Report: Cyber attack on power grid could cost $1 trillion
Energize Weekly, July 22, 2015
The damage from a hack on the U.S. power grid could cost the nation’s economy more than $1 trillion, according to a new report by insurance market Lloyd’s and the University of Cambridge.
The report, titled “Business Blackout”, envisions a “plausible but extreme” scenario where part of the U.S. electrical grid between New York and Washington D.C. is compromised. Around 50 large industrial steam turbine generators are taken offline, causing widespread blackouts affecting 93 million people in 15 states. Mortality rates spike as health and safety systems fails, water supplies are disrupted as electric pumps go offline, ports shuts down and transportation networks plunge into chaos. Power is restored to about 90 percent of those affected within two weeks according to the report’s best-case scenario. In the worst-case scenario, it takes four weeks.
Economic impact from the hack include direct damage to assets and infrastructure, along with loss of sales revenue to businesses and a disruption in supply chain. The total cost to the US economy by the attack is estimated to be $243 billion, but in the most extreme version of the scenario, the cost could exceed $1 trillion.
“This scenario shows the huge impact and havoc that could result from a major cyber attack on the US. The reality is that the modern, digital, and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire to cause harm,” said Tom Bolt, Lloyd’s director of performance management.
The report lays out a number of well-known methods by which a hackers could gain access to power-plant control systems, including targeting laptops and personal electric devices used by key plant personnel as well as “phishing” attacks that compromise a plant’s corporate network then pivots into the control system. The team would then insert malware into targeted generator control rooms, which then reports back information and can receive commands from inside the network. The malware lies dormant for a unspecified period of time, whilst the team gathers critical information about the achievable range of control within the system. In the meantime, power companies may detect increased traffic on their systems, but do not share this with other companies due to concerns about revealing vulnerabilities.
Though in the scenario the team manages to achieve a 10% success rate, that is enough to successfully infect 70 generators. The hackers begin disabling safety systems, opening and closing circuit breakers, forcing the inertia of the generator itself to force the phase angle between supply and load out of sync. This causes the generators to catch fire, with one gas turbine facility completely destroyed in a explosion. The resulting chaos forces companies to start shutting down unaffected generators along with compromised systems until the cause of the attack can be understood.
Blackouts ensue, plunging 15 states and Washington DC into darkness. The attack shuts down factories and commercial activity responsible for 32 percent of the country’s economic output. While hospitals and other public facilities are able to run on backup systems, all other activities requiring power are shut down, including phone systems, internet, street lights, and public transportation systems.
Though the scenario is described as “extreme”, it is not unlike other attempted attacks on critical infrastructure over the past 15 years. There have been at least 15 suspected cyber attacks on the U.S. electrical grid since 2000, according to the report, while the U.S. Industrial Control System Cyber Emergency Response Team says 32 percent of its responses to cyber attacks over the past year have been in the energy sector.