Originally published in the Weiss’ Unfettered Blog
The Lloyd’s report on cyber implications of the electric grid serves a very important need to understand the insurance implications of a cyber attack against the electric grid. There have already been more than 250 control-system cyber incidents in the electric industry including 5 major cyber-related electric outages in the US.
There have been numerous studies on the economic impact of various outage durations, but they have not addressed issues associated with malicious causes. Consequently, there is a need to address the missing “malicious” aspects of grid outages. Unfortunately, I believe the technical aspects of the hypothesized attack in the Lloyd’s study are too flawed to be used.
According to the Lloyd’s report, “the Erebos (the name Lloyd’s assigned to the malware in its hypothetical) Cyber Blackout Scenario is an extreme event and is not likely to occur. The report is not a prediction and it is not aimed at highlighting particular vulnerabilities in critical national infrastructure. Rather, the scenario is designed to challenge assumptions of practitioners in the insurance industry and highlight issues that may need addressing in order to be better prepared for these types of events…. On the given day, the malware is activated and 50 generators are damaged in rapid succession.”
ALSO READ: Even imaginary cyber catastrophes point to cyber-data sharing
The Erebos Cyber Blackout Scenario is essentially the Aurora vulnerability combined with the 2003 Northeast outage. Following the 2007 Idaho National Laboratory Aurora test, CNN published an unclassified report on the Aurora test. Aurora is not malware but a physical gap in protection of the electric grid causing an out-of-phase condition. Out-of-phase conditions are a known problem to grid equipment and consequently the IEEE has a committee dedicated to out-of-phase conditions.
Consequently, it shouldn’t be that difficult to understand what happened to the equipment though it may be very difficult to identify attribution. The classified Aurora information was declassified in July 2014 and is available on a number of hacker websites. Without the specific Aurora hardware mitigation that very few utilities have employed, Aurora can damage or destroy generators, transformers, and rotating AC equipment connected to the affected substations.
Damaging generators or other large equipment is very expensive and can take a significant amount of time and resources to repair or replace. This could be as long as many months to recover, assuming the equipment is available, appropriate staff is available to make the repairs or replacements, and transportation can be arranged. With 50 generators damaged (no mention of transformers which would also be damaged by an Aurora event), the probability that equipment and trained staff will be available on-site on a timely basis is rather low.
The 2003 Northeast Outage was only 2-3 days because there was no damage to generators or other critical equipment. With 50 generators damaged, the probability that the grid will be available in 7 days, or even a few weeks, is really, really low.
There are other questions the report did not address. Were all of the generators from one utility or even one region? That would help identify the potential geographic scope of the outage. How large were each of the generators? Depending on the size of the generator, there may not be requirements for any cyber protection or cyber monitoring. The same goes for the nearby substations connected to the generators. With no cyber monitoring, how will you have any attribution?
Several years ago, I participated in a NERC High Impact/Low Frequency (HILF) workshop. I believe the “Erebos” event could be a High Impact event because of its potential impact to the grid. However, because of the declassified DHS information, I do not believe it is a Low Frequency event.
As the report states, “a cyber attack of this severity is an unlikely occurrence, but we believe that it is representative of the type of extreme events that insurers should assess in order to understand potential exposures.” As mentioned, Aurora has been public since 2007 with the details unclassified in 2014.
Based on actual control system cyber events that have already occurred and available knowledge of hacking control systems, I believe the grid and other critical infrastructures are at considerable risk to “frequent” cyber threats.
There is a need for the insurance industry to quantify control system cybersecurity risks to critical infrastructures. Unfortunately, the technical basis for the Lloyd’s case badly misses the boat.
ALSO READ: Commitment to address control-system cybersecurity inadequate