The Time Has Come to Gauge the Financial Risk of a Major Grid Cyberattack: Lloyd’s

Share Button

grid cyberattackA massive grid cyberattack may sound like the stuff of an apocalyptic movie. But for insurance giant Lloyd’s the prospect carries enough probability to carefully weigh the financial risk.

The cost? As much as $1 trillion if hackers take down just 50 generators out of 700 in 15 states within the Eastern Interconnection, according to a study by Lloyd’s and the University of Cambridge’s Center for Risk Studies.

“Business Blackout: The Insurance Implications of a Cyberattack on the US Grid” is meant to challenge assumptions made within the insurance industry about grid cyberattack. The report depicts in detail what would happen if hackers shutdown the power grid in one-third of US states.

“This scenario shows the huge impact and havoc that could result from a major cyberattack on the US. The reality is that the modern, digital, and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire to cause harm,” said Tom Bolt, director of performance management at Lloyd’s.

Lloyd’s is not alone in its concern. Homeland Security has reported that energy infrastructure is a major target of hostile foreign hackers. Meanwhile, the military has made energy independence a priority for military bases, and has become a major advocate for microgrids and distributed generation. President Obama raised concern about grid hackers in his 2013 State of the Union address.

The report offers a blow-by-blow account of a carefully planned cyberattack that would knock out 18,000 MW in key cities, among them New York and Washington, D.C.

The scenario is disturbing, fortunately improbable, but not impossible, according to Lloyd’s.

With no electricity flowing to 93 million people, the U.S. economy would face a $243 billion loss, rising to more than $1 trillion in the most extreme version of the scenario.

But of course loss of money is only part of the result; heath and safety would be jeopardized too.

“The scenario predicts a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses,” the report says.

grid cyberattackThe attack would not be the work of teen-agers in a basement but of a highly sophisticated, dispersed team that spends months studying U.S. electric markets, control systems, and networks.

“Cyberattacks are often treated as a problem of technology, but they originate with human actors who employ imagination,” said the report.

In the Lloyd’s scenario the hackers install malware that spreads in generator control rooms and sits dormant for months collecting information. The hackers identify and target laptops used by key personnel, phish for routes from corporate computers into control rooms, hack remote systems, or even intrude physically to make system changes.

Free Resource from Microgrid Knowledge White Paper Library

Microgrid Utility Requirements
Navigating Local Utility Requirements for Microgrids: Lessons from New York
Microgrids represent a relatively new concept that requires adapting existing frameworks. Because of that, projects must involve careful coordination between the developer, utility and the developer’s energy consultant to ensure a successful outcome. Download the new white paper from Velioa that explores how to navigate local utility requirements for microgrids.

Read about how to keep the power on when the grid goes down in the Microgrid Knowledge guide,  Reciprocating Engine Generators and Microgrids: The Last Defense Against a Power Outage, available for free download courtesy of Fairbanks Morse Engine.

Within 90 days they identify vulnerable generators, and schedule their attack for a hot July moment when the grid is operating at high capacity so is most vulnerable to failure.

The hackers covertly disable safety devices and send control signals “which open and close the generator’s rotating circuit breakers in quick succession, using the inertia of the generator itself to force the phase angle between supply and load out of sync,” the report said.

The hackers use an approach known as ‘pivoting,’ which describes the ability to establish chain attacks through multiple compromised machines.

Generators catch fire and engines blow apart; grid operators shut down unaffected facilities until they can figure out what’s going on. As more generators go off line, grid frequency destabilizes causing a cascade of more outages. Some generators are out for up to four weeks.

The report envisions few people are hurt at first, but injury and even death occurring as the outage continues through car accidents and heat stress (especially in nursing homes and hospitals where back-up generators fail). Others become sick from contaminated water or by eating spoiled or improperly cooked food, as a two-week supply of diesel fuel runs out for back-up generators at cold storage facilities.

The report cites possible industrial accidents, riots, looting and arson. Sewage overflows as treatment plants fail.

grid cyberattack

The report depicted an outage in the NPCC and RF areas, as defined by the North American Electric Reliability Corp. (NERC).

The economy, of course, takes a beating since most of us rely on electricity to work. Gas stations have no power, so once people run out of fuel they have trouble getting to work. Manufacturing shuts down or operates partially with back-up generators. Maritime port operations are suspended during the power outage, since electricity is needed for loading and unloading container ships.

In all, the report predicts a 100 percent shock to exports and a 50 percent drop in labor productivity as well as consumption — people can’t get cash or use credit cards to buy food and supplies.

Relief efforts become difficult since cell phone batteries have died and there is no electricity for television or the Internet. Airports, trains and subways are shutdown.

This type of hacking would be so complex, it would take months for engineers and government officials to retrace exactly what happened, and a year to fix all of the damage.

Lloyd’s created the report to prepare insurers for what it described as an “improbable but not impossible” scenario and to evoke debate and discussion. We don’t know if such a dramatic event will happen; we do know that the U.S. government, military and industry are engaged in a counter offensive as hackers consistently try to breach utility computers systems.

For the power industry, the report underscores the push for decentralized energy already under way.

The full report is available here.

Share Button

Sign up for our newsletter and get the latest microgrid news and analysis.
Elisa Wood About Elisa Wood

Elisa Wood is the chief editor of MicrogridKnowledge.com. She has been writing about energy for more than two decades for top industry publications. Her work also has been picked up by CNN, the New York Times, Reuters, the Wall Street Journal Online and the Washington Post.

Comments

  1. Elisa,

    Brava!

    These huge exposures exist – perhaps China is testing us. Thanks for bringing energy cyber security to our attention.

    Keep it coming.

    Cameron Carey
    Sustainable Energy Solutions, Inc.

Trackbacks

  1. […] already been spurring microgrid development in the United States — the need for resiliency, cybersecurity, energy efficiency, and remote access to […]

  2. […] Sponsored by Sen. Lisa Murkowski, a Republican from Alaska, who heads the Senate Energy and Natural Resources Committee, and Sen. Maria Cantwell, a Democrat, the bill pushes a range of technologies to upgrade the US energy system, such as microgrids, energy storage and energy efficiency, as well as efforts to improve cybersecurity. […]

  3. […] have already been spurring microgrid development in the United States — the need for resiliency, cybersecurity, energy efficiency, and remote access to […]

Leave a Comment

*