Cyber Attack on U.S. Grid Could Destroy Dozens of Plants, Cost Billions, Report Says

A cyber attack on the U.S. power grid could potentially destroy dozens of generating units, leave 93 million people without power for weeks, and result in nearly $250 billion dollars in economic damage, according to a new report from Lloyd’s of London.

Prepared to enable insurers to gauge and prepare for potential risks, the report describes a remote-but-possible attack involving malware infecting the power sector, much like the Stuxnet virus several years ago. According to the report, the scenario was developed by the University of Cambridge Centre for Risk Studies and “reflects a fictionalised account based on several historical and publically known real-world examples.” Though an “extreme event,” it is technically plausible.

Long-Term Plan

As described, the attack would take place over several years, during which targeted malware is developed from meticulous research into vulnerabilities in power sector control systems and networks. The malware is injected into power plant generator control rooms using a variety of methods, such as compromising employee laptops and personal electronic devices.

Observers have noted that though progress has been made in recent years, large elements of the power sector remain deeply vulnerable to attack because of the huge number of assets that must be protected. The scenario in fact assumes that most of the intrusion attempts would fail, but enough would succeed to make the attack possible.

Though some plants are able to detect and correct the intrusion, and most of the infected plants have protective hardware making the intended attack method unviable, as many as 70 plants in the eastern U.S. are infected in the scenario.

The report then describes the havoc that the attackers would be able to unleash during a peak summer demand period.

“The hackers covertly and systematically disable safety systems which would usually protect the generators from desynchronisation events. They send control signals which open and close the generator’s rotating circuit breakers in quick succession, using the inertia of the generator itself to force the phase angle between supply and load out of sync. The impacted generators begin to catch fire and pour smoke; some are partially destroyed as the engine blows apart. One gas turbine facility is completely destroyed in an explosion resulting from the generator fire.”

Long-Term Damage

The result would be a blackout affecting 93 million people in 15 northeastern states and the District of Colombia. Though power could be partially restored in a few days, many areas, such as New York City, would suffer intermittent blackouts for weeks afterward, resulting in widespread social unrest and disruptions. Economic costs could reach as high as $223 billion, with the overall damage to the U.S. economy as much as $1 trillion in the worst-case scenario.

Though the likelihood of such a disaster is remote, the report notes that the attack is within the capabilities of a number of nation-states such as North Korea, which has been blamed for the December 2014 hacking of computer systems at Korea Hydro and Nuclear Power Co., the operator of South Korea’s 23 commercial nuclear reactors. Other attacks on power system infrastructure have been blamed on hackers operating out of China and Russia.

Andrew Coburn, director of the advisory board of the Cambridge Centre for Risk Studies, cautioned against panic despite the dire scenario in the report. “Although academic literature suggests that a variety of cyber-physical attacks against electric grids are possible, it would be very difficult to carry them out at scale because of the enormous amount of time and skills involved to overcome the defences that are already in place.”

Still, other observers note that the power sector’s biggest cybersecurity challenge is overcoming complacency. Cybersecurity expert Steve Mustard with the International Society of Automation remarked on this problem at a presentation last year.

“Too many owner/operators I meet believe that because they have not seen a cybersecurity-based incident themselves that it will never happen,” Mustard said. “This sort of complacency is why there will be a major incident.”

—Thomas W. Overton JD, is a POWER associate editor (@thomasoverton, @POWERmagazine).