The Sky Isn’t Falling, But the Internet Might


Experts say thanks to a dearth of Federal support, it isn’t a stretch to imagine a power grid cyber attack that takes out the Internet, grinding communications and businesses to a halt in the process.

The Federal government's General Accounting Office (GAO) and the Massachusetts Institute of Technology didn’t officially compare notes, but easily could have based on their research conclusions concerning U.S. power systems. Both organizations point to a power grid system that is vulnerable to attack by cyber criminals, a catastrophe that causes insurers selling business interruption coverage to cringe.

The broader GAO report, “Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination,” examined threats to federal information technology (IT) infrastructure and systems, which the report says continue to grow in number and sophistication.

The report looked at the health of cybersecurity programs in eight Federal departments, and found their respective efforts to be irregular. In other words, the scale and scope of cybersecurity is not well-defined, departments are deficient in setting expectations and milestones, and training requirements are inconsistent. The report calls for more coordination among departments and tighter planning overall.

The MIT report issues a similar call, but focuses more specifically on the power grids that fuel the Federal departments’ ability to function, and suggests that a single Federal organization be made responsible for cybersecurity in all Federal departments and agencies. This report also calls for a stronger Federal role in cross-state transmission planning. The IEEE Standards Association asserts that the most recent national energy act already gave the Federal Energy Regulatory Commission (FERC) enhanced authority to bolster key transmission corridors, and reports evidence of transmission actually getting built when the task is properly addressed.

Insurers have a huge stake in cyber attacks, whether to the power grid itself or to its distributed systems. A report issued this week by Standard & Poor’s, “Ten Years Later, Terrorism Exposure Remains an Issue for U.S. Insurance Companies,” notes that isolated terrorist attacks, those that occur in particular places such as New York or other large cities, would mean less exposure to the insurance industry as a whole.

And although the federal terrorism insurance backstop (The Terrorism Risk and Insurance Act) provides coverage for insurers that participate in the program, a massive loss, such as that posed by cybersecurity criminals hoping to damage the power grid, would be a different matter. S&P estimates that with a given insurer’s deductible, it could amount to more than one year’s worth of an insurer’s earnings.

A loss of that size, in capital erosion terms, would probably equal more than 10 percent, and “would likely” cause S&P to issue a rating action on the insurer. This dire warning relates to the cyber attack’s “contagion factor on the macroeconomic level,” which would result in insurers’ reserve and investment incomes being affected.

Indeed, in a world that is becoming an increasingly insecure place to do business, commercial lines insurers must be up to the task when it comes to risk assessment and mitigation against business interruption of any kind.

Linda Conrad, director of strategic business risk at Zurich Global Corp. who leads the supply chain group in the U.S. for Zurich NA, believes that any improvements to the power grid will benefit all stakeholders. At Zurich, however, the power grid is but one risk being tracked.

“We conduct gap analysis around business continuity plans—usually around a crisis situation,” she told Insurance Networking News, “and we start with that analysis to help the client understand how to be more proactive against certain types of risk.”

Conrad reflects on a survey Zurich conducted in 2009 that confirmed IT as the No. 1 cause of supply chain interruption.

“When one geographic area depends on another area that is taken out by a single event or crisis, the supply chain is profoundly affected,” she says. “An interesting example of this is in Japan – all of the actual damage [from the 2011 Tohoku earthquake] was in the north, but disruption to manufacturing and supplies came from southern Japan as the result of power issues related to the event.”

Conrad’s business unit lives and breathes a proactive approach to risk mitigation. “We call it business resilience,” she says. “We model this ourselves, and guide our clients in this philosophy.”

Zurich’s total risk profiling includes a structured risk analysis—a tool used to identify and quantify key risks within a company, and an exercise that involves every business unit and all personnel, who are asked to identify the major issues that may impact their ability to hit their targets.

“It’s less expensive to take a proactive approach,” Conrad says.

Insurers such as Zurich may take solace that the Federal government is trying to ramp up efforts to thwart cybercriminals—at least at their own military bases as a starting point. Cyber Command, also known as USCYBERCOM, conducted its first major tactical cyber exercise called Cyber Flag this week. The joint cyberspace training exercise was held at the Air Force Red Flag Facility at Nellis Air Force Base in Nevada. The event brought together more than 300 cyber and IT professionals, all focused on mission integration between cyber command and the cyber components of the Air Force, Marines, Army and Navy.

Federal budget allocations in the amount of $10 million are being devoted to a National Cybersecurity Center of Excellence to be housed at the National Institute of Standards and Technology, and $16.5 million is appropriated to support the administration’s National Strategy for Trusted Identities in Cyberspace, which is managed by NIST.

And shortly after the MIT report was released, the White House released a roadmap that sets research and development priorities for cybersecurity that focuses on the U.S. network infrastructure. The plan, "Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program," has as its goal accelerated efforts in the collaboration, scientific research and creation of stopgaps that make it more difficult for cybercriminals to launch an attack.

At Zurich, meanwhile, it’s business as usual. “We help companies think through this type of adversity,” Conrad says. “A small solution is to obtain a generator, which makes for good continuity planning. However, hospitals are known for acquiring diesel generators, and if there is an issue with the grid, those generators will be hard to obtain. So we advise companies to have a backup for their backup.”
