In July of last year, a DJI Mavic 2 drone approached a Pennsylvania power substation. Two 4-foot nylon ropes dangled from its rotors, a thick copper wire connected to the ends with electrical tape. The device had been stripped of any identifiable markings, as well as its onboard camera and memory card, in an apparent effort by its owner to avoid detection. Its likely goal, according to a joint security bulletin released by DHS, the FBI, and the National Counterterrorism Center, was to “disrupt operations by creating a short circuit.”

The drone crashed on the roof of an adjacent building before it reached its ostensible target, damaging a rotor in the process. Its operator still hasn’t been found. According to the bulletin, the incident, which was first reported by ABC, constitutes the first known instance of a modified, uncrewed aircraft system being used to “specifically target” US energy infrastructure. It seems unlikely to be the last, however.

In a response to a request for comment, a DHS spokesperson wrote that the agency “regularly shares information with federal, state, local, tribal, and territorial officials to ensure the safety and security of all communities across the country.”

When it comes to the potential for consumer drones to wreak havoc, experts have sounded the alarm for at least six years, saying that their broad availability and capabilities provide opportunity for bad actors. In 2018, an explosives-laden drone carried out an apparent assassination attempt on Venezuelan president Nicolas Maduro. ISIS and other terrorist groups have used consumer-grade quadcopters for both surveillance and offensive operations.

But the Pennsylvania incident represents an alarming escalation in drone use stateside. The US has had incidents before: A drone landed on the White House lawn in 2015, and a recent surge in drone sightings near airports and other critical sites has sent the FAA scrambling. Until now, those intrusions could be written off as accidental. No longer.

“I am surprised it’s taken so long,” says Colin Clarke, director of policy and research at the Soufan Group, an intelligence and security consultancy. “If you have a modicum of knowledge of how drones work, and you can access some crude explosives or just ram it into things, you can cause a lot of damage.”

The operator of the Pennsylvania drone appears to have attempted a less brute-force approach. But efforts to hide the operator’s identity may have contributed to their failure to connect with the intended target. By removing the camera, the joint bulletin says, they had to rely on line-of-sight navigation, rather than being able to take a drone’s eye view. While this effort failed, the report’s analysts are clear that it’s unlikely to be an aberration; if anything, they expect to see drone activity “increase over energy sector and other critical infrastructure facilities as use of these systems in the United States continues to expand.”

That mounting threat has not been met with proportional mitigations. While the FAA does place limits on where consumer drones can fly, security experts and drone manufacturers alike have urged it to do even more. “Just like the manufacturers of pickup trucks or mobile phones, we have almost no ability to control what people do with their drones once they have them,” says DJI spokesperson Adam Lisberg. “DJI has long supported giving authorities the legal ability to take immediate action against drones posing a clear threat, and we have long supported laws to penalize some intentional misuse of drones.”