How Exposed are Key U.S. Airports, Oil refineries, and Nuclear Power Plants to Drone Threats?

Despite escalating warnings from federal agencies and a documented surge in drone incursions across the homeland, the vast majority of US critical national infrastructure (CNI) remains unprotected against unmanned aerial system (UAS) threats. To understand the true extent of this gap, we have evaluated the current state of counter-UAS (C-UAS) deployment across three high-risk categories in this analysis: the top 30 US airports by passenger volume, the top 20 oil refineries by capacity, and the 54 operating commercial nuclear power plants.

The findings reveal a severe vulnerability gap. While federal authorities have initiated test-bed programs and limited deployments, an estimated 93% of the 54 nuclear sites, 90% of the top 20 oil refineries, and 63% of the top 30 airports lack comprehensive, layered C-UAS protection. 

The financial barrier to closing this gap is substantial but quantifiable. Modeling the cost of layered RF detection, command and control, and non-kinetic mitigation systems indicates that securing these 104 critical sites would require approximately $189.6 million in Year-1 capital expenditure, with a five-year total cost of ownership (TCO) reaching $355.1 million. 

The recent passage of the SAFER SKIES Act provides a legislative pathway for state and local law enforcement to mitigate drone threats, but without dedicated, large-scale funding and accelerated deployment timelines, the airspace above America's most vital economic and security assets remains dangerously porous.

Are Drone Threats Differerent Across Critical Industries?

The threat posed by unauthorized UAS operations is now an active, daily operational hazard. Drones are inexpensive, highly capable, and easily modified to bypass traditional ground-based physical security measures. The Department of Homeland Security (DHS) 2025 Homeland Threat Assessment explicitly highlights the risk, noting continuous and concerning UAS activity over sensitive critical infrastructure sites. These incursions have the potential to interfere with regular facility operations, disrupt emergency responses, and provide malign actors with intelligence.

The threat vector is not uniform; it spans a spectrum of risks, from careless hobbyists to coordinated espionage and potential kinetic attacks. In the aviation sector, drones present a direct collision hazard to commercial aircraft during critical phases of flight.

For the energy sector, the risk profile includes the delivery of explosive payloads or the disruption of highly volatile industrial processes. The ongoing conflict in Ukraine and the recent Iran war have provided a stark demonstration of this capability, where long-range drone strikes have systematically targeted and severely damaged oil refineries and energy infrastructure.

Domestically, the threat is characterized by a high volume of surveillance and reconnaissance flights, which security experts assess as potential precursor activity for more coordinated disruptions. The regulatory environment has historically compounded this vulnerability. Until the enactment of the SAFER SKIES Act in December 2025, the authority to actively mitigate (jam, seize control of, or destroy) a drone was strictly limited to a narrow set of federal agencies under 6 U.S.C. § 124n.

This left critical infrastructure operators and local law enforcement in a position of passive observation, legally prohibited from intervening even when a clear threat was identified. While the new legislation expands mitigation authority to authorized State, Local, Tribal, and Territorial (SLTT) agencies, the physical deployment of the necessary technology lags significantly behind the evolving threat.

How Vulnerable are Major U.S. Airports to Drone Threats?

The airspace surrounding major commercial airports represents the most acute intersection of high-volume drone activity and catastrophic risk. The Federal Aviation Administration (FAA) receives over 100 reports of UAS sightings near airports each month. An analysis of aviation safety databases revealed that in 2024, drones were involved in nearly two-thirds of reported near-midair collisions at the 30 busiest US airports.

Current Airspace Security Baselines at Airports

Despite the clear and present danger, comprehensive C-UAS deployment at major US airports remains in its infancy. The FAA and the Transportation Security Administration (TSA) have established C-UAS Test Bed Programs to evaluate technology in operational environments. However, these are primarily evaluative rather than permanent, comprehensive defensive postures.

