- Lloyd's of London has issued a report aimed at informing the insurance industry as to the potential impacts of a widespread attack on the U.S. power grid, and finds the total economic loss could range from $243 billion up to $1 trillion in the most damaging scenarios.
- Lloyd's overtly says its report is not a prediction and describes highly unlikely scenarios, but the fallout includes a rise in mortality rates, a decline in trade, disruption to water supplies and transportation chaos.
- And the primary way in which the attack could be perpetrated is well-document and still exists: In 2007 the Idaho National Laboratory's Aurora Project showed that a remote attacker could damage generators by opening and closing certain circuit breakers to ultimately push a machine's rotating parts out of alignment.
The “Aurora vulnerability” was documented close to a decade ago, but the problem remains and the potential impacts are staggering, reports Lloyd's of London. Under the most extreme circumstances, the impacts would be felt for years and could cause up to $1 trillion in economic damage.
Perhaps the most startling aspect of the report is that it assumes the attackers are only successful in 10% of their attempts to access and disable sensitive equipment.
Lloyd's modeled out a potential attack that would leave 15 states in the dark, across an eastern seaboard swath that would include New York City and Washington, D.C. And while the scenario is unlikely, it is “technologically possible,” the firm said, and the odds against it are less than 200-to-1.
Those chances reflect the need for insurance companies to guard against possibly catastrophic events – the report isn't a doomsday prediction and the scenario is highly unlikely. But it highlights an existing vulnerability the United States' power grid is still trying to patch (and one the government may have inadvertently exacerbated not long ago).
Last summer the U.S. Department of Homeland Security mistakenly responded to a Freedom of Information Act on an unrelated topic and released more than 800 pages related to the so-called “Aurora vulnerability,” including the location of sensitive pieces of infrastructure that could be disabled.
While the industry is working to close the vulnerability, Lloyd's found that a relatively small success rate from hackers could be devastating.
In its hypothetical attack, the firm found that “despite only achieving a 10% success rate, the malware successfully infects over 70 generators by exploiting the systemic importance of control rooms, with each control room typically managing several generators.”
Such an attack could leave 93 million without power, Lloyd's found. And while improbable, the scenario is “technologically possible” and predicts “a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses."