< Back to Blog

It's time for CRE to pay attention to grid security

The future of the U.S. energy grid has never been so uncertain. On the one hand, the advantages of a smart grid are pushing us toward a further integrated and inter-reliant system. On the other, ecological and stability concerns are leading to the creation of self-reliant microgrids. In light of recent events, digital security may soon become another incentive for businesses and communities to insulate themselves from a potential grid failure.

Cybersecurity experts have warned about the potential for an attack on major electrical infrastructure for decades, but the first public case of it actually happening occurred at 3:30 p.m. on December 23, 2015, in Western Ukraine. An operator in the Prykarpattyaoblenergo control center watched in horror as his mouse was taken over remotely and used to open substation breakers one by one. Two other distribution centers were hit at the same time in a coordinated attack, and backup power to two of the distribution centers was taken off also, leaving a total of 230,000 residents without light or heat until the 30 odd power stations could be brought back online.

Then, on December 16, 2016, almost one year later to the day, it happened again. Hackers shut down a Kiev transmission station carrying 200 megawatts to the capital region, amounting to more power than was brought down by all three control centers in the 2015 attack combined. Power was down for only an hour, but the attackers appeared to have learned considerably more sophisticated techniques this time around. Even scarier - security experts who examined the digital attacks say that the hackers could have gone further than they did. They could very likely have kept power down for longer or even caused permanent damage to the grid, but instead opted to hold back.

Oleksii Yasinsky, a chief forensic analyst at a Kiev digital security firm, told Wired that the attacks so far amount to practice runs, like students “studying for an approaching final exam.” American experts that Wired spoke to concurred.


Assessing the threat to American infrastructure

The primary concern for American businesses is the possibility of a similar attack happening here. Infrastructure security experts believe that it could.

The second attack in Ukraine relied on a piece of malware known as “CrashOverride,” which was able to speak directly to the grid’s control system protocols. It was programmed to scan the Ukrainian network, choose targets, and then launch at a preset time without requiring further communication. Researchers explained that CrashOverride is designed to be modular, meaning that it could be retooled to disrupt grids all over the world with knowledge of the local control system protocols.

“The people who understand the U.S. power grid know that it can happen here,” Robert Lee, a digital security expert and former intelligence worker, told Wired.

While digital security is more robust in the U.S., especially for critical infrastructure, it is also a lot more digital. This means that there are more potential targets for sophisticated hackers. The alleged and most likely source of the attacks is Russia, which has already shown a willingness to turn its digital prowess against the U.S., so an attempt on American infrastructure is by no means out of the question.

A group of 19 U.S. Senators delivered a letter to the president Thursday outlining their concerns about the potential for just such an attempt. This letter followed up on a previous letter in which the Senators had requested a thorough analysis of Russian capabilities for conducting a cyberattack on energy infrastructure. Instead of conducting the assessment, the letter notes, the administration proposed a major cut to the budget for the Office of Electricity Delivery and Energy Reliability.

“How can our government protect our national security assets if the administration does not allocate the necessary resources?” the letter asks. “We are deeply concerned that your administration has not backed up a verbal commitment prioritizing cybersecurity of energy networks and fighting cyber aggression with any meaningful action.”


What this means for the CRE industry

The risk of a cyberattack on the grid isn’t going away anytime soon. Disruption to the grid affects industries across the economy, but commercial real estate is especially tied into the use of energy. Segments of the CRE industry that serve tenants that require a high level of reliability may in particular need to consider the potential for impact on their business models considering the prevalence of penalty clauses in these verticals.

In the short term, CRE leaders should consider making their concerns about the grid’s digital security known to government groups, including the current administration. Pressure from the business sector has proven itself to be one of the most effective means of enacting course corrections in recent years. In the long term, if grid attacks become more common, it may be time to start thinking about investing in mitigating strategies against disruption, like microgrids.

Microgrids are an increasingly popular strategy in verticals where total reliability is important, especially medical or scientific research, or in areas that lack reliable grid coverage. A microgrid is a localized grid that can disconnect from the larger grid and function autonomously, sometimes temporarily and sometimes on an ongoing basis. In areas with no grid coverage, microgrids can be built to operate in complete isolation.

Microgrids make up just 0.1 percent of the installed capacity in the U.S. - just about 1.3 gigawatts in 2015 - but that capacity is slowly increasing as profitable use cases are identified and costs come down. If grid instability becomes a way of life, they may find a larger role in the American real estate sector.

As of today, there are no adversarial powers with the capability to conduct a major grid attack against the U.S. and the will to face down the consequences afterword. The retribution that Russia or another power would face for disrupting the American grid is far greater than the retribution for disrupting the Ukrainian grid. As Thomas Rid, a War Studies professor at King’s College London pointed out, the Kremlin meddled in Ukrainian elections years ago, faced no consequences, and a short time later employed the same tactics in Germany, France, and the United States. Now, it appears to be testing grid disruption tactics. It isn’t hard to imagine that, absent a frank conversation and much need action on grid security, those tactics will be someday applied here as well.