Costs of a Cyber-Security Attack on a Regional Power System

Cyber-Security – Part I: Simulation Results for the Costs of a Coordinated Attack on a Regional Power System

80x80-Logo-SG-1-and-2-and-IX-LOGO-e1363114874895-150x150

 

Dom Geraghty

 

Summary

  • Cyber-security comes in three forms: physical, IT-based, and industrial control systems-based
  • There is mounting concern about the vulnerability of the electric power system to cyber-attacks
  • Protection can take the form of investments in cyber-security or by increasing the level of contingencies planned for
  • A cyber-attack is a high-impact, low-frequency event, i.e., it has a low probability of happening but its consequences can be costly
  • The cost of successful cyber-attacks can be calculated using sophisticated power system simulation models that are integrated with ISO market protocols
  • Four scenarios of a coordinated cyber-attack on the PJM system has been simulated and the costs estimated
  • The costs are substantial and can include substantial amounts of costs associated with unserved energy; for example, a 31-bus, 1-week outage increased costs by $436 million, of which $285 million was related to unserved energy
  • How much should we be willing to pay to increase the resiliency of power systems to cyber-attacks?

Business Case Challenges

Today, we would suggest that the business case for cyber-security services and products has two primary challenges, assuming that one believes that the threat of a cyber-security attack on the power system is real:

(1)       While the costs of cyber-security protection systems can be reasonably estimated based on current vendor offerings, their associated benefits, i.e., the avoided costs have not been estimated, nor have they been allocated across the affected entities. How can we decide on what we want to spend without knowing what we are saving – isn’t this the very essence of a business case?

(2)       It isn’t clear whether there is an opportunity for a new business focused solely on cyber-security services for power system operators – there exist already many companies competent in the three main areas of cyber-security: physical access, information technology (IT) protection, and industrial controls systems protection. We will discuss this cyber-security market in our next dialog – “Cyber-security – Part II: Characterizing the Market in the Power Sector”.

For our initial SGX cyber-security business case dialog, we are going to focus on the first challenge above – estimating the costs of a successful cyber-security attack on the power system. We have simulated such an event, as presented below.

Estimating the Costs of a Coordinated Cyber-Security Attack on a Regional Power System

Background

There is considerable concern within the electric power industry about the possibility of a coordinated cyber-security attack on the U.S. power system, and the extent to which the system is vulnerable to such an attack.

The Cost Side of the Equation: Protection/Mitigation/Remediation

DSC_0027-150x150Various cyber-security vendors offer cyber-security products and services to the power sector. From these offerings, we can get some idea of the costs of different levels of protection. These costs of various levels of cyber-security protection are not trivial. Alternatively, utilities and ISOs can employ a different strategy: increase the flexibility and resiliency of their power systems by increasing the level of contingencies included in their operating plans. This strategy would create a different kind of costs.

We already know that we can never achieve 100% protection. How much money should we spend to protect ourselves against an event which might occur, but most likely will not? To answer that question, we must look at the other side of the equation -- the benefits of protection.

Calculating the Benefits of Protection (the “Avoided Costs”)

What is the potential impact of a successful cyber-attack, in terms of costs, business disruption, and societal impacts? What potential costs are we avoiding by spending money on protection?

Let’s define benefits in terms of the avoidance of all of the costs of a successful attack. We need to calculate these benefits, in order to complete the business case.

A cyber-security attack is characterized as a “high impact/low-frequency event” (“HILF”). To calculate the expected cost of the impact of a successful attack, two numbers need to be estimated: (1) the size of impact of the attack on the system (“S”), and (2) the probability (“p”) that such an attack will be successfully carried out. The “expected” cost of the attack would then equal the product: “S x p”. Note that we can include qualitative as well as quantitative costs, with the former obviously being more subjective. As a start, we can make an estimate of the probability of a generic attack, since it is difficult to define the probability of a specific attack scenario.

It is widely believed that the probability of a successful, coordinated attack is quite small to very small, and that therefore, “p” is perhaps less than 1%, perhaps much less.

Very little work has been done on calculating the size (“S”) of the impact in a real-life power system situation.  A real-life situation is very challenging to simulate because: (1) it requires a highly granular and up-to-date operating equipment database for the power system, and (2) it is very difficult to simulate and co-optimize, with high fidelity, the simultaneous interactions between power systems and power markets under the complex protocols of regional market operators.

