Hacking the grid: How digital sabotage turns infrastructure into a weapon

The modern power grid’s reliance on internet-connected computers makes it vulnerable to digital sabotage, where hackers can manipulate critical infrastructure without firing a shot.
Malware can compromise controller devices, creating a “split reality” where legitimate commands are replaced with malicious instructions, leading to physical damage and fires that can take months to repair.
The vulnerability of the power grid is further exacerbated by supply chain issues, as many critical devices run on outdated software libraries and modern features rely on third-party components that can be exploited by hackers.
Regulatory frameworks struggle to address the realities of the grid, with a “checklist mentality” that diverts resources away from effective security measures, leaving the US power grid vulnerable to attacks.
To defend against these types of attacks, a fundamental shift towards security measures that take into account how attackers could manipulate physical machinery is needed, verifying every component rather than relying on software and hardware alone.

Today's power grid equipment incorporates internet-connected – and therefore hackable – computers. Joe Raedle/Getty Images

The darkness that swept over the Venezuelan capital in the predawn hours of Jan. 3, 2026, signaled a profound shift in the nature of modern conflict: the convergence of physical and cyber warfare. While U.S. special operations forces carried out the dramatic seizure of Venezuelan President Nicolás Maduro, a far quieter but equally devastating offensive was taking place in the unseen digital networks that help operate Caracas.

The blackout was not the result of bombed transmission towers or severed power lines but rather a precise and invisible manipulation of the industrial control systems that manage the flow of electricity. This synchronization of traditional military action with advanced cyber warfare represents a new chapter in international conflict, one where lines of computer code that manipulate critical infrastructure are among the most potent weapons.

To understand how a nation can turn an adversary’s lights out without firing a shot, you have to look inside the controllers that regulate modern infrastructure. They are the digital brains responsible for opening valves, spinning turbines and routing power.

For decades, controller devices were considered simple and isolated. Grid modernization, however, has transformed them into sophisticated internet-connected computers. As a cybersecurity researcher, I track how advanced cyber forces exploit this modernization by using digital techniques to control the machinery’s physical behavior.

Hijacked machines

My colleagues and I have demonstrated how malware can compromise a controller to create a split reality. The malware intercepts legitimate commands sent by grid operators and replaces them with malicious instructions designed to destabilize the system.

For example, malware could send commands to rapidly open and close circuit breakers, a technique known as flapping. This action can physically damage massive transformers or generators by causing them to overheat or go out of sync with the grid. These actions can cause fires or explosions that take months to repair.

Simultaneously, the malware calculates what the sensor readings should look like if the grid were operating normally and feeds these fabricated values back to the control room. The operators likely see green lights and stable voltage readings on their screens even as transformers are overloading and breakers are tripping in the physical world. This decoupling of the digital image from physical reality leaves defenders blind, unable to diagnose or respond to the failure until it is too late.

people wearing hardhats in front of electrical equipment the size of a small house — Today’s electrical transformers are accessible to hackers.
GAO

Historical examples of this kind of attack include the Stuxnet malware that targeted Iranian nuclear enrichment plants. The malware destroyed centrifuges in 2009 by causing them to spin at dangerous speeds while feeding false “normal” data to operators.

Another example is the Industroyer attack by Russia against Ukraine’s energy sector in 2016. Industroyer malware targeted Ukraine’s power grid, using the grid’s own industrial communication protocols to directly open circuit breakers and cut power to Kyiv.

More recently, the Volt Typhoon attack by China against the United States’ critical infrastructure, exposed in 2023, was a campaign focused on pre-positioning. Unlike traditional sabotage, these hackers infiltrated networks to remain dormant and undetected, gaining the ability to disrupt the United States’ communications and power systems during a future crisis.

To defend against these types of attacks, the U.S. military’s Cyber Command has adopted a “defend forward” strategy, actively hunting for threats in foreign networks before they reach U.S. soil.

Domestically, the Cybersecurity and Infrastructure Security Agency promotes “secure by design” principles, urging manufacturers to eliminate default passwords and utilities to implement “zero trust” architectures that assume networks are already compromised.

Supply chain vulnerability

Nowadays, there is a vulnerability lurking within the supply chain of the controllers themselves. A dissection of firmware from major international vendors reveals a significant reliance on third-party software components to support modern features such as encryption and cloud connectivity.

This modernization comes at a cost. Many of these critical devices run on outdated software libraries, some of which are years past their end-of-life support, meaning they’re no longer supported by the manufacturer. This creates a shared fragility across the industry. A vulnerability in a single, ubiquitous library like OpenSSL – an open-source software toolkit used worldwide by nearly every web server and connected device to encrypt communications – can expose controllers from multiple manufacturers to the same method of attack.

Modern controllers have become web-enabled devices that often host their own administrative websites. These embedded web servers present an often overlooked point of entry for adversaries.

