Cyber-security – BizCase Challenges

Estimating the Costs of a Coordinated Cyber-Security Attack on a Regional Power System

Background

There is considerable concern within the electric power industry about the possibility of a coordinated cyber-security attack on the U.S. power system, and the extent to which the system is vulnerable to such an attack.

Today’s power system is vulnerable to cyber-attacks for a number of reasons. As the power system is transitions into a smart grid, by definition its elements are becoming more inter-operable. For example, the deployment of Advanced Metering Infrastructure (AMI) increased the uniformity of the end-user “edges” of the power system, making it more vulnerable to a multiple-point, coordinated cyber-attack. But it is also vulnerable because it is a mixture of different vintages of technology, some of which was designed without cyber-security protections. Meanwhile, hackers have become much more sophisticated in their methods of attack.

NERC and NIST Programs

In the past five years or so, a great deal of work has been done to analyze the physical-, IT-, and industrial controls systems-based vulnerability of the power system to cyber-attacks, focusing on its critical assets. NERC, under a Federal directive to protect critical national infrastructure from cyber-attacks, has issued nine auditable Critical Infrastructure Protection Standards (“CIPS”) and mandated eleven “responsible entities” to implement the CIPS in the bulk power market.

In parallel, NIST is leading a voluntary, phased initiative involving stakeholders across the electricity sector that has developed detailed draft communications and control standards for the smart grid as a whole. These include cyber-security provisions. NIST’s Smart Grid Interoperability Group (SGIP) has been a leader in these efforts (link).

In parallel to these activities, smart grid vendors are adding cyber-security to the functionality of their products.

Characterizing a Cyber Attack Event

A cyber-security attack is characterized as a “high impact/low frequency event” (“HILF”). To calculate the expected cost of the impact of a successful attack, two parameters need to be estimated: (1) the size of impact of the attack on the system (“S”), and (2) the probability (“p”) that such an attack will be successfully carried out. The “expected” cost of the attack would then equal the product: “S x p”. Note that we can consider quantitative and qualitative costs, with the latter being more subjective. As a start, we can make an estimate of the probability for a generic attack, since it is difficult to define an attack scenario.

It is widely believed that the probability of a successful, coordinated attack is quite small, and that therefore, “p” is perhaps less than 1%, perhaps much less.

How much money should you spend to protect yourself against an event which might occur, but most likely will not? You already know that you can never achieve 100% protection.

Costs of Protection/Mitigation/Remediation

Various cyber-security vendors offer cyber-security packages to the power sector. From these offerings, we can get some idea of the costs of different levels of protection. The costs of various levels of cyber-security protection have been estimated, and in many cases, they are not trivial. Utilities, at a cost, can mitigate their risks by increasing the levels of their contingency planning to increase the flexibility of their power systems. Remediation costs depend on the cyber-attack scenario and the extent to which it is successful.

And what is the potential impact of a successful cyber-attack, in terms of costs, business disruption, and societal impacts? What potential costs are you avoiding by spending money on protection?

What are the Benefits of Cyber-Security Protection?

Let’s define benefits in terms of the avoidance of all of the costs of a successful attack. We need to calculate these costs, in order to make a business case.

Very little work has been done on calculating the size (“S”) of the impact in a real-life power system situation.  A real-life situation is very challenging to simulate because: (1) it requires a highly granular and up-to-date operating equipment database for the power system, and (2) it is very difficult to simulate and co-optimize, with high fidelity, the simultaneous interactions between power systems and power markets under the complex protocols of regional market operators.

The UPLAN Power System and Market Simulation Model

LCG's UPLAN (Link) software suite and its accompanying databases are capable of such simulations. The following is a description of a UPLAN simulation of a coordinated cyber-security attack in the PJM (Pennsylvania, New Jersey, and Maryland) regional power system – one that simultaneously disables a number of transmission sub-station transformers.

Defining Cyber-Security Attack Scenarios

The scenarios run by UPLAN were as follows:

  1. Base Case (no cyber-attack)
  2. A 10-bus cyber-attack-based outage of 8 hours (10 transmission substation transformers attacked simultaneously)
  3. A 20-bus cyber-attack-based outage of 8 hours
  4. A 31-bus cyber-attack-based outage of 8 hours
  5. A 31-bus cyber-attack-based outage of 1 week

All scenarios were simulated with coordinated attacks for both summer and winter peak seasons; all scenarios were run for 2012; the PJM system was selected for all simulations (UPLAN has current databases for all generation units, and transmission lines and substations throughout the U.S.).

Transformer substations were chosen for the attack because of the potential for long outages given that high voltage transformers are no longer manufactured in the U.S., and have therefore an extended lead time for replacement equipment (quoted by NERC as being in the range of a 6 - 12 month delivery time).

In order to create an "envelope" around the potential impact, an 8-hour outage was first simulated (similar to a severe weather event). In all of the 8 hour scenarios (10-bus, 20-bus, and 31-bus), the contingency plans in place in PJM (N-X, depending on the bus) took care of the outages by dispatching additional, more expensive units and re-routing the electricity flows -- there were higher total costs, but there was no un-served energy.

Next, a scenario for an extended outage, i.e., a one-week long outage based on a 31-bus coordinated attack, was simulated. This could not be remediated by the in-place PJM contingency plans, and there was a substantial amount of un-served energy.

Total costs as defined in the UPLAN model are comprehensive -- all of the production costs associated with each scenario, including energy, ancillary services, T&D losses, etc.

The incremental costs of the cyber-security attacks in the winter peak season were, as expected, less than those in summer peak season, and are not included in the results below.

Results (All For the Summer Season)

Scenario Definition

Incremental Cost Relative to the Base Case ($millions)

Un-Served Energy (GWh)

10 bus - 8 hr

9

0

20 bus - 8 hr

24

0

31 bus - 8 hr

46

0

31 bus - 1 week

151

19

Estimating the cost of un-served energy is an area of significant locational variability and difference of opinion. In this scenario, we used an average of the costs of un-served energy as estimated  in a number of jurisdictions (e.g., PG&E, PJM, Ontario Hydro) for residential, commercial, and industrial customers (progressively more costly) : from $2,700/MWh (residential only) to as high as $24,000/MWh (PJM) (all-customer average) -- see references here, under "Un-served Energy Cost Estimation").

Based on this, the estimated cost of un-served energy for the final scenario above is between 19 x $2,700,000 and 19 x $24,000,000, or, using an average cost of $15,000,000/GWh, the un-served energy cost is $285 million).

Conclusion

The total cost of a 1-week outage of 31 busses in PJM caused by a coordinated cyber-security attack is substantial, estimated for this analysis to be about $436 million.

Furthermore, if the transformer sub-stations are damaged irreparably, then the outage could be extended by from 26 weeks to 52 weeks (the time needed to manufacture replacement units). This would create costs in the many billions of dollars, i.e., for a greater than a one-week 31-bus outage, it is not unreasonable to multiply the total costs, and the un-served energy, by the number of weeks of outage, as a first approximation of the total cost impact.

Business Case Question

Given these potential costs, but still having to estimate the probability of their occurrence, what should we be willing to spend to avoid them – i.e., what is the business case for cyber-security and/or mitigation investments? Who should pay? Who benefits?

Leave a Reply

Your email address will not be published. Required fields are marked *