Operational and economy-wide impacts of compound cyber-attacks and extreme weather events on electric power networks
Introduction
Information communication and control (ICC) technologies enhance the efficiency and flexibility of infrastructure operations [1] but expose critical infrastructure components to cyber-attacks. In infrastructure systems with strong coupling of ICC technologies and physical operations, malware infiltration can result in large disruptions [2]. According to the Industrial Control Systems Cyber Emergency Response Team, the annual number of data breaches and exposed records in the U.S. grew sixfold and twofold, respectively, between 2005 and 2020 [3]. Across all economic sectors, cyber-attacks increase in frequency and intensity [4], but energy infrastructure is at particular high risk. Energy was the second most targeted economic sector in 2015 [3].
Major disruptions in energy infrastructure are also caused by extreme weather events which damage energy infrastructure components and force them out of service. Hurricane Isaias left almost 800,000 utility customers without power in New York in 2020 [5] while Hurricane Ida impacted more than 1.2 million customers in Louisiana in 2021 [6], largely due to damaged utility poles. Extreme weather events can also damage electric power substations, utility poles, and distribution lines [7], [8], [9].
In turn, energy infrastructure disruptions propagate across sectors and lead to economy-wide losses. Damaged electric power components can disrupt drinking water pumps, sewage pump stations, and telecommunications cellular tower sites. A substation explosion caused by Hurricane Sandy left most of Lower Manhattan without power for more than four consecutive days in 2012 [10], affecting also transportation and telecommunications [11]. Power outages during the 2016 Winter Storm Jonas disrupted food availability in Baltimore [12]. Estimates of the economy-wide losses of the 2003 Northeastern Blackout range between $4-10 billion [13]. Nationally, the 10-year economic losses in the U.S. due to extreme weather events have quadrupled between 1980–2020, averaging $120 billion per year in 2016-2020 [14].
Cyber-attacks are more disruptive when infrastructure components face stresses beyond normal operating conditions. Thus, in the food sector, cyber-attacks against grain facilities can be more frequent during the critical planting and harvest seasons [15]. Relative to 2018, healthcare organizations incur increasing data breaches after the surge of COVID-19, affecting a record-high 45 million individuals in 2021 [16]. The cyber-attack against oil terminals in Germany and in the Amsterdam–Rotterdam–Antwerp area in late January and early February 2022 [17] happened during Europe’s peak gas demand season [18].
The growing frequency of extreme weather events and cyber-attacks manifests a novel threat where a malicious cyber actor disrupts stressed components of critical infrastructure immediately before, during, or shortly after an extreme weather event. This paper investigates the compound threat of cyber-attacks and extreme weather events, hereinafter referred to as Compound Cyber–Physical Threats, in critical infrastructure systems. We focus on the electric power sector for two reasons. First, electric power networks are important for the operation of other critical infrastructure systems. The importance of electric power networks is growing due to national and global electrification efforts to offset carbon emissions. Second, electric power networks are vulnerable to cyber-attacks and extreme weather events. For instance, recognizing the potential of Compound Cyber–Physical Threats, the U.S. National Guard designed and conducted three-day drills of a cyber-attack striking during an extreme weather event in coordination with the City of Houston in 2018 and the State of Indiana in 2021 [19], [20].
However, there does not exist a framework to (a) understand the compound effect of a cyber-attack timed with an extreme weather event, (b) identify the spatial distribution of critically-vulnerable infrastructure components within an electric power network, and (c) generate realistic, synthetic scenarios of Compound Cyber–Physical Threats for electric power disruptions and their economic impacts. Existing literature on energy infrastructure resilience has focused on the vulnerability of energy infrastructure components to independent extreme weather events [7], [8], [9] or cyber-attacks [21], [22], [23], [24]. Treating cyber and physical threats in the same framework assumes the coordination between both stressors by the same malicious actor [25], [26], [27], [28]. The cyber-attack aims to mask a deliberate physical attack, which differs from a random, spatially-distributed extreme weather event. Finally, studies on the economy-wide response of a region also focus on independent extreme weather events or cyber-attacks [29], [30], [31], [32], [33], [34], [35], [36]. However, most economy-wide studies simplify the operational response of critical infrastructure systems. Thus, this paper investigates the following research questions:
- •What is the disruption potential of Compound Cyber–Physical Threats for electric power networks?
