CPS: Medium: Collaborative Research: An Actuarial Framework of Cyber Risk Management for Power Grids

Abstract: As evidenced by the recent cyberattacks against Ukrainian power grids, attack strategies have advanced and new malware agents will continue to emerge. The current measures to audit the critical cyber assets of the electric power infrastructure do not provide a quantitative guidance that can be used to address security protection improvement. Investing in cybersecurity protection is often limited to compliance enforcement based on reliability standards. Auditors and investors must understand the implications of hypothetical worst case scenarios due to cyberattacks and how they could affect the power grids. This project aims to establish an actuarial framework for strategizing technological improvements of countermeasures against emerging cyberattacks on wide-area power networks. By establishing an actuarial framework to evaluate and manage cyber risks, this project will promote a self-sustaining ecosystem for the energy infrastructure, which will eventually help to improve overall social welfare. The advances in cyber insurance will stimulate actuarial research in handling extreme cyber events. In addition, the research and practice related to cybersecurity and cyber insurance for the critical energy infrastructure will be promoted by educating the next generation of the workforce and disseminating the research results. The objective of this project is to develop an actuarial framework of risk management for power grid cybersecurity. It involves transformative research on using insurance as a cyber risk management instrument for contemporary power grids. The generation of comprehensive vulnerabilities and reliability-based knowledge from extracted security logs and cyber-induced reliability degradation analysis can enable the establishment of risk portfolios for electric utilities to improve their preparedness in protecting the power infrastructure against cyber threats. The major thrusts of this project are: 1) developing an approach to quantifying cyber risks in power grids and determining how mitigation schemes could affect the cascading consequences to widespread instability; 2) studying comprehensively how hypothesized cyberattack scenarios would impact the grid reliability by performing a probabilistic cyber risk assessment; and 3) using the findings from the first two thrusts to construct actuarial models. Potential cyberattack-induced losses on electric utilities will be assessed, based on which insurance policies will be designed and the associated capital market will be explored.