This is the first in a series of articles on proposed government metrics (US and other) to measure the consequence of critical infrastructure OT cyber incidents.
Impacted People Days – – The number of people impacted by an OT cyber incident multiplied by the number of days they were impacted.
A cyber attack compromises OT components in a water system (Aliquippa) or causes a water tank to overflow for a couple of hours (Muleshoe). The impact on the people served by these water utilities was near zero. Potable water was available at all times during the incident. Impacted People Days = 0.
The related cyber attack on the water utility supplying Erris, Ireland caused 160 households to be without water for 2 days. Assume an average household size of 3, (160 x 3) x 2 = 960 Impacted People Days.
The largest OT cyber incident as measured by Impacted People Days, by far, is the Colonial Pipeline ransomware incident. Millions of people across the eastern United States spent additional time in long gas station lines over the five days of outage. It likely also led to changes in driving and associated activity to conserve precious gas. It would not be difficult to identify a number of Impacted People Days, within some margin of error. It would at least be 10’s of million.
The Clorox incident would be more difficult. Clorox products were missing from store shelves for many weeks, but there were replacement products available. I’d rate this no Impacted People Days. The same would be true of the Dole incident.
Hospital outages due to ransomware are another example where Impacted People Days would be a useful metric. The daily average treated patients multiplied by the number of days of outage would provide the metric.
The government should track Impacted People Days by sector, class of attack, and threat actor that caused the incident.
This metric could also be used by asset owners and in government programs to prioritize actions that would reduce Impacted People Days if a cyber incident occurred. Where should time and money be spent on consequence reduction?