The cost? As much as $1 trillion if hackers take down just 50 generators out of 700 in 15 states within the Eastern Interconnection, according to a new study by Lloyd’s and the University of Cambridge’s Center for Risk Studies.
“Business Blackout: The Insurance Implications of a Cyberattack on the US Grid” is meant to challenge assumptions made within the insurance industry about a grid cyberattack. The report depicts in detail what would happen if hackers shut down the power grid in one-third of US states.
“This scenario shows the huge impact and havoc that could result from a major cyberattack on the US. The reality is that the modern, digital, and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire to cause harm,” said Tom Bolt, director of performance management at Lloyd’s.
Lloyd’s is not alone in its concern. Homeland Security has reported that energy infrastructure is a major target of hostile foreign hackers. Meanwhile, the military has made energy independence a priority for military bases, and has become a major advocate for microgrids and distributed generation. President Obama raised concern about grid hackers in his 2013 State of the Union address.
The scenario is disturbing, fortunately improbable, but not impossible, according to Lloyd’s.
With no electricity flowing to 93 million people, the U.S. economy would face a $243 billion loss, rising to more than $1 trillion in the most extreme version of the scenario.
But of course loss of money is only part of the result; health and safety would be jeopardized too.
“The scenario predicts a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses,” the report says.
“Cyberattacks are often treated as a problem of technology, but they originate with human actors who employ imagination,” said the report.
In the Lloyd’s scenario the hackers install malware that spreads in generator control rooms and sits dormant for months collecting information. The hackers identify and target laptops used by key personnel, phish for routes from corporate computers into control rooms, hack remote systems, or even intrude physically to make system changes.
Within 90 days they identify vulnerable generators and schedule their attack for a hot July moment when the grid is operating at high capacity and so is most vulnerable to failure.
The hackers covertly disable safety devices and send control signals “which open and close the generator’s rotating circuit breakers in quick succession, using the inertia of the generator itself to force the phase angle between supply and load out of sync,” the report said.
The hackers use an approach known as ‘pivoting,’ which describes the ability to establish chain attacks through multiple compromised machines.
Generators catch fire and engines blow apart; grid operators shut down unaffected facilities until they can figure out what’s going on. As more generators go offline, grid frequency destabilizes, causing a cascade of more outages. Some generators are out for up to four weeks.
The report cites possible industrial accidents, riots, looting and arson. Sewage overflows as treatment plants fail.
The report depicted an outage in the NPCC and RF areas, as defined by the North American Electric Reliability Corp. (NERC).
The economy, of course, takes a beating since most of us rely on electricity to work. Gas stations have no power, so once people run out of fuel they have trouble getting to work. Manufacturing shuts down or operates partially with back-up generators. Maritime port operations are suspended during the power outage, since electricity is needed for loading and unloading container ships.
In all, the report predicts a 100 percent shock to exports and a 50 percent drop in labor productivity as well as consumption — people can’t get cash or use credit cards to buy food and supplies.
Relief efforts become difficult since cell phone batteries have died and there is no electricity for television or the Internet. Airports, trains and subways are shut down.
This type of hacking would be so complex that it would take months for engineers and government officials to retrace exactly what happened, and a year to fix all of the damage.
Lloyd’s created the report to prepare insurers for what it described as an “improbable but not impossible” scenario and to evoke debate and discussion. We don’t know if such a dramatic event will happen; we do know that the U.S. government, military and industry are engaged in a counteroffensive as hackers consistently try to breach utility computer systems.
For the power industry, the report underscores the push for decentralized energy already under way.
The full report is available for free download here.
Elisa Wood is an editor at EnergyEfficiencyMarkets.com. She has been writing about energy for more than two decades for top industry publications. Her work has been picked up by CNN, the New York Times, Reuters, the Wall Street Journal Online and the Washington Post.