Balancing Risk and Fairness in Power Grid Cyber-Insurance Design

Table of Links

1. ABSTRACT

2. INTRODUCTION

3. PROPOSED EPIDEMIC CYBER-PHYSICAL SYSTEM MODEL

4. PROPOSED INSURANCE PREMIUM PRINCIPLE

5. SIMULATION RESULTS

6. CONCLUDING REMARKS AND REFERENCES

PROPOSED INSURANCE PREMIUM PRINCIPLE

A. Fundamentals Due to the growing adoption of ICTs in power systems, financial tools to hedge against the unforeseeable cyber-related monetary losses are emerging as an alternative or supplemental solution more recently. A crucial characteristic of the mutual insurance is to account for the financial impacts on economically related entities. Due to the high unpredictability of cyberattack-caused losses, power system application of the mutual insurance can be especially challenging. The intended mutual insurance premium design is tailored to TGs with a relatively small insured pool and large fluctuations in indemnities.

An overview on the basics and existent work is provided before getting into the detailed insurance design. Definition 3: Tail Risk Measures for the loss ℒ 𝑉𝑎𝑅𝜛(ℒ) = inf{ℓ: 𝑃(ℒ > ℓ) ≤ 𝜛}, 𝜛 ∈ (0,1) (7A) 𝜋1(ℒ) = 𝑇𝐶𝐸𝜛(ℒ) = 𝐸[ℒ|ℒ > 𝑉𝑎𝑅𝜛(ℒ)] (7B) Pr[ℒ > 𝑉𝑎𝑅𝜛(ℒ)] = 𝜛 (7C) 𝑇𝐶𝐸𝜛(ℒ) > 𝑉𝑎𝑅𝜛(ℒ), ∀ ℒ (7D) Pr[ℒ > 𝑇𝐶𝐸𝜛(ℒ)] ≤ 𝜛 (7E) In Definition 3, VaR and TCE are statistical indices specifically for gauging risk percentile 𝜛. VaR is the 100𝜛% percentile of the loss ℒ. TCE is the average of the worst 100𝜛% scenarios of the loss ℒ. Given the same level of 𝜛, TCE is always larger than VaR. The relations among VaR, TCE and the loss ℒ are described in (7). TCE premium design 𝜋1 [17] is a mutual insurance allocated from the insured TGs. 𝜋1 can gauge risk conservatively based on individual contributions to 𝑇𝐶𝐸𝜛(∑𝑞 ℒ𝑞) .

In extremely catastrophic events, 𝜋1 would be beneficial. When the tail risk is small, 𝜋1 may induce heavy financial burden on the TGs if no major loss events occur. 𝜋1 is devised with the third-party insurer operation in mind. When undesirably high premium quotes from 𝜋1 occur, an insurance coalition among the TGs comes into play handily. The coalitional insurance manages to scale down the premium risk loading by evenly distributing the premiums across participating entities. The coalitional premium 𝜋2 [18] is a mutual insurance based on the crowdfunding model distributing the risk affordably. 𝜋2 offers small risk loading at the cost of small loss coverage. 𝜋2 accounts for the fairness across the TGs. The commitment and the claim of 𝜋2 can be flexibly set on the participants’ discretion; say, the TCE premium and the expected loss. In the following subsection, a novel Shapley premium design 𝜋3 is proposed as a middle ground between 𝜋1 and 𝜋2 . B. The Proposed Shapley Premium The Shapley value [20]-[22] was introduced as a unique set of values fairly distributed across players in the cooperative games. Several basic properties should be mentioned before the premium design is presented. In a cooperative game 𝐺 = (𝑈, 𝜀) that contains a finite player universal set 𝑈 whose respective costs correspond to a subset S are 𝜀(𝑆), the Shapley value of the TG 𝑞 is defined as follows: ℂ𝑞(𝑈, 𝜀) = ∑𝑆⊆𝑈 |𝑆|!(|𝑈|−|𝑆|−1)![𝜀(𝑆⋃{𝑞})−𝜀(𝑆)] \{𝑞} |𝑈|! (8)

Here a cooperative-game based Shapley value design is proposed for the power system cyber-insurance to achieve fair risk loading. The respective losses more evenly distributed in the proposed premium design than those in the coalitional insurance. Definition 4: The proposed Shapley mutual insurance principle 𝜋3(ℒ𝑞) = ℂ𝑞(𝑈, 𝜀𝑞,𝑘) (9A) 𝜀𝑞,𝑘 (𝑆) = 𝐶𝑘 𝑦 𝛿𝑞 𝑘 (1 −𝛿𝑞 𝑘 ) 𝑦−𝑘 ∑𝑞∈𝑆 𝑉𝑎𝑅𝜛(ℒ𝑞) (9B) 𝛤𝑞,𝑘 ∗ = 𝑦−𝑘 𝑦−1 𝑇𝐶𝐸𝜛(ℒ𝑞) + 𝑘−1 𝑦−1 ∑𝑞∈𝑈 𝑇𝐶𝐸𝜛(ℒ𝑞) (9C) 𝛤𝑞,𝑘 𝜓 = 𝜓(𝛤𝑞,𝑘 ∗ ) = { 𝛤𝑞.𝑘 ∗ , 𝑖𝑓 ∑ 𝛤𝑞,𝑘 ∗ 𝑞∈𝑆 ≤ ∑𝑞∈𝑈\𝑆 ℂ𝑞 ∑𝑞∈𝑈\𝑆 ℂ𝑞 ∑ 𝛤𝑞,𝑘 ∗ 𝑞∈𝑆 𝛤𝑞,𝑘 ∗ , 𝑒𝑙𝑠𝑒 (9D) Shapley value ℂ𝑞(𝑈, 𝜀𝑞,𝑘) of the loss ℒ𝑞 serves as the Shapley premium 𝜋3 , where the universal set 𝑈 includes all TGs in study.

