Critical infrastructure, Cyber and worseCRO Assembly 22 Mai 2019

Dr. Eric Durand, Head Cyber Centre of Competence

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Agenda

1. Of Infrastructures and Critical Infrastructures

2. A realistic worst-case (Cyber)

3. An even worse realistic worst-case ?

2

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Cyber and Infrastructures, some past events

3

Sources: - World Energy Council- www.risidata.com

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

• Individual view = Underwriting view critical and non-critical “infrastructure”

– any (insured) machine

– any (insured) process

Property Damage, Business Interruption, Contingent BI, (Supply Chain)

Three different aspects

4

sources: fema, NIST

• Societal view – critical infrastructure events – little insurance coverage

• (Re)Insurance and society’s survival – largest critical infrastructure events.

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

How to Attack the Electric Power Grid

1: Control centres of TSO/ISO/RTOs1

– Intrusion into SCADA2 system (e.g. via corporate network)

– Making persistent changes on SCADA software

– Manipulation of transformers, breakers and switching centres → generally well protected, but a single attack can cause large blackouts

2: Power plants control centres, power generators– Intrusion into power plant control centres– Installing a malware (Logic Bomb) to distort the protection system of generators.

→ Attacks on single plant not critical thanks to the security reserves kept within the grid. A high number of plants need to be attacked synchronously for large-scale outage very unlikely.

3: “Smart Grid” consumers and producers

– Attack on power meters (consumers) or steering units (decentralised producers)

→“Smart Grid” is still in its infancy. Attack might be a concern in 10-15 years, but not today.

1

2

3

Se

lecte

d

sce

na

rio

1) TSO: Transmission System Operator, central entities that control the flow of electric power in European CountriesISO/RTO: Independent System Operator / Regional Transmission Operator (same function in the USA)

2) SCADA = Supervisory Control and Data Acquisition = System for remote monitoring and control

5

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019 6

Risk Scenario Cambridge

• US Grid study by Cambridge University (May 2015) in collaboration with Lloyds andwith contribution from the Department of Homeland Security

• 15 US States affected, 93 Mio. US Citizens without power for 2-7 days (three subscenarios S1, S2, X1)

• Quantification of Economic Loss and Insurance Industry Losses

• Economic costs (revenue calculation incl. Supply Chain) from USD 61bn to 223 bn

• Insurance losses range from USD 21bn to 71bn

Europe ? Germany, France !

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

• The RTOs in the USA are somewhat prepared, they have been regularly practicing crisis management and incident response (e.g. the Grid Exercise 2016 organized by NERC) also to some extent in case of a cyber attack.

• Two full days are required to regain control over the RTO/ISO’s system and to commence with the restore procedure.

• Fast recovery of 50% of the network can then be achieved within 1 days• Gradual recovery of the other 50% of the network within 11 days

7

Scenario parameters, example

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Swiss Re Approach for Cyber on Critical Infrastructure (electricity production/transmission) for Single Risks

• All single-risks of electricity producers and electricity consumers (industry –commerce –individuals)

• BI, CBI, supplier extensions

FIRST STEP

• Turnover (daily)

• Industry segment

SECOND STEP

• Black-out duration vs. waiting period/deductible

• Black-out size vs. geographical distribution(mono- vs multi-location risks)

THIRD STEP

• Coverage conditions (trigger, exclusions)

FOURTH STEP

• Coverage limitations (Sum Insureds, limits, layer length)

• Minimal capacity charge

FIFTH STEP

• Resulting capacity

SIXTH STEP

8

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019 9

Out of Swiss Re Annual Report 2018, Financial part

Un

ce

r-ta

inty

ran

ge

Not at scale

Worse realistic worst-case ?

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019 11

Solar Storm Events: aka- Coronal mass ejection (CME)- Geomagnetic Disturbance (GMD)- Severe Space Weather- Geo-magnetically Induced Currents (GIC)

Bild: Solar Dynamics Observatorybservatory

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019Slide 12

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

From varying B-fieldandAuroral ElectrojetstoE-field.

13

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Calculation steps

14

1) Substations- per states- 3 EHV voltage levels- with & w/o spares

2) Geo-magnetic latitude3) Resistivity

- down to 100 Km- equivalent impedance

4) Proximity to sea

5) Empirical vulnerabilityof transformers:

(Binomial distribution asfunction of all the above)

For scenario (S2)0 not impacted1 tripped2 slightly damaged3 strongly damaged4 destroyed

%-age of Outage days Outage daystransformers w/o spares with spares

49% 0 033% 5 514% 91 14

3.6% 182 140.4% 243 14

%-age of Outage days Outage daystransformers w/o spares with spares

49% 0 033% 5 514% 91 14

3.6% 182 140.4% 243 14

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Metatech Corp, John Kappenman [2010].- > 130 m people affected

- Assumptions: strength as May 1921 event

- 200-300 transformers affected

- Economic costs > USD 1 trillion

- Lengthy restoration times, chronicshortages for up to 4 to 10 years for a fullrecovery

Scenarios of large-scale and long-lasting power outageWorst case solar storm scenario:

15

Lloyds study (aer) [2013]: Carrington-level storm (1859): 20-40 million people affected, Power outage 16 days to 1-2 years,Economic cost estimated at $0.6-2.6 trillion USD.

Cambridge Uni. [2016]: Total economic “shock”: S1, S2, X1 0.5 – 2.7 trillion USDS1 = “optimistic” view, power outage up to 1 year.X1 = “deliberately extreme, reflects Kappenman’s perspective”(insured is estimated at roughly 10-15%)

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Swiss Re Approach for GMD on Critical Infrastructure (electricity production/transmission) for Single Risks

• All single-risks of electricity producers and electricity consumers (industry –commerce –individuals)

• BI, CBI, supplier extensions

FIRST STEP

• Turnover (daily)

• Industry segment

SECOND STEP

• Black-out duration vs. waiting period/deductible

• Black-out size vs. geographical distribution(mono- vs multi-location risks)

THIRD STEP

• Coverage conditions (trigger, exclusions)

FOURTH STEP

• Coverage limitations (Sum Insureds, limits, layer length)

• Minimal capacity charge

FIFTH STEP

• Resulting capacity

SIXTH STEP

16

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019 17

Out of Swiss Re Annual Report 2018, Financial part

Un

ce

rta

inty

ra

ng

e

Not at scale

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019 18

Discussion time !

1. Of Infrastructures and Critical Infrastructures

2. A realistic worst-case (Cyber)

3. An even worse realistic worst-case ?

Agenda today was:

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Appendix

19

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019Slide 20

DST (disturbance – storm time) index

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Aurora Borealis

Credit : NASAhttp://www.youtube.com/watch?v=N5utQxtma2U

21

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019

Legal notice

©2016 Swiss Re. All rights reserved. You are not permitted to create any modifications or derivative works of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re.

The information and opinions contained in the presentation are provided as at the date of the presentation and are subject to change without notice. Although the information used was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage or loss resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re or its Group companies be liable for any financial or consequential loss relating to this presentation.

22

Critical Infrastructure and Cyber | CRO - Assembly | 22 May 2019 23