Shutting down the power grid via cyberspace could occur within five to 10 years, new cyber risk report suggests

A major cyber crisis – such as the shutting down of the power grid in the United States via cyberspace – could occur within the next five to ten years, suggests a new cyber risk research report from the Insurance Institute of Canada (IIC).

Cyber Risks: Implications for the Insurance Industry in Canada, released on Tuesday, “uniquely assesses cyber risk from the perspective of Canada’s p&c insurance industry,” the IIC said in a press release. The research report surveys the most common forms of cyber attacks, who the criminals are and what they are after, the type and scope of cyber losses and why the losses are expected to get worse, including catastrophic scenarios in which criminals knock out the power grid via cyberspace.

While “widespread, prolonged disruptions in global communications and commercial networks have not occurred,” the report noted, cyber experts believe that these attacks will come in the next five to ten years. “Many anticipate that the first cyber crisis will involve an attack on the critical infrastructure of a major economy, such as shutting down the power grid in the United States,” the report said.

Related: Insurance Institute of Canada report encourages p&c organizations to build cyber resiliency; cites business opportunity in expanding coverage

According to the report, Admiral Michael Rogers, head of the U.S. National Security Agency and the top cyber security official in the country, issued a warning in late 2014 that three countries may now have the capacity to remotely shut down the national power grid and other critical infrastructure in the United States. “On a smaller scale, attackers could take control of a railroad system and order two trains onto the same track,” the report added. “The resulting collision could significantly erode public confidence in the safety of the transportation network.”

A cyber attack capable of taking down the national power grid, disrupting air and rail traffic, shutting down the water supply, bringing chaos to communications systems, or otherwise threatening critical infrastructure would create severe disruptions for society, the report emphasized. “This kind of catastrophic incident is presently uninsurable,” the report said, noting that insurance companies do not have sufficient information to assess the likelihood and consequences of a serious attack.

Furthermore, while insurance may be sufficient to cover the individual risks of loss, the industry may be unable to cover the accumulation of losses across society. “Major attacks on the power grid or the Internet itself are examples of perils with widespread implications that are poorly understood at present in terms of likelihood, consequence, and accumulation.”