Attackers can infect the web application of a controller, allowing the malware to execute within the web browser of any engineer or operator who logs in to manage the plant. This execution enables malicious code to piggyback on legitimate user sessions, bypassing firewalls and issuing commands to the physical machinery without requiring the device’s password to be cracked.

The scale of this vulnerability is vast, and the potential for damage extends far beyond the power grid, including transportation, manufacturing and water treatment systems.

Using automated scanning tools, my colleagues and I have discovered that the number of industrial controllers exposed to the public internet is significantly higher than industry estimates suggest. Thousands of critical devices, from hospital equipment to substation relays, are visible to anyone with the right search criteria. This exposure provides a rich hunting ground for adversaries to conduct reconnaissance and identify vulnerable targets that serve as entry points into deeper, more protected networks.

The success of recent U.S. cyber operations forces a difficult conversation about the vulnerability of the United States. The uncomfortable truth is that the American power grid relies on the same technologies, protocols and supply chains as the systems compromised abroad.

The U.S. power grid is vulnerable to hackers.

Regulatory misalignment

The domestic risk, however, is compounded by regulatory frameworks that struggle to address the realities of the grid. A comprehensive investigation into the U.S. electric power sector my colleagues and I conducted revealed significant misalignment between compliance with regulations and actual security. Our study found that while regulations establish a baseline, they often foster a checklist mentality. Utilities are burdened with excessive documentation requirements that divert resources away from effective security measures.

This regulatory lag is particularly concerning given the rapid evolution of the technologies that connect customers to the power grid. The widespread adoption of distributed energy resources, such as residential solar inverters, has created a large, decentralized vulnerability that current regulations barely touch.

Analysis supported by the Department of Energy has shown that these devices are often insecure. By compromising a relatively small percentage of these inverters, my colleagues and I found that an attacker could manipulate their power output to cause severe instabilities across the distribution network. Unlike centralized power plants protected by guards and security systems, these devices sit in private homes and businesses.

Accounting for the physical

Defending American infrastructure requires moving beyond the compliance checklists that currently dominate the industry. Defense strategies now require a level of sophistication that matches the attacks. This implies a fundamental shift toward security measures that take into account how attackers could manipulate physical machinery.

The integration of internet-connected computers into power grids, factories and transportation networks is creating a world where the line between code and physical destruction is irrevocably blurred.

Ensuring the resilience of critical infrastructure requires accepting this new reality and building defenses that verify every component, rather than unquestioningly trusting the software and hardware – or the green lights on a control panel.

Saman Zonouz receives funding from the Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (DOE CESER) and the National Science Foundation (NSF).

link

Q. What is the new chapter in international conflict that has emerged with the convergence of physical and cyber warfare?

A. The synchronization of traditional military action with advanced cyber warfare, where lines of computer code that manipulate critical infrastructure are among the most potent weapons.

Q. How do hackers exploit modernized controller devices to control the machinery’s physical behavior?

A. Hackers use digital techniques to create a split reality by intercepting legitimate commands sent by grid operators and replacing them with malicious instructions designed to destabilize the system.

Q. What is an example of malware that can cause physical damage to massive transformers or generators by causing them to overheat or go out of sync with the grid?

A. Malware known as “flapping” rapidly opens and closes circuit breakers, which can physically damage transformers or generators.

Q. How do attackers infect the web application of a controller, allowing malware to execute within the web browser of any engineer or operator who logs in to manage the plant?

A. Attackers infect the web application by exploiting vulnerabilities in modern controllers that often host their own administrative websites, allowing malicious code to piggyback on legitimate user sessions.

Q. What is the scale of the vulnerability in industrial controllers exposed to the public internet?

A. Thousands of critical devices are visible to anyone with the right search criteria, providing a rich hunting ground for adversaries to conduct reconnaissance and identify vulnerable targets.

Q. Why is the U.S. power grid vulnerable to hackers?

A. The American power grid relies on the same technologies, protocols, and supply chains as the systems compromised abroad, making it an attractive target for cyber attacks.

Q. What is the regulatory misalignment in the U.S. electric power sector that contributes to the vulnerability of the power grid?

A. Regulatory frameworks often foster a checklist mentality, diverting resources away from effective security measures, while also failing to address the realities of the rapidly evolving technologies that connect customers to the power grid.

Q. How can an attacker manipulate the power output of residential solar inverters to cause severe instabilities across the distribution network?

A. By compromising a relatively small percentage of these inverters, an attacker can manipulate their power output to cause instability.

Q. What is the fundamental shift required in defense strategies to defend American infrastructure against cyber attacks?

A. A level of sophistication that matches the attacks, requiring security measures that take into account how attackers could manipulate physical machinery and verify every component rather than unquestioningly trusting software and hardware.