14 September 2015 Insurance

Who turned the lights out?

The US power grid and the power plants that it relies on are vulnerable to disruption by hackers, which could potentially lead to the lights going out over a large part of the continent, according to a new report from Lloyd’s.

The July 2015 report—Business Blackout; the insurance implications of a cyber attack on the US power grid—was produced with the help of the University of Cambridge’s Centre for Risk Studies and looks at the implications of an organised hacker attack on US power stations, inserting custom-made malicious software (malware) into control rooms that would then make power generators operate in such a way that they would seize up or even catch fire.

According to the report, a successful malware attack that disabled just 50 major generators would overload the system and cause a cascade failure across an entire region. This scenario, which would be difficult but not impossible to carry out, would leave around 93 million people without power for anything from a few days to a few weeks.

“We were trying to convey how hard it is actually to carry out a successful cyber attack on this scale,” says Andrew Coburn, director of the advisory board at the Centre for Risk Studies and senior vice president of RMS.

“Lloyd’s asked us to help raise awareness with insurers that physically destructive attacks are possible. The attack is quite plausible, but it is also quite an extreme one. We analysed what it would take to bring down a region of the US power grid. You have to remove more generating capacity than can be replaced by the ‘spinning and frequency response reserve’—the spare capacity in the system,” he says.

“This would trigger a failure that would then cascade and cause an outage across an entire region. You’d have to take out at least 50 large generators, which means that you’d need to infect quite a large number of control rooms, and do it without detection. The whole scale and ‘logistical burden’ of the attack would be a challenge.”

Costly implications

The bill from such an attack would be a substantial one. Lack of power would shut down businesses all over the affected area, with everything from computers to machine tools to refrigerators shutting down. Ports would be frozen for lack of power to the cranes used to unload ships, telephone systems would go dead, traffic lights would go dark, causing chaos on the streets, and water supplies would fail.

Although some buildings would have backup generators, these might not have the fuel to stay on for very long. And if the blackout occurred during a heatwave then air-conditioning would go off.

The study looked at three different scenarios, in which the power was off for differing periods of time. The first scenario, mentioned above, would lead to economic losses of $60.9 billion (£39 billion).

In scenario two, with the restoration of full power across the region taking an additional week, the economic losses would amount to $130.2 billion; in the third (and most extreme) scenario, with four weeks to full power restoration, the bill would come to $222.8 billion.

Insured losses for the three scenarios would also be substantial. The first scenario might see insured losses of up to $21.4 billion, with the other two producing losses of $39.9 billion and $71.1 billion, all from a combination of property damage, business interruption, liability, contingent business interruption, D&O liability, household contents and event cancellation.

The likelihood of such an attack is higher than many might think. In 2009 word started to circulate in the cyber community of a new and highly advanced piece of malware that was later named Stuxnet.

Where it originated is still a hotly debated mystery, but it seems to have been deliberately targeted at computer systems that were linked to centrifuges used to enrich uranium in nuclear facilities in Iran, in order to make as many machines as possible malfunction and then break down.

“Stuxnet was the highest profile of a whole category of operational technology (OT) attacks,” says Coburn. “Most cyber attacks people think of are information technology (IT) attacks—attacks on digital assets. With OT attacks you’re targeting the control systems of physical assets, where you’re attacking objects in the real world.

“There have been several hundred of these attacks in the past few years, of which Stuxnet is high profile now because it was very effective in taking down centrifuges in the Iranian nuclear development process.

“As we increasingly put control systems online, more attacks are occurring because they’re more accessible. Attackers are gradually seeing more opportunity in OT attacks, as there are more targets to attack.”

Widespread attacks; unknown attackers

Other attacks have followed in recent years. According to the Lloyd’s report, from 2010 to 2014 a number of defence, aviation and energy companies reported malware attacks that amounted to espionage from unknown hackers, while in August 2012 oil company Saudi Aramco reported a cyber attack that left 30,000 workstations knocked out due to data being wiped off them.

One more recent attack was not listed in the Lloyd’s report, but has been reported by numerous media sources. In December 2014 an unnamed German steel mill sustained severe damage to a blast furnace after a hacker gained access to the control room and downloaded malware.

“There are two key reasons for the report,” says Nick Beecroft, manager, emerging risks and research at Lloyd’s of London. “One is that we are seeing demand for insurance cover against cyber attacks increasing and also broadening to include an increasing range of different types of impacts that cyber attacks can have, so partly it’s about this demand.

