In the early morning hours of January 3, 2026, the darkness that enveloped the Venezuelan capital signaled an important shift in modern warfare: the convergence of cyber and physical war. As U.S. Special Operations forces stormed the Venezuelan capital to seize President Nicolas Maduro in a dramatic takeover, an equally destructive offensive took place on the unnoticed digital networks that run Caracas.
This blackout wasn’t caused by bombed towers and severed power lines, but by a precise and invisible manipulation of the industrial control systems that control the flow of electricity. The synchronization between traditional military actions and advanced cyberwarfare represents a whole new chapter of international conflict. Lines of computer code that manipulate critical infrastructure are now among the most powerful weapons.
To understand how one nation can shut down an enemy’s power without firing a single shot, you have to examine the control devices that run modern infrastructure. These are the brains of modern infrastructure, responsible for spinning turbines, opening valves and routing electricity.
Until recently, control devices were considered to be simple and insular. Modernization of the grid has, however, transformed these devices into sophisticated internet-connected computers. In my role as a researcher in cybersecurity, I study how cyber-forces exploit modernization to manipulate the physical behavior of machinery using digital technologies.
Hijacked machines
My colleagues and I have shown how malware could compromise a control system to create an alternate reality. The malware intercepts the legitimate commands of the grid operator and substitutes malicious instructions to disrupt the system.
Flapping is a technique in which malware sends commands that make circuit breakers open and shut quickly. This could damage large transformers and generators, causing them to overheat. It can lead to fires and explosions, which take many months to fix.
The malware also calculates what the sensor readings would be if the equipment were working normally, and then feeds this fabricated data back to the control rooms. Operators may see stable voltage and green lights on screens, even though transformers and breakers in the real world are overloaded. The decoupling between the digital and physical worlds leaves the defenders in the dark, incapable of diagnosing or responding to a failure until it is too late.
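The flapping and false-data behavior described above can be caught by comparing an out-of-band breaker record with what the control room displayed. The following is an added illustration, not code from the author's research; the breaker names, event data and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data (not from any real system).
# Out-of-band breaker events, e.g. a relay's own event recorder: (seconds, breaker, state)
FIELD_EVENTS = [
    (0.0, "BRK-1", "closed"), (1.0, "BRK-1", "open"), (1.4, "BRK-1", "closed"),
    (1.9, "BRK-1", "open"), (2.3, "BRK-1", "closed"), (2.8, "BRK-1", "open"),
    (0.0, "BRK-2", "closed"), (40.0, "BRK-2", "open"), (95.0, "BRK-2", "closed"),
]
# What the control-room screen reported for the same period.
HMI_EVENTS = [
    (0.0, "BRK-1", "closed"),
    (0.0, "BRK-2", "closed"), (40.0, "BRK-2", "open"), (95.0, "BRK-2", "closed"),
]

def transitions(events):
    """Return {breaker: [timestamps of real state changes]}, ignoring repeats."""
    last, out = {}, defaultdict(list)
    for ts, brk, state in sorted(events):
        if brk in last and last[brk] != state:
            out[brk].append(ts)
        last[brk] = state
    return out

def flapping(events, max_changes=3, window_s=10.0):
    """Breakers with more than max_changes state changes inside any window_s span."""
    flagged = set()  # thresholds are assumed values, tune per site
    for brk, times in transitions(events).items():
        recent = deque()
        for ts in times:
            recent.append(ts)
            while ts - recent[0] > window_s:
                recent.popleft()
            if len(recent) > max_changes:
                flagged.add(brk)
    return flagged

def view_mismatch(field, hmi):
    """Breakers whose field transition count differs from what the HMI displayed."""
    f, h = transitions(field), transitions(hmi)
    return {b for b in set(f) | set(h) if len(f.get(b, [])) != len(h.get(b, []))}

def assess(field, hmi):
    flap, hidden = flapping(field), view_mismatch(field, hmi)
    return {"flapping": sorted(flap), "hidden_from_operator": sorted(flap & hidden)}

if __name__ == "__main__":
    print(assess(FIELD_EVENTS, HMI_EVENTS))
```

The check only helps if the field record comes from a source the compromised control system cannot rewrite.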
Stuxnet, the malware that was used to target Iranian nuclear enrichment facilities, is an example of this type of attack. In 2009, the malware caused centrifuges to spin dangerously fast while feeding operators false data.
Industroyer, used in a Russian attack on Ukraine’s energy industry in 2016, is another example. The malware attacked Ukraine’s electricity grid by using industrial communications protocols that were built into the power grid. This allowed it to open circuit breakers directly and shut down power in Kyiv.
In 2023, China’s Volt Typhoon campaign against critical U.S. infrastructure was revealed as a prepositioning operation. These hackers, unlike traditional saboteurs, infiltrated the networks and remained dormant and undetected. They gained the capability to disrupt United States communications and power during future crises.
U.S. Cyber Command, the cyber command of the U.S. military, has developed a strategy to defend against such attacks. It actively hunts for threats on foreign networks before they even reach U.S. territory.
The Cybersecurity and Infrastructure Security Agency in the United States promotes “secure by design” principles. It urges manufacturers to remove default passwords and utilities to implement zero-trust architectures, which assume that networks have already been compromised.
Supply Chain Vulnerability
There is an inherent vulnerability in the current supply chain for controllers. When you dissect the firmware of major international vendors, it becomes clear that they rely heavily on software from third parties to provide modern features like encryption and cloud connection.
Modernization is not free. These devices are running on old software, and some of it has been out of support for years. This creates an industry-wide vulnerability. OpenSSL, an open-source software toolkit that is used by almost every connected device and web server worldwide to encrypt communication, has a vulnerability which can be exploited to expose multiple controllers.
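One way to see this shared dependency when auditing firmware is to search unpacked images for the version banner that OpenSSL embeds in its libraries. This is an added illustration, not the author's tooling; the image names and bytes are constructed, and the end-of-life table is an assumption to re-check against the OpenSSL project's published policy.

```python
import re

# End-of-life dates for OpenSSL release branches, taken from the OpenSSL
# project's published release policy; re-check before relying on this table.
OPENSSL_EOL = {"1.0.1": "2016-12-31", "1.0.2": "2019-12-31",
               "1.1.0": "2019-09-11", "1.1.1": "2023-09-11"}

# OpenSSL embeds a banner such as b"OpenSSL 1.0.2k  26 Jan 2017" in its libraries.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")

def find_openssl(blob):
    """Return sorted unique (branch, full_version, offset_of_first_hit) tuples."""
    seen = {}
    for m in BANNER.finditer(blob):
        branch = m.group(1).decode()
        full = branch + m.group(2).decode()
        seen.setdefault((branch, full), m.start())
    return sorted((b, f, off) for (b, f), off in seen.items())

def audit(images):
    """Map each firmware image name to its out-of-support OpenSSL copies."""
    report = {}
    for name, blob in images.items():
        stale = [(full, OPENSSL_EOL[branch]) for branch, full, _ in find_openssl(blob)
                 if branch in OPENSSL_EOL]
        if stale:
            report[name] = stale
    return report

def shared_exposure(report):
    """Versions found in more than one image: one flaw there reaches all of them."""
    by_version = {}
    for name, stale in report.items():
        for full, _ in stale:
            by_version.setdefault(full, []).append(name)
    return {v: sorted(n) for v, n in by_version.items() if len(n) > 1}

# Constructed stand-ins for unpacked firmware images (hypothetical vendor names).
SAMPLE_IMAGES = {
    "vendorA_plc.bin": b"\x7fELF\x00" + b"OpenSSL 1.0.2k  26 Jan 2017\x00" + b"\xff" * 16,
    "vendorB_rtu.bin": b"\x00" * 8 + b"OpenSSL 1.0.2k  26 Jan 2017\x00httpd\x00",
    "vendorC_relay.bin": b"boot\x00OpenSSL 3.0.13 30 Jan 2024\x00",
}

if __name__ == "__main__":
    print(shared_exposure(audit(SAMPLE_IMAGES)))
```

A banner match shows which library was compiled in, not whether a given flaw is reachable, so treat hits as leads for the vendor's patch status.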
The majority of modern controllers are web enabled and host their own administrative website. The embedded web server is a point of access that’s often missed by adversaries.
An attacker can infect the controller’s web interface so that the malware runs in the browser of an engineer or plant operator who logs in to control the facility. The malicious code can piggyback on legitimate user sessions, bypassing firewalls to send commands to physical machines without needing to crack the password.
This vulnerability extends beyond power systems to include transportation, manufacturing, and water treatment.
My colleagues and I have found, using automated scanning tools to scan the internet for industrial control systems, that the actual number is much higher than what industry experts estimate. Anyone with the correct search criteria can find thousands of critical devices, from substation relays to hospital equipment. The exposure of these devices provides an ideal hunting ground for enemies to perform reconnaissance, identify targets and gain access to more secure networks.
The success of U.S. cyber operations has forced a hard conversation about the vulnerability of America. It is an uncomfortable fact that the American grid depends on the same protocols, technologies and supply chains used by the compromised systems abroad.
Misalignment of regulatory standards
However, the domestic risks are compounded because regulatory frameworks struggle to deal with the reality of the grid. My colleagues and I conducted a comprehensive investigation of the U.S. electrical power sector. We found that there was a significant misalignment between compliance with regulation and security. While regulations set a base, they can often encourage a checklist-like mentality. The excessive paperwork required of utilities diverts resources from more effective security measures.
This regulatory gap is a major concern given the rapid technological evolution that links customers with the grid. The widespread use of residential solar inverters and other distributed energy sources has led to a decentralized vulnerability that current regulations are barely able to address.
These devices have been found to be insecure by an analysis supported by the Department of Energy. My colleagues and I discovered that by compromising only a small number of inverters, an attacker can manipulate the power output in order to create severe instability across the entire distribution network. These devices are not centralized power stations protected by security guards or systems. They sit inside homes and small businesses.
Physical Accounting
To protect American infrastructure, we must move beyond the compliance checklists that currently dominate this industry. Defense strategies must now match the sophistication of attacks. It is important to consider how an attacker could use physical machines when implementing security measures.
The integration of internet-connected computers into factories, power grids and transport networks has irrevocably blurred the lines between code and physical destruction.
To ensure the resilience of the critical infrastructure, it is necessary to accept this new reality. It’s important that we build defenses which verify each component rather than blindly trusting software, hardware or green lights in a control panel.


