The Lloyds ‘Business Blackout’ report was co-authored by the insurer and the University of Cambridge Centre for Risk Studies, whilst also seeking the advice of the Cabinet Office, the Department of Homeland Security and security firms including IOActive and Context, among many others.
The report sets out a scenario where a group of hackers, using the Erebos Trojan, seek to infect and take offline electricity generation control rooms to introduce an electricity black-out across 15 states including New York and Washington.
Researchers said that the attack, ‘improbable’ but ‘technologically possible’, would likely result in huge government and insurance pay-outs, as well as a rise in mortality rates, a decline in trade (as ports shut down), a disruption to water supplies (as electric pumps fail), and general chaos on transport networks.
The report, which cites Stuxnet and Shamoon as two high-profile critical infrastructure attacks in recent years, describes how the Trojan would be used to infect electricity generation control rooms in part of the northern US, and would then lie dormant and undetected until instructed to take over the generators by exploiting specific vulnerabilities.
Having taken control of these generators, the group could then, according to the researchers, force them to overload and burn out, causing fires and explosions. This would destabilise the regional grid and cause a power outage, which would last 24 hours in some areas, and weeks in others.
Lloyds and the University of Cambridge said that the attackers could either be cyber-criminals, terrorists or “disgruntled insider” attackers, who might damage anywhere from 50 to 100 power generators, taking them offline in the process.
The financial damage would be anywhere from US$ 243 billion (£157 billion), in immediate and tangential economic loss, up to US$ 1 trillion (£645 billion).
The report says that these hackers would be skilled reverse engineers with knowledge of domestic electricity and energy grid systems, and with the ability to write malware that could spread to generator control rooms without alerting security teams.
They would likely use social engineering and phishing against key personnel to pivot onto the corporate network, and would also remotely compromise control systems, physically intrude into locations used for network monitoring, and plant the malware.
After the blackout, the clean-up operation could take a year, but investigations, particularly into attack attribution, would likely take much longer.
The US government wouldn't be alone in taking a financial hit, according to the report, with the insurance industry also likely to pay anywhere from US$ 21.4 billion (£13.6 billion) to $71.1 billion in the event of an attack like this.
The paper proposes that insurers may have to pay power generation companies, due to damage to generators and business disruption, as well as incident response costs and fines from regulators.
There may also be property losses and claims for business interruption, perishable content and share price devaluation. Homeowners may also have a claim, while speciality cases – like having to cancel a public event – would also have a case.
Despite these claims, the researchers said they would avoid proposing that the US government intervene to cover these costs.
“A cyber-attack of this severity is an unlikely occurrence, but we believe that it is representative of the type of extreme events that insurers should assess in order to understand potential exposures,” said Lloyds in its report summary.
“Insurers should consider cyber-attack to be a peril that could trigger a wide range of economic losses. Cyber-risk is already an embedded feature of the global risk landscape, and insurance has the potential to greatly enhance cyber-risk management and resilience for a wide range of organisations and individuals who are exposed to its impacts.”
Sarah Stephens, head of cyber, technology & media errors and omissions at JLT Speciality, told SCMagazineUK.com that the news was “interesting and timely” for a cyber-insurance market that is still developing.
“One of the biggest concerns right now is about aggregation, of one big systematic loss on a smart grid or cloud service provider, and how these may be paid by non-cyber policies,” she said, citing property and casualty policies as examples.
However, she added that a number of these have CL380 clause exclusions so as to exclude cyber-attacks from their policy coverage, and said that this is a challenge for insurers and underwriters in the face of growing cyber-risks and an immature cyber-insurance market.
“Can we, as a soft market, push for them to delete those exclusions or will they hold firm?” she asked.
Stephens said that the industry has other issues, namely on a lack of financial capacity in the event of a huge, wide-scale cyber-attack as documented in the report, as well as a lack of knowledge of cyber issues at underwriting level and a lack of data.
Asked about the likelihood that such an attack could happen in the UK, she said that the market has the same “liability components” and that “it would have a relatively similar impact” to the US.
Nick Coleman, global head of cyber-security intelligence services at IBM, said that the report was further evidence that cyber-security is hard in the face of skilled and targeted attackers, but cautioned that “it's hard to be precise” on exact data breach numbers.
“It probably rolls into the billions,” he said of current data breaches.
He said the UK government has been aware of the issue since his work on the 2008/2009 ‘Coleman’ report issued to the Cabinet Office.
“Critical infrastructure has been highlighted as a challenge for several years, it's not something new per se.” He added that government recognised too that this was a public-private sector problem, seeing as much of the supply chain resides in the private sector.
Coleman added that national infrastructure attacks may be happening but aren't necessarily reported, and said that could change under the draft new European NIS law.
Meanwhile, Chandra Sekar, director of security research at Illumio, said to journalists: "Legacy security solutions such as firewalls, used extensively by organisations responsible for protecting data and systems, are repeatedly failing to stop these large-scale attacks. Research and observations we've conducted show that many attacks are sophisticated in nature and have the advantage of strong financial and nation-state backing, but in many cases simple, amateurish attacks can just as easily penetrate through perimeter defences and make their way deep inside data centres, where valuable information and systems are under-protected."