In November 2024, Skyler Philippi, a 24-year-old from Columbia, Tennessee, drove to a Nashville-area electrical substation with a drone loaded with C-4 plastic explosives and pipe bombs packed with black powder. He had already conducted in-person reconnaissance at the site two months earlier. His stated goal: attack the power grid to "shock the system" and cause cascading failures. FBI agents arrested him moments before launch. Philippi later pleaded guilty to attempted use of a weapon of mass destruction and attempted destruction of an energy facility.

"The FBI's swift work led to the detection and disruption of the defendant's plot before he could cause any damage. We are committed to holding accountable anyone who threatens the security of our critical infrastructure." — FBI Director Christopher Wray

The Nashville case was not the beginning of this threat—it was a confirmation of a trajectory that U.S. federal agencies had been tracking for years.

That trajectory has a formal start date. In July 2020, a modified DJI Mavic 2—a consumer quadcopter costing roughly a thousand dollars—crashed near a Pennsylvania electric substation. Trailing behind it were two four-foot nylon ropes dragging a length of copper wire, the apparatus apparently designed to drape across conductors and short-circuit transformers or distribution lines. The drone appeared heavily worn, suggesting prior reconnaissance flights. The operator was never identified.

More than a year later, in October 2021, an FBI/DHS/NCTC joint intelligence bulletin described the incident as “the first known case of a modified unmanned aircraft system likely being used in the United States to specifically target energy infrastructure.” Marty Edwards, a former DHS official, observed at the time: “All of the attention being paid to cybersecurity right now is important, but we have to remember that physical threats to the grid like this are quite real.”

The expectation has proved accurate. More than 13,000 drone incursions were recorded at U.S. power generation sites in 2024 alone. Analysts estimate that 60 new grid vulnerabilities are added every single day as drone capabilities proliferate.

An Infrastructure Built for the Last Century’s Threats

The scale of exposure is difficult to overstate. An analysis of 54 operating U.S. nuclear sites found that 50 have no dedicated C-UAS detection or mitigation hardware; approximately four have basic RF detection; and zero have full active defense capability. At least 26 official drone incursions were reported at nuclear sites in 2024. In March 2023, Los Alamos National Laboratory closed its airspace and issued warnings against unauthorized UAS operations due to escalating drone activity—the kind of response that indicates a problem serious enough to interrupt classified work at a weapons research facility.

The picture at oil refineries is no better. Zero of the top 20 U.S. oil refineries operate any active C-UAS mitigation system; approximately two have passive RF detection; the remaining 18 rely entirely on traditional ground security—perimeter fencing and cameras designed for a threat environment that predates affordable drones by decades.

Airports are marginally better positioned, but only marginally. Of the top 30 U.S. airports, just three have fully integrated, layered C-UAS capability; eight have partial detection-only solutions; and 19 major hubs rely solely on FAA flight restrictions and visual spotting. The FAA receives over 100 drone sighting reports near airports each month, and drones were involved in nearly two-thirds of reported near-midair collisions at the 30 busiest U.S. airports in 2024. A four-hour shutdown at a major airport hub carries an estimated $5 million to $10 million in economic losses.

Expressed as coverage percentages: an estimated 93 percent of 54 U.S. nuclear sites, 90 percent of the top 20 oil refineries, and 63 percent of the top 30 airports lack comprehensive, layered counter-UAS protection. The year-one capital cost to equip just 104 critical infrastructure sites with comprehensive C-UAS capability is estimated at $189.6 million—with a five-year total cost of ownership of $355.1 million. Congress has not appropriated that funding.

The Detection Problem: When the Sensor Stack Fails

Counter-UAS systems rely on layered detection—RF, acoustic, optical, and radar—but each technology has fundamental limitations that small drones exploit.

RF detection, the backbone of most deployed systems, depends on intercepting the radio signals a drone or its operator emits. It fails entirely against “dark drones”—platforms that operate autonomously using onboard AI for terrain mapping and target acquisition, requiring no GPS or radio link. The prevalence of dark drones is increasing precisely because defeating RF detection is now a design criterion, not an afterthought.

Acoustic sensors—microphone arrays that listen for rotor noise—have an effective range of approximately 500 meters, further degraded by wind, humidity, and urban ambient noise. Optical and infrared systems extend detection range to roughly three kilometers, but fog, rain, and haze all reduce effectiveness. Even radar, which is not fooled by darkness or weather, struggles with small platforms: the radar cross-section of some fixed-wing UAVs measures as small as 0.07 m², comparable to a large bird and below the detection thresholds of conventional ground radar.