We’ve Completed a Simulation of a Cyber Attack in PJM

LCG's UPLAN (Link) software suite and its accompanying databases are capable of such simulations. The following is a description of a UPLAN simulation of a coordinated cyber-security attack in the PJM regional power system (this is a regional transmission organization that coordinates wholesale markets in 13 states and D.C.: Delaware, Illinois, Indiana, Kentucky, Maryland, Michigan, New Jersey, North Carolina, Ohio, Pennsylvania, Tennessee, Virginia, West Virginia and the District of Columbia), The attack simultaneously disables a number of transmission sub-station transformers. This scenario was designed by SGX in collaboration with cyber-security and power system industry experts. LCG ran the simulation using UPLAN. The results were analyzed by SGX.

Definition of Cyber-Security Attack Scenarios

The scenarios run by UPLAN were as follows:

  1. Base Case (no cyber-attack)
  2. A 10-bus cyber-attack-based outage of 8 hours (10 transmission substation transformers attacked simultaneously)
  3. A 20-bus cyber-attack-based outage of 8 hours
  4. A 31-bus cyber-attack-based outage of 8 hours
  5. A 31-bus cyber-attack-based outage of 1 week

DSC_1334 150x150All scenarios were simulated with coordinated attacks for both summer and winter peak seasons; all scenarios were run for 2012; the PJM system was selected for all simulations (UPLAN maintains up-to-date equipment and configuration databases for all generation units, and transmission lines and substations throughout the U.S.).

Transformer substations were chosen for the attack because of the potential for long outages given that high voltage transformers are no longer manufactured in the U.S. They have therefore an extended lead time for replacement equipment (quoted by NERC as being in the range of a 6 - 12 month delivery time).

In order to create an "envelope" around the potential impact, an 8-hour outage was first simulated (similar to a severe weather event). In all of the 8 hour scenarios (10-bus, 20-bus, and 31-bus), the contingency plans in place in PJM (N-X, depending on the bus) was able to avoid significant outages by dispatching additional, more expensive units, and re-routing the electricity flows – this incurred higher total operating costs, but there was no unserved energy.

Next, a scenario for an extended outage, i.e., a one-week long outage based on a 31-bus coordinated attack, was simulated. This could not be remediated by the in-place PJM contingency plans, and there was a substantial amount of unserved energy.

Total costs as defined in the UPLAN model are comprehensive -- all of the production costs associated with each scenario, including energy, ancillary services, T&D losses, etc.

The incremental costs of the cyber-security attacks in the winter peak season were, as expected, less than those in summer peak season, and are not included in the results below.

Results (all for summer season)

Attack Scenario Definition

Incremental Cost Relative to the Base Case ($millions)

Unserved Energy (GWh)

10 bus - 8 hr

9

0

20 bus - 8 hr

24

0

31 bus - 8 hr

46

0

31 bus - 1 week

151

19

Estimating the cost of unserved energy is an area of significant locational variability and difference of opinion. In this scenario, we used an average of the costs of unserved energy as estimated  in a number of jurisdictions (e.g., PG&E, PJM, Ontario Hydro) for residential, commercial, and industrial customers (progressively more costly) : from $2,700/MWh (residential only) to as high as $24,000/MWh (PJM) (all-customer average) -- see reference here and in the Archive, under "unserved Energy Cost Estimation").

Based on this, the estimated cost of unserved energy for the final (31-bus - 1 week) scenario above is between 19 x $2,700,000 and 19 x $24,000,000, or, using an average cost of $15,000,000/GWh, the unserved energy cost is about $285 million).

In addition, post –attack remediation costs must be taken into account, i.e., the repair and replacement of affected equipment. These costs will depend on the cyber-attack scenario and the extent to which it is successful. We have not estimated these costs in this simulation.

Conclusion

Excluding remediation costs, the total cost of a 1-week outage of 31 transmission substation busses in PJM caused by a coordinated cyber-security attack is substantial, estimated for this analysis to be about $436 million.

Yes, these costs seem relatively small when compared to the costs of some of the extreme weather events that utilities have faced in recent times.

But if the transformer sub-stations are damaged irreparably, then the outage could be extended by from 26 weeks to 52 weeks (the time elapsed from ordering a replacement to the delivery of the replacement units). This would create costs in the many billions of dollars. For example, for a greater-than-one-week 31-bus outage, it is not unreasonable to multiply the total costs, and the unserved energy, by the number of weeks of outage, as a first approximation of the total cost impact. For a 26-week replacement cycle, the total costs could exceed $11 billion, assuming that no transformer replacements were available from inventory.

What is the probability of a successful cyber-attack occurring? If we say 1%, for example, then the “expected costs” would be $4.36 million for the one-week outage.

Business Case Question

Given these potential costs, but still having to estimate the probability of their occurrence, what should we be willing to spend to avoid the costs – i.e., what is the business case for cyber-security and/or mitigation investments? Who should pay? Who benefits?

Can we use an analysis like this to put a “cap” on how much we’d be willing to spend to protect against cyber-security attack scenarios?

Is it credible for a cyber-security products and/or services business to use this type of analysis to support its value proposition? Are “expected” costs the best way to evaluate an investment in cyber-security protection?

4 thoughts on “Costs of a Cyber-Security Attack on a Regional Power System

  1. Walter Levesque

    I think a forecast range may be more appropriate than a specific number. Some cost etimates, not in your calculation, might be disputed by a broader audience. For example, when there is a loss of electric power there is a loss to gross domestic product. I do not have the multiple but dividing GDP by gigawatts of power would provide a GDP/GW and that number could be added to the high range. Impacts for which a high % of readers agree should be included (say at least 80%) would establish the low range. Impacts such as my loss of GDP might only make sense to 50% of readers and this would establish the high range of the cost estimate. The methodology used to create the result should be shared.
    Best regards,
    Walter Levesque

    Reply
    1. domgeraghty Post author

      Walter,

      Yes, there are some cost impacts that are hard to quantify, or disputable at least. And your idea of using a range is definitely apropos. Estimates of generalized, or average, unserved energy costs require some heroic assumptions and omit situation specific factors.

      Your GDP impact suggestion may result in some double-counting, though.

      Why? Because the cost estimate of unserved energy includes the economic impact of an outage for residential, commercial, and industrial customers, i.e., business interruption costs for the latter two segments. I believe that these costs reflect the reduced economic activity of the businesses, which in effect, represents a decrement to GDP? On the other hand, the calculation might not cover the correlated indirect costs to other businesses in the directly-affected business’ supply-chain?

      Maybe somebody can comment on the methodology by which unserved energy costs are calculated addressing (1) whether or not correlated supply-chain costs are included, and (2) whether the unserved energy costs when added together represent a proxy for the resultant reduction in GDP?

      One can take these indirect costs even further, e.g., is there a beneficial effect on the environment, but I’m not going to try to go there, since the quicksand is already rising above our ankles!

      Reply
  2. Frances Cleveland

    I am very glad to see the use of “traditional” power system mitigation techniques used against cyber attacks. All too often I see cyber security experts wanting to rely only on cyber security techniques to mitigate attacks.

    That said, the cost of some cyber security measures are very minimal (e.g. use of individual passwords, RBAC, authentication in all communication transmissions), while other security measures could be very costly (e.g. protection against supply chain malware, maintaining 10 backup transformers on wheels). So part of the cost analysis must include the differing costs of cyber security measures. This then modifies the “p” probability of a successful attack occurring into a multiplication of “ease” of an attack times the “attractiveness” of such an attack.

    So any cost assessment should include the cost of different cyber security mitigation techniques and their impact on the “ease” of an attack.

    Frances

    Reply
  3. Doug Westlund

    Very nice to see some quantitative work being done on the avoided costs of implementing cyber-security initiatives. Well done !

    We at N-Dimension have some empirical evidence that I would like to share. Industry norms (across all industries, not just utilities or critical infrastructure) for the costs of a security initiative relative to the IT system / project are in the 10 – 15 % range. In the co-op and muni electric sectors we have been able to implement effective security controls for less than 5% using a modular platform specifically designed for utility environments. And with respect to the cost to recover, conventional wisdom in the security industry across all sectors is that recovery costs tend to be a multiple of 5 times more than implementing a cyber-security initiative in the first place. In our experience with co-op and municipal utilities however, the multiple is closer to 10 to 20 times the investment (these figures are exclusive of secondary costs including lawsuits). We believe that the recovery multiple is so much higher due to the fact that most utilities have not protected their operational environments which allows the damage to be more pervasive, and the cost to recover an operational asset such as a SCADA system is far more complicated that recovering a desktop workstation or a web server.

    We look forward to the day when analytic models like yours can accelerate adoption of cyber-security measures in critical infrastructure industries !

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *