Lloyd's: Cyber-Attack on US Northeast Power Could Cost $1Trillion

Northeast Electricity Reliability regionsMap by Lloyd's and Centre for Risk Studies
July 9 - A cyber-attack on 50 power generation plants in the Northeast United States would not only harm millions of people but could cost the economy between $243 billion and $1 trillion in damages from the resulting power outages, said insurance firm Lloyd's and the University of Cambridge's Centre for Risk Studies.

A report entitled "Business Blackout" issued by the two organizations detailed a scenario in which cyber-attackers hacked, infiltrated and disabled only 7 percent of the 676 power generators feeding the grid of the 15 states of the northeast United States, a scenario the report called "improbable, but technologically possible."

"The attack triggers a widespread blackout plunging 15 states and Washington DC into darkness and leaving 93 million people without power," the report said. "It shuts down factories and commercial activity responsible for 32 percent of the country’s economic production.

"While power is restored to some areas within 24 hours, other parts of the region remain without electricity for a number of weeks," the report said, further detailing it speculative scenario.

In addition to the harm to people, which would range from the frustration of cancelled events to lethal accidents caused by failed safety systems, the loss of that economic activity would be about $243 billion, the report said. If the cyber-attackers were to disable as many as 100 power generators, the cost of the damage could be around $1 trillion.

Insurance Claims

Further, Lloyd's estimated that the insurance payouts would be $21.4 billion in the standard case scenario of its disaster model and $71 billion in an extreme case. These payouts would go to claims made for losses such as damage to power generators, loss of perishable goods dependent on refrigeration and business interruptions.

Precendent Weighed

Although Lloyd's and the Centre for Risk Studies repeated their disclaimer that the scenario was an improbable and fictionalized version of a technical possibility, they did draw a comparison to the August 14, 2003 Northeast Power Blackout. During that blackout, which was caused by cascading failures in the distribution system and not by a cyber-attack, 50 million people in four states and in Ontario were without power for as long as four days.

Precedent for cyber-hacking was also described. In an annex to the report, Lloyd's and the Centre described 14 cyber-attacks since 1999 on industrial control systems around the world. Also, an industrial cyber emergency team of the US Department of Homeland Security said that in 2014 32 percent of its responses were in the energy sector.

"Cyber attacks are often treated as a problem of technology, but they originate with human actors who employ imagination and surprise to defeat the security in place," wrote Tim Bolt, Lloyd's director of performance management. "The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than defenders could remedy them."

A Threat to Power, Concentrated in the US Northeast

The graphic below shows the night light profile of the United States overlaid by circles representing the power generating capacity of electrical power plants around the country. The red circles in the Northeast represent the generators that, under the disaster-planning scenario of the "Business Blackout" report, could affect 93 million people and cause up to $1 trillion in economic damage.
Map and graphic by Lloyd's and the Centre for Risk Studies at the University of Cambridge


conflict type: 


University of Cambridge Centre for Risk Studies