National Security Report
Quantifying Improbability: An Analysis of the Lloyd’s of London Business Blackout Cyber Attack Scenario
by Susan Lee, Michael Moskowitz, and Jane Pinelis
Scenarios that describe cyber attacks on the electric grid consistently predict significant disruptions to the economy and citizens’ quality of life. Most offer anecdotal support for the grid’s vulnerability to such an attack and assume the existence of an adversary with the means and intent to launch the attack. An estimate of risk, however, also requires knowledge of the probability that an attack of the required caliber can be successfully executed. Quantifying the probability of success for a large-scale cyber attack is hard because of the lack of precedent and the changing nature of threats and vulnerabilities. This report uses the grid cyber attack scenario outlined in the Lloyd’s of London and the University of Cambridge Centre for Risk Studies 2015 report, Business Blackout, to demonstrate how a probabilistic assessment could be used to quantify the likelihood that the scenario could occur. The analysis is subject to the limitations inherent in any probabilistic risk assessment; however, it serves to highlight some interesting phenomena that deserve further investigation, such as the importance of some individual power plants in influencing the adversary’s probability of success. In addition, it describes feasible data collection that would materially increase the validity of such an analysis.