A new study on ‘cyber-physical’ attacks on London’s electricity network examines the relationship between economic damage and the number of substations.
In 2015, a “cyber-physical”
attack (affecting sensors, computing and communications hardware/software) on the
electricity distribution network in Ukraine led to a loss of power for 225,000
A similar-sized attack in London would cause daily economic impact ranging from £20.6 million for an event affecting four substations to £111.4 million if 14 substations are affected, according to a new study co-authored at the Centre for Risk Studies at Cambridge Judge Business School.
published in the journal Risk Analysis,
focused in part on the number and function of substations in estimating the
economic damage from such cyber-physical attacks. It found that even a relatively
small attack on London’s electricity infrastructure would likely affect 1.5
research will be of interest to governments, private infrastructure operators,
commercial consumers of infrastructure services and other stakeholders who want
to understand systemic risks from cyber-physical attacks on Critical National
Infrastructure,” said Daniel Ralph, Professor of Operations Research and
Academic Director of the Centre for Risk Studies.
The study’s lead author, Research Associate Edward Oughton of the Centre for Risk Studies at Cambridge Judge, discusses some of the study’s findings:
The number of substations is critical to
population disruption of electricity distribution attacks. We found that we can better predict the size
of direct population disruption by the number of affected substations, rather
than the number of customer connections at each substation. This was
established by testing different numbers of substations – four, seven and 14 –
against different severity levels.
This leads to a finding that decision-makers
need to invest resources more-or-less equally across all substations in order
to protect them. This would
help prevent the scaling of a cyber-physical attack and mitigate major
population disruptions. That said, there are some substations – such as those
associated with the functioning of railways or fresh water distribution – which
require a societal rather than economic metric in determining preventative
Dealing with cyber-physical attacks on
infrastructure is the ultimate public-private partnership. In many countries, and this includes the UK
and the United States, private operators rather than governments own critical
infrastructure. Yet the public will demand action by governments in the event
of such attacks. So in assessing vulnerability to such attacks, it’s important
to look at the interests of parties with different objectives – including
governments, infrastructure operators, and the commercial consumers of infrastructure
The relentless shift toward smart cities and
smart grids through the Internet of Things raises the importance in
understanding these cyber-physical risks. Among the vulnerabilities are insufficient
training at an institutional level, outdated legacy software, practices at the
vendor-contractor level, and easy access to information about hacking.
“Stochastic Counterfactural Risk Analysis for the Vulnerability
Assessment of Cyber-Physical Attacks on Electricity Distribution Infrastructure
Networks”, in the journal Risk
Analysis, is co-authored by Edward Oughton, Daniel Ralph, Eireann Leverett,
Jennifer Copic, Rabia Dada, Simon Ruffle and Michelle Tuveson of the Centre for
Risk Studies at Cambridge Judge Business School, and by Raghav Pant, Scott
Thacker and Jim W Hall of the
Environmental Change Institute at Oxford University.