A new study on ‘cyber-physical’ attacks on London’s electricity network examines the relationship between economic damage and the number of substations.
In 2015, a “cyber-physical” attack (affecting sensors, computing and communications hardware/software) on the electricity distribution network in Ukraine led to a loss of power for 225,000 people.
A similar-sized attack in London would cause daily economic impact ranging from £20.6 million for an event affecting four substations to £111.4 million if 14 substations are affected, according to a new study co-authored at the Centre for Risk Studies at Cambridge Judge Business School.
The paper, published in the journal Risk Analysis, focused in part on the number and function of substations in estimating the economic damage from such cyber-physical attacks. It found that even a relatively small attack on London’s electricity infrastructure would likely affect 1.5 million people.
“The research will be of interest to governments, private infrastructure operators, commercial consumers of infrastructure services and other stakeholders who want to understand systemic risks from cyber-physical attacks on Critical National Infrastructure,” said Daniel Ralph, Professor of Operations Research and Academic Director of the Centre for Risk Studies.
The study – entitled “Stochastic Counterfactual Risk Analysis for the Vulnerability Assessment of Cyber-Physical Attacks on Electricity Distribution Infrastructure Networks” – is a collaboration between the Infrastructure Transitions Research Consortium at Oxford University and the Centre for Risk Studies at Cambridge Judge Business School.
The study’s lead author, Research Associate Edward Oughton of the Centre for Risk Studies at Cambridge Judge, discusses some of the study’s findings:
The number of substations is critical to population disruption of electricity distribution attacks. We found that we can better predict the size of direct population disruption by the number of affected substations, rather than the number of customer connections at each substation. This was established by testing different numbers of substations – four, seven and 14 – against different severity levels.
This leads to a finding that decision-makers need to invest resources more-or-less equally across all substations in order to protect them. This would help prevent the scaling of a cyber-physical attack and mitigate major population disruptions. That said, there are some substations – such as those associated with the functioning of railways or fresh water distribution – which require a societal rather than economic metric in determining preventative investment.
Dealing with cyber-physical attacks on infrastructure is the ultimate public-private partnership. In many countries, and this includes the UK and the United States, private operators rather than governments own critical infrastructure. Yet the public will demand action by governments in the event of such attacks. So in assessing vulnerability to such attacks, it’s important to look at the interests of parties with different objectives – including governments, infrastructure operators, and the commercial consumers of infrastructure services.
The relentless shift toward smart cities and smart grids through the Internet of Things raises the importance in understanding these cyber-physical risks. Among the vulnerabilities are insufficient training at an institutional level, outdated legacy software, practices at the vendor-contractor level, and easy access to information about hacking. “Stochastic Counterfactural Risk Analysis for the Vulnerability Assessment of Cyber-Physical Attacks on Electricity Distribution Infrastructure Networks”, in the journal Risk Analysis, is co-authored by Edward Oughton, Daniel Ralph, Eireann Leverett, Jennifer Copic, Rabia Dada, Simon Ruffle and Michelle Tuveson of the Centre for Risk Studies at Cambridge Judge Business School, and by Raghav Pant, Scott Thacker and Jim W Hall of the Environmental Change Institute at Oxford University.