Based on current deployment data and federal testing locations, it is estimated that only 3 of the top 30 US airports possess a fully integrated, layered C-UAS capability that includes both advanced detection and authorized mitigation protocols.

An estimated 8 additional airports have deployed partial solutions, primarily focused on RF detection and early warning, but lack the capability or authority to actively neutralize a threat. The remaining 19 major hubs rely on standard FAA flight restrictions and visual spotting, leaving them fundamentally unprotected against a determined intrusion.

Collision Risks and Economic Impact of Drone Incursions

The primary risk at airports is a collision between a drone and a commercial aircraft during takeoff or landing. Beyond the kinetic risk, the mere presence of an unauthorized drone frequently necessitates the suspension of flight operations. The economic impact of these shutdowns is severe. A four-hour shutdown at a major international hub can disrupt hundreds of flights, affecting tens of thousands of passengers, and saddle airlines and airport operators with direct financial losses ranging from $5 million to $10 million per incident.

How Vulnerable are Major US Oil Refineries to Drone Threats?

The C-UAS architecture at major US oil refineries is alarmingly deficient. The US petroleum refining sector is highly concentrated, with the top 20 refineries accounting for a significant portion of the nation's processing capacity. These facilities are sprawling, complex industrial environments processing highly volatile and flammable materials.

The Lack of RF Detection and Mitigation Systems

Unlike the aviation sector, which benefits from direct FAA and TSA oversight regarding airspace security, the energy sector relies heavily on private-sector security initiatives guided by the Cybersecurity and Infrastructure Security Agency (CISA). CISA has issued "Be Air Aware" guidance, urging critical infrastructure operators to implement UAS detection technologies.

However, industry adoption has been slow, hindered by high costs and, until recently, the lack of legal authority to mitigate threats. It is estimated that none of the top 20 US oil refineries currently operate a full, active C-UAS mitigation system. Approximately 2 facilities are believed to have implemented advanced RF detection systems to monitor their airspace, while the remaining 18 rely entirely on traditional ground security and perimeter fencing.

Kinetic Risks to Energy Infrastructure

Refineries are high-value targets for both espionage and sabotage. Drones can be used to conduct detailed reconnaissance of facility layouts, security patrols, and operational vulnerabilities. More critically, the global precedent set by the systematic drone targeting of Russian energy infrastructure demonstrates the viability of using small, explosive-laden UAS to initiate catastrophic fires or disrupt critical processing units. A successful attack on a top-tier US refinery would not only cause massive localized damage and environmental hazards but could also trigger severe disruptions in regional fuel supplies and broader economic instability.

How Vulnerable are Key U.S. Nuclear Power Plants to Drone Threats?

The United States operates 54 commercial nuclear power plants, representing the most heavily guarded civilian infrastructure in the nation. While these facilities are designed to withstand extreme natural disasters and specific design basis threats, including armed ground assaults, they remain heavily exposed to hybrid drone threats. The airspace overhead these nuclear sites is inadequately equipped to respond to non-traditional aerial threats, becoming a critical vulnerability.

NRC Reporting and the Surge in Hostile Drone Reconnaissance

In 2024, the Nuclear Regulatory Commission (NRC) updated its regulations to mandate the reporting of drone sightings over nuclear facilities. The resulting data revealed a massive uptick in incursions. In just one week in December 2024, the number of reported drone flyovers nearly doubled, bringing the annual total to at least 26 official incidents.

Despite this surge in hostile reconnaissance, commercial nuclear power plants lack the authority to interdict or shoot down aircraft, including drones. The NRC explicitly states that nuclear plant security forces do not possess this authority. While the Department of Energy (DOE) is seeking authority to defend its own nuclear facilities under the FY26 National Defense Authorization Act, this does not extend to the civilian commercial fleet.

Consequently, an estimated 50 of the 54 operating sites have no dedicated C-UAS detection or mitigation hardware deployed. Approximately 4 sites have begun integrating basic RF detection capabilities, but zero sites possess a full, active defense system.

