When the lights go out, most people assume it’s due to a storm. Not necessarily.

This year, Americans suffered from an uptick in malicious attacks on all 16 sectors of critical infrastructure (CI). Recent nationwide attacks highlighted severe vulnerabilities within the energy sector. We must act to protect our power substations so we won’t have to stay in the dark.

What’s a Substation?

The energy sector, referred to as the “Achilles heel of the United States,” is comprised of and interconnects power plants, transformers, substations, and wires, to the electrical grid via circuits. These circuits allow electricity to flow across 470,000+ miles—enough to circle the Earth almost 19 times. As more pressure is placed on the energy sector and as attacks on grid-related facilities rise, it’s safe to assume the nation’s grid will continue to weaken.

Substations are high-voltage electric systems used to switch generators, equipment, and circuits in and out of the grid. Some have one transformer; others have several.

>>> Texas’s Winter Electrical Grid Failures Highlight the Nation’s Vulnerability to EMP Attacks

Without substations, electricity cannot be measured, and voltage levels cannot be switched or regulated. When this occurs, the power goes out.

There are multiple ways for this to happen: a downed tree, a hurricane, simple voltage miscalculations, or, as in multiple cases across the nation, intentional attacks targeting substations with guns.

What’s Going On?

Substations are quite vulnerable to attack. Many of the nation’s 55,000 substations are in remote, rural areas, obstructed by foliage.

In Moore County, N.C., individuals shot at two substations, causing severe damage and knocking out power to more than 45,000 homes and businesses. Four days later, shots were fired near another substation in Ridgeway, S.C. Neither case has been solved.

These two incidents may not seem like much, until you realize that the intelligence community detected a significant uptick in chatter revolving around the grid system and the energy sector earlier in the year.

That is why, about a week prior to the N.C. and S.C. substation attacks, the DHS released a bulletin warning that the nation remains in a “heightened threat environment” and that CI facilities are potential targets of violence.

With a little digging, one can make a rough timeline of known substation attacks across the nation.

In February, three men pled guilty to recruiting and planning for a substation attack in Ohio.

In March, a transformer in Oklahoma was shot at, causing a massive oil leak.

In July, a transformer for the Keystone Pipeline in South Dakota was vandalized, resulting in reduced oil outputs.

Also in July, shots fired at the Pacific Gas and Electric facility in Wasco, California produced a massive chemical spill.

In early November, the Carteret-Craven Electric Cooperative in Maysville, NC, was vandalized, causing damages expected to exceed $500,000. Luckily, the 12,000+ people affected had their power restored in a matter of hours.

In mid-November, six substations were attacked in the Pacific Northwest. Substations in this region play a key role in transmitting power to hydroelectric dams.

Then came the attacks in the Carolinas.

Why Target Substations?

Some blame it on sheer boredom, troubled youth, or disgruntled employees. The Metcalf substation attack in 2013, which disabled 17 substations and caused more than $15 million in damages, most likely involved an angered employee.

The other attacks are not so straightforward. As the DHS bulletin states, CI is a target. But why?

The answer is fairly simple: when the power goes out, everyone is affected. That is the appeal: scrambling chaos. What’s more, it can be done with minimal effort and planning. There’s nothing complicated about shooting up a substation and rendering it useless.

The motive could be anything. Each attacker may have a different “justification” for his actions. Understanding motive may help, but it fails to address the core issue: Why are our substations so vulnerable? The U.S. grid consists of 6,400 power plants, 3,000 companies, and 55,000 substations, but they’re usually not manned.

What Can States and Companies Do?

The Metcalf sniper attack served as a blueprint for bigger CI facilities to follow. After the damage occurred, the Federal Energy Regulatory Commission (FERC) ordered the North American Electric Reliability Corp (NERC) to equip the Metcalf substation with more cameras, make it bulletproof, and barricade it with a wall.  This has worked for Metcalf. Smaller CI facilities should follow suit.

Some already are.

For example, after six substations in the Tampa Bay area were broken into this year, and the Oldsmar water treatment plant was hacked, (releasing increased amounts of sodium hydroxide [lye] into the city’s water), Duke Energy is fortifying the security of its facilities.

It’s far more cost-effective to beef up security proactively, rather than wait and react to future attacks. For every $1 invested in disaster mitigation, taxpayers save $6 in disaster response and recovery. An ounce of prevention really is worth a pound of cure.

But not all companies are eager to commit large amounts of resources to prevention. Many settle for half-measures. And, as Ted Krauthammer, the director of the University of Florida’s Center for Infrastructure Protection and Physical Security, has noted: “A chain-link fence around something is OK, but it does not prevent a sophisticated attacker.”

While government agencies may provide blueprints, private companies are not required to follow them. Krauthammer says those reluctant to pour more money into bulking up their security are “… play[ing] the ostrich game. It’s a disaster waiting to happen.”

What these “reluctant” private companies are failing to realize, is that, once an attack happens, and the power goes out, the reactive monetary response and recovery efforts far outweigh the mitigative security solutions that should have already been put in place.

When portions of the grid go down, having no access to electricity can be uncomfortable, but for some, it’s life-threatening. One person died as a result of the Moore County, N.C., attack. Nursing homes and hospitals must rely on generators; well pumps cannot run, and traffic lights go out. Moreover, schools, banks and other businesses close. The danger and hardships increase the longer the grid stays down.

>>> Could China Hack Our Electric Grid? Joe Biden Just Made It Easier.

Over the next ten years, Duke Energy facilities will spend $75 billion in grid improvements. Ideally, these improvements will include reinforcement of grid security (walls, cameras, etc.), implementation of more backup systems, and improved access to repair equipment.

What is Washington doing about it?

John Wellinghoff, former chairman of FERC, has expressed contempt for the grid’s makeup as a whole:

What is surprising is the nature of the grid itself: a hodge-podge of public and privately-owned, half-century-old tech, that is increasingly vulnerable to severe weather, cyber-attacks, and even physical assaults. …[And], no government agency, not even the Department of Energy, is truly in charge of protecting it.

Even with multiple incidents of targeted attacks toward CI, FERC has only asked that NERC determine whether grid security and reliability concerns are valid and in need of strengthening.

Given the lack of federal leadership, it is imperative that states protect their critical infrastructure. The grid is designed to localize blackouts, therefore preventing one shutdown from triggering another. This domino effect was seen during the 2003 Northeast Blackout, which left over 55 million Americans and Canadians without power for close to four days. Needless to say, crime and death rates skyrocketed.

This could happen again, at any moment, and at any time; in fact, experts state that the entire U.S. grid could be knocked out in less than 20 minutes. How vulnerable are we going to continue to be? If Washington refuses to step up and formulate consistent energy sector security regulations, (the last time it did was 8 years ago), the states must become self-reliant and do it alone. That’s the only way to ensure the protection of its citizens.