A severe enough cyber attack against the nation’s power grids could cripple cities like Milwaukee. UWM mathematician Wei Wei is the co-principal investigator on a grant to help identify the risks of such an attack and how insurance companies can guard against them. Photo by Corey Coyle.
In 2015, Ukraine reported that hackers were able to compromise the information systems of three power utility companies, marking the world’s first recorded successful cyber attack against a power grid. Cyber attacks, especially targeting infrastructure, have become an increasing concern for U.S. law enforcement agencies, security experts, and power companies alike.
UWM Mathematical Sciences professor Wei Wei is hoping to help utility companies prepare for that risk.
Wei’s research focuses on actuarial science. He is the co-principal investigator, alongside principal investigator electrical engineering professor Lingfeng Wang in the UWM College of Engineering and Applied Science, on a $352,109 grant from the National Science Foundation. The grant funds an examination of cyber security risks to the country’s power grids, and how to make insuring against those risks easier.
There are two ways power utility companies can protect themselves from the consequences of cyber attacks. The first is to invest in front-end security, like firewalls, strong passwords, and infrastructure, to stabilize the power grid. The second is to transfer the risk of monetary damages to another party, like an insurance company.
The trouble is, insurance companies are reluctant to provide services for this type of threat.
“For the past few years, people have thought that cyber risk is uninsurable,” Wei explained. “It’s uninsurable because we don’t know much about the nature of the risk.”
For comparison, think about car insurance, he said. Companies have collected a lot of data about driving habits based on driver age, car model, location, and more. Using that data, they can gauge the average amount of money a car accident might cost, and they can set their premiums accordingly.
“When it comes to cyber security and cyber risk, we don’t have that much data. It’s relatively new,” Wei said. “And when we don’t have data, we can’t build the statistical model as we did for traditional insurance business. That’s the difficulty, but we can’t wait until we accumulate enough data.”
That’s the driving point behind Wei and Wang’s grant.
“We think we can directly look into each utility company, or utility companies of the same nature, and look at their structures and self-protection strategies. Based on that, we can project the potential loss [in the event of a cyber attack],” Wei said.
The first part of the project is up to Wang. He and his students will examine existing power grid infrastructure and the security measures utility companies already have in place to address cyber threats. Then they’ll come up with scenarios of what might happen should hackers breach those security provisions.
Though it’s unlikely, the results of such an attack could be catastrophic. Power grids span broad regions and if certain parts of the grid fail, it could result in rolling blackouts affecting huge swaths of the country. And losing power goes beyond being unable to turn on the lights; hospitals could lose the function of life-saving medical equipment, financial institutions could lose access to vital business transactions, and traffic would be a snarled mess, for starters.
The second part of the project is Wei’s department.
“For each scenario, [we calculate] the potential losses, and then we construct a probabilistic model to quantify that,” Wei said. “Based on that, we can apply some actuarial techniques to give the insurance premium.”
He and Wang are also researching the idea of introducing incentives, much like good-driver discounts in auto insurance, based on how much utility companies invest in security measures like firewalls and infrastructure.
By the end of the grant, Wei and Wang hope to have made cyber insurance a more palatable prospect for wary insurers.
“We hope to get a clear picture on how those risks interact with each other, and then we want to build an actuarial model to instruct practice. If that works out, we can also generalize this model to other fields of the same nature, like Internet-based cyber risk and all of those dependent events. That model can also interact with existing models for traditional catastrophic events, like hurricanes or earthquakes,” Wei said.
“We also want to provide some insight for the utility companies themselves,” he added. “Currently, many companies are not willing to invest in self-protection. They think they’ll just take the chance. By building such a model we could let them realize
how risky those cyber events are.”
By Sarah Vickery, College of Letters & Science