A significant cyberattack across the United Kingdom’s critical national infrastructure could have “far-reaching and significant economic impacts” for Britain, according to a study carried out by the Cambridge Centre for Risk Studies.
The report, titled Integrated Infrastructure: Cyber Resiliency in Society, was developed by the Cambridge Centre for Risk Studies, a multidisciplinary centre of excellence for the study of the management of economic and societal risks, in conjunction with global security and aerospace company Lockheed Martin. The report, which was released on Tuesday, models the potential impact of a coordinated and sustained cyberattack on one of the UK’s regional power distribution networks and the likely short- and long-term costs to the UK economy.
In the most conservative scenario, said a press release from Lockheed Martin, the immediate impact to the UK’s economic output is 12 billion pounds (£), with a five-year GDP impact of £49 billion. In the most severe case, these figures increase to £85 billion and £442 billion respectively. In the latter case, this represents approximately 2.3% of the UK’s GDP over the period.
The report outlines a fictional scenario in which a cyberattack is executed by a disgruntled employee of a distribution network operator with the backing of a nation-state adversary. Disruption is achieved by installing rogue hardware in a minimum of 65 vulnerable substations in South East England (this attack footprint is expanded to 95 and 125 substations in increasingly extreme variants of the scenario). This rogue hardware empowers the cyber adversaries to trigger rolling blackouts across the region during the winter season, shutting down parts of the London area and impacting all aspects of the UK economy. [click image below to enlarge]
Key findings from the report include:
Financial services (£1.3 billion losses in the standard scenario), retail (£1.3 billion), real estate (£1.2 billion) and professionals (£1 billion) are the most significantly affected industries in terms of immediate economic losses. The remaining £7.2 billion in losses is spread over another 19 industry sectors;
Scenario variants and rectification timescales range from rapid response (three weeks until full power restoration), average response (six weeks restoration) and slow response in the most extreme scenario (12 weeks restoration); and
In the most conservative scenario, an estimated nine million people are hit by the blackouts, 800,000 individual train journeys and 150,000 air passenger tickets are impacted daily. In the most extreme scenario, these impacts rise to 13 million affected, with one million and 330,200 rail and air travel tickets cancelled.
“As our critical national infrastructure becomes increasingly interconnected, the risk and cost of a potential cyberattack gets exponentially larger each and every day,” said Justin Walker, vice president for Lockheed Martin’s information systems business in the UK and Europe. “Through increased collaboration, government, industry, regulators and the wider technology industry all have a role to play ensuring the UK economy is resilient to cyberattack.”