    Why Nation-States Are Hacking the Power That Runs the World

By InfoForTech, February 2, 2026


    “If you want to weaken a nation without firing a shot, start by flipping the switch.”

    Hello Cyber Builders 🖖,

    In Part 1 of this series, I shared my personal experience during the Spanish blackout and explored past grid-targeting attacks, including Ukraine 2015.

    But today’s story goes deeper. It’s not just about outages. It’s about strategy. You might ask yourself: Why would a threat actor care so much about targeting a Power Grid? What’s in it for them?

    Well, the answer is simple. It’s about deterrence, retaliation, and leverage.

    Taking down a nation’s Power Grid is a bold, visible move. It disrupts daily life, sows panic, and sends a clear message without firing a single missile.

    State-sponsored actors are quietly breaching the networks that control power, water, and transportation — not for money, but for leverage. To send signals. To prepare for a future where wars start with keyboards, not missiles.

    In this post, I’ll unpack:

    • Why grids matter strategically — and how attacks create pressure without bloodshed.

    • What a power grid actually is (and why fragmentation increases cyber risk).

    • How China’s Volt Typhoon campaign infiltrated the U.S. Grid via telecom systems.

    In December 2015, Ukraine was hit by one of the first confirmed industrial cyberattacks in the world, shutting down part of the country’s power grid substations. Three regional electricity distributors were simultaneously targeted. Attackers remotely controlled SCADA systems, cut off power to more than 230,000 people, and even locked out engineers by wiping firmware on substation equipment.

    The attack was sophisticated:

    • Spear-phishing was used to gain access.

    • Malware called BlackEnergy and KillDisk helped pivot and wipe systems.

    • Manual remote access was used to flip circuit breakers.

    It was surgical, coordinated, and state-backed. Most experts, especially given the geopolitical tensions at the time, point to Russia as the likely actor.

For many in the cybersecurity world, this was a 9/11 moment. It proved that bits could crash infrastructure, not just computers. My analysis is in a PDF report in the first post, where I also shared my personal feelings about being in Spain during the apagón:

    When the Lights Went Out: My Story from the Spanish Blackout


    When the media talks about “the Power Grid,” it often sounds like one big, monolithic system—as if a single switch controls all the electricity in a country.

    The Power Grid is a highly complex, layered, and increasingly fragmented ecosystem. To understand its cybersecurity risks, we first need to understand its architecture.

    So let’s break it down.

1️⃣ Power Generation

This is the first step in the system: creating electricity from various energy sources.

    Traditionally, this meant large centralized power plants:

    • Coal plants

    • Natural gas plants

    • Nuclear plants

    • Hydroelectric dams

    Today, the landscape is far more diverse:

    • Wind farms (both onshore and offshore)

    • Solar farms

    • Biomass generation

    • Even small-scale generation (such as rooftop solar on homes or businesses)

    • The latest innovation in our energy-hungry world is Small Modular Reactors, mini nuclear plants you can deploy near factories or data centers.

In many countries, power generation is now highly decentralized. A private citizen, a business, or a municipality can now contribute electricity to the grid. This means many more actors, each with its own systems and networks.

    2️⃣ Power Transmission (The “High Voltage” Grid)

    Once electricity is generated, it must be moved long distances—from power plants (often outside cities) to major consumption centers.

This is done through the transmission grid.

    Large national or regional operators usually run transmission networks. In Europe, examples include RTE (France) or TenneT (Germany/Netherlands); in the U.S., regional transmission organizations (RTOs) manage these systems.

    This part of the grid is still relatively centralized but increasingly dependent on automated control systems (SCADA and ICS; more on this below). Computers, networks, and telcos are indeed running the grid.

These systems control the physical process of the grid: opening and closing breakers, adjusting voltage, monitoring load and faults. They were designed for reliability and uptime, not for cybersecurity. Many run on old protocols with no encryption and weak authentication.
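As an added illustration (not code from the post), the following Python decodes a Modbus/TCP request, a widely used SCADA protocol that the post does not name, and shows the defender's problem with such protocols: the frame carries no credential, so the only control left is knowing which hosts are allowed to write. The addresses, the allowlist and the sample frames are constructed.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP function codes that change process state (subset, for illustration).
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}
# Hypothetical allowlist: only the SCADA master at this address may issue writes.
ALLOWED_WRITERS = {"10.1.1.10"}

@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function: int
    address: int
    value: int

def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Decode the MBAP header plus a single-coil/register PDU (12 bytes).

    Note what is absent: no session, no signature, no credential. The only
    identity a defender has is the network address the frame came from.
    """
    if len(frame) < 12:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    addr, val = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(src_ip, tid, unit, frame[7], addr, val)

def flag_unauthorised_writes(packets):
    """Return (src_ip, description) for every write not issued by the allowlist."""
    alerts = []
    for src, frame in packets:
        req = parse_modbus_tcp(src, frame)
        if req.function in WRITE_FUNCTIONS and req.src_ip not in ALLOWED_WRITERS:
            desc = (f"{WRITE_FUNCTIONS[req.function]} unit={req.unit_id} "
                    f"addr={req.address} value={req.value:#06x}")
            alerts.append((src, desc))
    return alerts

# Constructed sample traffic: a register read and a coil write (0xFF00 = ON)
# from the master, then the same coil write from an unexpected host.
SAMPLE_PACKETS = [
    ("10.1.1.10", bytes.fromhex("00010000000601030000000A")),
    ("10.1.1.10", bytes.fromhex("00020000000601050013FF00")),
    ("10.1.1.77", bytes.fromhex("00030000000601050013FF00")),
]
```

Only the third frame is flagged: the protocol itself cannot tell the two coil writes apart, so the allowlist (or network segmentation that enforces it) is doing all the work.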

3️⃣ Power Distribution

Finally, electricity reaches the distribution network:

    • Local substations step down the voltage again

    • Distribution lines carry electricity into neighborhoods, homes, offices, and factories

    This is the “last mile” of the grid—what directly connects to your wall socket.

In many countries, this layer is now more fragmented than transmission:

    • Local utilities

    • Municipal operators

    • Private distribution networks in industrial zones

    Another layer of complexity is introduced by:

    • Smart meters in homes and businesses

    • Two-way communication between the grid and devices

• Consumers becoming “prosumers” (both consuming and generating electricity)

    Historically, one big state-controlled utility handled all three layers—generation, transmission, and distribution.

This meant:

    • One set of systems

    • One security model

    • One set of operational policies

    • One trusted network perimeter

    • One CISO and his teams

    Today, the reality is different:

    • Multiple actors at each layer

    • Private companies generating power

    • Cross-border interconnections in Europe

    • Third-party renewable energy providers plugging directly into the grid

    • Microgrids (local grids that can operate semi-independently)

    • Smart grids (grids with digital monitoring and dynamic control)

• Renewable energy injecting intermittent power into the grid (versus a power plant that sends a constant flow of power)

When defending a power grid, you are defending a complex system in which you can no longer trust a “perimeter”. Every new connection point—every wind farm, every solar array, every private generator—is a new potential attack vector:

    • Many of these parties have different IT/OT maturity levels.

    • They may run different software.

    • They may not have the same level of security controls.

    • They may rely on remote access or cloud platforms to manage their systems.

    • They are often connected via public telecom infrastructure (key point—this links to Volt Typhoon’s targeting of telecom).

    The “Smart Grid” concept adds more IT systems, IoT devices, APIs, and remote management tools.

    Security concerns include:

    • Authentication and authorization between all these parties

    • Identity and access management for thousands of new actors

    • Supply chain risk — many vendors provide components for smart meters, converters, inverters, etc.

    • Insecure IoT devices could be used as entry points.

    I’ll provide more technical details in the last post of the series. But for now, let’s see who might be interested in hacking the power grids.

    China’s state-sponsored cyber group, Volt Typhoon, has been actively infiltrating U.S. critical infrastructure sectors since at least 2021. Their operations are characterized by stealth and persistence, and they aim to establish long-term access to systems that control vital services (see here)

    A video with several US officials at NYSE talking about the threats is highly informative.

In this video (a really good hour to spend), we learn:

    • How the Chinese government-backed hackers have gained extensive capabilities and can scale attacks against hundreds of utilities.

    • Why it is essential to distinguish the CCP and government from the Chinese people.

    • “Russia is the hurricane, China is the global warming.”

• Critical infrastructure and OT security remain a significant problem. It is disheartening to still hear this more than 10 years after I started a specialized company—Sentryo, now part of Cisco.

    • IP theft is a major source of competitive imbalance between China and Western countries (the US and Europe).

I love how these former top national officials openly discuss the threats. Go watch them.

    Volt Typhoon has primarily targeted sectors such as energy, communications, transportation, and water systems. Their approach involves “living off the land” tactics, utilizing legitimate network administration tools to avoid detection. This method allows them to blend in with normal system activities, making their presence difficult to identify.
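Because “living off the land” leaves no malware to match on, detection has to look at how legitimate tools are used rather than which tools are present. The following Python is an added example (not from the post or any vendor) that scores constructed process-creation events; the hostnames, users and command lines are made up, and the two rules (a built-in command turned into a traffic relay, a built-in command copying the directory database) are illustrative assumptions about what an operator rarely needs.

```python
import re

# Constructed process-creation events: (host, user, parent process, command line).
EVENTS = [
    ("dc01", "ops\\admin1", "cmd.exe", "netsh interface show interface"),
    ("dc01", "ops\\admin1", "cmd.exe", 'ntdsutil.exe "ac i ntds" ifm "create full C:\\temp" q q'),
    ("ws17", "ops\\helpdesk", "explorer.exe", "ipconfig /all"),
    ("ws17", "NT AUTHORITY\\SYSTEM", "w3wp.exe",
     "cmd.exe /c netsh interface portproxy add v4tov4 listenport=9999 "
     "connectaddress=10.1.1.10 connectport=502"),
]

# Illustrative rules (assumptions, not from the post): built-in tools used in
# ways an operator rarely needs, e.g. turning a host into a traffic relay or
# copying the AD database.
RULES = [
    ("netsh portproxy relay", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I)),
    ("ntdsutil AD database copy", re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
]
# Parents that have no business launching admin tooling (web server, Office apps).
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "outlook.exe"}
ADMIN_TOOLS = re.compile(r"\b(netsh|ntdsutil|wmic|ipconfig|cmd)(\.exe)?\b", re.I)

def score_event(parent: str, cmdline: str) -> list[str]:
    """Return the reasons this event looks like living-off-the-land abuse."""
    reasons = [name for name, pattern in RULES if pattern.search(cmdline)]
    if parent.lower() in SUSPICIOUS_PARENTS and ADMIN_TOOLS.search(cmdline):
        reasons.append(f"admin tool spawned by {parent}")
    return reasons

def find_lotl_candidates(events):
    """Rank events by number of matched reasons; routine admin use scores zero."""
    hits = []
    for host, user, parent, cmd in events:
        reasons = score_event(parent, cmd)
        if reasons:
            hits.append({"host": host, "user": user, "parent": parent,
                         "cmd": cmd, "reasons": reasons})
    hits.sort(key=lambda h: len(h["reasons"]), reverse=True)
    return hits
```

The two routine commands score nothing; the relay set up from under a web server scores highest, which is the kind of context (parent, arguments, host role) that a signature on the tool name alone cannot give.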

    One notable incident involved a Massachusetts power utility, where Volt Typhoon maintained access for nearly a year. During this time, they exfiltrated sensitive data related to operational technology (OT) procedures and the spatial layout of energy grid operations. Such information is crucial for understanding how to disrupt these systems effectively.

FBI Director Christopher Wray highlighted the severity of this threat, stating that Chinese hackers have “burrowed into U.S. critical infrastructure and are waiting ‘for just the right moment to deal a devastating blow.’”

The overarching goal of these infiltrations appears to be the pre-positioning of cyber assets that can be activated to cause disruption during periods of geopolitical tension. This strategy makes it possible to incapacitate critical infrastructure swiftly, gaining a strategic advantage without engaging in traditional warfare.

Under Jen Easterly, CISA (the US Cybersecurity and Infrastructure Security Agency) has done a tremendous job explaining and providing details on these campaigns. You can read more here and also watch the video above.

    The modern power grid is no longer a single entity — it’s a distributed, digitally connected battlefield. And here’s the real risk: the weakest actor in the chain may be the one that opens the door.

    We used to think of the Grid as “critical infrastructure.” Now, it’s also a strategic weapon for those who defend it and those who aim to exploit it. Whether it’s Volt Typhoon silently embedding itself in telecom gear or fragmented energy providers exposing unpatched entry points, the new reality is simple:

    Cyber deterrence starts long before the lights go out.

    In Part 3, I’ll dive into the tactical layer — from SCADA protocol weaknesses to real-world remediation scenarios.

    👉 Stay tuned. And if you’re in the business of defending infrastructure, it’s time to act like you’ve already been compromised.
