Thursday, July 9, 2015

Insurance and a US Electric Grid Blackout - A Compelling Read

On July 8, 2015, Lloyd's of London published an excellent report, "Business Blackout - The insurance implications of a cyber attack on the US power grid."

(The same day as the United Airlines, Wall Street Journal and New York Stock Exchange cyber events...hmmm, any coincidence?)

This 65-page report is an excellent analysis of the insurance and economic impact on the US following a theoretical cyber attack on the US Northeastern corridor affecting Boston to Washington, DC.  The report is a compelling read for anyone in the cyber security or critical infrastructure domains -- at a minimum, the analysis by Lloyd's and the Cambridge Center for Risk Studies Team (University of Cambridge Judge Business School) should give you pause and help you a) better understand the interdependency of infrastructures and b) learn ways to consider the economic impacts of such events.

Key sections of the report include:

  • Executive Summary
  • Introduction to the Scenario
  • The Erebos Cyber Blackout Scenario
  • Direct Impacts to the Economy**
  • Macroeconomic Analysis**
  • Cyber as an Emerging Insurance Risk**
  • Insurance Industry Loss Estimation
  • Annex A:  Cyber Attacks Against Industrial Control Systems since 1999
  • Annex B:  The US Electricity Grid and Cyber Risk to Critical Infrastructure
  • Annex C:  Constructing the Scenario - Threats and Vulnerabilities
** = Focus your reading here...

For some key "bullets" on the report and the scenario, the following were extracted from the Lloyd's web page:

  1. The attackers are able to inflict physical damage on 50 electric generators which supply electrical power in the Northeastern USA, including New York City and Washington, DC.
  2. While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers wider blackouts which leave 93 million people without power.
  3. The total impact to the US economy is estimated at $243B, rising to more than $1T in the most extreme version of the scenario.
  4. Insurance claims arise in over 30 lines of insurance.  The total insured losses are estimated at $21.4B, rising to $71.1B in the most extreme version of the scenario.
  5. A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  6. The sharing of cyber attack data is a complex issue, but could be an important element for enabling the insurance solutions required for this key emerging risk.

Hat tip to Eireann Leverett, Senior Risk Researcher and member of the ENISA ICS Security Stakeholders Group for passing along this analysis.


If you are involved with critical infrastructure -- especially the electric grid -- take time to read this report cover to cover.  If you are worried about the economic impacts of cyber on your business, read this report to understand the interdependencies.