Apr 14, 2026
Hardening Substations Against Modern Physical and Cyber Threats
Summary: The modern substation must be hardened against all sorts of threats engineers didn't even consider 50 years ago. In the 2020s and beyond, engineers cannot take any chances with their substations.
A half-century ago, protecting a substation against threats required little more than putting up a fence and posting 'Keep Out' signs. That will no longer do. Facility owners now must manage risk and ensure the long-term reliability of their investments through a series of security measures that protect against both physical and cyber threats.
Getting it right is about hardening the site with a layered defense strategy. In the industry, we call this 'defense in depth'. A multi-layered approach addresses physical threats, natural disasters, digital attacks, and anything else that might come at a substation.
The U.S. Grid Is Vulnerable
The need to harden substations against both physical and cyber threats is not imaginary. Our grid is highly vulnerable in its current state. It is aging, underfunded, and already being stressed to the limits by increasing power demands. Not only that, the emergence of AI and the need for super data centers makes it even more critical that substations be protected against attacks.
Experts have been warning against potential grid attacks for more than a decade. Back in 2017, the Council on Foreign Relations released a memorandum explaining its views on the various ways the U.S. power grid could be attacked. In that memorandum, the Council also clarified that it believed the likelihood of a crippling attack would only grow in future years. Not much has changed since then.
As leaders in substation design and engineering, we take physical and cybersecurity seriously. We are fully committed to defense in depth. We believe a multi-layered approach is best. The more layers, the better.
Physical Perimeter and Deterrence
Our industry essentially relies on four layers of obscurity. Each layer has multiple components. We begin with the physical perimeter and deterrence layer. The steps taken here are designed primarily to delay unauthorized facility breaches. Where we can fully prevent crimes of opportunity, we make every effort to do so.
The three components of this layer are:
Visual Barriers – Visual barriers, like screening, are installed to prevent people from seeing physical equipment. Equipment that cannot be seen cannot be easily targeted. Visual barriers include things like slatted fencing and dense landscaping that keep equipment and infrastructure out of sight from roads inside walks.
Ballistic Barriers – Ballistic barriers are installed to protect transformers and other critical components. Anything that might be subject to long-range gunfire must be protected. Ballistic-rated walls or similar shields protecting the most valuable assets on the site accomplish this sort of protection.
Smart Lighting – Lighting must be installed with sensitivity toward neighbors. Rather than installing constant high-glare lights that cause annoyance, smart lighting capable of activating security equipment is preferred. Lighting can remain mostly off until a potential security breach forces it on.
The physical barriers that keep intruders out of a substation perform much the same function as the security measures people take at home. We make it as difficult as possible to breach a substation as a means to deter people from even trying.
Surveillance and Detection
Even with physical perimeter and deterrence equipment in place, breaches can still happen. Therefore, the second layer of defense involves surveillance and detection equipment. In this regard, we consider technology a force multiplier. It gives facility owners real-time views of the site without having to staff it with a 24/7 guard. Again, there are three components:
Electronic Security – Electronic security systems include video cameras and advanced analytics capable of distinguishing between human intruders and stray animals.
Vibration Sensors – Vibration sensors can be attached to fences or buried underground. They primarily detect fence-climbing and tunneling attempts.
Ground-Based Radar – The most secure sites can be equipped with ground-based radar capable of monitoring movement hundreds of yards away. In the event of a potential breach, local law enforcement has a head start. They could be on site before a physical breach is actually realized.
Combining technology with physical barriers creates a more difficult scenario for would-be attackers. As a bonus, technology helps facility owners keep their sites safer without the need for additional personnel.
Protection Against the Elements
Substations are as vulnerable to the elements as they are to human threats. As such, the third layer of substation hardening involves creating resilient systems to protect against weather and other environmental damage. What we call environmental hardening ensures that a substation survives extreme weather. The two main components in this layer are:
Flood Mitigation – Flood mitigation is critical given electricity's relationship with water. To prevent a flood from taking out a substation, elevated pads keep equipment away from potential floodwaters while advanced drainage systems help keep sites safe against flash flooding.
Fire Protection and Suppression – High-voltage equipment carries with it an inherent fire risk. Therefore, sound substation design requires installing fire-resistant barriers that protect each piece of equipment. That way, a fire does not easily spread and take out the entire substation.
In areas prone to natural disasters like earthquakes, hurricanes, and wildfires, hardening against the elements requires very specific design features. Each new site design is considered in light of what the local environment could potentially throw at a substation.
Digital and Cyber Hardening
The fourth and final layer protects the substation against digital and cyberattacks. We use physical barriers to prevent physical intrusion. Likewise, we install digital barriers to prevent network intrusion. There are three key things in play here:
Access Control – Every entry point to a modern facility is protected by a digital access control system requiring unique credentials to deactivate. With this system, the property owner can always monitor who comes and goes.
Network Isolation – The facility's operational network is completely isolated from the corporate network. Even if the corporate network is hacked, each substation continues to operate independently.
Supply Chain Security – All software and hardware components used to build a new substation are verified and hardened at the factory. All vendors are vetted to ensure they are not security risks.
It is absolutely essential that we implement robust measures to safeguard the modern substation from any potential physical, environmental, or security threats. The bigger the grid becomes and the higher the demand we put on it, the more likely that it will be subject to significant threats. Those are the stakes. Commonwealth takes them seriously.
FAQs
What is a substation's defense in depth?
Defense in depth is a multi-layered approach to protecting a substation against all sorts of threats. Every layer makes the facility safer.
Why is ballistic protection necessary?
In an increasingly hostile world, long-range gunfire can take out a substation. Ballistic protection is necessary to prevent such attacks.
Why must substations be physically and logically isolated from other networks?
Physical and logically isolating a substation protects against catastrophic cyber-attacks. Through robust firewalls and other techniques, we make it extremely difficult to breach a substation's network from the outside.
Can a substation be protected against 100-year weather events?
In most cases, yes. For example, designing for a 100-year flood is quite common. Some designers are now even looking at 500-year events for design purposes.
Back to All Insights