“I don’t believe any system is totally secure.” Matthew Broderick’s character in the 1983 classic movie War Games makes this very astute observation about information security shortly before he slips in a back door of a computer system called Joshua and nearly causes a nuclear holocaust.
Thus far, most breaches are centered on gathering data and information. But what if the intent were more sinister and more widespread than just a single company? What would be the impact? These are the types of questions that Lloyd’s of London and the University of Cambridge attempt to answer in their recently released report entitled Business Blackout
[A] piece of malware (the ‘Erebos’ trojan) infects electricity generation control rooms in parts of the Northeastern United States. The malware goes undetected until it is triggered on a particular day when it releases its payload which tries to take control of generators with specific vulnerabilities. In this scenario it finds 50 generators that it can control, and forces them to overload and burn out, in some cases causing additional fires and explosions. This temporarily destabilises the Northeastern United States regional grid and causes some sustained outages. While power is restored to some areas within 24 hours, other parts of the region remain without electricity for a number of weeks.
The result: “an electricity blackout plunges 15 US states including New York City and Washington DC into darkness and leaves 93 million people without power.” Furthermore,
Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain. The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.
The report also describes the impact on the insurance company. “The total of claims paid by the insurance industry is estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario.”
The report notes that “[t]he scenario, while improbable, is technologically possible and is assessed to be within the benchmark return period of 1:200 against which insurers must be resilient.” (Remember the blackout of 2003 that left 50 million people in the U.S. and Canada without power?) Furthermore,
The scenario in this report describes the actions of sophisticated attackers who are able to penetrate security as a result of detailed planning, technical skill and imagination. A relatively small team is able to achieve widespread impact, revealing one of the key exposure management challenges for insurers. However, the report also describes the constraints faced by the attackers, and shows that insurers should not believe this type of threat to be unlimited in its potential scope.