One thing you can do to prepare: Keep some cash on hand because you can't rely on credit cards during a blackout. "You want enough money to make purchases for vital supplies at the time of an incident and ideally before store shelves go bare," says Al Berman, president of the Disaster Recovery Institute International, which helps organizations prepare for and recover from disasters.
How banks should protect you
Some banks are already preparing for an attack by conducting "table-top exercises to play out worst-case scenarios," Kalinich says. "These are evolving exposures and the solutions need to evolve as well."
Two ways banks can best protect customers, experts say, are to:
- Host the computers operating their websites in multiple states in multiple regions. In that instance, a customer in Florida can bank online even if a power grid attack occurs in the bank's home city of New York.
- Offer customers the option of using mobile banking applications.
"The integration is executed remotely so if power is down at a branch, there's a chance bankers can alert their customers via text messaging and offer online banking resources on their smartphones and tablets," says Gary Miliefsky, CEO of SnoopWall, a cybersecurity company in Nashua, New Hampshire.
While scenarios are not predictions, they do explore what might happen based on past events and scientific, social and economic theory.
"Prudent banks are aware of such risks and have developed incident-response plans, such as power generators and fail-over systems," Kalinich says.
Overall, the best way for consumers to protect themselves is to bank with financial institutions that maintain cyberinsurance that covers attacks on the power grid.
"Computer viruses are a new phenomenon," Kalinich says. "Historically, legacy policies were silent on power grid cyberattacks until as recently as 2 to 3 years ago."
Claims the insurance industry would face in the event of a disruption to the power grid could range from an estimated $21.4 billion to $71.1 billion in the most extreme scenarios, according to the Lloyd's report.
"While many cyberinsurance policies are focused on the costs of a data breach, other coverages are emerging which focus on a cyberattack against critical infrastructure and industrial machinery," says Nick Beecroft, manager for emerging risks and research with Lloyd's. "These policies can cover physical damage, business interruption, restoration costs and lost income together with support services to help organizations improve their cyber resilience."
What an attack might look like
"We define an extreme scenario as one that involves a cascading power outage," Beecroft says. "This means that problems in specific parts of the grid generate much wider ... impacts that cause a general blackout."
An example is the Northeast blackout of 2003, in which a software problem in 1 control room in Ohio generated a cascading outage that left 55 million people in the U.S. and Canada without power.
The blow to the grid might take the form of something like the 2010 Stuxnet virus, a computer worm that reportedly destroyed a portion of Iran's nuclear centrifuges by causing them to spin out of control.
"A piece of Trojan software like Stuxnet is able to take control of electricity generators and on command force them to run out of control and catch fire; (it) is based on a real threat that the FBI is already investigating," Beecroft says.