In 2017, it can sometimes seem like power grids are practically crawling with digital intruders. Over just the past four months, news has emerged that Russian hackers penetrated a nuclear power plant, that the same group may have had hands-on access to an American energy utility's control systems, that another group of Kremlin hackers used a new form of automated malware to induce a power outage in Ukraine—and now, this week, that North Korean hackers breached an American energy utility. Reading those headlines, you'd be forgiven for thinking that hacker-induced blackouts were a near-weekly occurrence, not a twice-ever-in-history event.

But as real as the threat of power-utility hacking may be, not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack. What's publicly referred to as a "breach" of an energy utility could range from something barely more sophisticated than a typical malware infection to a nation-state-funded moonshot months or years in the making. Those incidents could also have vastly different consequences, from mere data theft to a potentially catastrophic infrastructure failure.

It's true that the last several years have seen a "stark spike" in hacking attempts on industrial control systems like power utilities, water, and manufacturing, says Rob Lee, a former NSA analyst who now runs the critical-infrastructure-focused security firm Dragos, Inc. But Lee says it's crucial to keep a sense of proportion: Of the hundreds of well-funded hacker groups that Dragos tracks globally, roughly 50 have targeted companies with industrial control systems. Of those, Dragos has found only six or seven groups that have reached into companies' so-called "operations" network—the actual controls of physical infrastructure. And even among those cases, Lee says, only two such groups have been known to actually trigger real physical disruption: the Equation Group, believed to be the NSA team that used the Stuxnet malware to destroy Iranian nuclear enrichment centrifuges, and the Sandworm team behind the blackouts in Ukraine.

So when news arises that hackers have merely "penetrated" an energy utility—as North Korean hackers recently did—receive it with those numbers in mind, and not with the assumption that the next Stuxnet or Sandworm has dropped. "This is a world where people can die," Lee says. "If we come out and say it’s a big deal, it should be a big deal."

To that end, here's WIRED's guide to the different gradations of grid hacking, to help you dial in your panic to the appropriate level for the power-grid penetrations to come. And there will be more.

Step One: Network Breach

When government agencies or the press warn that hackers have compromised a power utility, in the vast majority of cases those intruders haven't penetrated the systems that control the flow of actual power, like circuit breakers, generators, and transformers. They're instead hacking into far more prosaic targets: corporate email accounts, browsers, and web servers.

Those penetrations, which typically start with spearphishing emails or "watering hole" attacks that infect target users by hijacking a website they commonly visit, don't necessarily differ from traditional criminal or espionage-focused hacking. Most importantly, they don't by themselves provide the means to cause any physical damage or disruption. In some cases the hackers may be performing reconnaissance for future attacks, but they nonetheless don't get anywhere near the actual control systems that can tamper with electricity generation or transmission.

Earlier this week, for instance, a leaked report from security firm FireEye raised alarms when it revealed that North Korean hackers had targeted US energy facilities. A follow-up report from security news site Cyberscoop asserted that at least one of those attempts successfully penetrated a US utility. But a subsequent FireEye blog post indicated that its analysts had only found evidence that the hackers had sent a series of spearphishing emails to their intended victims—a fairly routine hacking operation that doesn't appear to have come close to any sensitive control systems.