“It’s also about wanting to investigate the uncertainty that exists around the idea that cyber is a peril that could trigger losses across a wide spectrum of insurance classes, so we wanted to devise a scenario that we thought was representative of the sort of event that insurers should be considering for their own portfolio of exposure management and also representative of the sort of perils and impacts that clients are exposed to and seeking solutions for.

“It’s about investigating new capabilities and the new vulnerabilities that are emerging. As more aspects of our society become connected to digital networks it opens up opportunities for a whole variety of different actors with different motivations, and the potential for serious disruption through cyber attacks is growing,” Beecroft adds.

“We’ve also seen new threats in terms of the growing sophistication of attacks, as the tools and attacks used by them are more sophisticated. The trend in attacks we’ve been seeing seems to be indicative of new emerging threats and vulnerabilities and the challenge for insurers is to respond to those attacks.”

Exposure will only increase as the ‘internet of things’ becomes a reality, and with it the scale of the challenge.

“We think that the next challenge for insurers is not to ignore cyber, but to make sure that across the entire portfolio it’s actively managed as a potential source of loss,” he says.

“We are seeing an increasing amount of attention being paid to it, so I would hope that any complacency there would be is quite rapidly being eliminated.

“We’re fortunate in that we’ve not yet seen what we would consider to be a truly catastrophic cyber event. What we’re trying to do through our report is to try to build resilience in the insurance market before such an event happens—we don’t want to learn how to manage cyber exposure through the experience of an event that we’re not prepared for.”

Innovate to reduce uncertainty

The Lloyd’s report comes to some firm conclusions, stating that the likelihood and impact of severe attacks such as the scenarios from the report are subject to much uncertainty, and that the pace of insurance innovation should be linked to the rate at which this uncertainty can be reduced.

Cyber attacks are something that the market has already been looking at.

“What do these systemic events mean for our clients in terms of the application of their insurance policies, particularly the exclusions that apply within existing lines of business such as the LM 2914 and CL380 exclusions and the broader interpretations of those policies?” asks Stephen Wares, cyber risk practice leader, Marsh.

“For us as a client adviser our focus naturally is drawn to policy interpretation and whether a client can get a consistent and reliable outcome from its existing insurance policies rather than solely a focus on the cyber insurance policy.

“We obviously were aware of those exclusions and the potential for them to be used long before this report came out and we have been doing a number of things to try to address those exclusions in the insurance market. There is very strong interest, for example, from our energy sector clients in insuring their operational technology exposure for property damage and business interruption losses that are mentioned in the report. Power generation companies have been interested in seeking alternative cover for those losses as well as other energy sector clients.

“We have for the past year been in the market with our own proprietary product to add back the exclusions to those property insurance policies, gathering support from the insurance market to affirmatively write them back in.

“There is good awareness about cyber attacks. Various insurers have a function established within their organisations to look at cyber exposure across the different classes of insurance they write. The insurance market is at a point where there is not yet a complete understanding, but they are involved in a process to obtain that understanding as to what the exposure could be under different classes.

“One thing to highlight is that this report looks at things from the insurers’ perspective, but from the clients’ perspective as things become more connected so new cyber exposures will emerge and they will inevitably seek risk transfer solutions from the insurance market.

“The insurance market has an opportunity to respond positively to those new risks that are unfolding and it would be a shame if the sector did not seize that opportunity but reacted solely with exclusions,” says Wares.

Another point that the report makes is that the kind of malware attack it looks at is very hard to carry out: such an attack would need a large team of people to pull off, unlike the average IT attack, which can be carried out by a small group or even an individual. OT attacks often require a physical presence within the targeted industrial centre.

“These things are very hard to do, but they are plausible,” Coburn says. “The scale of the operation would require a sizable investment for a group to carry out, so it comes back to who has the motivation to do an attack like this.

“We considered several different threat actors—groups with different motivations. These include cyber-criminals who carry out about 95 percent of cyber attacks, people such as so-called hacktivists, who have a particular issue to draw attention to, and then the most capable groups—state-sponsored groups from other countries.

“We know that the Russians have an active ‘cyber defence’ group, we know that the Chinese have a particularly strong cyber team and there are groups operating in Iran and North Korea, for example. Any military cyber group particularly hostile to the US might get political permission to carry out this kind of attack—and most importantly it could be non-attributable. If you are carrying out an attack you could cover your traces pretty easily, so that no-one would know who did it. That’s a particular issue with cyber that the insurance industry will need to deal with.

“There’s a huge amount of focus on this issue in the insurance industry at present—I’m certainly not aware of any complacency around it. People are often surprised to realise the potential for this kind of attack, but there are a lot of people working in the insurance industry to address this, to develop insurance products and services to meet the demand for cyber protection in all aspects of business activity.”
