Incursions Over the Grid: The Infrastructure Operator's Design-Basis Event

A Blackgrove Global Risk analytical essay for utility chief risk officers, nuclear operators, and grid-security leadership. Posture: null-first and tiered. The overwhelming majority of incursions are conventional; the operational exposure holds regardless of origin. The exotic-origin question is held open and below the line, and the one historically disputed case here is presented as disputed.

TL;DR

  • The documented record of unattributed incursions over nuclear and sensitive energy sites makes this an operational-continuity and force-protection problem now, and the problem is decoupled from the origin question. Whether an object over a reactor is an adversary probe, a criminal drone, a hobbyist in violation, or something unresolved, the continuity and security exposure is the same, and it is real.

  • The operator's binding constraint is a gap in capability, policy, and law. Federal restrictions limit an operator's and even the military's ability to detect, attribute, or bring down a drone over a domestic site absent an immediate threat, and aerial surveillance does not qualify. The record is a series of incursions that responders could observe and could not stop.

  • The design-basis event is not an exotic craft. It is a multi-day, multi-drone incursion that degrades airspace over a plant or a substation, defeats the site's detection, and cannot be lawfully countered, occurring against a backdrop in which the responsible agencies have repeatedly failed to identify or attribute the intruders. Plan for that event, and the origin question becomes irrelevant to the plan.

Key Findings

  1. The incursion record over nuclear infrastructure is documented and substantial. Nuclear Regulatory Commission records released under FOIA describe at least 57 drone incursions over 24 US nuclear sites between 2015 and 2019, including a swarm of five large drones over the Unit 3 reactor at the Palo Verde Nuclear Generating Station, the largest US nuclear plant, in September 2019, with a further overflight that December.

  2. The pattern continued into the current period and reached the weapons complex. Department of Energy operations reports released in September 2023 document suspected drone incidents near Lawrence Livermore National Laboratory, and the Nevada National Security Site, which supports the nuclear Stockpile Stewardship Program, recorded five uncrewed-system sightings over three days in October 2023 whose origins law enforcement could not determine.

  3. The legal-authority gap is the core exposure. Federal law restricts bringing down drones over domestic sites absent an immediate threat, and aerial surveillance does not meet that bar. Senior commanders have described gaps in capability, policy, and law, and a federally coordinated jamming attempt during one military incursion did not succeed. An operator can watch an incursion it cannot lawfully stop.

  4. Most incursions are prosaic, and that is precisely why the exposure is real. The NRC, NASA, and AARO emphasize that recent incursions are overwhelmingly conventional drones. This does not reduce the exposure; it defines it. A conventional drone that an operator cannot detect, attribute, or counter is a continuity and force-protection problem whatever its operator's intent.

  5. The one exotic-linked historical case is disputed, and the operational fact survives the dispute. The 1967 Malmstrom missile shutdowns are cited for decades by former officers as a UAP event; AARO's 2024 historical review concluded there is no evidence of UAP causation. We hold the causation question as disputed. The risk-relevant fact, a documented simultaneous loss of strategic alert status, is real regardless of what caused it, and that is the lesson an infrastructure operator should take from it.

Details

The documented record: incursions over the nuclear fleet

We assess that the incursion record over US nuclear and energy infrastructure is documented, substantial, and sufficient on its own to make this an operational risk, before any question of origin arises. Nuclear Regulatory Commission records obtained under the Freedom of Information Act describe at least 57 drone incursions over 24 US nuclear sites between 2015 and 2019, many involving small uncrewed aircraft operating in coordinated patterns and loitering for extended periods. The most prominent single episode is documented at the Palo Verde Nuclear Generating Station in Arizona, the largest nuclear plant in the country, where a swarm of five large drones flew over the Unit 3 reactor in September 2019, followed by a further unauthorized overflight that December despite heightened security. The events were serious enough that the NRC now requires licensees to report drone sightings and has issued public briefings as the pace of reports increased.

