What is the cost of a power outage caused by a cyber-attack? And how does one calculate the predicted cost?
Beyond the actuarial purpose of estimating the cost of a power outage caused by a cyber-attack, the predicted cost can also inform decision makers as to the cost-effectiveness of deploying different types of defenses against cyber-attacks.
These questions are no longer merely theoretical, following the 2015 cyber-attack against a Ukrainian power utility that left tens of thousands of households in the dark for many hours. In the absence of empirical data (thankfully, large-scale power outages are not commonplace, and it would be wrong to extrapolate figures from a single occurrence or a handful of them), the cost of an outage is calculated based on a set of predictors that are adjusted to each locale and distribution system. In this post I shall describe the different tools and predictors used to estimate the cost of an outage.
Breakdown of the damage cost
The damage cost of a power outage consists of several components:
First, there is the power company’s direct profit loss, i.e. customers that did not receive power for the duration of the outage and thus did not pay for power. In addition, in case of damage to physical components (e.g. an “Aurora Attack” on generators), there is also the cost of those components, which can reach millions of dollars.
Second, there are the indirect losses. These include factories that are unable to manufacture products, causing lost revenue, and more generally losses due to halted business activity (as modern businesses rely on constant power for communications). Needless to say, a power outage would prevent all computer-based financial trade operations. These examples demonstrate the complexity of estimating the cost of an outage, since each sector has a different loss model, which requires dedicated analysis.
To make things even more complex, two additional parameters need to be considered: (i) the customer mix of the targeted utility by sector (a higher percentage of customers from sectors with a high cost of loss would increase the overall cost of an outage), and (ii) the time and duration of the outage. The time of day, day of week and time of year at which the outage takes place result in a significantly different predicted cost loss (per sector). As for duration, the cost loss is a non-linear function of it, which heavily affects the overall cost loss: an eight-hour outage will cost much more than eight times the cost of a one-hour outage. For short durations, most critical businesses use standalone diesel-powered generators; however, the longer the outage, the greater the chance of these generators not functioning.
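The structure described above (sector mix, time of the outage, and losses that grow non-linearly with duration as backup generators fail) can be sketched as a small model. This is an added example, not part of the original post; every sector name, share, loss rate, activity factor and generator lifetime in it is a constructed assumption, not empirical data.

```python
import math
from datetime import datetime, timedelta

# Constructed sample parameters, NOT empirical data.
# share: fraction of the utility's load in this sector
# loss_per_hour: indirect loss at full activity, per unit of share (arbitrary currency)
# backup: fraction of the sector's load initially carried by diesel generators
SECTORS = {
    "residential": {"share": 0.50, "loss_per_hour": 10_000, "backup": 0.0},
    "industry": {"share": 0.30, "loss_per_hour": 80_000, "backup": 0.6},
    "finance": {"share": 0.20, "loss_per_hour": 200_000, "backup": 0.9},
}
GENERATOR_MEAN_LIFE_H = 12.0  # assumed mean running time before a generator fails


def activity(sector: str, when: datetime) -> float:
    """Assumed activity factor by time of day and day of week (per sector)."""
    if sector == "residential":
        return 1.0 if 17 <= when.hour < 23 else 0.4
    business_hours = when.weekday() < 5 and 8 <= when.hour < 18
    return 1.0 if business_hours else 0.2


def generator_survival(hours_elapsed: float) -> float:
    """Fraction of backup generators still running (assumed exponential decay)."""
    return math.exp(-hours_elapsed / GENERATOR_MEAN_LIFE_H)


def outage_cost(start: datetime, duration_h: int) -> float:
    """Sum hourly losses over all sectors for an outage starting at `start`."""
    total = 0.0
    for h in range(duration_h):
        when = start + timedelta(hours=h)
        for name, p in SECTORS.items():
            # Load not covered by generators, evaluated at the middle of hour h.
            unserved = 1.0 - p["backup"] * generator_survival(h + 0.5)
            total += p["share"] * p["loss_per_hour"] * activity(name, when) * unserved
    return total


if __name__ == "__main__":
    monday = datetime(2024, 1, 1, 9)    # weekday, business hours
    saturday = datetime(2024, 1, 6, 9)  # weekend
    one, eight = outage_cost(monday, 1), outage_cost(monday, 8)
    print(f"1 h: {one:,.0f}  8 h: {eight:,.0f}  ratio: {eight / one:.1f}")
    print(f"8 h on a Saturday: {outage_cost(saturday, 8):,.0f}")
```

With these assumed parameters the cost of each additional hour rises as generators drop out, so the eight-hour total exceeds eight times the one-hour figure, and the same outage on a weekend costs less.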
Estimators and estimates
The website Blackout Simulator (http://www.blackout-simulator.com/) provides a calculator for estimating the cost of a blackout in different European countries and regions, based on the date, time of day and duration of the blackout. In the example below, a nine-hour outage in London, UK would come at a staggering price tag of over half a billion Euros.
Another resource is Lloyd’s 2015 report (https://goo.gl/DZhhxW) that estimates the cost of a power outage at between $243bn and $1trn, for a blackout encompassing 15 U.S. states (including New York City and Washington DC) that would leave 93 million people without power for between 24 hours and a number of weeks.
The state of cyber-insurance and U.S. Government assistance
In terms of scope, the closest thing to a widespread power outage caused by a cyber-attack would be a major natural disaster: a Katrina- or Sandy-magnitude hurricane or a devastating earthquake. As such, there might be an expectation that the mechanisms that alleviate the damage and suffering, namely insurance companies and FEMA, would be responsible for restoring the situation to normal and paying for damages.
However, according to Kevin Kalinich, Global Practice Leader for Cyber Insurance at Aon Risk Solutions, a top U.K.-based risk consultant and insurance broker, this is not the case. Natural disasters have known qualities and precedents; cyber-attacks just present too many unknowns, or in Kalinich’s words, “unique exposures,” i.e. exposures to new, unfamiliar and potentially catastrophic events arising from the inter-connectedness of disparate systems, whose likelihood cannot be predicted. Simply put, the framework for insuring against a “cyber-outage” has not been established; it would, he predicts, combine traditional insurance, a re-insurance company (e.g. Berkshire) and government guarantees of limited liability, meaning that even with a framework set in place, there will be no complete coverage. The same goes for FEMA, the U.S. government’s emergency management agency, whose responsibility would be limited to restoring life-sustaining infrastructures and institutions (water, food, hospitals).
Whether or not the Christmas 2015 Ukrainian cyber-attack and outage became the watershed moment in terms of awareness of the need to install effective security measures in power generation systems, one thing is sure: it proved that the danger of cyber-attack is real and imminent. The combination of the staggering cost of inaction (in the tens and hundreds of millions) and the reality that damages will only be partially covered should motivate power providers to safeguard their networks against the almost certain eventuality of another attack.