Abstract

The US power grid has been identified by security experts as a prime target for terrorist-based and state-sponsored cyber attacks. In addition to downing the grid, cyber attacks can also destroy and manipulate data systems, obtain sensitive intellectual property and steal trade secrets. Existing research has addressed the technical factors, such as vulnerabilities and poor intrusion detection systems, which lead to cyber attacks. However, it remains silent on the human factors in the cyber attack equation. This study uses a criminological framework, specifically Routine Activities Theory and Rational Choice Perspective, to capture intelligent adversaries who plan and execute attacks based on their analysis of target suitability and guardianship efficacy. It uses a two-step methodology to identify adversary-, target-, and guardianship-specific factors that collectively impact decision-making processes. First, a document analysis of existing literature reveals nine factors (PARE RISKS) that influence adversarial decision-making: Prevention measures; Attacks and Alliances; Results; Ease of Access; Response and Recovery; Interconnectedness and Interdependencies; Security Testing, Assessments and Audits; Knowledge, Skills, Research and Development; and System Weaknesses. Second, surveys and interviews conducted between 2010 and 2012 with various hackers, penetration testers, and power grid representatives help validate and refine the PARE RISKS framework. This study identifies (i) adversary-specific factors as resources (skills, money, and time), and research (targets and techniques); (ii) target-specific factors as accessibility (electronic and physical) and weaknesses (outdated architecture and inadequate testing/updates); and (iii) guardian-specific factors as prevention (quality of prevention and intrusion detection measures). It argues that altering each of these three elements of Routine Activities Theory can impact adversarial decision-making, which may help reduce the likelihood of power grid cyber attacks.
