An Actuarial Framework of Cyber Risk Management for Power Grids


As evidenced by the recent cyberattacks against Ukrainian power grids, attack strategies have advanced and Stuxnet-like malware agents will continue to emerge. Currently, the measures used to audit the critical cyber assets of power infrastructure do not provide quantitative guidance that can be used to improve security protection during the audit process. Investment in security protection is often limited to enforcing compliance with the reliability standards. Technologies could provide more security logs to automate the assessment of the ongoing health of cyber systems. Cyber risk management in utilities can be quantified, but auditors and investors must understand the implications of hypothetical worst cases and how they can affect neighboring control areas within an interconnection if a cyberattack ever occurs. The objective of this collaborative research project is to develop an actuarial framework of enterprise risk management for power grid cybersecurity. The generation of comprehensive vulnerability and reliability-based knowledge from extracted security logs, cyber-induced degradation of operational reliability, and hypothetical implications can establish risk portfolios for utilities in terms of their preparedness level to protect their power communication infrastructure against cyber manipulation.

This three-thrust project will significantly advance the state of the art in research relating to the science of cyber-physical systems. It is intended to establish an actuarial framework for strategizing technological improvements of countermeasures against intrusion-based attacks on wide-area power networks. Thrust one provides an approach to exploring the combinations of topological statuses of power grids to determine whether deploying technologies can affect the cascading consequences that lead to widespread instability. Thrust two comprehensively studies how hypothesized cyberattack scenarios would impact grid reliability. This approach is based on a probabilistic, cyber-induced risk assessment. Thrust three uses the findings from the first two thrusts to construct actuarial models. Actuarial tools such as value at risk (VaR) and tail value at risk (TVaR) are employed to assist the quantification and management of cyber risks, from the perspectives of both insurers and the insured utilities.

This project will deliver socioeconomic and environmental benefits as well as educational benefits and outreach activities. By establishing an actuarial framework to quantify and manage cyber risks, this project will promote a self-sustaining ecosystem in power infrastructure, which will eventually help improve overall social welfare. Advances in cyber insurance will stimulate actuarial research in handling extreme rare events and strong dependencies. In addition, the development of research and practice related to cybersecurity and cyber insurance for critical infrastructure will be further promoted by educating students at MTU and UWM and by disseminating the results in professional journals and at peer-reviewed conferences. Underrepresented groups will be encouraged to participate in this project and related areas.

  • 1739422
  • 2018
  • CPS-PI Meeting 2018
  • Poster
  • Posters (Sessions 8 & 11)
Submitted by Alexis Rodriguez on