- •Which regional electric power network components are more vulnerable to a cyber-attack timed with an operational disruption caused by an extreme weather event?
- •How do operational disruptions caused by a Compound Cyber–Physical Threat against electric power network components affect the activity of other sectors in the economy?
We build on existing literature to propose a two-stage framework for the study of Compound Cyber–Physical Threats. In the first stage, we integrate an Optimal Power Flow (OPF) model [37] of the New York Independent System Operator (NYISO) with a cyber-attacker model. The latter captures the adversarial rationale of the cyber-attacker and is posed as a bilevel optimization problem [24], [38]. In the second stage, we couple the cyber-attacker bilevel optimization problem with a Computable General Equilibrium (CGE) model to assess the economy-wide impacts. A CGE captures the flow of money and goods across all economic sectors [39]. Our framework goes beyond the existing literature on economy-wide impacts of disaster-induced electricity disruptions which represents the electricity sector using simplified assumptions [40]. Instead, in our framework, the unserved load is the result of the bilevel optimization problem, which accounts for power flow physics, energy infrastructure limits and mitigating actions of the system operator. For example, under a Compound Cyber–Physical Threat, the NYISO can operate parts of the electric power network in islanded mode to avoid a complete blackout.
As a case study, we focus on heatwaves and cyber-attacks against New York City and the New York State economy. Heatwaves stress the grid by increasing electricity demand [41]. Furthermore, climate change exacerbates heatwaves [42], rendering them more costly [43] and dangerous for vulnerable populations [44], [45] in future climates. Moreover, New York City is the most densely populated city in the U.S. [46] where a regional disruption of electricity supply can impact a larger population and cause more severe cascading failures compared to other cities. Also, the State of New York is the most exposed U.S. state to physical and cyber risks according to Lloyd’s and the Cambridge Centre for Risk Studies [47].
This paper aims to understand the response of all economic sectors to Compound Cyber–Physical Threats in the electric power network. Hence, the main contributions of this paper are as follows:
- 1.We proposed a framework, which couples the cyber-attacker strategies and system operator decisions under extreme weather conditions, with the response of all sectors in an economy, in the context of Compound Cyber–Physical Threats.
- 2.We identify vulnerable electric power network components, regions, and sectors across the economy to Compound Cyber–Physical Threats.
- 3.Finally, we develop a two-stage methodology for the generation of Compound Cyber–Physical Threat scenarios and the ex-ante simulation of a lower bound on economy-wide losses, caused by power outages, which is consistent with estimates for historical events.
The rest of the paper is organized as follows. Section 2 provides an overview of related literature and Section 3 introduces the proposed modeling framework and methodology. Section 4 describes the assumptions behind the Heatwave, Cyber-attack, and Compound Cyber–Physical Threat scenarios. We identify electric power network and inter-sectoral outcomes under combinations of extreme weather events and cyber-attacks in Section 5 and discuss resilience implications and limitations in Section 6. We conclude in Section 7 with the summary of the main findings and future research.
Section snippets
Literature review
Our work bridges the gap between cyber–physical resilience of electric power networks and the response of all sectors in the economy, and builds on three distinct research streams.
