A cyber attack on the US power grid and related infrastructure could cost the country as much as $1tn in economic damage, a major report has warned.
The Business Blackout report (PDF) produced by insurers Lloyds of London and the University of Cambridge’s Centre for Risk Studies paints the worst case scenario if a major malware attack were to cripple the east coast of the US.
“The scenario predicts a rise in mortality rates as health and safety systems fail, a decline in trade as ports shut down, disruption to water supplies as electric pumps fail, and chaos to transport networks as infrastructure collapses,” the report noted.
It examined the impact based on the idea of a fictitious malware strain called Erebos that has been injected into key systems by a ‘hired hacker’ team.
Once the malware is activated it knocks 50 main generators offline by forcing them to burn themselves out. This causes widespread chaos along the eastern coast of the US affecting 93 million people.
“[The attack] temporarily destabilises the north eastern US regional grid and causes some sustained outages. While power is restored to some areas within 24 hours, other parts of the region remain without electricity for a number of weeks,” the report said.
“Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business, and disruption to the supply chain.”
The report estimated the damage of such an incident to the US economy at between $243bn and $1trn. Given that the annual US GDP is $16.77tn, this is a huge figure and underlines just how damaging such an incident could be.
The report noted that the scenario described is the worst possible, but is not beyond the realms of possibility.
“While there have been large individual business losses attributed to cyber attacks, there have, at the date of writing, been no examples of catastrophe-level losses from a widespread cyber attack affecting many companies and insurers at the same time,” it said.
"The scenario, while improbable, is technologically possible."
The report also pointed out that, while cyber security threats are a big concern that needs to be considered by every organisation, they should not be feared as cataclysmic events as even the most ardent and sophisticated hackers face limitations in their attacks.
“Cyber attacks and IT events are not unlimited or infinitely scalable. They can have significant constraints that limit attack severity and curtail the amount of loss that insurers may face,” it said.
“A successful cyber attack has to overcome all the security systems put into place to protect against it, requires expertise and resources by the perpetrators who face their own risks of identification, prosecution and retribution, and the loss consequences of attacks are mitigated by risk management actions.”
Sophisticated cyber attacks that hit infrastructure are becoming a real threat to many nations. Several high-profile malware tools have been uncovered in systems over the years, such as Stuxnet in Iran.
Applications from some member states were down more than 40 per cent
A new RSA report urges coders to sign a 'Hippocratic Oath' before embarking on AI programmes.
IT security vendor believes APT33 is working for the Iranian government
Darktrace pushes machine learning to take some of the pressure off of IT and security teams