
Critical infrastructure physical security planning is the disciplined process of identifying an operator’s most consequential assets — substations, pump stations, treatment plants, switching centers, pipelines — and protecting them with layered controls that deter, detect, delay, and respond to physical attack, while building the redundancy and recovery capacity to keep essential service running if a site is lost. For energy, water, utility, and telecom operators, it is where security engineering, regulatory compliance, and resilience planning converge.
The assets that keep the lights on, the water clean, and the network connected were, for decades, protected largely by obscurity and a chain-link fence. That era is over. Publicly reported attacks on electrical substations, coordinated vandalism against water and telecom facilities, the proliferation of consumer drones, and a persistent insider-threat problem have moved physical security from an afterthought to a board-level and, in some sectors, federally mandated concern. This guide is written for the utility executive, critical-infrastructure security director, general counsel, and municipal or cooperative leadership responsible for these assets. It explains how the threat landscape actually looks, what CISA and NERC-CIP expect, how layered protection applies to unmanned remote sites, and why resilience planning — not hardening alone — is what separates a credible program from a compliant one.
What counts as critical infrastructure, and why is its physical security different?
Under U.S. policy, formalized in Presidential Policy Directive 21, critical infrastructure spans sixteen sectors — energy, water and wastewater, communications, transportation, chemical, and others — whose incapacitation would have a debilitating effect on national security, economic security, or public health and safety. The Cybersecurity and Infrastructure Security Agency (CISA) coordinates protection across them. What sets these assets apart from a corporate campus or a warehouse is not merely their value but their consequence: the target is not the equipment’s resale price, it is the service it delivers to millions of people who have no alternative.
Three characteristics make critical-infrastructure physical security a distinct discipline. First, many of the highest-consequence assets are unmanned and remote — a transmission substation, a well field, a cellular switching hut — sitting for months without a human present, which inverts the usual security model built around staffed sites. Second, the assets are often interdependent: a substation failure can cascade into water pumping, telecom, and hospital operations, so protecting one site is really about protecting a network. Third, a subset of these assets is subject to enforceable federal or state regulation, meaning security decisions carry compliance and liability weight that ordinary commercial security does not. Planning must reflect all three from the outset.
What does the critical-infrastructure threat landscape actually look like?
Credible planning starts from an honest threat model, not fear. Four vectors dominate the current landscape for energy, water, utility, and telecom operators.
Physical attacks on substations and equipment. The 2013 sniper attack on the Metcalf transmission substation in California — widely reported and the direct catalyst for federal physical-security rulemaking — demonstrated that a determined attacker with a rifle could disable high-voltage transformers and threaten regional grid stability. The coordinated 2022 attacks on substations in Moore County, North Carolina, which knocked out power to tens of thousands, showed the pattern repeating and drawing copycats. Transformers are the vulnerability: they are enormously expensive, custom-built, carry long replacement lead times, and are frequently exposed behind nothing more than a fence. Ballistic damage, arson, and forced-entry sabotage are all in the observed threat set.
Insider threat. Employees, contractors, and former staff possess exactly what an external attacker lacks: knowledge of which asset is single-point-of-failure, where the cameras do not cover, and how to disable an alarm. Insider risk spans the sabotage-minded, the coerced or recruited, and the negligent who props a gate or shares a code. Because critical-infrastructure operators grant deep physical and system access to a large workforce and contractor base, personnel security — screening, access governance, and behavioral monitoring — is not an HR footnote but a core control.
Unmanned aircraft systems (drones). Inexpensive drones now conduct reconnaissance over restricted facilities, carry payloads, and have caused documented disruptions near electrical infrastructure. They defeat the traditional perimeter entirely by approaching from above, and counter-drone response is legally constrained — most mitigation authorities are reserved to specific federal agencies — so operators must focus on detection, reporting, and hardening rather than assuming they may simply neutralize an intruding aircraft.
Theft, vandalism, and reconnaissance. Copper and metal theft, cut fences, and probing intrusions are the high-frequency baseline. They matter beyond their direct cost because they double as hostile reconnaissance — testing response times and mapping blind spots — and because the same weak controls that permit a copper theft permit a sabotage attempt.
What do CISA and NERC-CIP require of operators?
The regulatory picture is uneven by sector, and planning must map to the operator’s actual obligations. For the bulk electric system, the enforceable standard is NERC Reliability Standard CIP-014, adopted in the wake of Metcalf. CIP-014 requires transmission owners to perform a risk assessment identifying stations and substations that, if rendered inoperable, could cause instability or cascading outages; to obtain an independent third-party verification of that assessment; to evaluate potential threats and vulnerabilities to the identified critical facilities; and to develop, implement, and independently review a documented physical security plan for them. It is prescriptive about process and rigor, and non-compliance carries financial penalty — making the physical-security plan a compliance artifact as well as an operational one.
