If you have ever seen this video:
The Most Terrifying Video You'll Ever See, it definitely has a catchy title that makes you want to click and watch. Regardless of your views on the topic it's covering (global climate change), it's an interesting topic and stimulates debate from all sides.
I could not help but notice the similarities between that topic and the increasingly popular power grid cyber attack scenario argument. With the discovery of Stuxnet in 2010 and it's "game changing" functionality and components, that which was previously theoretically possible is now a reality.
Using the same diagram as the author (Wonderingmind42, Greg) in this video, I constructed a similar diagram for a Grid Cyber Attack (GCA). The other acronym in the diagram is BES (Bulk Electric System).
First, a GCA is defined as a Stuxnet-like sophisticated piece of malware that infiltrates the US power grid at multiple locations, through multiple Utilities and is designed to have very specific impacts. Hypothetically, this scenario includes impacts such as wide spread cascading power outages in various parts of the country and many prolonged outages lasting weeks or months.
So let's define the diagrams components for clarity:
- On the left hand side is a false/true. This is whether or not you believe the above type of scenario happening is likely to be false or likely to be true.
- Across the top, the columns represent action taken. Either we take action "yes" or we do not take action "no" to do all that we can to prevent this type of cyber attack scenario from occurring.
- The 4 boxes in the middle represent the consequences of taking the actions (and depend on the false and true rows).
Now let's define the consequences of taking action in more detail:
Box 1 (upper left corner) represents taking an action (yes) and this sort of grid cyber attack occurring being false. The consequences of this action would likely result (using a worst case scenario) in a lot of unnecessary costs to all Utilities that chose to do all they can to defend against this scenario. "All that they can" is hard to define and left up to the decision makers of each participating Utility. This would likely translate into decreased profits which would translate into things like layoffs and a sector wide decline in profitability. - We spent a whole lot of money for nothing and now we might look a little silly and impact the lives of people we are forced to lay off.
Box 2 (lower left corner) represents taking an action (yes) and this sort of grid cyber attack scenario occurring turning out to be true. The consequences of this action would result in the same costs as listed above but the Utilities being able to either stop outright or retain reliability and integrity of the power grid against the described cyber attack. - We paid for it, but we stopped it. yay! :)
Box 3 (upper right corner) represents not taking any action (no) and this sort of grid cyber attack scenario not occurring. The consequences of this inaction are "business as usual" and everyone is happy yay! :)
Box 4 (lower right corner) represents not taking any action (no) and this sort of grid cyber attack scenario turning out to be true. The consequences of this inaction are the "worst case scenario" coming true. Significant human impacts. Loss of hundreds of millions of dollars but more than likely, hundreds of billions of dollars due to wide spread cascading power outages lasting weeks to months across the U.S. Major impacts include public safety, health, operational, economic, and political. Widespread panic and chaos not unlikely.
So like the author of "The Most Terrifying Video You'll Ever See", one must ask the question, is it worth it? Are we doing enough, fast enough? These are no doubt, difficult questions with difficult, complex answers.
Should these decisions be a cost/benefit analysis and financially motivated when they deal with such high impact consequences?
Some other interesting related topics include the precautionary principle:
The Precautionary Principle
What do you think?
