Cyber attack on US power grid could result in losses up to $1 trillion

When, on Wednesday, the New York Stock Exchange halted trading, The Wall Street Journal website went down, and United Airlines grounded flights – all practically at the same time – it seemed like a well orchestrated cyber attack had been launched against high-profile US businesses and organizations.

As it turned out, the outages were the result of technical problems and network connectivity issues. Still, I bet that for a brief moment, the US government and authorities worried that the moment that many security experts have warned about for years has come: a coordinated, widespread cyber attack against the country and its businesses.

As it happens, insurance market Lloyd’s of London has, on the same day, published a research report produced with the help of the University of Cambridge Centre for Risk Studies, which investigates how a severe cyber attack against the US power grid could affect US businesses and what the impact on the US economy would be.

While the research and report was made to help insurance companies develop insurance solutions for the digital age, it can also help US decision-makers evaluate the risk of such a scenario, and hopefully push them into doing something to make it less likely.

“In the scenario, a piece of malware (the Erebos Trojan) infects electricity generation control rooms in parts of the Northeastern United States. The malware goes undetected until it is triggered on a particular day when it releases its payload which tries to take control of generators with specific vulnerabilities,” says the very thorough report.

“In this scenario it finds 50 generators that it can control, and forces them to overload and burn out, in some cases causing additional fires and explosions. This temporarily destabilizes the Northeastern United States regional grid and causes some sustained outages. While power is restored to some areas within 24 hours, other parts of the region remain without electricity for a number of weeks.”

“Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain. The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario,” it notes.

The scenario is technologically possible – it’s based on several historical and publicly known real-world examples – but is not likely to occur, the company pointed out. Nevertheless, it should raise awareness about what damage cyber attacks against operational technology can cause.