The first stream of research identifies cyber attack vectors against communication and control equipment of electric power generation, transmission, and voltage regulation. Esfahani et al. [21] focus on a two-area case where the cyber-attacker can inject a bounded disturbance to the automatic generation control signal
Methodology
Fig. 1 illustrates the proposed two-stage methodology. The first stage is a bilevel optimization problem, which models the adversarial rationale of the cyber-attacker, identifies vulnerable generators and transmission lines in the electric power network, and computes electric power supply disruptions in each region. In turn, disruptions in the electric power network decrease electricity supply to all other sectors. In the second stage, we compute the economic losses for all sectors caused by
Scenario design
We first describe the Baseline scenario, which will serve as a reference for the Cyber-attack, Heatwave, and Compound Cyber–Physical Threat scenarios. Among different extreme weather events, New York City is particularly vulnerable to Heatwaves [67]. First, although winter outages result in greater welfare losses in the current climate and electrification levels, summer outages due to Heatwaves can be more costly under warmer future climate [43]. Second, higher temperatures increase power
Vulnerability of regional infrastructure components
In this section, we identify vulnerable components of the NYISO grid and compare the magnitude and regional distribution of unserved load under the Heatwave, Cyber-attack, and Compound Cyber–Physical Threat scenarios as described in Section 4. Fig. 3 shows that the NYISO grid has the generation and transmission capacity to withstand the Heatwave without shedding load, while the Cyber-attack under normal operating conditions results in 295 MWh of unserved load in a 24-hour period, which is 0.1%
Discussion
Our results reveal which electric power infrastructure components are most vulnerable to cyber-attacks under extreme weather stressors. Depending on the budget of the attacker, unserved load in the NYISO increases from 0 to 3%, however the impact is highly localized. Less interconnected NYISO zones are heavily targeted, leading to disproportionally more unserved load compared to more interconnected zones with greater local electricity supply, which remains relatively unaffected.
Summary and contributions
This paper introduces the novel Compound Cyber–Physical Threat, arising when a cyber-attack targets electric power network components when they are critically stressed due to extreme weather events. In this context, our work contributes to the identification and management of electric power network vulnerabilities, and economy-wide losses. We find that when generators are more easily compromised, the cyber-attacker targets NYISO zones with low network connectivity. We also find that a Compound
CRediT authorship contribution statement
Charalampos Avraam: Conceptualization, Data curation, Formal analysis, Methodology, Software, Validation, Visualization, Writing – original draft, Writing – review & editing. Luis Ceferino: Conceptualization, Methodology, Supervision, Writing – review & editing. Yury Dvorkin: Conceptualization, Methodology, Supervision, Writing – review & editing.
Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
Research support for C.A and Y.D. was funded in part by the NSF Grant #2245507 [ECCS:CAREER:A Peer-to-Peer Approach to Electricity Supply]; and the NSF Grant #2245506 [CMMI:Collaborative Research: Modeling Strategic Regulators in Network Infrastructure Planning]. The views and opinions expressed in this paper are those of the authors alone. The authors are grateful to Dr. Maxwell Brown and Dr. Jon Becker for their generous advice on the implementation of WiNDC. The authors are also grateful to
References (95)
- et al.
Cyber–physical risk modeling with imperfect cyber-attackers
Electr Power Syst Res
(2022) - et al.
A tri-level optimization model to mitigate coordinated attacks on electric power systems in a cyber-physical environment
Appl Energy
(2019) - et al.
Coordinated attacks on electric power systems in a cyber-physical environment
Electr Power Syst Res
(2017) - et al.
Quantifying impacts of heat waves on power grid operation
Appl Energy
(2016) - et al.
False data injection attack and corresponding countermeasure in multienergy systems
IEEE Trans Power Syst
(2023) - et al.
Combining bottom-up and top-down
Energy Econ
(2008) - et al.
The non-linear link between electricity consumption and temperature in Europe: A threshold panel approach
Energy Econ
(2008) - et al.
Risk-informed participation in T&D markets
Electr Power Syst Res
(2022) - et al.
A remedial action framework against cyberattacks targeting energy hubs integrated with distributed energy resources
Appl Energy
(2021) - et al.
Inequitable access to EV charging stations
Electricity J
(2022)
Industrial cyberphysical systems: A backbone of the fourth industrial revolution
IEEE Ind Electron Mag
(2017)
The cybersecurity landscape in industrial control systems
Proc IEEE
(2016)
NCCIC/ICS-CERT year in reviewTech. rep.
(2015)
The growth and challenges of cyber insurance, no. 426
(2019)
HURRICANE ISAIAS (AL092020)Tech. rep.
(2021)
HURRICANE IDA (AL092021)Tech. rep.
