This is how much a huge cyberattack on the power grid could really cost

A catastrophic hack could cost the economy billions, warn researchers
Written by Steve Ranger, Global News Director

An attack on the UK's power distribution network could cost the country's economy between £12bn and £85bn.


Governments have long worried about the potential for a cyberattack on their country's critical national infrastructure, and now researchers have attempted to calculate just how much such an event would cost the economy.

The report by University of Cambridge researchers models the economic impact of a coordinated and sustained cyberattack on the UK's power distribution networks.

The calculations are based on a theoretical cyberattack carried out by a rogue employee with the backing of a nation state.

It concludes that a widespread cyberattack on a piece of the UK's critical national infrastructure could cost the country tens of billions of pounds. The paper was written by academics from the Cambridge Centre for Risk Studies, part of the University of Cambridge Judge Business School, and sponsored by Lockheed Martin.

In the model, the disruption is caused by installing malicious hardware in 65 or more substations in south east England -- expanding to 95 and 125 substations in the "extreme" versions of the scenario. This hardware allows the attackers to trigger rolling blackouts across the region during winter, shutting down parts of the London area, and impacting all aspects of the UK economy.

In the most limited scenario, such an attack would cost the UK's economy £12bn, and cut £49bn from gross domestic product over five years. In the most severe scenario that rises to £85bn -- and £442bn over five years -- slashing 2.3 percent off the UK's GDP over the period.

In the basic scenario the UK is able to recover quickly -- within just three weeks, compared to 12 weeks for the most extreme attack. But even this would see roughly nine million people hit by the blackouts, alongside disruption to 800,000 train and 150,000 air passenger journeys each day. In the most extreme scenario, this impact rises to 13 million people affected, with one million rail and 330,200 air travel tickets cancelled.

The researchers predict that financial services, retail, real estate, and professional services would be the industries hit hardest.

The researchers said they consulted with the UK power industry, as well as government and industry regulators for the study, but aren't suggesting an attack is coming -- or that there are weaknesses in the power grid.

Simon Ruffle, director of technology and innovation at the University of Cambridge's Centre for Risk Studies, said: "Through hyper-connectivity, we have created fantastic opportunities for smarter infrastructure use that also bring with them a complex set of cyber risks for the foreseeable future."

An attack on such a scale -- especially one where a disgruntled worker is able to introduce so much rogue hardware across the power network -- is an extremely unlikely scenario. It's often noted that squirrels or downed trees are much more of a danger to the power supply than hackers.

However, what is clear is that attacks on power grid infrastructure have already occurred: earlier this year Ukraine suffered power outages after hackers gained access to industrial control systems. And US law enforcement has warned that terrorists have shown interest in attacking the power grid there, too -- although they lack the skills to do any damage.

As more companies connect industrial control systems to the internet, there is an increasing fear that such attacks will become more likely, and that state-sponsored hackers in particular are probing such systems and cataloguing weaknesses which could potentially be used in any future conflict.

The UK government has listed cyberthreats as a 'tier one' security issue alongside international terrorism, war, and natural disasters, noting as long ago as 2010 that: "Attacks in cyberspace can have a potentially devastating real-world effect. Government, military, industrial and economic targets, including critical services, could feasibly be disrupted by a capable adversary."
