A cyber attack on the United States power grid, causing outages and damage to infrastructure, could have a major impact on the country’s economy, costing up to $1 trillion in the most extreme scenario.
A recent report, produced by the University of Cambridge’s Centre for Risk Studies and Lloyd’s of London insurance, outlines the potential implications of this hypothetical scenario, which is caused by a piece of malware infecting electricity generation control rooms across the east coast of the U.S.
“The scenario predicts a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses,” the Business Blackout report (PDF) explains.
In the “improbable” but “technology possible” scenario, the malware goes undetected until malicious actors trigger the release of its payload, taking control of generators with known vulnerabilities.
The result is the takedown of dozens of generators as they are forced to overload and burn out, leaving 93 million people in the dark across 15 states, including Chicago and New York, as well Washington D.C. Power is restored to some areas within 24 hours, while other parts of the region would remain without electricity for weeks.
“Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain,” read the report.
According to the report, the total financial impact to the United States economy is estimated at between $243 billion to more than $1 trillion in the most catastrophic situation.
The report states that the US Industrial Control System Cyber Emergency Response Team (ICS-CERT) reported that 32 percent of its responses to critical infrastructure cyber security threats occurred in the energy sector last year, making it the most impacted industry compared to other services and utilities.
“Cyber attacks are often treated as a problem of technology, but they originate with human actors who employ imagination and surprise to defeat the security in place,” said Lloyd’s Director of Performance Management Tom Bolt.
“The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than defenders could remedy them,” Bolt adds.
A recent Tripwire survey found that nearly half of energy executives and IT professionals believed their organization could detect a cyber attack on a critical system within 24 hours. Meanwhile, 86 percent said it would take them less than a week to detect the breach.
As Mark Weatherford, principal at The Chertoff Group explains:
“Cybersecurity within energy companies is stronger than it has ever been, yet growing bodies of evidence indicate that it’s still far too easy to compromise the energy infrastructure.”