The pattern reached the weapons complex and continued into the current period. Department of Energy operations reports released in September 2023, filed by the Protective Force of the National Nuclear Security Administration, document suspected drone incidents near Lawrence Livermore National Laboratory between 2018 and 2021. More pointedly, the Nevada National Security Site, which supports the Stockpile Stewardship Program and is itself a premier location for testing counter-drone technology, recorded five uncrewed-system sightings along its southern border over three days in October 2023, and law enforcement could not determine their origin. When a site built to test counter-drone systems cannot attribute the drones over its own perimeter, the detection-and-attribution problem is established at the highest end of the security spectrum.

The November and December 2024 Northeast episode extended the same problem to civil critical infrastructure. Objects were reported over reservoirs, bridges, and nuclear power facilities; the mayor of one New Jersey township reported dozens hovering over local reservoirs in a day; state police briefed hundreds of local officials that the objects were roughly six feet long, often coordinated, and able to loiter for hours, and that the region's detection equipment could not reliably hold them. The interagency review of more than 5,000 reports found nothing anomalous and attributed the sightings overwhelmingly to lawful drones, manned aircraft, and misidentification. Both facts hold together: the origin was mostly mundane, and the infrastructure exposure was real.

The legal-authority gap: watching what you cannot stop

The operator's binding constraint is not detection technology alone; it is authority. Federal law restricts the circumstances under which a drone over a domestic site can be brought down, and aerial surveillance does not meet the immediate-threat bar that would permit interdiction. During the military incursions of this period, senior commanders described the problem plainly as gaps in capability, policy, and law, and a jamming attempt during one incursion, coordinated across federal agencies, did not succeed. The practical consequence for a civilian operator is sharper still: a utility or a plant operator has less authority than a military installation commander, and the same detection and attribution problems, which leaves the operator in the position of observing an incursion it can neither identify nor lawfully counter.

This is the exposure that matters, and it does not depend on the origin question at all. The counter-drone tools that can jam control frequencies also knock out the Wi-Fi, wireless, and navigation services on which surrounding communities and the operator itself depend, which is why their use over domestic infrastructure is constrained. The interdiction authorities that exist for a battlefield do not exist over a substation in a populated county. An operator planning for an incursion is planning within a legal envelope that currently favors the intruder.

The design-basis event: continuity, not the exotic

The event an infrastructure operator should design against is not an exotic craft. It is a multi-day, multi-drone incursion that degrades the airspace over a plant or a substation, defeats the site's own detection, and cannot be lawfully countered, occurring while the responsible federal agencies fail to identify or attribute the intruders. Every element of that event is on the documented record: the multi-day duration (the 17-night military incursion at Langley is the reference case), the detection defeat (the Nevada site and the New Jersey detection equipment both failed to hold the objects), the interdiction gap (the failed jamming attempt and the legal restrictions), and the attribution failure (the interagency inability to source the drones). An operator that plans for this composite event has planned for the exposure regardless of what any individual object turns out to be.

The continuity dimension is the part most under-modeled. A prolonged incursion that forces a precautionary posture, triggers a security mobilization, or degrades operations at a generating station or a grid node carries the same continuity consequences as any other multi-day operational disruption, and it does so whether the intruder is a foreign intelligence service, a criminal operation, or an unresolved case. The nuclear fleet has the added dimension that an incursion over a reactor is, at minimum, a nuclear-security and public-confidence event even when it causes no physical harm. The operator's plan has to cover the disruption, the security response, the regulatory reporting, and the public communications, none of which depend on solving the origin question.

