The true cost of cyberattacks


Putting a true cost to cyberattacks is not an easy undertaking, but it is an increasingly important one according to researchers at the University of Oxford.

Cyberattacks on electricity networks in the UK could cost £111 million daily according to new research.

The research has been carried out by Dr Edward Oughton from the UK Infrastructure Transitions Research Consortium (ITRC) at the University of Oxford, and the Centre for Risk Studies at Cambridge Judge Business School.

This article was originally published in Smart Energy International issue 1-2020.

He said: “Critical national infrastructure such as smart electricity networks are susceptible to malicious cyberattacks which could cause substantial power outages and cascading failure affecting multiple business, health and education organisations as well as domestic supply.”

And he warns that such attacks are likely to become more and more prevalent.

In 2015, a cyber-physical attack took place on the Ukrainian electricity distribution network, leading to a loss of power for 225,000 people.

A Worldwide Threat Assessment of the US Intelligence Community report published earlier this year also notes that “China, Russia, Iran, and North Korea increasingly use cyber operations to threaten both minds and machines in an expanding number of ways – to steal information, to influence our citizens, or to disrupt critical infrastructure”.

In a new paper called Cyber-Physical Attacks on Electricity Distribution Infrastructure Networks, Oughton calculates what the GDP losses would be from a similar-sized attack and finds conservative scenarios ranging from £20.6 million for a four-substation event to £111.4 million for a 14-substation incident.

Even though the research focused on conservative scenarios similar in size to the Ukrainian attack, the paper demonstrates that 1.5 million people would be affected even by a relatively small attack.

Oughton said that until he and his fellow researchers carried out this study, little was known about the effects and costs of cyber-physical attacks on electricity networks.

“Such networks are proving to be a point of failure which many people previously thought impermeable.”

Professor Daniel Ralph of the Cambridge Centre for Risk Studies said that the research “will be of interest to governments, private infrastructure operators, commercial consumers of infrastructure services and other stakeholders who want to understand systemic risks from cyber-physical attacks on critical national infrastructure.”

Oughton explained: “Cyberattacks are on the increase and gathering data and modelling the effects of such cyber-physical attacks is essential to develop risk analytics for emerging threats on critical national infrastructure.”

The paper uses the UK as a case study and identifies the direct impact on household and business consumers of power and the indirect impact of a cyber-physical attack on infrastructure beyond electricity, and it provides a greater understanding of systemic risk arising from cyber and smart energy systems.

The research demonstrates that these types of attacks on electricity distribution substations could lead to further indirect cascading infrastructure failures across telecoms, freshwater supply, wastewater and even railways.

Economic impacts and disruptive effects on consumption, labour supply and business confidence are also highlighted, identifying impacts on GDP, capital stock, investment, and other indicators.

This article was originally published by Power Engineering International, a Clarion Energy media brand.