A Return to Asymmetric Warfare And A New Threat
I have talked at length about various forms of asymmetric attacks, and how offensive security professionals need to be uniquely focused on and interested in these attack vectors.
Asymmetric attacker use minimal resources, yet achieve significant disruption by targeting vulnerabilities that inflict large-scale damage with little risk, effort, or cost on their part. In the article "Asymmetric Warfare: An Evolving Threat", we discussed how this type of warfare capitalizes on vulnerabilities across both cyber and physical domains, from cyberattacks on data centers to physical assaults on power infrastructure.
In essence, an asymmetric attack is one where the threat actors can use a small amount of: risk, time and effort to accomplish monumental or catastrophic damage.
We’ve previously focused on how critical infrastructure—especially substations within the power supply chain—represents a prime target for these attackers. The rational as to why substations are regularly targeted, is because they are the bottleneck of the power supply chain, and happen to have the least security surrounding them.
In previous articles, focusing on substations makes a lot of sense, and still does. A guy with a gun in the middle of nowhere shouldn’t be able to bring down an entire city’s power supply … but as I have outlined it can be done and is attempted on a shockingly regular occurrence. The graph below shows that there were 60 attacks on the US power supply chain in the first 3 months of 2023.
And you can see that in that same year there were 185 total attacks on the power grid, which means that on average once every 2 days someone is attempting to destroy or disrupt power within the US.
I typically look upon major stations like power plants as being out of the realm of asymmetric attacks because they would take a great deal of damage and effort to harm or destroy and therefore violate the concept, but that is starting to change.
In war zones like Ukraine, we are seeing a disturbing rise in the use of drones to target and damage high-value assets such as power stations, bridges, and critical infrastructure. This development in asymmetric warfare introduces a new and increasingly accessible weapon that complicates the challenge of securing critical infrastructure.
FPV Drones: The New Asymmetric Threat
The evolution of drones as a weapon system has transformed them from simple surveillance tools to highly effective offensive assets. In conflict zones, FPV drones have been used with growing frequency to inflict precise and targeted damage on infrastructure that was once considered secure or difficult to access.
In the Ukraine conflict, drones have been deployed against a range of targets, including bridges, power stations, and even dams, causing millions of dollars in damage and creating substantial downstream impacts.
“Made of “milled sheets of plywood from a network of furniture factories,” the drone is more scalable for mass production than 3D printing or other drones made of materials such as fiberglass, the outlet wrote, citing company officials.
It can cover a distance of 750 to 900 kilometers (466 to 559 miles), depending on the engine, putting a large swathe of Russian territory and all of Crimea within range.
The drone can be outfitted with domestic or imported engines.
Its cruising speed is 140 kilometers (85 miles) per hour, increasing to 200 kilometers (124 miles) per hour in the terminal stage.” - thedefensepost
You may be asking how these attack vectors fit within the concept of asymmetry, and the same article has the answer,
”Similar to the Iranian Shahed drone, it features a 42-kilogram (92-pound) warhead, including a local mass-produced thermobaric warhead or a pair of 122mm artillery rounds that spray shrapnel, Forbes wrote, citing Serra-Martins.
Its modular bay allows a range of mission-specific payloads, and its compact design allows 30 drones to be stacked in a shipping container.
It costs $15,000 or $30,000 with guidance, and can take off from short runways, including roads, or deployed through rocket-assisted take-offs where runways are unavailable.”
Power stations on the other hand, depending on their type can cost approximately:
Natural Gas Power Plants: The construction cost for combined-cycle natural gas power plants in the U.S. generally averages around $812 per kilowatt (kW), which translates to about $650 million for an 800 MW plant. These plants are relatively affordable to build and are often favored for their moderate construction costs and shorter build times
Nuclear Power Plants: Nuclear facilities are among the most expensive to construct, with recent estimates showing costs ranging from $14 billion to $30 billion for a typical 1,000 MW plant. This figure accounts for extensive safety, engineering, and construction requirements unique to nuclear plants
Renewables: Solar and wind plants have seen decreasing costs due to advancements in technology and scale. Solar power plants in the U.S. average about $2,921 per kW, with the total cost for a large 1,000 MW solar facility reaching approximately $2.9 billion. Wind plants generally cost around $1,661 per kW, making them more affordable to construct at around $1.6 billion for 1,000 MW
So here we have an attack vector that costs around $20,000, where the attacker can be hundreds of kilometers away from the target (safety) and bring down a system that costs billions.