Null-first: most of this is drones, which is the point

The discipline here is to hold the origin question open while taking the operational exposure with full seriousness, and the null-first posture makes both easier, not harder. The NRC, NASA, and AARO all emphasize that recent nuclear-site incursions are overwhelmingly conventional drones, whether adversary probes, criminal tools, hobbyists in violation, or misidentified conventional traffic. We assess that this is almost certainly correct for the bulk of the record. The consequence is not that the exposure shrinks. It is that the exposure is fully real on the most deflationary reading available, because a conventional drone that an operator cannot detect, attribute, or lawfully counter is a continuity and force-protection problem irrespective of the intent behind it. The operator does not need the exotic hypothesis to justify the investment; the drone hypothesis justifies it completely.

The disputed case, handled honestly

One case in the nuclear record carries a decades-long exotic association, and it is worth handling with precision rather than avoidance. In March 1967, Minuteman missiles at Malmstrom Air Force Base lost strategic alert status in an incident that former launch officers, most prominently Robert Salas, have described for decades as coincident with a UAP over the missile field. The claim is testimonial, consistent across many years, and made by personnel who were vetted under the Personnel Reliability Program, which is the strongest form the testimonial case takes. Against it, AARO's 2024 historical review concluded there is no evidence of UAP causation, and the FOIA record confirms the loss of alert status while noting the absence of unusual radar returns. We do not resolve the causation question, and we hold it as disputed, because the official analysis and the testimonial record diverge and neither is dispositive on the present evidence.

The point for an infrastructure operator does not require resolving it. A documented simultaneous loss of strategic alert status is a critical-systems event regardless of what caused it, and the useful lesson is about systems fragility and attribution difficulty rather than about the phenomenon. If a critical-infrastructure control system experienced a simultaneous, unexplained degradation during an aerial event, the operator's problem would be the degradation and the attribution, not the metaphysics. That is the correct reading of the case, and it is available without taking a side on the origin.

Recommendations

For utility and nuclear chief risk officers (immediate). Treat unattributed aerial incursion as a named continuity and force-protection exposure on the enterprise-risk register, sized to the documented composite event: multi-day duration, detection defeat, interdiction gap, and attribution failure. Do not condition the exposure on origin; the conventional-drone reading justifies the planning fully.

For site security (immediate). Map the detection-and-attribution gap at each critical site against the documented record, and assume the tools that exist may not hold a coordinated, low-signature intruder. Build the response plan around observation, reporting, and continuity under a prolonged incursion the site cannot lawfully counter, rather than around interdiction the law does not currently permit.

For continuity and communications planning (immediate). Pre-stage the operational, regulatory-reporting, and public-communications response to a prolonged incursion over a plant or a grid node, including the nuclear-security and public-confidence dimensions that apply even when no physical harm occurs. The cascade of a reactor overflight is a communications event before it is anything else.

For all (monitoring triggers and posture). Watch the legal and policy record: expanded counter-UAS authorities for critical-infrastructure operators would materially change the interdiction envelope and are the single development most likely to shift the posture from observe-and-report to detect-and-mitigate. Until then, plan within the envelope that favors the intruder.

Caveats

  • Tiering. The NRC incursion records, the Palo Verde and DOE Livermore reports, the Nevada National Security Site sightings, and the interagency findings are DOCUMENTED or DOCUMENTED-AS-REPORTED with locators. The Malmstrom causation claim is TESTIMONIAL and DISPUTED against AARO's 2024 review, and is held as disputed. The exotic-origin question is held open and below the line.

  • The exposure is origin-independent. This piece treats incursion as a continuity and security problem that holds on the conventional-drone reading. It asserts nothing about whether any incursion is exotic.

  • Authorities are in flux. The legal-interdiction envelope is the subject of pending legislation, and the analysis reflects the constrained authorities in effect. A change in counter-UAS law would alter the operator's options.

  • International parallels are noted, not relied upon. Incursions over nuclear infrastructure in France, Belgium, Ukraine, and India are part of the broader pattern; this analysis is anchored on the US documented record.

Previous
Previous

The Validated Fringe: Information Integrity After Official Acknowledgment

Next
Next

Inside the Waiver: Oversight Gaps and Contractor Exposure