Simon Ruffle and Lee Coppack investigate the possible consequences of cyber-attacks on electricity networks
Modern economic activity depends on a continuous supply of electricity, and any significant interruption to the supply has severe economic consequences. Governments around the world are, therefore, greatly concerned about the economic threat posed by a cyber-attack on such critical infrastructure.
At the Cambridge Centre for Risk Studies, we have created two scenarios to examine the potential financial and economic consequences of sustained power failure resulting from a cyber-campaign against regional electricity distribution networks: one in the UK and one in the US.
Developing a severe cyber-attack scenario without a probabilistic description of expected severities from future events is a statistically challenging task. There is no database containing a century's worth of detailed cyber-attack history to draw upon in designing this study; computers have been with us since the 1940s but have only been ubiquitous since the 1980s.
The rapid pace of change and the increasing interdependency between different sectors of the economy also means that it is difficult to fully predict how technical, social and economic systems will react to large power system failure. Among the methods we used to build these scenarios are:
- Extreme event analysis of available power outage data
- Risk and vulnerability modelling, using a system-of-systems model, to assess how a cyber-attack on electricity distribution substations could lead to failure in other critical infrastructure systems
- Supply-side input-output modelling to capture the economic interdependencies between sectors that feature the largest losses in economic output
- Macroeconomic modelling, using our standardised [email protected] metric, to quantify direct and indirect economic consequences of systemic power-system failure to reveal the overall, long-term effect on the country's economy.
When it came to possible but very unlikely events, we considered: the potential geographical extent of the attack, the regional resilience of the grid, limitations on damage severity and diversity in vulnerabilities. In terms of the attackers, we looked at their access to control systems, their ability to achieve simultaneity and their overall logistics burden - that is, the skills and resources they would need to be successful.
We ran three variants of the principal scenario, designed to correspond roughly to the severity of conventional power capacity losses that might occur as a result of accidental causes or severe weather events with an annual probability of 1-50 years (S1 or standard), 1-100 years (S2), and 1-200 years (X1 extreme).
The results show an enormous range in the economic losses and [email protected] across the three variants, but all indicate how damaging a successful attack could be, even at S1 level. Society, therefore, needs to address the issue of how best to calculate return on investment (ROI) from cyber-security measures for operational technology (OT). With only a brief history of OT attacks, individual organisations can find it difficult to justify investment in cyber-security using traditional ROI thinking.
Evidence from historical outages and indicative modelling suggests that power interruptions already cost the US economy roughly $96bn a year, although the range of estimates is wide. This is an annual figure, not an extreme event. The majority of these costs (67%) are from short interruptions lasting no more than five minutes, and more than 95% of the costs are borne by the commercial and industrial sectors.
An extended and more widespread power loss would have a much more significant effect on the population and business, and hence on the economy.
The categories of economic loss are:
- Direct damage to assets and infrastructure
- Direct loss in sales revenue to electricity companies
- Direct loss in sales revenue to other businesses
- Indirect losses through value chains
- Long-term economic impact as a result of changes in behaviour of market participants.
The economy would suffer both supply- and demand-side shocks. On the supply side, labour would suffer either because people would be unable to get to work, or because their productivity depended on electrically powered technology.
Consumption would drop because people would be unable to complete economic transactions. They could not travel to buy goods and could not make online purchases. Trade would be badly affected as ports would not be able to load and unload goods, and there would be many aviation and railways cancellations and delays.
Social disorder would be likely to follow extended blackouts. Criminals would exploit the lack of lighting and security systems, and people would turn to looting as they ran low on food and water. The death rate would rise from factors like contaminated water and food, lack of heating or air conditioning, difficulties securing repeat prescriptions, and poor emergency response.
All of these factors would have serious negative consequences on market confidence.
Insurers are increasingly offering affirmative cyber-insurance cover for IT risks. Cover for affirmative operational technology (OT) risks is much less common, though such risks may be covered 'silently' if cyber is not excluded in existing 'all risks' property policies.
In our scenarios, claims would come primarily from six classes of policyholder:
- Power generation companies for physical damage and loss of revenue
- Companies supplying power generation companies and defending themselves against liability for their clients' losses
- Organisations that are customers of the electricity companies suffering physical damage and business interruption
- Homeowners who have incurred damages resulting from loss of power, such as loss of freezer contents
- Companies that suffer indirect losses, primarily from business interruption
- Contingency claims for losses such as event cancellation.