The emergence of swarm attacks makes the problem categorical rather than incremental. Mobile counter-drone response teams are insufficient against three or more simultaneous attack vectors. A swarm doesn’t need to defeat the sensors—it needs only to exceed response capacity, a threshold that becomes easier to reach as drone hardware prices fall. A drone traveling at 200 km/h covers 15 kilometers in approximately four and a half minutes, compressing the detection-to-interdiction window to near zero even when detection succeeds.

The Authority Gap

Even where detection works, the response is legally constrained in ways most observers don’t fully appreciate. Under current U.S. law, counter-UAS interdiction authority is restricted to DHS and the Department of Justice. Private critical infrastructure operators—utilities, refineries, airports, and data centers—have no legal authority to detect RF signals, jam communications, spoof GPS, or physically interdict unauthorized drones over their own facilities. As one industry analysis notes, “Incorrect action can create safety risks, legal exposure, and a loss of public trust.”

The constraint extends to the military at the facility level. NORAD/NORTHCOM commander Gen. Gregory Guillot acknowledged after taking command in February 2024 that the scope of the problem surprised him. Since 2022, over 600 drone incidents have been reported at U.S. military installations, with more than 350 occurring in 2024 alone. Q1 2025 alone logged 400 or more illegal drone incidents nationwide.

The Langley Air Force Base episode makes the gap concrete. Starting on the evening of December 6, 2023, unauthorized drones began penetrating the airspace of Langley AFB—home to F-22 Raptor fighters and supporting NORAD/NORTHCOM homeland defense operations. The incursions continued across multiple nights throughout December. Response assets included F-16 combat air patrols with aerial refueling support and a NASA WB-57F high-altitude research aircraft. Early press reporting described the platforms as roughly 20 feet long, flying at over 100 miles per hour at altitudes of 3,000 to 4,000 feet.

The investigation concluded without publicly resolving the origin—no organized or unorganized foreign nexus was established. A Langley spokesperson acknowledged: “None of the incursions appeared to exhibit hostile intent but anything flying in our restricted airspace can pose a threat to flight safety.” Gen. Guillot later explained why NORAD could not simply act: “NORAD’s responsibility for countering UAS was very limited to something that would be an attack of national consequence”—meaning that short of a legally classified national-level attack, the command had no legal basis to engage small drones even within the perimeter of a major operational base.

Why It Matters

The cumulative picture is one of asymmetric vulnerability at scale. A $1,000 drone can cause millions of dollars in infrastructure damage, making the cost-threat ratio heavily favorable to adversaries, whether state-sponsored, radicalized domestic actors, or criminal networks conducting industrial espionage. The White House Domestic Counter-UAS National Action Plan noted in 2022 that “Malicious actors have increasingly used UAS domestically to commit crimes, conduct illegal surveillance and industrial espionage.”

The regulatory landscape is beginning to shift. The FAA Reauthorization Act of 2024 extended DHS and DOJ counter-UAS authorities through September 30, 2028. New legislation tied to the 2026 FIFA World Cup and America250 celebrations granted state and local law enforcement C-UAS mitigation authority for the first time—a meaningful expansion, though one scoped to specific events and venues. The Counter-UAS Authority Security, Safety, and Reauthorization Act (H.R.8610), introduced in the 118th Congress in June 2024, aims to further formalize and expand those authorities. The White House National Action Plan established three core strategies: extend UAS detection at critical infrastructure sites, place C-UAS mitigation equipment with authorized oversight, and close regulatory enforcement gaps.

Funding is following, slowly. The Army’s FY2026 budget includes $858 million for counter-UAS capabilities. DHS separately committed $115 million in counter-drone funding for the World Cup and America250 events. Gen. Guillot launched “Falcon Peak 2025,” a counter-drone demonstration evaluating directed energy, laser, and high-power microwave systems across multiple commercial vendors—the first systematic stress-test of layered defense options at scale.

What remains structurally unresolved is the private sector’s standing to protect itself. Multiple nights of drone incursions at one of America’s premier fighter bases, with F-16s and a NASA high-altitude aircraft unable to identify the operators—that is the most visceral illustration of where the detection and authority infrastructure currently stands. Until private operators gain legal interdiction rights, and until comprehensive C-UAS coverage reaches the 93 percent of nuclear sites and 90 percent of refineries that currently lack it, the sensor stack will keep improving while the authority to act remains frozen in place.

Sources