A group of hackers bent on attacking the United States gains access to computer systems controlling a number of power plants. They then shut down those plants, plunging millions of Americans into darkness. Water supplies are disrupted, safety systems fail and transportation networks close.
Sound like a Hollywood blockbuster? It’s actually a nightmare scenario that some worry could happen.
President Barack Obama warned of the potential in his 2013 State of the Union address, saying the nation’s enemies are “seeking the ability to sabotage our power grid.” And a July 2015 study, co-authored by insurance giant Lloyd’s of London and the University of Cambridge’s Centre for Risk Studies, offers a grim portrait of what might happen if a group or country were to hack into power station computers.
“The reality is that the modern, digital and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire to cause harm,” says Tom Bolt, Lloyd’s director of performance management.
How to prepare for an attack
- Keep backups of all statements or e-statements.
- Maintain a backup of account information.
- Stash some cash in your home.
- Safeguard credit cards.
- Take advantage of your bank or credit union’s mobile banking app.
How an outage would hurt your finances
Though the impacts on banking are somewhat less ominous than on some other areas of the economy, the Lloyd’s study also looks at what would happen if banks were to go dark. Indeed, a cyberattack would leave many depositors penniless for days.
An outage could mean you wouldn’t be able to withdraw or transfer money, and automatic payments would cease, says Kevin Kalinich, global cyber-risk practice leader for Aon, a risk management firm.
“Due to the fact that many consumer transactions are set up for automatic payment and transfer, consumers might be held delinquent in paying bills, rent (and) mortgages, and as a result receive a black mark on their credit rating, which can prove difficult to amend,” Kalinich says.
One thing you can do to prepare: Keep some cash on hand because you can’t rely on credit cards during a blackout. “You want enough money to make purchases for vital supplies at the time of an incident and ideally before store shelves go bare,” says Al Berman, president of the Disaster Recovery Institute International, which helps organizations prepare for and recover from disasters.
How banks should protect you
Some banks are already preparing for an attack by conducting “table-top exercises to play out worst-case scenarios,” Kalinich says. “These are evolving exposures and the solutions need to evolve as well.”
Two ways banks can best protect customers, experts say, are to:
- Host the computers operating their websites in multiple states in multiple regions. In that instance, a customer in Florida can bank online even if a power grid attack occurs in the bank’s home city of New York.
- Offer customers the option of using mobile banking applications.
“The integration is executed remotely so if power is down at a branch, there’s a chance bankers can alert their customers via text messaging and offer online banking resources on their smartphones and tablets,” says Gary Miliefsky, CEO of SnoopWall, a cybersecurity company in Nashua, New Hampshire.
While scenarios are not predictions, they do explore what might happen based on past events and scientific, social and economic theory.
“Prudent banks are aware of such risks and have developed incident-response plans, such as power generators and fail-over systems,” Kalinich says.
Overall, the best way for consumers to protect themselves is to bank with financial institutions that maintain cyberinsurance that covers attacks on the power grid.
“Computer viruses are a new phenomenon,” Kalinich says. “Historically, legacy policies were silent on power grid cyberattacks until as recently as 2 to 3 years ago.”
Claims the insurance industry would face in the event of a disruption to the power grid could range from an estimated $21.4 billion to $71.1 billion in the most extreme scenarios, according to the Lloyd’s report.
“While many cyberinsurance policies are focused on the costs of a data breach, other coverages are emerging which focus on a cyberattack against critical infrastructure and industrial machinery,” says Nick Beecroft, manager for emerging risks and research with Lloyd’s. “These policies can cover physical damage, business interruption, restoration costs and lost income together with support services to help organizations improve their cyber resilience.”
What an attack might look like
“We define an extreme scenario as one that involves a cascading power outage,” Beecroft says. “This means that problems in specific parts of the grid generate much wider … impacts that cause a general blackout.”
An example is the Northeast blackout of 2003, in which a software problem in 1 control room in Ohio generated a cascading outage that left 55 million people in the U.S. and Canada without power.
The blow to the grid might take the form of something like the 2010 Stuxnet virus, a computer worm that reportedly destroyed a portion of Iran’s nuclear centrifuges by causing them to spin out of control.
“A piece of Trojan software like Stuxnet is able to take control of electricity generators and on command force them to run out of control and catch fire; (it) is based on a real threat that the FBI is already investigating,” Beecroft says.