Additionally, in the US, there could be claims against directors and officers of companies whose business continuity plan or insurance programme failed to prevent significant losses and the share price slumps.
The worst affected lines of business would be commercial combined (especially from business interruption), cyber-advanced property, and energy downstream and liability. The next tier is commercial facultative, general liability, contingency- film and events, and trade credit. By contrast, motor insurance is likely to see a reduction in claims as people drive less.
Events of the type set out in these scenarios pose a number of complex challenges for insurers that they will have to address for the market to develop new cyber-insurance products. Given the evolving threat landscape, particularly in the OT event domain, insurers need to assess cyber-risk technically rather than statistically. Nevertheless, insurance has the potential to be a valuable tool for enhancing the management of, and resilience to, cyber-risk.
These scenarios are not aimed at highlighting particular vulnerabilities. They are designed to challenge the assumptions of practitioners while highlighting issues that may need addressing in order to improve preparation for these types of events. The results emphasise the need for co-operation and transparent communication between IT and OT functions in order to minimise losses from cyber-attacks, and improve national security. This applies to individual organisations and across various sectors, industries and practices.
Cyber-security and physical security planning that takes place within silos cannot reconcile the systemic vulnerabilities of an interdependent national infrastructure. This is particularly true as natural resources, power, transportation and other aspects of daily life become more integrated in a digital network environment. The macroeconomic impact of an isolated incident does not remain isolated but affects multiple sectors in a multitude of ways.
Scenario 1: UK
In this scenario, a hostile national state with a geopolitical message compromises the electricity distribution network in South-East England with the help of a disgruntled employee within the distribution network service sector. He installs a 'Trojan horse', a rogue piece of hardware, in the operating systems of electricity substations. The Trojan allows the attackers to disable several substations simultaneously via mobile phone.
The attack begins during a winter period, when electricity demand is at its highest.
Using the 'insider', the hostile state is able to target key substations that supply electricity to elements of the UK's critical national infrastructure, including some airports, ports and the London financial district. It takes a week until an engineer discovers the malicious hardware. There is no physical damage to the power network, but rolling blackouts spread the impact beyond the compromised area for at least another week, possibly more.
Some 9 million to 13 million electricity customers are directly affected, depending
on the scenario variant. Knock-on effects include disruption to transportation, digital communications and water services for between 8 million and 13 million people.
Total economic losses to sectors are in the range of £11.6bn (S1 scenario), £29bn (S2) and to £85.5bn (X1). The worst affected business sector is expected to be financial services, with an estimated £1.3bn loss during the period of the outage.
Scenario 2: US
A piece of malware (the 'Erebos' Trojan) is introduced into electricity generator control rooms in north-eastern parts of the US. The malware goes undetected until it is activated one early summer's day. It takes control of 50 generators by exploiting the systemic importance of control rooms and forces them to overload. They burn out in quick succession.
Even unaffected generators across the region are shut down until the cause of the damage can be understood. It is eventually identified as a cyber-attack, but is never attributed to a perpetrator.
The attack triggers a widespread blackout. Fifteen states and Washington DC are plunged into darkness, and 93 million people are left without power. Factories and commercial activity responsible for 32% of the country's economic production come to a halt. Companies, hospitals and public facilities with backup generators are able to continue in operation, but all other activities requiring power are shut down. This includes phone systems, internet, television and radio, street lights and traffic signals.
Within three days, roughly half of the affected area is back on supply, but high-demand regions continue to suffer rolling blackouts for weeks while electricity companies work to repair power distribution. Some areas, including parts of New York City, remain without power for up to two weeks.
The total impact on business sectors is estimated at $60.9bn (S1), $130.2bn (S2) and $222.8bn (X1). Insurance claims would be expected to range from $21.4bn (S1) and $40bn (S2) to $71.1bn (X1).
Full scenarios are available at bit.ly/2aOfnXT
The Cambridge Centre for Risk Studies is part of the Judge Business School at the University of Cambridge
Lee Coppack is a writer on risk and insurance and senior adviser, communications, at the Cambridge Centre for Risk Studies