Outside the bulk power system, the mandate is generally lighter but tightening. Water and wastewater utilities serving larger populations have obligations under the America’s Water Infrastructure Act to conduct risk and resilience assessments and maintain emergency response plans that explicitly include physical security. Communications and other sectors rely more on voluntary frameworks and CISA guidance than on hard mandates. Regardless of sector, CISA offers a common backbone through its assessment services, sector risk-management guidance, and the deter-detect-delay-respond doctrine. A sound plan treats the applicable regulation as the floor, not the ceiling: CIP-014 tells a transmission owner that it must have a plan and how to structure the process, but the quality of the plan itself is where risk is actually reduced.
How does layered protection apply to a remote, unmanned site?
The professional model is defense in depth — independent layers that collectively deter, detect, delay, and respond, so the failure of any one control is not a breach. At a staffed facility, humans provide much of the detect-and-respond capacity. At an unmanned substation or pump station, the layers must do that work autonomously and buy enough delay for a response force that may be many minutes away.
Deter. Site selection and Crime Prevention Through Environmental Design (CPTED) principles, conspicuous lighting, signage, and a visibly hardened perimeter raise the perceived cost of an attempt. Detect. Because no one is watching, detection must be technological and reliable: perimeter intrusion detection, video analytics tuned for line-crossing and loitering, gunshot-detection and ballistic-event sensors at high-consequence electrical sites, and drone-detection where the airspace threat is credible — all feeding a monitored, verified alarm so response is dispatched on a real event, not a false one. Delay. This is where critical-infrastructure hardening diverges most from ordinary commercial security: ballistic barriers or opaque walls shielding transformers from a line of sight, anti-ram vehicle barriers, hardened enclosures, and control-house and relay protection are engineered to add minutes an attacker does not have. Respond. A pre-arranged, exercised response — law enforcement coordination, a mobile guard or quick-reaction capability, and clear escalation — must be able to reach a remote site fast enough to matter, which is itself a planning input that shapes how much delay the physical layers must provide.

Compliance-minimum versus resilience-grade posture: what is the difference?
Many operators satisfy the letter of a standard while leaving real consequence-risk on the table. The table below contrasts a checkbox posture with a resilience-grade program so leadership can identify which one they actually run.
| Dimension | Compliance-minimum posture | Resilience-grade program |
|---|---|---|
| Driver | Pass the audit | Reduce consequence of an attack |
| Asset scope | Only regulated critical facilities | Full network, including interdependencies |
| Perimeter | Fence, gate, signage | Barriers, ballistic shielding, anti-ram, clear zones |
| Detection | Cameras recording for review | Analytics, gunshot and drone detection, verified alarms |
| Insider risk | Standard pre-hire check | Access governance, contractor vetting, behavioral monitoring |
| Response | Call police after the fact | Exercised plan, dispatch timed against delay |
| Recovery | Assumed, undocumented | Spare equipment, mutual aid, tested restoration |
| Standard | NERC-CIP / AWIA as ceiling | Regulation as floor; CISA doctrine layered on |
Why does resilience planning matter more than hardening alone?
No perimeter is impregnable, and a determined, well-resourced attacker willing to accept risk can damage almost any single site. That reality is precisely why elite critical-infrastructure planning refuses to stop at hardening. Resilience — the capacity to absorb an attack and restore essential service quickly — is the discipline that limits how much a successful strike actually costs the public. It answers the question hardening cannot: what happens after the fence is breached and the transformer is destroyed?
Resilience planning has several pillars. Redundancy and network design ensure no single asset is an unbackstopped point of failure, so load can be rerouted and service maintained. Spare-equipment strategy addresses the transformer problem directly — through in-house spares, participation in industry spare-transformer sharing programs, and standardized designs that shorten replacement from a year to weeks. Mutual-aid agreements — long standard in the utility sector — pre-arrange crews, equipment, and support across operators when one is overwhelmed. Tested restoration plans convert a paper procedure into a rehearsed capability, because the time to discover a gap in a recovery plan is a tabletop exercise, not a live outage. Hardening reduces the probability of a successful attack; resilience reduces its consequence. A plan that invests only in the first is brittle, and brittleness in critical infrastructure is a public-safety exposure, not merely an operational one.
How do you build a critical-infrastructure physical security plan? A seven-step framework
A defensible plan is built deliberately, from consequence outward. The sequence below reflects the discipline that both satisfies standards such as CIP-014 and produces genuine risk reduction.
- Identify critical assets by consequence. Inventory every site and rank it by what its loss would do to service and to interdependent sectors — not by its replacement cost. The output is a short list of facilities where failure is unacceptable, and this ranking drives every subsequent investment.
- Assess threats and vulnerabilities. For each critical asset, evaluate the credible threats — armed attack, insider sabotage, drone, vandalism — against current controls, and expose the gaps. Where regulation applies, obtain the required independent verification of the assessment.
