Substation Intrusion: Are You Ready To Response?

It’s 2 a.m. on Christmas morning. Your physical protection system (PPS) has detected movement outside the perimeter fence of your substation. The object identification technology in the video surveillance system (VSS) has identified the movement as human in nature, so it has alerted the security operations center (SOC). The SOC operator has assessed that there are two men outside the fence with bolt cutters and backpacks. They are busy cutting through the chain-link fence. The operator concludes that an attack on the substation by two intruders is underway.

Now what?

Many security plans instruct the operator to “call 911” at this point and leave it at that. They are assuming that the police will arrive and the intruders will either run away or be arrested.

It’s not that easy.

The issues the police need to know must be covered long before the emergency call goes in. How do we do this? We meet with local law enforcement agency (LEA) leadership to explain our needs and coordinate our activities.

First, they need to know how important our substations are to the community. We can tell them that they are critical infrastructure, but it helps if they know what that means. If substations are damaged, what is the potential impact? Would local hospitals, shopping centers or other public infrastructure be left without power? How many residences might go dark? What would the impact be, especially during peak power usage times? During very hot or very cold weather?

The police will need to know what the typical threats to a substation are: trespassing, vandalism, theft of metals such as copper and aluminum, firearm attacks and sabotage. You should share details of recent attacks on substations in the area.

You know which of your substations are the most important, and you must share this information with the police. They need to know which substations have the greatest impact on the community for their own planning.

Discussions should include the need for elevated responses for gunfire or explosion reports; intrusions at high-voltage or transmission substations; and multiple intrusions across sites, as this suggests a coordinated attack.

If your procedures include dispatching a mobile patrol from a security company to assess the situation prior to calling 911, the police need to know so they don’t confuse the mobile patrol with the intruders.

You should explain that we don’t usually know the motive for the intrusion until after the damage is done, so any intrusion should be treated as a high-priority call due to public safety and grid stability risks.

In preparation for the meeting, you should be ready to give them maps or GPS coordinates for all your substations. Tell them what the best access routes are, any lock or gate systems, and who holds keys and access codes.

You should ask them if they use a mapping application called what3words. If they do, then give them the substation location data using that system. It allows much more precise description and coordination of staging areas, rendezvous points and gates. As of March 2025, more than 4,800 911 emergency coordination centers in the U.S. and Canada have access to what3words via integration partners RapidSOS and CAD providers. (For more information, visit what3words.com. If you aren’t using what3words, you should consider it.)

Tell the police the types of alarms you use, such as motion, infrared or gunshot detection. What does the security monitoring center see? What is the process they follow to assess an intrusion and verify that it is a security event?

Is it possible to give the police real-time access to your camera feeds? How can you facilitate this?

Do you expect the police to enter the site? Most police departments will refuse to enter an energized substation, so you will need an internal procedure to deenergize a site. Who is involved? How will you make the decision to deenergize the site in the middle of the night? Who needs to be involved? How will you contact them?

A good way to structure the discussion is through scenarios. Walk through typical intrusion scenarios with the police and both sides will learn what the other needs.

One of the most important pieces of information you can get from the police is how long they expect it to take to respond to a security event at a substation. This information is important to the design of a site’s PPS, as it tells you how long your perimeter barriers will have to delay the intruders.

This brings us to the 911 call.

The 911 operator is your connection to the police response. If the SOC operator doesn’t convey the importance of the substation and the danger that an intrusion poses to both the intruders and public safety, there is a risk that the incident will be logged and treated as a simple trespassing. With that assumption can come a long police response time. Talk to the police about what language the operator needs to use to ensure a priority response, and create scripts for your SOC operators to ensure that nothing is missed.

Several years ago, I was part of a substation security workshop in a small town in the Pacific Northwest. Besides the leadership from the local Public Utility District (PUD), participants included five members of the local police department and two people from the town emergency management department. 

At the beginning of the workshop, the police estimate for the response time to the site we were using as a training aid was 12 minutes. By the end of the workshop, the police, emergency management and PUD personnel had sat down together and coordinated their information requirements, response protocols and identified the substation information to be preloaded into the 911 system. This effort reduced the response time to only five minutes.

Good outcomes follow detailed preparation, coordination and unimpeded communication between the utility and the police. It all starts with a meeting.

About Ross Johnson:

Ross Johnson has over four decades of experience in all aspects of security management, including tenures as a professional security manager where he oversaw regulatory requirements, budgets, personnel shortages and an endlessly expanding threat portfolio. Having spent much of his career in the high-impact/low-frequency quadrant, he now assists organizations by developing programs that help them define the appropriate level of attention and resourcing that their risks need. Johnson has worked in the electric sector since 2006 and held executive committee positions on NERC and Electricity Canada’s security and infrastructure protection committees, including representing Canada on the CIP-014 Standards Drafting Team. He is currently the chair of E-ISAC’s Physical Security Advisory Group and co-facilitates the DBT/VISA workshop for NERC’s E-ISAC. He is also a Senior Fellow at Electricity Canada, and advises them on security and emergency management. Reach him at ross@bridgeheadsecurity.com.