A Critical Substation, a Cyber Event, and Three Utility Decisions

Why critical transformers need resilience beyond OT cybersecurity

Key Highlights

  • For the subset of transformers a utility cannot afford to lose, total asset loss is no longer a maintenance event. It is a continuity event.
  • OT cybersecurity, relays and fire response remain essential, but they do not control the same millisecond pressure-escalation window inside a transformer.
  • Utilities need a layered resilience model that identifies no-spare assets, tests the real recovery path, and evaluates where engineered physical consequence limitation is justified.

Consider a critical transmission substation — 345/138 kV in North America or 400/230 kV in Europe — serving a hospital corridor, a rail supply point and a fast-growing digital load cluster. One autotransformer is already carrying elevated load because of planned work nearby. There is no transport-ready spare. An OT incident has degraded visibility and slowed operator confidence just as abnormal conditions begin to develop around the transformer. Protection operates. The fault is cleared. But the utility is left with the real resilience question: was the disturbance contained, or has the system just entered a multi-year asset-recovery problem?

That scenario is no longer far-fetched. Utilities on both sides of the Atlantic are operating older fleets, tighter spare strategies, more digital substations, more third-party access paths and more concentrated critical loads. At the same time, transformer replacement timelines no longer fit operating reality. For some assets, the real issue is no longer whether a fault can be detected and cleared. It is whether the utility can avoid the irreversible loss of one of the hardest assets in the network to replace.

Cyber risk sharpens that problem, but it should be described accurately. Cyberattacks do not “blow up transformers” in some simplistic sense. The more rigorous concern is that an OT compromise can reduce visibility, alter control, disrupt protection coordination, delay operator response or create abnormal operating conditions that increase the likelihood or severity of a damaging physical event. In utility terms, cyber risk matters here because it can compress decision time around an already critical asset.

That is why the resilience discussion has to move from the control-system level to the asset level. Relays, breakers, SCADA, diagnostics, site security, fire response and OT cybersecurity all matter. But they do not act on the same variable, and they do not act on the same timescale. Once a severe internal event is underway inside a transformer, the utility is no longer dealing only with detection and isolation. It is dealing with the possibility of rupture, burning oil, collateral damage, long restoration times and loss of system options.

Decision 1: Is this a transformer the system cannot afford to lose?

Not every transformer justifies the same resilience architecture. The first decision is therefore a prioritization decision.

The right candidates are usually not all transformers, but the smaller group whose loss would create disproportionate operational, public-safety or financial consequences. These are often transformers with no viable spare, long logistics, high loading, high fire consequence, difficult siting or critical loads that depend heavily on them. They may sit in urban substations, industrial hubs, offshore platforms, generation evacuation points, transport nodes or fast-growing digital corridors.

This is the point at which resilience planning becomes more disciplined. Instead of asking, “What is our general transformer protection philosophy?” the utility asks, “Which specific transformers would create a continuity problem if we lost them tomorrow?” That shift matters. If there is no viable spare and replacement takes years, total asset loss is no longer a maintenance event. It is a continuity event.

Decision 2: If the event escalates, what is the real recovery path?

Utilities often have robust plans for clearing faults and restoring network function. But a cleared fault is not the same thing as a preserved asset.

In the critical-substation scenario above, the decisive operational difference is not only whether protection trips correctly. It is whether the transformer remains structurally intact, inspectable, recoverable and potentially repairable, or whether the utility is suddenly managing a destroyed asset, contaminated site conditions, fire damage, extended outage risk and a replacement timeline measured in many months or more.

That distinction is easy to underestimate in normal planning discussions. Yet it is exactly where the resilience gap often sits. A utility may successfully isolate the event from the network’s point of view and still lose the asset from a physical point of view. When that happens, the problem changes immediately. It is no longer primarily a protection problem. It becomes a restoration, logistics, engineering, insurance and public-service continuity problem.

For critical transformers, the correct recovery metric is therefore not only “Was the fault cleared?” It is also “Was the asset preserved from the rupture-and-fire pathway?”

Decision 3: What additional layer is justified for that subset of assets?

Once a utility has identified the transformers it cannot afford to lose, and once it has honestly assessed the real recovery consequences of total asset loss, the third question follows naturally: what additional layer is justified for that subset of assets?

This is where asset-level physical resilience enters the discussion.

In SERGI’s view, an Engineered Fast Depressurization System should be understood as a consequence-limitation layer, not as a cybersecurity control. It does not prevent intrusion, manage identities or secure OT architecture. It does something different. For applicable internal arcing scenarios, and with transformer-specific and site-specific engineering validation, it is designed to act in the first milliseconds to relieve internal pressure, reduce the risk of tank rupture and fire, and help preserve the possibility of recovery rather than total loss.

That distinction matters because it places the technology in the right utility context. It is not an alternative to relays, breakers, monitoring, fire protection or cybersecurity. It is a complement to them. It addresses the narrow but highly consequential window in which internal pressure escalation can determine whether the event remains a severe but manageable incident, or becomes irreversible asset loss.

This is also why the discussion should not turn into a debate between cyber and physical. The strongest resilience strategies require both. Utilities need stronger OT cybersecurity to reduce the probability of compromise, better visibility and coordination to improve response, and selective use of asset-level physical resilience where system consequence justifies it.

The ageing-fleet issue makes this even more pressing. Many utilities are already operating transformers that remain strategically important even if they are no longer young assets. In those cases, the real planning challenge is not simply replacement. It is preserving serviceable, difficult-to-replace assets for as long as system needs require, while avoiding failure modes that turn an operational event into a major reconstruction program.

The workforce issue matters too. When a critical transformer is lost, the problem is not just finding a replacement unit. It is mobilizing engineering judgment, transport, site work, repair resources and restoration planning under pressure. That makes preserved recoverability a strategic advantage. Spare time, spare skills and spare options are now as important as spare equipment.

The policy direction is moving the same way on both sides of the Atlantic. In Europe, NIS2 and the CER framework are making cyber and physical resilience of critical entities part of the operating baseline, while Horizon Europe is turning that agenda into concrete research and deployment themes such as critical-infrastructure stress tests and physical protection. In the United States, even at the proposal stage, H.R. 7977 is a signal that transformer resilience is rising on the public agenda. Utilities do not need to wait for legislation to understand the operational message: these assets are becoming harder to replace, more exposed and more strategic.

The practical conclusion is straightforward. OT cybersecurity remains indispensable. Electrical protection remains indispensable. Monitoring, site security, emergency preparedness and spare strategy remain indispensable. But for the subset of transformers the system cannot operationally absorb losing, an additional layer of engineered physical consequence limitation deserves serious consideration.

The critical-substation scenario at the start of this article is therefore more than a thought experiment. It is a planning test. If a severe event reaches one of your hardest-to-replace transformers tonight, what exactly happens next? Do you have visibility? Do you have control? Do you have a credible recovery path? And above all, do you have a realistic way to keep that asset out of the rupture-and-fire pathway?

For utilities, that is becoming one of the defining resilience questions of the next decade.
Author bio

Antoine Magnier is President & CEO of SERGI, a French engineering group focused on the protection of critical energy infrastructure and the physical resilience of strategic transformers.

This content is sponsored by: