Coming — Regulatory Evolution
FERC has signaled it may revisit CIP-014 to expand scope to substations between 200 kV and 499 kV that currently do not meet the three-connected-substation threshold. The 2022-2023 attack series reinvigorated this discussion in Congress. The Tom Cotton bill (introduced April/May 2026), primarily aimed at private CNI operators, also strengthens the legal framework for energy infrastructure defeat authority. And the NDAA FY2026 SAFER SKIES Act now explicitly includes energy infrastructure among the CNI sectors eligible for FEMA C-UAS grants. The regulatory floor is rising — but the threat is already above it.
CoreBastion Assessment
The U.S. grid physical security posture is inadequate relative to the documented and escalating threat. The following recommendations are practitioner-grade — not compliance-grade. They follow the concealment-first, CPTED-second, layered-hardening-third sequencing philosophy described in the protection architecture section above.
The single most underutilized intervention in U.S. substation security is also the cheapest. Visual screening, thermal masking, non-reflective coatings, and vegetation management around the perimeter reduce the targeting information available to any adversary — whether they are conducting ground reconnaissance, drone-borne EO/IR surveillance, or open-source research. An attacker cannot precisely target what they cannot clearly observe. This should be the first action at every critical substation, before any fencing or hardware investment is made. It is low cost, fast to deploy, and effective immediately.
Crime Prevention Through Environmental Design principles are directly applicable to substation security and are systematically ignored by most utility operators. Controlling sight lines from public roads and adjacent terrain, eliminating natural standoff shooting positions through landscaping and terrain management, designing access routes that force visible and controlled approach, and removing features that allow concealed observation of the site from outside the perimeter all reduce attack feasibility before any physical hardening is installed. A proper CPTED assessment of a substation will identify environmental vulnerabilities that no fence can fix — and fix them at a fraction of the cost.
The Moore County and Metcalf attacks succeeded for one reason: the transformers had direct line-of-sight exposure from outside the perimeter and zero ballistic protection. Once concealment and CPTED measures are in place, the next priority is eliminating that line-of-sight entirely through ballistic-rated protection. Southern States Ballisti-Wall, Oldcastle Defender Walls, or equivalent precast concrete protection eliminates the attack vector. It does not require regulatory mandate, government approval, or technology development. It requires capital allocation and a decision. Ukraine built Level 2 concrete protection around 63 autotransformers while under active missile attack. In CoreBastion’s assessment, U.S. utilities have ample documented justification to implement equivalent protection without requiring a warzone as motivation.
The rifle fire threat vector is the primary documented attack method in the U.S. Physical hardening slows the attack. Detection stops it — or at minimum compresses the response window dramatically. ShotSpotter Respond for Critical Infrastructure provides real-time acoustic gunshot detection and geolocation with under-60-second alert time. This is not expensive or complex. It is absent from the security posture of almost every substation in the country. It should be on every critical substation within 12 months.
Ukraine's three-layer passive protection doctrine is directly applicable to U.S. substations. Layer 1: Hesco-equivalent gabion/sandbag barriers around critical equipment — deployable in days, at low cost, before permanent solutions are installed. Layer 2: Precast concrete protection around autotransformers and critical control equipment. Layer 3: Iron-and-steel-reinforced structures for the highest-impact sites. Ukraine implemented all three while under active missile attack. U.S. utilities face a far less kinetically intense environment and have no operational excuse for not implementing at least Layers 1 and 2 at all critical substations now.
CIP-014 covers only the highest-impact bulk transmission substations. The POWER Engineers five-tier model is the correct approach: apply risk assessment and physical security planning principles to all substations, with protection levels proportional to criticality. The substations serving hospitals, emergency services, and data centers may not be CIP-014 mandatory sites — but an extended outage at a distribution substation serving a hospital system is a life-safety event. Voluntary adoption of CIP-014-equivalent planning for out-of-scope sites is the right answer. Most utilities have not done this.
U.S. utilities cannot currently deploy defeat technology. They can deploy detection. Dedrone, DroneShield, or Fortem detection systems at critical substations create the detection infrastructure needed for defeat when authority is extended via the Tom Cotton bill or future legislation. Anti-drone netting over control houses and critical equipment — legal today, no authority required — is the passive backstop. Do not wait for legislation to build the detection architecture. The drone payload delivery threat to transformers is real, it is documented in Ukraine, and it is coming to the U.S. Build the detection posture now.
The fundamental economics of substation security are challenging. The U.S. has approximately 55,000 transmission substations. Many are remote, unstaffed, and surrounded by open terrain that provides natural standoff distance for attackers. Full hardening of every substation is not financially or operationally achievable. The correct strategy is: tiered protection based on criticality, resilience investment (spare transformers, distributed generation, rapid repair capability) as a complement to hardening, and law enforcement coordination that gives local agencies the substation familiarization training they need to respond effectively. Ukraine's ultimate resilience came from redundancy and speed of restoration — not from protecting every asset. The U.S. grid should learn the same lesson.