US power grid: Lloyd’s assesses an ‘improbable’ but possible cyber attack

Insurers' scenario of large-scale cyber attack on US power grid
US power grid: Lloyd’s and the Centre for Risk Studies at the University of Cambridge created a scenario that would result in outages in 15 US states, affecting 93 million people

Global insurance giant Lloyd’s and the University of Cambridge’s Centre for Risk Studies has released a scenario of a cyber attack on the US power grid.

The report aims to assess the insurance implications of a wide-scale attack that would affect many companies and therefore insurers.

The document – Business Blackout – uses a hypothetical scenario of an electricity blackout that plunges 15 US states including New York City and Washington DC into darkness and leaves 93 million people without power.

Business Blackout states while “improbable, the scenario is technologically possible and is assessed to be within the benchmark return period of 1:200 against which insurers must be resilient”.

Cyber attack on US power grid

The scenario imagines a piece of malware infects electricity generation control rooms in parts of the Northeastern United States.

The malware goes undetected until it is triggered on a particular day when it releases its payload, which tries to take control of generators with specific vulnerabilities.

In this scenario it finds 50 generators that it can control, and forces them to overload and burn out, in some cases causing additional fires and explosions.

This temporarily destabilises the Northeastern United States regional grid and causes some sustained outages.

While power is restored to some areas within 24 hours, other parts of the region remain without electricity for a number of weeks.

Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain.

Under the scenario created by Lloyd’s and the Centre for Risk Studies, the total impact to the US economy is estimated at US$243 billion, rising to more than US$1 trillion in the most extreme version of the scenario.

The total of claims paid by the insurance industry is estimated at US$21.4bn, rising to US$71.1bn in the most extreme version of the scenario.

Using data to assess cyber attack risk

While the report is focused on considerations for employers, it highlights how a relatively small team is able to achieve widespread impact and how a cyber attack could trigger losses across multiple sectors of the economy.

A key recommendation for insurers is to enhance the quality of data available and to continue the development of probabilistic modelling, says the report.

It states: :”The sharing of cyber attack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.”