- Design layered protection to a delay-versus-response standard. Engineer deter, detect, delay, and respond for each site so that the delay the physical layers provide exceeds the time your response force needs to arrive — the single most important design equation for a remote, unmanned asset.
- Address the insider threat explicitly. Implement personnel screening, least-privilege physical and system access, credential governance with prompt revocation, contractor vetting, and a process for reporting and acting on concerning behavior.
- Plan for the airspace and reconnaissance threat. Deploy drone detection and reporting where credible, treat theft and probing as reconnaissance indicators, and integrate these signals into the monitoring picture rather than dismissing them as nuisance events.
- Build resilience into the plan. Establish redundancy, a spare-equipment strategy, mutual-aid agreements, and documented restoration procedures so that a successful attack degrades service briefly rather than catastrophically.
- Exercise, review, and improve. Run tabletop and functional exercises, obtain the independent plan review that standards require, treat every incident and near-miss as a diagnostic, and revise the plan on a fixed cadence as threats and the asset base evolve.
How does Honeybadger support critical-infrastructure operators?
Honeybadger Solutions supports energy, water, utility, and telecom operators nationwide with an integrated approach that treats physical security, compliance, and resilience as one program rather than separate purchases. Through our industrial and manufacturing security practice we conduct consequence-ranked asset identification, threat and vulnerability assessments, and layered protection design engineered to a delay-versus-response standard, and we align that work to the applicable regulatory framework — including the risk-assessment, verification, and documented-plan expectations of NERC CIP-014 for transmission owners. Our security consulting practice builds and independently reviews the physical security plan itself, and structures the resilience elements — redundancy, spare-equipment strategy, mutual aid, and tested restoration — that keep essential service running when a site is lost.
Because our investigations, background-intelligence, and cyber capabilities are handled in-house and delivered globally, we close the insider-threat and physical-cyber convergence seam that a guard company alone cannot — vetting personnel and contractors, governing access, and ensuring that a site’s own records stand up as evidence when sabotage or an insider breach must be proven. Headquartered in Arizona with offices in Casa Grande, Phoenix, and Oro Valley, we serve operators across all of Arizona, nationwide, and internationally. Physical guarding and protective response are delivered through our commanded, vetted-partner network — with established theaters in California, Texas, and Florida and other regions served on a mandate basis — all directed to a single, consistent program standard so a multi-state asset base is protected the same way everywhere.
Frequently asked questions
What is the single greatest physical vulnerability at an electrical substation?
The high-voltage transformer. It is custom-built, extremely expensive, carries a long replacement lead time, and is frequently exposed behind only a fence with a clear line of sight from outside the perimeter. Ballistic attack, arson, or forced-entry sabotage can disable it in seconds. The professional response pairs delay-focused hardening — ballistic shielding, opaque walls, and barriers — with a spare-equipment and resilience strategy so a destroyed transformer does not mean a prolonged regional outage.
Does NERC-CIP require a physical security plan?
Yes, for the bulk electric system. NERC Reliability Standard CIP-014 requires transmission owners to identify critical stations and substations through an independently verified risk assessment, evaluate threats and vulnerabilities to them, and develop, implement, and independently review a documented physical security plan for those facilities. Non-compliance carries financial penalty. Water utilities have parallel obligations under the America’s Water Infrastructure Act, while other sectors rely more on voluntary CISA frameworks.
Can we legally shoot down or jam a drone over our facility?
Generally no. Authority to disable, jam, or destroy an unmanned aircraft is reserved to specific federal agencies under narrow legal conditions; private operators face serious legal exposure if they attempt active mitigation. The practical, lawful posture for a critical-infrastructure operator is detection, documentation, hardening against overhead observation and payloads, and immediate reporting to law enforcement — building the airspace threat into the security plan rather than assuming self-help remedies.
How is resilience planning different from hardening a site?
Hardening reduces the probability that an attack succeeds — fences, barriers, ballistic shielding, detection. Resilience reduces the consequence when one does — redundancy, spare-equipment strategy, mutual-aid agreements, and tested restoration that keep essential service running or restore it fast. Because no single site can be made impregnable against a determined, well-resourced attacker, elite critical-infrastructure programs invest in both, and treat resilience as a public-safety obligation rather than an optional add-on.
About Honeybadger Solutions
Honeybadger Solutions is an Arizona-licensed security and investigations firm delivering intelligence-led physical security, security consulting, investigations, protection, and cyber services to critical-infrastructure operators in the energy, water, utility, and telecommunications sectors nationwide and internationally. Digital forensics, cybersecurity, financial investigations, and background intelligence are handled in-house and delivered globally. Physical security and guard operations are delivered through a commanded, vetted-partner network with established theaters in California, Texas, and Florida, directed from Arizona home command.
Offices: Casa Grande (HQ), Phoenix, and Oro Valley, Arizona.
Phone: 602-725-2818
Confidential consultation: discuss a critical-infrastructure physical security and resilience plan with our team.