As the last US National Security Agency director warned in alarming comments last month, China is hacking into American electrical infrastructure. Public reporting and government advisories also point to China pre-positioning backdoors in power grid control systems and electrical power supply chains. Through these means, China is establishing leverage over critical infrastructure, and it could use this leverage to threaten, disrupt, or degrade services in a crisis, especially if Beijing seeks to block US involvement if it moves against Taiwan.
This kind of access gives China options for coercion, deterrence, and signaling, pursued through temporary and targeted effects in a “gray zone” crisis, as well as for conducting larger-scale attacks in the event of a major conflict. With this in mind, it is essential that the private sector—not just the US government and military—better prepare for attacks on the US electrical grid resulting from a geopolitical crisis or conflict in the Indo-Pacific. Importantly, this preparation should include both assessing the geopolitical risks and practicing what to do in a crisis.
During a recent industry forum in California, we heard from senior utility executives, grid operators, market strategists, and other experts about the range of complex challenges that the energy sector faces. Utilities must, for example, keep costs in check, meet regulatory standards, manage load growth, and advance the energy transition. At the same time, we contend that they need to treat Chinese cyber and supply-chain exposure as a standing threat—part of the context of overall strategic planning and risk mitigation—given the geopolitical risks the United States faces. During the forum, we discussed a pressing question on a panel with an unusual focus for industry: how to protect the mission to deliver reliable, safe, and affordable power as geopolitical risks rise, particularly the threat China could pose to US electrical infrastructure in the context of a regional crisis or conflict. Based on our discussions, we came to three overall takeaways.
First, utilities should identify practical geopolitical crisis indicators to monitor that, when the indicators occur, should move utility leaders from watchful to active measures. One such indicator is Chinese military exercises that move beyond the routine and are on a scale indicative of invasion preparation and/or involve live-fire training that interferes with access to Taiwan. Other indicators could be narratives from Chinese official sources that aim to justify imminent “defensive” military action, sudden pressure on key vendors, or export controls that signal possible supply disruptions. None of these signposts require classified sources, as they are visible in publicly available information and sector channels.
Second, utility leaders need to take action now. Addressing cyber and supply chain infiltration risks to power infrastructure is not only a job for cybersecurity professionals and government officials, nor can it wait until a geopolitical crisis or attack. Grid operators, supply-chain leaders, control system engineers, and procurement officials each have roles in ensuring resilience.
A range of actions can help mitigate risk. For example, contract language can clarify product security and transparency requirements. Steps can be taken to harden control system equipment and network pathways, particularly for China-sourced devices. And utilities should regularly and thoroughly test controls on vendors’ remote access to operational technology. More broadly, utilities should seek to de-risk: diversify suppliers before a crisis, keep targeted spares for the most critical equipment, and engineer by focusing on addressing high consequence events so the most important grid functions have robust fail-safe controls.
The third—and clearest—takeaway from our conversations in California was about the need for preparation rather than prediction or reaction. Regular, realistic, leadership-level tabletop exercises are the single best way to build discipline for the first forty-eight hours of a fast-moving event, especially since misinformation is likely to surge.
Tabletop exercises, long used by the US military and government as a low-cost way to improve preparedness for a high-intensity crisis or conflict, can serve the same purpose for the private sector. Comprehensive exercises expose single points of failure, validate who decides what, test communications, and force hard choices on where to deploy resources. They also create a common picture of risk and available response options that hold under pressure.
These issues have important implications for a broader audience, given the potential implications of energy disruptions for all aspects of the United States’ national security and economy. This basic three-point approach is simple and practical, even if implementing it while balancing other considerations will be complex for the industry:
- Watch for indicators that geopolitical risks are rising;
- Keep sharing and implementing best practices within the energy sector and with its partners to strengthen resilience; and
- Run regular leadership-level tabletop exercises that simulate the key decisions that leaders in a vital sector will face in a geopolitical crisis.
Introducing this three-step approach into response systems and building on it will go a long way toward making sure that essential services stay running, even if a crisis erupts halfway around the world.
Victor Atkins is a nonresident fellow with the Indo-Pacific Security Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security, where he specializes in cyber intelligence, national security, and industrial cybersecurity issues. A former Department of Energy official, he served as deputy director for operations of its Cyber Intelligence Directorate, and after details to the National Security Council staff and US intelligence community. He is the director for critical infrastructure security consulting at 1898 & Co., part of Burns & McDonnell.
Markus Garlauskas is the director of the Indo-Pacific Security Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security. He is a former senior US government official with two decades of service as an intelligence officer and strategist, including twelve years stationed overseas in the region.
The Best Practices Forum that helped inform this analysis, and the authors’ participation in it, was hosted and sponsored by Burns & McDonnell. The event adhered to the Chatham House Rule to foster transparency, candor, and forward-thinking approaches. The views expressed here are the authors’ own.
Further reading
Mon, Jun 9, 2025
China is carrying out ‘dress rehearsals’ to take Taiwan. Here’s how the US should respond.
New Atlanticist By Adam Kozloski
With China escalating its operational tempo in the Taiwan Strait, the United States must enhance its forward defense posture in the Indo-Pacific.
Tue, Feb 27, 2024
To combat Chinese cyber threats, the US must spearhead a new Indo-Pacific intelligence coalition
New Atlanticist By Victor Atkins
Such a coalition would help disrupt cyber threats, signal US resolve, and ideally help deter future cyberattacks from China.
Thu, Jun 5, 2025
Cyberattacks are hurting US businesses. Here’s how Congress can upgrade cybersecurity information sharing.
New Atlanticist By
Hackers are targeting small and medium-sized businesses, and the existing framework for sharing important information is leaving these US companies out of the loop.
Image: May 7, 2025, Barstow, California, USA: In Barstow, this compact Southern California Edison substation sits tucked between homes and quiet streets near Hutchison and Fifth. Credit Image: © Ian L. Sitren/ZUMA Press Wire.
