Operation Absolute Resolve: The Grid Went Dark, the Rules Went With It

In January I sat down to write a post about something completely different and instead spent forty-five minutes rereading the same paragraph from the New York Times’ January 17 story: US officials, briefed on the operation, confirmed that hackers operating on behalf of the US government were able to “not only shut off the power in Caracas but also restore it within a few minutes.” I’ve been in this industry long enough to remember when taking down a nation’s power grid was considered a near-impossible feat that required nation-state resources and years of access. And Trump announced it at a Mar-a-Lago press conference while his cabinet nodded along. The lights went off. The lights came back on. The dictator was in handcuffs. And now every adversary intelligence service on earth has updated their threat models with the same question: if they can do that to Caracas, what can someone do to us? What can someone do to you?

What’s Actually Happening

On January 3, 2026, the United States launched Operation Absolute Resolve — a multi-domain military operation that captured Venezuelan President Nicolás Maduro at Fort Tiuna in Caracas and transported him to New York to face federal narcoterrorism charges. The operation involved US Armed Forces bombing Venezuelan air defence infrastructure, EA-18G Growler electronic warfare aircraft jamming radars, special operations ground forces extracting Maduro, and — per NYT reporting confirmed by SecurityWeek on January 19 — US Cyber Command executing offensive cyber operations that took down power in specific areas of Caracas and restored it within minutes.

At the Mar-a-Lago press conference on January 3, President Trump stated: “It was dark — the lights of Caracas were largely turned off due to a certain expertise that we have.” General Dan Caine, Chair of the Joint Chiefs, confirmed that Cyber Command, Space Command, and other combatant commands “began layering different effects to create a pathway” for US forces. The global internet monitoring organisation NetBlocks confirmed a loss of internet connectivity in Caracas coinciding with the power cuts. The NYT reporting nailed down what Trump alluded to: cyber weapons were used both to disrupt power and to restore it on demand, and the restorable-on-demand element is the significant part.

Per the RUSI analysis by their cyber and technology team, the operation raises four structural points that deserve attention beyond the immediate military outcome. First, Venezuela’s infrastructure was already a strategic vulnerability — the 2019 blackouts demonstrated systemic fragility that made exploiting it in 2026 an operation requiring good timing more than exceptional technical capability. Second, the US almost certainly maintained persistent access to Venezuelan networks for intelligence purposes prior to the operation. Third, even if cyber caused the blackout, the decisive operational factors lay elsewhere — cyber enabled and supported but did not replace kinetic effects. Fourth, the political objectives of Operation Absolute Resolve — primarily oil access — situate the cyber operations within a broader coercive toolkit, not as a standalone cyber offensive.

CyberScoop’s forensic analysis is instructive on the attribution question. Physical damage to at least three Venezuelan substations was documented in videos and photographs from Caracas, consistent with the use of BLU-114 graphite bombs, which short-circuit electrical equipment. A Venezuelan digital rights engineer who was in the city told CyberScoop that power loss “was never a thing” across large portions of the city; only specific areas lost power, consistent with targeted disruption rather than grid-wide collapse. Dragos CEO Robert Lee’s contemporaneous assessment, per SecurityWeek, was that it is “completely reasonable to assess” that cyber was used, and his best guess was “Ukraine 2015 style” (abusing native functionality of the control systems) rather than Ukraine 2016 style custom OT malware. The operational picture that emerges is a layered multi-domain operation in which cyber, kinetic, electronic warfare, and human intelligence were simultaneous components, not sequential ones.

What this means operationally: the US demonstrated the ability to surgically disrupt grid infrastructure in a specific area, restore it on demand (preventing collateral civilian damage beyond the operational window), and integrate that capability seamlessly with kinetic air and ground operations. The fact that this was announced publicly is itself operationally significant. As the RUSI analysis notes, “boasting about capabilities is not the usual game” for offensive cyber operations. The disclosure was deliberate. Its audience was not the press conference room.

My earlier analysis of the cyber-kinetic war that erupted following Operation Epic Fury on February 28 detailed how conventional military operations are now indistinguishable in practice from cyber operations in the opening phase. Operation Absolute Resolve, which preceded Epic Fury by nearly two months, was the live demonstration that made that analysis accurate.

The Cyber Layer Nobody Is Writing About

The mainstream coverage has focused almost entirely on the operational outcome — Maduro captured, Venezuelan oil trade restored, strategic victory for the Trump administration — and the legal controversy around whether the operation required congressional authorisation. All legitimate stories. The story that is not being written is the enterprise security implications of a publicly confirmed, surgical offensive cyber operation against grid infrastructure, demonstrating on-demand restoration capability.

Here’s the threat model every adversary security service updated on January 4: offensive cyber against grid infrastructure is not a once-in-a-decade Stuxnet-level event requiring five years of development. It is an operational tool in the multi-domain toolkit. The US disclosed it, which means adversaries who were uncertain whether this capability existed at the tactical level now have public confirmation. And the countries with the most developed offensive cyber capabilities — China, Russia, Iran, North Korea — all have existing pre-positioned access in infrastructure whose vulnerability profiles resemble Venezuela’s in important ways: legacy equipment, mixed-vintage control systems, limited OT-specific visibility, and IT-to-OT network segmentation that was never designed to stop a determined state actor.

The Venezuela grid was described by a critical infrastructure security expert cited by Axios as having “legacy stuff from 50 years ago still operating right next to a brand new controller.” That description applies to a startling proportion of the world’s operational energy infrastructure. The US demonstrated that mixed-vintage OT environments with fragile telemetry are exploitable for precision effects — specific areas, specific duration, reversible. That capability doesn’t belong only to the US. Russia demonstrated something similar in Ukraine in 2015 and 2016. China’s Volt Typhoon has spent years establishing exactly the kind of persistent access that would enable the same operation.

The “reversible within minutes” detail from the NYT reporting is the operationally sophisticated part that I haven’t seen anyone discuss properly. A reversible disruption is more strategically flexible than a permanent one. It can be used as a signal. It can be used to create a specific operational window. It can be turned off before civilian hospitals exhaust their generator capacity. It leaves attribution ambiguous: was the power out because of the operation or because Venezuelan grid infrastructure fails routinely? The reversibility suggests access to the grid at a level that allows controlled manipulation, not just destruction. If Lee’s “Ukraine 2015 style” guess is right, that manipulation is done with protocol-valid commands issued through the grid’s own control functionality, which is exactly the traffic that IT-centric monitoring treats as normal. That capability, applied by an adversary against your grid infrastructure during a crisis, is unlikely to be caught by the ICS security configurations most utilities have deployed.

The legal and normative implications are significant and are being discussed at the strategic level — per CyberScoop, the operation “blurred legal and political boundaries and prompted demands from lawmakers for congressional oversight.” What it did not do was establish a norm against this kind of operation. If anything, it demonstrated that politically successful multi-domain operations can incorporate offensive cyber against civilian infrastructure without generating sustained international legal challenge. That’s a data point every offensive cyber program in the world will incorporate into its doctrine.

Submarine cable and satellite communication infrastructure sits in the same risk category. The Venezuela operation demonstrated integration of Cyber Command, Space Command, and electromagnetic warfare. Space-based infrastructure (GPS, satellite communications, timing signals) is directly relevant to grid operations: GPS-disciplined clocks provide the time reference for phasor measurement units and for event time-stamping in protection relays, so degrading or spoofing that timing corrupts the grid operator’s picture of the system at the same moment the control systems are being manipulated. An adversary that can operate against space-based assets simultaneously with cyber operations against grid infrastructure can generate compounding effects that are significantly harder to recover from than either in isolation.

Why It Matters Beyond the Conflict Zone

Your organisation almost certainly depends on grid infrastructure. That dependency is not abstract — your data centres, your operational technology, your communications infrastructure, and your supply chain all require continuous power. The Venezuela operation demonstrated that grid infrastructure can be surgically targeted for specific-duration outages by an adversary operating remotely, that restoration capability indicates deep access to control systems, and that the political calculus for using this capability is evidently lower than previously assessed.

The enterprise parallel is not “your grid will be attacked.” The enterprise parallel is: organisations that have not modelled grid disruption scenarios in their business continuity planning are operating with an incomplete threat model as of January 3, 2026. The capability exists. The political threshold for using it has been demonstrated to be lower than previously assumed. And the adversaries who have pre-positioned access in critical infrastructure, as confirmed by the ODNI assessment published four days after this post, have had months to study the operational template.

The secondary implication is for OT security investment prioritisation. For years, the argument for hardening OT environments against cyber threats has been “theoretical” or “nation-state only.” A nation-state just publicly confirmed doing it. The theoretical has a press conference.

What Went Wrong

Venezuela was the easy case. The grid was fragile, under-maintained, documented as vulnerable since at least 2019, and operated with equipment that mixed legacy SCADA systems with modern components without the network segmentation that would make surgical disruption difficult. The critical infrastructure security expert cited by Axios described the architecture accurately: old and new systems sitting side by side, connected in ways that were never designed to be isolated from each other in an emergency.

The harder answer is the one that applies everywhere: the OT security posture of most energy infrastructure globally was designed around the assumption that physical isolation was the primary security layer. Once that assumption was broken — once remote management, digital telemetry, and IP connectivity became standard features of grid operations — the physical isolation assumption no longer held, and the security architecture needed to change with it. It changed in some places. In most places, the IP connectivity arrived and the security architecture update followed somewhere between “years later” and “never.”

The Fix — Fixer’s Advice

The enterprise response to Operation Absolute Resolve is not to solve the security problem for the national grid. That’s someone else’s job, and they should be working on it urgently. The enterprise response is to make sure your operations can continue during a grid disruption scenario.

Power resilience planning:

Audit your backup power infrastructure. Specifically: how long can your critical operations run on UPS and generator power? How reliably do your backup generators start, and when did you last run them under full load rather than a no-load weekly test? What fuel supply do you have on-site, and what is your resupply chain? For a targeted disruption of the duration demonstrated in Venezuela (minutes) or of the hours a less careful adversary would impose, the question is whether your backup power is reliable and tested, not whether it exists on paper.

Identify your single points of failure in power dependencies. Data centres with N+1 power feeds from the same substation are not as resilient as they appear if that substation is the target. Geographically diverse power feeds from different substations on different grid segments are materially more resilient to targeted disruption. Verify that the diversity is real and not just contractual: two feeds that converge on the same transmission line or the same upstream substation are one feed for the purposes of this scenario.

OT and ICS security posture:

If you operate any OT or ICS environment — manufacturing, utilities, building management, industrial equipment — conduct a network segmentation assessment. The question is whether your OT network can be isolated from your IT network at the boundary without disrupting essential operational data flows. If the answer is “we’d have to manually disconnect cables,” your segmentation is a design intent that hasn’t been built.

Deploy OT-specific visibility tooling. You cannot detect manipulation of industrial control systems with IT-centric security tooling. OT protocols (Modbus, DNP3, BACnet, OPC UA) require OT-native analysis, because a 2015-style operation issues well-formed, protocol-valid commands; the signal is which host sent a write, to which register or coil, and at what time, and only a parser that understands the protocol can surface that. The absence of alerts in your SIEM does not mean the absence of activity in your OT network if your SIEM isn’t ingesting OT telemetry.
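The following is an added example, not code from the original post or from any vendor product, showing what “OT-native analysis” means in practice for the reversible, native-functionality style of manipulation discussed above. It parses constructed Modbus/TCP frames (Modbus is only one of the protocols listed; DNP3 and the others need their own parsers) and raises alerts on three conditions an IT SIEM would never see: a write command from a host that is not an authorised master for that outstation, a write that touches coil addresses mapped to feeder breakers, and a breaker write outside an expected maintenance window. The IP addresses, unit IDs, coil-to-breaker mapping, maintenance window and sample frames are all hypothetical.

```python
"""Added example (not from the original post): flagging Modbus/TCP write commands
that are protocol-valid but wrong by source, target or time.

Abuse of native functionality (the "Ukraine 2015 style" Lee describes) produces
frames that parse cleanly. What is anomalous is who sent the write, which
register or coil it targets, and when. All addresses, unit IDs and the
breaker mapping below are hypothetical, and the frames are constructed.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state. Reads are left alone.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hypothetical asset inventory: which master may write to which outstation,
# and which coil addresses on that outstation drive feeder breakers.
AUTHORISED_MASTERS = {1: {"10.20.1.10"}}   # unit 1: only the SCADA master
BREAKER_COILS = {1: range(0, 8)}           # unit 1: coils 0-7 are breakers
MAINTENANCE_WINDOW = (2, 4)                # breaker writes expected 02:00-04:00


@dataclass
class ModbusWrite:
    src: str
    unit: int
    function: int
    address: int
    count: int


def parse_adu(src: str, adu: bytes):
    """Parse one Modbus/TCP ADU. Returns a ModbusWrite for write functions, else None.

    MBAP header: transaction id (2), protocol id (2), length (2), unit id (1).
    PDU: function (1), start address (2), then quantity (2) for multi-writes.
    """
    if len(adu) < 8:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("not Modbus protocol id 0")
    if length != len(adu) - 6:
        raise ValueError("MBAP length does not match frame")
    function = adu[7]
    if function not in WRITE_FUNCTIONS:
        return None
    address = struct.unpack(">H", adu[8:10])[0]
    count = struct.unpack(">H", adu[10:12])[0] if function in (0x0F, 0x10) else 1
    return ModbusWrite(src, unit, function, address, count)


def check_write(w: ModbusWrite, hour: int):
    """Return alert strings for one write command (empty list if it looks legitimate)."""
    alerts = []
    if w.src not in AUTHORISED_MASTERS.get(w.unit, set()):
        alerts.append(f"write from unauthorised master {w.src} to unit {w.unit}")
    breakers = BREAKER_COILS.get(w.unit)
    if breakers and w.function in (0x05, 0x0F):
        touched = range(w.address, w.address + w.count)
        if any(a in breakers for a in touched):
            lo, hi = MAINTENANCE_WINDOW
            if not lo <= hour < hi:
                alerts.append(f"breaker coil write at {hour:02d}:00 outside maintenance window")
    return alerts


def analyse(frames, hour: int):
    """frames: iterable of (src_ip, adu_bytes). Returns (writes_seen, alerts)."""
    writes, alerts = 0, []
    for src, adu in frames:
        w = parse_adu(src, adu)
        if w is None:
            continue
        writes += 1
        for msg in check_write(w, hour):
            alerts.append(f"{WRITE_FUNCTIONS[w.function]} addr={w.address}: {msg}")
    return writes, alerts


def build_adu(unit, function, address, value_or_count):
    """Build a constructed Modbus/TCP frame for the demo (not captured traffic)."""
    pdu = struct.pack(">BHH", function, address, value_or_count)
    if function in (0x0F, 0x10):
        pdu += b"\x01\x00"  # byte count + one payload byte, enough for <= 8 coils
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: one read, one benign write, two breaker operations.
SAMPLE_FRAMES = [
    ("10.20.1.10", build_adu(1, 0x03, 0, 10)),      # read holding registers: ignored
    ("10.20.1.10", build_adu(1, 0x06, 100, 42)),    # authorised setpoint write: no alert
    ("10.20.1.10", build_adu(1, 0x05, 3, 0x0000)),  # SCADA opens breaker 3 at 14:00
    ("10.10.5.77", build_adu(1, 0x0F, 0, 8)),       # IT-segment host writes all 8 breakers
]

if __name__ == "__main__":
    n, found = analyse(SAMPLE_FRAMES, hour=14)
    print(f"{n} write commands, {len(found)} alerts")
    for a in found:
        print("ALERT:", a)
```

Run stand-alone it reports three write commands and three alerts: the SCADA master’s own breaker operation is flagged only because of the time, and the IT-segment host is flagged twice, for source and for target. Note what is not checked: nothing here is a signature for malware or a malformed packet, which is the point; a Dragos-style OT monitor does this with a full asset baseline rather than the two hard-coded tables above.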

For any organisation operating critical infrastructure: review your remote access architecture. Remote management of grid equipment is operationally necessary. It is also the most plausible path for the kind of persistent, pre-positioned access that the RUSI analysis assumes the US already held in Venezuelan networks; the public reporting does not say how that access was obtained, and nothing in this post should be read as confirming it. Remote access that uses long-lived credentials, weak authentication, or standard IT VPN architectures for OT network access is an attack surface that adversaries with pre-positioned access have already mapped.

Business continuity for grid disruption:

Run a scenario exercise: “Grid power unavailable to our primary and secondary sites simultaneously for twelve hours.” What do you do? Who decides what stays running? What is the manual fallback for processes that require power you won’t have? The exercise is less about solving the problem on the spot and more about identifying which processes have documented offline procedures and which ones someone assumed would never need them.

Communications resilience: if your voice communications depend on VoIP infrastructure that requires continuous power and network connectivity, and your network depends on grid power, your communications architecture has a single-point dependency on grid availability. Identify out-of-band communication options — cellular, satellite, dedicated radio — that function without the primary infrastructure.

Vendor and supply chain review:

Third-party vendors with remote access to your OT or grid-connected infrastructure should be assessed with the same lens as your own security posture. The mixed-vintage architecture problem that made Venezuela exploitable applies to any environment where an equipment vendor’s remote management capability connects to systems that were not originally designed for IP connectivity. Review those access paths. Review whether those sessions are logged and monitored. Review whether the vendor credentials are subject to the same rotation and MFA requirements as your own privileged accounts.

Final Call-Out

The United States confirmed it turned off the lights in an adversary’s capital city using cyber tools, restored power on demand within minutes, and announced it at a press conference. Every offensive cyber program in the world updated its doctrine on January 4. Every adversary with pre-positioned access in critical infrastructure — and the ODNI assessment says they exist — now has a publicly confirmed operational template. Your business continuity plan should have been updated on January 4 as well. If it hasn’t been, the operational lesson from Caracas is available. Use it.
