
Reorient Your Organization: Scenarios Exploring a Quantum Attack on Critical U.S. Power Grid Infrastructure

The Hudson Institute report “Risking Apocalypse? Quantum Computers and the US Power Grid” highlights the significant threat posed by potential quantum computer attacks on the US power grid. It emphasizes the vulnerability of the grid to such attacks, which could break existing encryption systems and cause catastrophic outcomes. As we navigate the complexities of the quantum era, we used this scenario as a launching point for formulating additional scenarios for your strategic consideration, including recommendations and insights for your organization (drawn from applying both the scenario planning and systems thinking methodologies).

Risking Apocalypse? Quantum Computers and the US Power Grid

The Economic Damage of a Quantum Attack on America’s Electrical Grid

The Hudson Institute report discusses the substantial economic damage a quantum attack on America’s electrical grid could cause. It suggests that the attack’s impact could be far-reaching, affecting not just the immediate functionality of the power grid but also having prolonged and severe effects on the national economy. The report underscores the necessity of enhancing the grid’s security against such futuristic threats to prevent potentially catastrophic economic consequences, such as:

  • The Cost of a Quantum Blackout: The Hudson Institute report’s estimate of the cost of a quantum blackout suggests that the economic repercussions of such an event could be significant. It highlights the need for comprehensive models to better understand and quantify these impacts, underscoring the importance of preemptive measures to protect the power grid and mitigate potential economic damages.
  • The Economic Impact of Power Disruptions: The report emphasizes that power disruptions can have severe and widespread economic consequences. It highlights the importance of securing the power grid against potential threats, including quantum attacks, to mitigate these economic impacts and ensure national security.

The Quantum Attack Scenario

“Aside from a quantum intrusion, the American power grid is increasingly exposed to traditional cyber threats by adversaries. Such an adversary also having access to a quantum computer or even a quantum-classical hybrid system could secretly gain access to the IT systems controlling the grid’s various power-generation, transmission, and delivery control systems. The hypothetical scenario described below assumed that an adversary with this capability has gained access to the US power grid, which, importantly, has been left exposed to such an attack through the failure to adopt quantum-safe security measures.

In this scenario, the quantum intruder is assumed to have introduced cyber-kinetic malware into the IT system of nine individual high-voltage transformers (HVTs) housed within high-voltage substations across the three principal interconnections within the contiguous forty-eight states. These HVTs are assumed to have simultaneously been taken offline from suffering intermediate physical damage, resulting in cascading power-distribution failures across the contiguous US.

In order to model a maximally destructive disruption event, the scenario is assumed to have unfolded at the hour of peak demand during the month of July 2025, when average electrical usage is at its annual peak nationwide. The resulting power distribution failure is assumed to have caused a total blackout for the contiguous forty-eight states, excluding off-grid backup generation and battery power storage. Due to the nature of the attack and the sensitivity of HVTs, the coast-to-coast blackout is assumed to last seventeen days before significant restoration of the infrastructure brings parts of the grid back online. Although seemingly extreme, this scenario is consistent with the magnitude of the quantum threat and with historical outages, particularly those caused by the cyber-kinetic attacks studied in our research. That the costs incurred from such an attack would be severe is an understatement. In the following sections, we outline the methodology utilized to model such a scenario and then present the results of our analysis.”

The Research Methodology

The research methodology used for this scenario involved a quantitative study designed to model the impact of a hypothetical future quantum cyberattack on the U.S. power grid.

This study utilizes data supplied by the global econometrics firm, Oxford Economics, to assess the potential consequences of such an attack. The approach aims to provide a detailed analysis of the vulnerabilities of the power grid to quantum threats and to evaluate the effectiveness of various protection and mitigation strategies. By focusing on both the security and resilience of the power grid, the methodology seeks to offer policymakers crucial insights into areas requiring immediate attention to safeguard the nation’s critical infrastructure against the emerging threat of quantum computing.

Results of the Scenario

“In total, the economic cost of the hypothetical quantum cyberattack and the resulting seventeen-day total power blackout amount to over $12.8 trillion in damages to the American economy. The direct and indirect costs associated with the attack combined are equivalent to the loss of over 67 percent of 2019’s annual GDP…”

From the report:   “According to our analysis, the cost of a quantum-enabled cyberattack on the US power grid would be daunting:

  • In terms of revenue-at-risk, utility companies would lose over $50 billion in revenue from lost electricity sales. This cost would be trivial, however, when compared to the direct GDP-at-risk estimated utilizing the modified production-function VoLL, which exceeded $8.9 trillion in direct costs, i.e., those incurred directly from and during the power outage itself, to the American economy.
  • These costs would not be shared evenly by sectors, however; over 75 percent of them would be incurred by the commercial sector, 20 percent by the industrial sector, and roughly half of a percent by the residential sector [with]  a total of roughly $9 trillion in nominal damage.
  • Important to note is that the direct costs of the attack presented above are likely to be underestimations due to the theoretical economic assumptions employed and to limitations associated with the data that were available. For example, as detailed above, official government accounts assume that the residential sector, which accounts for over one-third of total electricity consumption in the United States, uses electricity strictly to meet noneconomic needs. Given this and other limitations, the direct costs of such an attack could be reasonably assumed to be significantly higher than those estimated. In addition, there would also almost certainly be significant loss of human life.
  • Immediately following the attack, disruptions to supply chains and to business operations and the consequent changes in consumer demand behavior would cause ripple effects throughout the American economy and hence the entire world. As modeled in the Oxford Economics’ Global Economic Model (GEM), these upstream and downstream indirect losses would cost the US economy over $3.8 trillion in real (inflation-adjusted) GDP (nominally over roughly $17 trillion) over the following six quarters.”