Anti Drone Defense
In Ukraine, defending against FPV drones has become a complex and evolving challenge, particularly given the drones' accuracy and ability to evade traditional defenses. The most effective methods currently include Electronic Warfare (EW) systems, which use jamming to disrupt the control signal between the drone and its operator. These systems target specific radio frequencies, forcing drones to lose connection or video feed, which can cause the drone to veer off course or crash. However, as both sides adapt by changing frequencies, EW’s effectiveness can be variable and is often described as a “cat and mouse” scenario on the front lines
To counter smaller FPV drones at the infantry level, portable “drone guns” are used by both forces to jam the signal within close proximity or simply shoot them down. These devices can redirect the drone to its takeoff location or force it to land, but their limited range and frequency sensitivity mean they are less effective against drones using advanced communication setups
In addition, physical defenses like slat armor, chain netting, and “turtle tank” modifications are being deployed on armored vehicles to pre-detonate drones before they reach the main structure. These physical defenses are especially useful for protecting valuable assets like tanks and artillery positions from FPV drone attacks
Despite these methods, the effectiveness varies. Ukrainian forces report that up to 90% of drones may be downed using EW in high-density areas, but portable EW devices and drone guns have lower success rates due to frequency adaptation by the opposition. This ongoing technological battle is pushing both sides to explore AI-guided drones that can self-navigate to targets without relying on signals from operators, making them resistant to jamming
The Devastating Impact on Critical Infrastructure
The strategic targeting of infrastructure with drones can produce long-lasting and costly impacts. A successful drone attack on a power plant, for instance, has ramifications that extend far beyond the immediate damage.
Keep in mind that nearly all power stations are not equipped to handle such attacks, and as such remain vulnerable. Further, power stations do not need to be completely destroyed to be taken offline, only damaged.
The destruction or disabling of a major power station not only causes a direct financial loss but also creates extensive downstream consequences. Power disruptions can lead to cascading failures in other essential services, including water treatment, telecommunications, and even healthcare. Entire cities could find themselves in the dark, forced to operate on backup systems or, in the worst-case scenario, left with no power source for extended periods while repairs are underway.
This level of destruction, achieved at such a low cost, perfectly exemplifies the essence of asymmetric attacks. By using drones to bypass physical defenses and precision-targeting essential infrastructure, attackers ensure they inflict maximum damage with minimal exposure to themselves.
And it is not just power stations within the critical supply chains that are being targeted, here you can see the Houthis using drones to destroy a cargo ship.
Conclusion
The rise of drones as weapons in asymmetric warfare is an unsettling development, especially for nations and organizations tasked with protecting critical infrastructure. These drones offer attackers an affordable, low-risk way to inflict high-cost damage, exploiting the vulnerabilities of aging or inadequately protected systems.
As we’ve seen, the low investment needed to acquire and deploy a drone stands in stark contrast to the massive financial and logistical cost of repairing or replacing damaged infrastructure.
As technology continues to evolve, so too must our approach to security. As I said at the beginning, defending against drone attacks may be the most complicated and costly resolution in preventing such asymmetric attack vectors.
However, addressing the threat posed by drones demands a comprehensive rethinking of critical infrastructure defenses. Anti-drone technology, advanced surveillance, and proactive security measures are becoming non-negotiable in a world where an attacker with a $30,000 drone can threaten multi-billion-dollar infrastructure all while sitting comfortably 700 kilometers away.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course of that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safegaurd your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs .