Warakorn - Fotolia

Collaboration vital to reduce economic impact of CNI cyber attack

The interconnected nature of critical national infrastructure (CNI) means the impact of the risk and the cost of a cyber attack grows exponentially every day

A significant cyber attack across the UK’s critical national infrastructure (CNI) could make a significant economic impact on the UK, a study revealed.

Collaboration on CNI cyber security is key to minimising the UK's economic risk, according to the report from the Cambridge Centre for Risk Studies at the University of Cambridge.

According to the report’s authors, the study provides a methodology for all UK businesses to assess the direct and indirect impact of cyber attacks.

The study, developed in conjunction with Lockheed Martin, models the potential impact of a co-ordinated and sustained cyber attack on one of the UK’s regional power distribution networks and the likely short and long-term costs to the UK economy.

The study is based on a fictional scenario in which a cyber attack is executed by a disgruntled employee of a distribution network operator with the backing of a nation state adversary.

Disruption is achieved by installing rogue hardware in 65 vulnerable substations in south-east England, which is expanded to 95 and 125 substations in two more extreme versions.

This rogue hardware empowers the cyber adversaries to trigger rolling blackouts across the region during the winter season, shutting down parts of the London area and affecting all aspects of the UK economy.

Interconnection expands CNI cyber risk

Justin Walker, vice-president for Lockheed Martin’s Information Systems business in the UK and Europe, said that, as critical national infrastructure becomes increasingly interconnected, the risk and cost of a cyber attack grows exponentially larger each and every day.

“Through increased collaboration, government, industry, regulators and the wider technology industry all have a role to play ensuring the UK economy is resilient to cyber attack,” he said.

Simon Ruffle, director of technology and innovation at the University of Cambridge’s Centre for Risk Studies said that, by better understanding and quantifying the consequences – both economic and societal – of a severe cyber hazard on the UK’s critical infrastructure, the study underlines the level of responsibility among each of the key stakeholders.

“Through hyperconnectivity, we have created fantastic opportunities for smarter infrastructure use that also bring with them a complex set of cyber risks for the foreseeable future,” he said.

According to Ruffle, there needs to be a better understanding across UK organisations – including suppliers of critical infrastructure – of the economic impact of cyber attacks.

“There needs to be better understanding of how economic impact, as a result of a cyber attack in one place, can be felt in other parts of the country and the economy because of the ripple effect,” he said.

Assessing the economic impact

Ruffle believes there needs to be greater collaboration between government, infrastructure suppliers and academia in understanding and mitigating cyber risks to critical infrastructure.

“There is a lot that operational technology can learn from IT in terms of cyber security, such as better software patching processes and better procurement processes that include pre-implementation testing and post-implementation support,” he said.

The researchers consulted widely with stakeholders across the UK power industry as well as government and industry regulators throughout this study, said Ruffle, emphasising that it does not predict an attack or seek to expose weaknesses in the power grid, but rather presents the likely economic impact of the hypothetical scenario.

The study also underlines the subsequent economic impact for other key industry sectors, including financial (£1.3bn) and professional services (£1bn), retail, construction, transportation, education and health.

In the most conservative scenario, the immediate impact to the UK’s economic output is £12bn, with the five-year GDP impact of £49bn.

In the most severe case, these figures increase to £85bn and £442bn respectively. In the latter case, this represents approximately 2.3% of the UK’s GDP over the period.

In the most conservative scenario an estimated 9 million people are hit by the blackouts, 800,000 individual train journeys and 150,000 air passenger tickets are affected daily. In the most extreme scenario this impact rises to 13 million affected, with 1 million rail and 330,200 air travel tickets cancelled.

Read more on IT legislation and regulation