Given the subset 𝑆 including the selected TGs, Shapley cost of the q-th TG when 𝑘 TG(s) submit the claim is denoted as 𝜀𝑞,𝑘 (𝑆). The Shapley cost 𝜀𝑞,𝑘 (𝑆) handles typical risk lower than the tail risk when the cumulative loss distributions 𝛿𝑞 are smaller than 𝑉𝑎𝑅𝜛(ℒ𝑞), 𝑞 ∈ 𝑆. Since the typical risk in each TG varies with 𝑘 , the probability that the specific TGs are included in a subset 𝑆 is determined by an unfair coin-tossing model in 𝛿𝑞 .

The cooperative game 𝐺 determines each ℂ𝑞(𝑈, 𝜀𝑞,𝑘) by assigning the expected values of its marginal contribution. The constraint of rationality ensures ℂ𝑞(𝑈, 𝜀𝑞,𝑘) that no feasible cooperation can be formed if the cooperative cost exceeds the sum of the respective costs. In other words, the Shapley cooperative game 𝐺 guarantees the mutually insured individual a lower cost than its own cost. In this way, 𝜀𝑞,𝑘 (𝑆) ensures that the Shapley premium 𝜋3(ℒ𝑞) is fairly allocated according to the loss ℒ𝑞 of the TG. The base indemnity 𝛤𝑞,𝑘 ∗ is the amount that each of the TGs can redeem from insurance when suffering from the loss event. 𝛤𝑞,𝑘 ∗ is proportionally allocated between the self-indemnity term 𝑇𝐶𝐸𝜛(ℒ𝑞) and the group-indemnity term ∑𝑞∈𝑈 𝑇𝐶𝐸𝜛(ℒ𝑞) summed across all the participating TGs. The group-indemnity term weighs heavily as 𝑘 increases, and vice versa. The scaling function 𝜓(∙) ensures the budget sufficiency at various 𝑘 by scaling down 𝛤𝑞,𝑘 ∗ beyond the premium ℂ𝑞 . Denote the indemnity at 𝑘 as 𝛤𝑞,𝑘 𝜓 = 𝜓(𝛤𝑞,𝑘 ∗ ).

The indemnity that the TG 𝑞 can at most redeem from a loss would be 𝛤𝑞 𝜓 = max 𝑘 𝛤𝑞,𝑘 𝜓 . Like 𝜋1 and 𝜋2 , the formulation of 𝜋3 also incentivizes the security investment by reducing the premium payment. Besides, 𝜋3 is a mutual insurance that intends to be a financial mutual trust. Most TGs with positive risk loading provide some margin to cushion against uncertainty. In the mutual insurance, outliers struck by unexpectedly high damages would result in negative risk loading. Losses of other TGs could partially be covered by the mutual insurance premium.

A major design goal of the insurance premium is to mitigate the risk insolvency by restraining the risk higher than the indemnity. TCE premium 𝜋1 offers good mitigation on the risk insolvency and serves as the claim term in 𝜋3 . The nature of mutual insurance guarantees 𝜋3 premium package is nearly as affordable as 𝜋2 . Combining the advantages of 𝜋1 and 𝜋2 , the proposed 𝜋3 can substantially restrain the insolvency comparable to 𝜋1 . The mutual insurance premium estimation procedure is summarized in Algorithm 1. The proposed cybersecurity mutual insurance model shown in Fig. 5 can be elaborated as follows: (1) Epidemic cyberphysical system model introduced in Section II. The cyber attacker injects the epidemic virus through Internet that penetrates the firewall of a TG.

Within the TG, a control center and substations interconnected via the Local Area Network (LAN) are stochastically infected by the cyber epidemic. The proposed cyber-physical network model (Definition 1) accounts for the defensive capability of the TG via the hardware investment, software strategy development and its intrinsic vulnerabilities. With the above information, the substation state sequence (Definition 2) can be synthesized considering the SoI across the TGs. (2) Cyber-insurance design introduced in Section III. Taking the state sequence generated by the cyber epidemic, load curtailment of the respective TGs is calculated with the reliability analysis (Optimization 1). Using the marginal distribution of load loss statistics, the proposed Shapley premium of the individual TGs are estimated. In the following section, the proposed Shapley premium design at various SoI and cyber-physical defense investment will be verified in the simulated case studies.