Modern critical infrastructure — power grids, water treatment systems, fuel pipelines, financial networks — is increasingly dependent on networked control systems that are vulnerable to cyberattack. The 2021 Colonial Pipeline ransomware attack disrupted fuel supply to the Eastern US for 6 days, causing widespread gas shortages and price spikes. The 2015 and 2016 attacks on Ukraine’s power grid demonstrated that adversaries can cause targeted, extended blackouts. This guide covers what infrastructure cyberattacks look like from a civilian perspective and the specific preparation actions that provide resilience.
Critical Infrastructure Attack Scenarios
| Target | Real-world precedent | Civilian impact | Duration risk |
|---|---|---|---|
| Fuel pipeline | Colonial Pipeline (2021) — ransomware; 6-day shutdown | Gas shortages, price spikes, supply chain disruption | Days to weeks |
| Electric grid (regional) | Ukraine grid attacks (Dec 2015, Dec 2016) — 6–8 hours each | Blackout, cascading effects on water, heat, communications | |
| Electric grid (transformers) | Metcalf substation attack (2013) — physical; 27 days to partial repair | Multi-week or longer blackout; transformer replacement takes months | Weeks to months |
| Water treatment | Oldsmar FL (2021) — sodium hydroxide manipulation attempt (caught) | Contaminated or unavailable water supply | Hours to days if caught; weeks if not |
| Financial system | Multiple bank DDoS attacks; Bangladesh Bank heist ($81M, 2016) | ATM and card system disruption; account freezes | Hours to days |
Important context: Cyberattacks on infrastructure that cause extended disruption are relatively rare events. The more common scenario is a criminal ransomware attack (profit-motivated, often resolved quickly when ransom is paid or systems are restored from backups) rather than a nation-state attack designed to cause maximum damage. But the Colonial Pipeline incident showed that even a brief shutdown of a key node creates outsized civilian disruption.
Power Grid Vulnerability: What You Need to Know
The US power grid is operated by approximately 3,300 utilities using hundreds of thousands of networked control points. Key vulnerabilities:
- SCADA systems: Supervisory Control and Data Acquisition systems control grid operations remotely. Many run on legacy software with known vulnerabilities. Physical separation (air-gapping) from the internet is inconsistent across utilities.
- High-voltage transformers: The ~2,000 extra-high-voltage transformers that move power across the US are manufactured in limited quantities, mostly overseas, with lead times of 12–18 months. Physical damage to these — whether from attack or geomagnetic event — is extremely difficult to repair quickly.
- The good news: The US grid’s distributed, partially redundant architecture makes nationwide simultaneous failure unlikely. Regional attacks (affecting one geographic area) are more realistic than full-national scenarios.
Water System Cyberattacks: Contamination Risk
Municipal water treatment systems use SCADA control systems to manage chemical dosing (chlorine, pH adjustment), pumping, and distribution. The Oldsmar, Florida incident (February 2021) showed an attacker remotely accessing the system and attempting to increase sodium hydroxide (lye) from 100 parts per million to 11,100 parts per million — a concentration that would have caused serious chemical burns if consumed. An operator noticed the change within minutes and reversed it.
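The Oldsmar change described above (100 ppm to 11,100 ppm) is the kind of write that an automated setpoint sanity check can flag without depending on an operator watching the screen. The following is an added example, not code from any utility or vendor; the tag name, limits, timestamps, and log format are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of HMI setpoint-audit records (not real incident logs).
# Columns: timestamp, tag, old value (ppm), new value (ppm), session source.
SAMPLE_LOG = """\
2030-01-01T08:01:10,NAOH_DOSE_PPM,100,105,local
2030-01-01T13:30:02,NAOH_DOSE_PPM,105,11100,remote
2030-01-01T13:35:40,NAOH_DOSE_PPM,11100,100,local
2030-01-01T14:00:00,NAOH_DOSE_PPM,100,not_a_number,remote
"""

# Hypothetical engineering limits per tag; real values come from the
# plant's process engineers, not from this example.
LIMITS = {"NAOH_DOSE_PPM": {"low": 50.0, "high": 200.0, "max_step": 0.25}}


def check_setpoint_change(tag, old, new, source):
    """Return the reasons a setpoint write should raise an alert (empty if none)."""
    lim = LIMITS.get(tag)
    if lim is None:
        return ["unknown tag"]
    reasons = []
    # Written as a chained comparison so NaN also fails the range check.
    if not lim["low"] <= new <= lim["high"]:
        reasons.append("outside engineering limits")
    if old > 0 and abs(new - old) / old > lim["max_step"]:
        reasons.append("step change too large")
    if reasons and source == "remote":
        reasons.append("made from remote session")
    return reasons


def scan(log_text):
    """Yield (timestamp, tag, reasons) for every record that needs review."""
    for ts, tag, old, new, source in csv.reader(io.StringIO(log_text)):
        try:
            reasons = check_setpoint_change(tag, float(old), float(new), source)
        except ValueError:
            reasons = ["unparseable value"]  # malformed record: fail closed
        if reasons:
            yield ts, tag, reasons


if __name__ == "__main__":
    for ts, tag, reasons in scan(SAMPLE_LOG):
        print(ts, tag, "; ".join(reasons))
```

The corrective write back to 100 ppm is also reported, because any large step is worth a second look; in a real control system the same limits would be enforced in the controller itself so an out-of-range write is rejected rather than only logged.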
Water system attack preparation:
- long-term water storage for sizing and treatment.
- Point-of-use water testing: Basic water test kits (LaMotte ColorQ, $20–40) can detect extreme pH changes, chlorine levels, and some contaminants. This is not a comprehensive safety test, but it can catch severe contamination.
- Water filtration: A quality countertop filter (Berkey, Sawyer gravity filter) removes most chemical and biological contaminants. Not a substitute for stored water but adds a defense layer.
Financial System Disruption
Financial system attacks range from ATM network disruptions (common in DDoS attacks) to more severe scenarios involving settlement system failures. Household preparation:
- Cash on hand: $500–1,000 in small bills. During the Colonial Pipeline crisis, gas stations went cash-only in some areas. ATMs empty quickly during bank runs and extended outages.
- Offline financial records: Printed copies (updated monthly) of bank statements, investment account numbers, insurance policies, and mortgage documents. If digital systems go offline for an extended period, these provide proof of assets and obligations.
- Diversification across institutions: Accounts at 2–3 different financial institutions (different banks, credit unions) reduce the risk that a single institution’s outage freezes all your funds. FDIC insurance covers $250,000 per depositor per institution.
Fuel Supply Disruption: Colonial Pipeline Lessons
The Colonial Pipeline attack demonstrated how quickly fuel shortages can develop after a pipeline disruption:
- Day 1–2: Minimal consumer impact; pipeline operators and government managing the response.
- Day 3–4: Panic buying begins as news spreads; stations in affected states (GA, NC, SC, VA) begin running out.
- Day 5–6: 70%+ of stations in some areas reported out of fuel. Price spikes to $3.00+/gallon (from ~$2.80 average).
Fuel preparation: Maintaining at least a half-tank of fuel at all times (not the common habit of running near empty and filling up) provides 150–200 miles of range during the early phase of a fuel disruption. Add 20–30 gallons in approved containers with stabilizer for households with generators or critical evacuation needs.
Communications During Infrastructure Failure
Internet infrastructure (ISPs, cloud services, DNS) can be disrupted by large-scale DDoS attacks or physical infrastructure damage. Resilient communications options:
- Cell service (SMS specifically): SMS texts route through different systems than data and often continue working when internet and voice calls fail. Text when everything else fails.
- Satellite internet (Starlink): Operates independently of terrestrial internet infrastructure. Not immune to cyberattack (SpaceX terminals were targeted by Russia’s Viasat attack in Ukraine) but more resilient than ground-based internet for most civilian scenarios.
- Ham radio: Completely independent of internet infrastructure. A Technician-class license enables access to local VHF/UHF repeaters; General-class enables HF communication across the country without any internet infrastructure.
- Offline information: Downloaded copies of critical documents (local maps, medical references, contact lists) stored on a device that doesn’t require internet access. A waterproof flash drive with key documents costs under $20.
Where to Go Next
Extended power outage preparation — covering cyberattack-induced blackouts — is in extended power outage: grid-down preparedness for 14-day blackout. Financial resilience for economic disruption scenarios is covered in economic collapse preparedness: financial resilience, supply stockpiling, and barter economy.
