The technical limitations of the Lloyd’s Cyber report on the insurance implications of cyber attack on the US Power Grid

The Lloyd’s report on cyber implications of the electric grid serves a very important need to understand the insurance implications of a cyber attack against the electric grid. There have already been more than 250 control system cyber incidents in the electric industry including 5 major cyber-related electric outages in the US. There have been numerous studies on the economic impact of various outage durations, but they have not addressed issues associated with malicious causes. Consequently, there is a need to address the missing “malicious” aspects of grid outages. Unfortunately, I believe the technical aspects of the hypothesized attack in the Lloyd’s study are too flawed to be used.

According to the Lloyd’s report, “the Erebos Cyber Blackout Scenario is an extreme event and is not likely to occur. The report is not a prediction and it is not aimed at highlighting particular vulnerabilities in critical national infrastructure. Rather, the scenario is designed to challenge assumptions of practitioners in the insurance industry and highlight issues that may need addressing in order to be better prepared for these types of events…. On the given day, the malware is activated and 50 generators are damaged in rapid succession.”

The Erebos Cyber Blackout Scenario is essentially the Aurora vulnerability combined with the 2003 Northeast outage. Following the 2007 Idaho National Laboratory Aurora test, CNN published an unclassified report on the test (http://www.cnn.com/2007/US/09/26/power.at.risk/index.html). Aurora is not malware but a physical gap in the protection of the electric grid that causes an out-of-phase condition. Out-of-phase conditions are a known problem for grid equipment, and the IEEE has a committee dedicated to them. It therefore shouldn’t be that difficult to understand what happened to the equipment, though it may be very difficult to establish attribution. The classified Aurora information was declassified in July 2014 and is available on a number of hacker websites. Without the specific Aurora hardware mitigation, which very few utilities have employed, Aurora can damage or destroy generators, transformers, and rotating AC equipment connected to the affected substations. Damaging generators or other large equipment is very expensive, and repair or replacement can take a significant amount of time and resources: recovery could take many months, assuming the equipment is available, appropriate staff are available to make the repairs or replacements, and transportation can be arranged. With 50 generators damaged (the report makes no mention of transformers, which would also be damaged by an Aurora event), the probability that equipment and trained staff will be available on-site on a timely basis is rather low. The 2003 Northeast Outage lasted only 2-3 days because there was no damage to generators or other critical equipment. With 50 generators damaged, the probability that the grid will be available in 7 days, or even a few weeks, is really, really low.

There are other questions the report did not address. Were all of the generators from one utility, or even one region? That would help identify the potential geographic scope of the outage. How large was each of the generators? Depending on the size of the generator, there may not be requirements for any cyber protection or cyber monitoring. The same goes for the nearby substations connected to the generators. With no cyber monitoring, how will you have any attribution?

Several years ago, I participated in a NERC High Impact/Low Frequency (HILF) workshop. I believe the “Erebos” event could be a High Impact event because of its potential impact to the grid. However, because of the declassified DHS information, I do not believe it is a Low Frequency event.

As the report states, “a cyber attack of this severity is an unlikely occurrence, but we believe that it is representative of the type of extreme events that insurers should assess in order to understand potential exposures.” As mentioned, Aurora has been public since 2007 with the details unclassified in 2014. Based on actual control system cyber events that have already occurred and available knowledge of hacking control systems, I believe the grid and other critical infrastructures are at considerable risk to “frequent” cyber threats.

There is a need for the insurance industry to quantify control system cyber security risks to critical infrastructures. Unfortunately, the technical basis for the Lloyd’s case badly misses the boat.

Joe Weiss


Comments

  • Dear Author, While there is a robust technical case for an increased focus on addressing malicious cyber attacks on industrial control systems infrastructure, the business case is not very clear or compelling. Meaning thereby that, for business leaders to invest in manpower and technologies for mitigating attacks on ICS, the following questions should be addressed upfront: (1) What is the volume and rate of cyber incidents in the critical infrastructure sector? Especially energy, manufacturing and transportation? (2) Which authority is responsible for containing such incidents? (3) Has this problem reached such alarming proportions that it requires an immediate increase in investments? (4) What are the top 3 investment priorities?

    Answers to all of the above questions should emerge from the business case for protecting, defending, responding and implementing counter-measures for CIP.

    Does such a business case exist in the public domain?


  • My blog of 7/30/15 addresses the current state of the impact of control system cyber security - "Viruses or worms haven’t killed anyone or destroyed equipment - control system cyber incidents have" Joe Weiss
