If the UK power supply were to be hit by a catastrophic cyber-attack, realistically, how might it happen and what would the economic consequences be? Those were questions that researchers at the Cambridge Centre for Risk Studies examined in a new report out yesterday: Integrated Infrastructure: Cyber resiliency in Society, funded by Lockheed Martin.
As always, the answers in our sector are, it depends – but in the worst case scenario looked at – losses over five years could total £442 billion wiped off UK GDP. And the most plausible route chosen was not a direct hit on a control centre, but bringing down substations and causing blackouts over several weeks with power down for half the period for up to 13 million people.
In all three scenarios, dubbed S1, S2 and X1, the impact on GDP was almost five times that of the direct costs, so in addition to power loss, the affected population suffered knock-on effects including disruption to transportation, digital communications and water services.
For the S1 scenario 65 substations serviced by one Distribution Network Operator are disabled during a three week attack causing a series of rolling blackouts for half the attack duration; S2 doubles to 95 substations under a single DNO over six weeks; X1 envisages 125 substations hit over 12 weeks, and goes beyond the DNO region to include substations serving Heathrow airport.
The losses were calculated by projecting expected GDP for five years, then projecting the impact of the attacks, and in simplistic terms, on a line graph, the difference between the two lines illustrates the extent of the loss. Obviously calculation of the extent of loss was far more complex as the report details.
In the worst case scenario projections may never return to their earlier position, for example if Heathrow were closed for an extended period its role in Europe it may be lost to its ‘temporary' replacement.
Among other knock-on effects would be the loss of up to a million train journeys per day, and the productivity loss of those workers not getting to work; up to 300,000 airport journeys per day could be lost, as well as 40 to 55 percent of UK port freight with shortages of food and fuel causing further economic damage.
For S1 the direct economic impact is estimated at £7.2 billion with an indirect impact of £4 billion in supply chains, and a £49 billion GDP loss over five years. For X1 this rises to £53.6 billion direct economic impact, £31.8 billion indirect impact, and £442 billion GDP loss over five years.
The scenario entailed a disgruntled employee of a sub-contractor teaming up with a hostile nation-state actor with commensurate capabilities, supplying the method and means, installing Trojan Horse rogue hardware over a six month period, able to take out several stations at once to overcome redundancy. Controlled by mobile phones, malware would infect the substations' control systems, preventing electricity distribution even when switched off. The attack would take place in winter, for peak demand, and defenders would not initially realise it was a systematic attack.
Cascading infrastructure failure would be caused until the first Trojan hardware is identified and removed, then subsequently others.
This is NOT a likely attack, even though theoretically possible. When asked by SCMagazineUK.com about the probability of such an attack, it was not quantified, but described as being in the order of a one in hundred years event. Daniel Ralph, academic director of the Centre for Risk Studies and Professor of Operations Research told SC: "These scenarios are deliberately extreme, but provide a good model for testing to help build reslience, to learn how to recover, or adapt. More requirements for reporting (of attacks by operators) will also help (though) electricity companies are already sharing information and this is helping setting standards."
A government official statement emailed to SC noted: “The scenarios set out in this report are hypothetical. The authors of this report are clear that it is improbable that a cyber-attack with implications matching those described could be launched in the UK.”
Dr Edward J Oughton, research associate at the Centre for Risk Studies, Judge Business School, University of Cambridge, explained to SCMagazineUK.com “In this report we have demonstrated an impact assessment methodology for understanding the disruption costs from this particular attack scenario. ... future research can utilise this methodology for assessing the potential costs associated with a range of cyber-attacks. Ultimately this quantification allows industry and government to begin to undertake more comprehensive cost-benefit analysis of risk mitigation strategies.” Oughton adds that the UK's Infrastructure Transitions Research Consortium (ITRC) - a research partner in the report, used analysis methods based on many years' work funded by the Engineering and Physical Science Research Council (EPSRC).
The extent of government responsibility for this risk was questioned, given that the infrastructure is most likely to be private sector owned and run, yet the country's broader interests are clearly at risk if critical infrastructure were to be hit in this way.
A government spokesperson present at the launch confirmed to SC that the government is indeed keen to play its part, telling SC: “Cyber-security is a top priority for the Government. We have already invested £860 million in defending the UK against cyber attacks, with a further £1.9 billion dedicated to this issue.
“We constantly work with industry to ensure we are prepared for, and can defend against, potential risk. The UK has one of the most reliable electricity systems in the world, with dedicated cyber-experts and teams in place to protect it.”
When asked what power companies should do to prevent such scenarios occurring, Eireann Leberett, senior risk researcher at the Cambridge Centre for Risk Studies and founder at Concinnity-risks told SC: "It will depend on the configuration of the set up at each company, but start with the basics, use pen-testers, speak with vendors in the sector, use best practice to identify insider threats, and look at where cyber-insurance can play a part, as well as liaising with the relevant government bodies."