The failure of even parts of the nation’s power grid could cause rolling blackouts that paralyze health care, traffic and business systems. With the advent of “smart” infrastructures that send data to the internet, cybersecurity is becoming a prime concern of public officials.
A pair of UWM professors is aiming to help utility companies prepare for that risk by making it easier for insurance companies to cover it.
But insurance doesn’t keep a disaster from happening. So how does quantifying the risk help protect people?
It’s an important first step in motivating operators and policymakers to invest more in cybersecurity assets, according to Lingfeng Wang, an associate professor of electrical engineering, and Wei Wei, an assistant professor of mathematics. The two have funding from the National Science Foundation to build predictive models that would put a monetary value on damage caused by potential cyberattacks to the nation’s power grids.
“The cyber insurance premiums will be high for those with low cybersecurity performance audits, based on our novel actuarial models,” said Wang, who develops software tools that can find vulnerable spots in public infrastructure. “Conversely, utilities with high cybersecurity will enjoy low premiums.”
Currently, decision-makers at most electric utilities do not see the need for such investment because the latest measures would not guarantee complete protection. Yet, the cyberthreat landscape is continuously evolving, said Wang, requiring the development of forward-thinking defense and risk-transferring strategies.
And building a model could illustrate just how risky cyberthreats are, added Wei.
“For the past few years, people have thought that cyber risk is uninsurable,” said Wei, who specializes in actuarial science – mathematical techniques for prediction and risk assessment. “It’s uninsurable because we don’t know much about the nature of the risk.”
For comparison, think about car insurance, he said. Companies have collected a lot of data about driving habits based on driver age, car model, location and more. Using that data, they can gauge the average amount of money a car accident might cost, and they can set their premiums accordingly.
“When it comes to cybersecurity and cyber risk, we don’t have that much data and we can’t wait for the data to be collected,” said Wei.
Instead, he said, they will investigate the structures and self-protection strategies of some companies and project potential losses. It’s a project that blends expertise in electrical engineering, computer science, actuarial science and statistics.
In the first phase of the study, Wang and his students will examine the existing power grid infrastructure and the cybersecurity measures utility companies already have in place. Then they’ll come up with scenarios of what might happen should hackers breach those security provisions.
The second part of the project is Wei’s department.
Besides calculating potential losses for each scenario, the researchers will construct a probabilistic model to quantify them.
“Based on that, we can apply some actuarial techniques to give the insurance premium,” said Wei. “We hope to get a clear picture on how those risks interact with each other, and then we want to build an actuarial model to instruct practice.”
The two researchers also are investigating the idea of introducing incentives, much like good-driver discounts in auto insurance, based on how much utility companies invest in measures like firewalls and security infrastructure.
While their model could make cyber insurance more palatable for wary insurance companies, the work also could improve existing models of risk for other kinds of disaster, said Wei.
“If it works, we can also generalize this model to other fields of the same nature, like internet-based cyber risk,” he said. “That model can also interact with existing models for traditional catastrophic events, like hurricanes or earthquakes.”