Swarm Attack Risks to Ancillary Grid Systems

While the reactor containment buildings are robustly hardened and unlikely to be breached by a small commercial drone, nuclear facilities possess numerous vulnerable ancillary systems. Switchyards, transformer stations, and spent fuel storage areas are potentially susceptible to targeted drone strikes. A coordinated drone swarm attack, as simulated in recent North American Electric Reliability Corporation (NERC) grid security exercises, could target these external components to sever the plant's connection to the grid or disrupt critical cooling systems.

Quantifying the Solution: The Cost of Layered C-UAS Deployment at Critical Infrastructure Sites

To move beyond qualitative assessments, this analysis developed a cost-to-secure model to estimate the financial requirements for deploying a layered C-UAS defense across the identified infrastructure categories. The model assumes a comprehensive architecture comprising RF detection and sensor arrays (radar, electro-optical/infrared), a command and control (C2) software platform, a non-kinetic mitigation system (e.g., RF cyber-takeover or smart jamming), installation, and operator training.

The cost estimates are derived from industry pricing data, recent government contract awards, and total cost of ownership (TCO) analyses.

Extrapolating these midpoint costs across the unprotected and partially protected sites reveals the total financial commitment required to close the security gap. For sites with partial protection (detection only), the model assumes an upgrade cost equal to 50 percent of a full deployment.

The total Year-1 capital required to secure the 104 critical sites across all three categories is estimated at $189.6 million. Over a five-year period, factoring in maintenance, software licensing, and dedicated staffing, the Total Cost of Ownership reaches $355.1 million.

While these figures are substantial, they must be weighed against the cost of inaction. A single drone-induced shutdown at a major airport can result in $10 million in economic losses. A successful strike on a refinery or a disruption at a nuclear facility would carry economic and environmental costs orders of magnitude higher than the price of a defensive system.

How the US Can Better Protect its Critical Infrastructure Against Drone Threats?

The current trajectory of drone technology is outpacing the deployment of defensive countermeasures at US critical infrastructure. To close this gap, a coordinated effort between federal regulators, state and local law enforcement, and private industry is required.

1.Accelerate SAFER SKIES Implementation: The passage of the SAFER SKIES Act provides the necessary legal framework for SLTT agencies to mitigate drone threats. The Department of Justice and DHS must rapidly issue standardized operational guidelines and rules of engagement to allow local law enforcement to partner with critical infrastructure operators and deploy active mitigation systems without delay.

2.Expand Targeted Federal Funding: The $500 million FEMA C-UAS Grant Program is a critical first step, but its initial focus is heavily skewed toward high-profile public events (e.g., the FIFA World Cup). Congress should authorize a dedicated, multi-year funding stream specifically earmarked for the procurement and integration of C-UAS technology at high-risk fixed infrastructure, particularly airports and energy facilities.

3.Mandate Airspace Security Baselines: CISA and sector-specific agencies (TSA, DOE, NRC) should transition from issuing voluntary guidance to establishing mandatory airspace security baselines. Facilities designated as high-risk should be required to implement, at a minimum, continuous RF detection and tracking capabilities, integrated with local law enforcement response protocols.

4.Extend Mitigation Authority to Civilian Nuclear Operators: The NRC and Congress must address the glaring vulnerability at commercial nuclear power plants. Legislation should be drafted to grant civilian nuclear security forces the explicit authority to utilize non-kinetic C-UAS mitigation technologies to defend their airspace, mirroring the authorities currently being sought for DOE-operated facilities.

The data is unequivocal: the skies above America's most critical infrastructure are largely unprotected. The technology to secure this airspace exists, and the cost of deployment is quantifiable and justifiable. The remaining barrier is the political and institutional will to execute a comprehensive defensive strategy before the next drone incursion escalates from a nuisance to a national crisis.