This working paper from the Cambridge Judge Business School, with contributions from ITRC-MISTRAL researchers, proposes to apply stochastic counterfactual analysis as part of a new vulnerability assessment framework to develop resilience analytics of cyber-physical attacks.

A key finding is that if decision-makers wish to mitigate population disruptions, then they must invest resources more-or-less equally across all substations, to prevent the scaling of a cyber-physical attack. However, there are some substations associated with higher economic value due to their support of other Critical National Infrastructures, such as airports or maritime ports, which justifies the allocation of additional cyber security investment to reduce the chance of cascading failure. Further cyber-physical vulnerability research must address the trade-offs inherent in a system made up of multiple institutions with different strategic risk mitigation objectives and metrics of value, such as governments, infrastructure operators and commercial consumers of infrastructure services.