
The North Carolina substation attacks

Supply chain Cyber Risk management - emphasis on SBOMs and VEX documents Tom Alrich LLC

I provide consulting services in supply chain cybersecurity risk management and am now primarily focused on software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I...

  • Dec 5, 2022

 

Yesterday, I was asked by a couple of reporters how the NC attacks differ from the 2013 sniper attack on the Metcalf substation in California, and whether the NERC CIP-014 standard (which was developed as a result of that attack) was applicable to the NC substations – as well as whether it would have prevented the attacks if it was applicable. Here is my take on this situation, acknowledging there still isn’t a lot of information available on the NC attacks:

There’s a big difference between the attacks in NC on Saturday and the 2013 sniper attack on the Metcalf substation near San Jose, California:

  1. Metcalf is an important high-voltage transmission substation. The NC substations appear to be much lower voltage, and were primarily for power distribution, not transmission (although a lot of substations combine transmission and distribution functions).
  2. The Metcalf attack was meticulously planned and executed by the team of snipers that carried it out, using military-grade weapons. There seems to have been much less planning in the NC attacks, although there’s not enough known yet to say that for certain.
  3. While there were some short local outages after the Metcalf attack, power was quickly restored. Because the interstate power transmission system (known as the Bulk Power System) has redundancy built into it at all levels, there was no widespread or prolonged outage at all.
  4. On the other hand, the power distribution system is very localized and has much less redundancy built into it. Thus, even though there was probably much less damage to equipment in NC, the damage to the distribution system led to a widespread and continued outage, since there wasn’t enough redundancy to prevent this. And since it seems multiple substations were attacked, similar equipment might have been damaged in each of them, which may have reduced the redundancy that would otherwise have come into play.
  5. After the Metcalf attacks, federal regulators ordered rigorous (and expensive) protections for certain strategic transmission substations, including Metcalf. It’s just about certain that the NC substations were not in scope for that standard, called NERC CIP-014.
  6. However, even if the NC substations had been in scope, it’s doubtful these attacks could have been prevented, although they might have had less impact. NERC CIP-014 is designed to protect against large-scale coordinated attacks, not impulsive ones by individuals who don’t consider risk carefully before going ahead. Probably the reason that there haven’t been any attempts (that have been publicized, anyway) to build on the Metcalf attack template is that whoever planned that attack (and it had all the earmarks of just being a trial run – a proof of concept, if you will) realized that CIP-014 had turned the odds against them in general. However, a couple of guys with shotguns, perhaps motivated by the desire to make a point on a culture war issue, aren’t likely to carefully balance risks and benefits in this way.

Local outages happen all the time. One of the biggest causes of these is squirrels chewing on the conductors. Another important cause is thieves stealing copper. The main goal with local outages is to minimize their impact and quickly remediate them. The biggest question about the NC attacks is why these measures didn’t work. I’m sure there will be an investigation to answer that question.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Discussions
Matt Chester on Dec 5, 2022

Thanks for this rundown, Tom. This incident in NC is an unnerving reminder that utilities really do have to plan for anything and everything.

Tom Alrich on Dec 7, 2022

Yes, and the problem is now a much bigger one. Please approve the post I just submitted to you!

David Svarrer on Dec 30, 2022

Important to weigh the risk of repeat against widespread countermeasures against a non-existing or even dysfunctional enemy.

In my humble opinion attacks on larger power installations, i.e. a substation (in comparison with just cutting some last mile wires), should always be analyzed in the context of: What is in it for them (the culprits).

I could think of a few things: Switching off lights so that thieves can achieve what they want in the dark. Stealing wire as mentioned. More direct benefits in general. 

Otherwise my thoughts are more in the direction of some localized insanity. Weapons and explosives are common property for Americans, so the US simply has to live with the facts of what happens when the usual 0.1% of the population who are insane make use of their apportioned share of weaponry.

Even insane people weigh their options. 

Furthermore if it is professionals as alluded to, even they weigh their actions against the result.

So.

In the light of that, maybe the effect of "hitting" any power structure did not achieve what the insane person wanted, or what the professional wanted, maybe not the right time to create a lot of fuss.

And as said before: The grid as we know it is dead. It may take maybe 50 years until the last masts have fallen, but in the wake of local energy production and that we do not need power 24/7 and that even an advanced modern life with all sorts of technical amenities is possible with even power accessible 25% of the time, I would vote for a wait and see approach.

After all. True. It is likely dramatic with destruction of a power station or 10. But even this comes to an end.

Sometimes the best is to leave the drama seekers alone. Ignore them. 

/My 50 cents 

David Svarrer 

Rational Intuitive ltd

Tom Alrich on Jan 3, 2023

The NC attacks definitely caused serious outages. Even if the WA ones didn't, the fact is that transformers are very expensive (sometimes in the millions of dollars apiece) and can take months or even a year or more to replace (because they usually have to be custom-made, and often in some place like Germany). This hardly warrants benign neglect.

Julian Silk on Dec 30, 2022

The professionals here might respond to my idea that people who can't confront those in a particular neighborhood the substation powers might attack it to strike their enemies, and be unconcerned about the suffering of others.  So measures to install cameras and possibly laws to advance prosecution might help.

Tom Alrich on Jan 3, 2023

These people are trying to cause outages, in order to further some sort of social disorder that will lead to overthrow of the government. The more prosecution, the better, IMO.