(2022)
Bayesian Updating of Solar Panel Fragility Curves and Implications of Higher Panel Strength for Solar Generation Resilience
(2021)
The disaster resilience value of shared rooftop solar systems in residential communities
Earthq Spectra
(2021)
A Stronger, More Resilient New YorkTech. rep.
(2013)
Economic impact of hurricane sandy potential economic activity lost and gained in New Jersey and New YorkTech. rep.
(2013)
Baltimore food system resilience advisory reportTech. rep.
(2017)
Final report on the august 14, 2003 blackout in the United States and Canada: Causes and recommendations
(2004)
2020 U.S. billion-dollar weather and climate disasters in historical contextTech. rep.
(2021)
Ransomware attacks on agricultural cooperatives potentially timed to critical seasons
(2022)
2021 H2 healthcare data breach reportTech. rep.
(2022)
Why the energy sector’s latest cyberattack in Europe matters
(2022)
Natural gas demand in Europe: The impacts of COVID-19 and other influences in 2020Tech. rep.
(2022)
Houston prepares for critical infrastructure threats involving cyberattacks
(2018)
The state of cyber report 2017–2021Tech. rep.
(2021)
Cyber attack in a two-area power system: Impact identification using reachability
Attack detection and identification in cyber-physical systems
IEEE Trans Automat Control
(2013)
Detection of cyber attacks against voltage control in distribution power grids with PVs
IEEE Trans Smart Grid
(2016)
CCPA: Coordinated cyber-physical attacks and countermeasures in smart grid
IEEE Trans Smart Grid
(2017)
Detection of stealthy cyber-physical line disconnection attacks in smart grid
IEEE Trans Smart Grid
(2021)
A multiregional impact assessment model for disaster analysis
Econ Syst Res
(2016)
Analyzing indirect economic impacts of wildfire damages on regional economies
Risk Anal
(2023)
Assessment of the potential impacts of climate variability and shocks on zimbabwe’s agricultural sector: A computable general equilibrium (CGE) analysis
(2018)
Estimating the global cost of cyber risk: Methodology and examples
(2018)
The economic impact of extreme cyber risk scenarios
N Am Actuar J
(2022)
A framework for linking cybersecurity metrics to the modeling of macroeconomic interdependencies
Risk Anal
(2007)
Economic impacts of a California Tsunami
Nat Hazards Rev
(2016)
Quantification of disaster impacts through household well-being losses
Nat Sustain
(2020)
An improved method for the DCOPF with losses
IEEE Trans Power Syst
(2018)
Cyber-physical emulation and optimization of worst-case cyber attacks on the power grid
Tools for open source, subnational CGE modeling with an illustrative analysis of carbon age
J Glob Econ Anal
(2019)
Business interruption impacts of a terrorist attack on the electric power system of Los Angeles: Customer resilience to a total blackout
Risk Anal
(2007)
Cited by (11)
Secure and convenience charging communication between electric vehicle and charging station with plug and charge
2025, Electric Power Systems ResearchAI for science: Covert cyberattacks on energy storage systems
2024, Journal of Energy StorageCitation Excerpt :Recent trends in academic research have shifted towards examining cyberattacks from the adversary's perspective. This methodology, known as the ‘attacker's viewpoint’, is predicated on the notion that a thorough understanding of attack strategies is essential for crafting effective defense mechanisms [18,26,27]. This approach entails a detailed examination of an attack's entire lifecycle, ranging from the initial planning and intrusion methods to its execution and subsequent network impact.
Oil detection in substation equipment based on PFDAL-DETR network
2025, Journal of Real-Time Image ProcessingArtificial intelligence and machine learning for the optimization of pharmaceutical wastewater treatment systems: a review
2024, Environmental Chemistry LettersReview of Power System Resilience Concept, Assessment, and Enhancement Measures
2024, Applied Sciences (Switzerland)Analysis of non-contact measurement methods for sag of overhead transmission lines
2024, Conference Record - Industrial and Commercial Power Systems Technical Conference
© 2023 Elsevier Ltd. All rights reserved.