For the full pdf version of the report, go to:  Risking Apocalypse? Quantum Computers and the US Power Grid

Further Scenarios Exploring a Potential Quantum Attack on the Critical U.S. Power Grid Infrastructure

Exploring potential scenarios for a quantum attack on the U.S. power grid infrastructure requires a blend of technical understanding and strategic foresight.

Given the pivotal role of the power grid in national security and everyday life, the implications of such an attack are profound and multifaceted. Additional scenarios include:

The exploitation of encrypted communications within the power grid’s control systems:  Quantum computing, with its ability to break current asymmetric encryption methods, could allow adversaries unprecedented access to sensitive operational data. This could lead to manipulation or sabotage of the grid’s operations, from generation to distribution. The strategic decryption of communications could enable attackers to bypass security protocols, manipulate control signals, and disrupt the balance between supply and demand, leading to widespread blackouts or even physical damage to critical infrastructure components.

An adversarial focus on the vulnerabilities within the grid’s Supervisory Control and Data Acquisition (SCADA) systems:  These systems, which monitor and control the physical processes within the grid, rely heavily on encrypted communications for secure operation.  A quantum-enabled attacker could potentially decrypt these communications, gaining the ability to issue unauthorized commands, disable safety mechanisms, or inject false data, leading to destabilization of the grid. The complexity and interconnectedness of the grid mean that even localized disruptions could have cascading effects, leading to widespread outages or damage.

The strategic targeting of specific substations or transmission lines could amplify the impact of an attack:  Given the grid’s design to withstand single or certain double failures, a coordinated quantum-enabled attack on multiple critical points could overwhelm the system’s resilience, leading to voltage collapse or cascading failures.  The potential for such an attack underscores the need for a quantum-resilient cybersecurity posture that encompasses both the encryption methods used and the operational strategies for grid management.

In contemplating these scenarios, it’s essential to recognize the dual-use nature of quantum computing:  While it presents significant threats, it also offers opportunities for enhancing the security and resilience of critical infrastructure through quantum-resistant encryption and advanced simulation capabilities for grid management.  The transition to quantum-resistant cryptographic standards, as spearheaded by institutions like NIST, is a critical step in safeguarding the future of the power grid and other critical infrastructure against quantum threats.

What Next?

Given these considerations, the readiness of the U.S. critical infrastructure to withstand a quantum attack is a matter of strategic importance. It requires not only technological upgrades but also a comprehensive approach that includes:

  • Policy development;
  • Workforce training; and
  • International cooperation.

Recommendations

The specter of quantum computing, with its unparalleled computational prowess, necessitates a reevaluation of our current cybersecurity paradigms and the adoption of forward-looking strategies that can withstand the quantum threat.

In contemplating the profound implications of a potential quantum attack on the critical U.S. power grid infrastructure, it is imperative to adopt a multifaceted approach that encompasses business strategy, operations, and information technology resilience.

Business Strategy:  From a business strategy perspective, the first recommendation is to prioritize cybersecurity as a core component of the organizational strategy. This involves recognizing the existential threat posed by quantum computing to the security of encrypted communications and control systems within the power grid infrastructure. Organizations must not only allocate sufficient resources towards cybersecurity but also ensure that it is integrated into the strategic decision-making process at the highest levels. This strategic prioritization will ensure that cybersecurity considerations are not an afterthought but a fundamental aspect of business planning and risk management.

Business Operations:  In terms of business operations, the recommendation is to foster a culture of continuous learning and adaptation. The rapid pace of technological advancements, particularly in the realm of quantum computing, requires organizations to remain agile and responsive to emerging threats. This involves regularly updating operational practices, conducting comprehensive risk assessments, and engaging in scenario planning exercises to anticipate and prepare for potential quantum attacks. Additionally, organizations should establish robust incident response and recovery plans that can be swiftly activated in the event of a quantum-enabled breach. This operational resilience is critical for minimizing the impact of an attack and ensuring the rapid restoration of services.

Information Technology Resilience and Preparedness:  On the information technology resilience front, the paramount recommendation is to accelerate the transition to quantum-resistant cryptographic standards. As we’ve discussed, the National Institute of Standards and Technology (NIST) is spearheading efforts to standardize quantum-resistant algorithms. Organizations must proactively adopt these emerging standards to safeguard their communications and control systems against quantum cryptanalysis. This transition requires a comprehensive review of existing cryptographic practices and the implementation of quantum-resistant algorithms across all facets of the organization’s IT infrastructure. Moreover, investing in quantum key distribution (QKD) and other quantum-safe technologies can provide an additional layer of security, leveraging the principles of quantum mechanics to secure communications against eavesdropping.

By prioritizing cybersecurity at the strategic level, fostering operational agility, and adopting quantum-resistant cryptographic standards, organizations can fortify their defenses against the quantum threat. This proactive stance is not merely a technical necessity but a strategic imperative that will define the resilience and competitiveness of businesses in the quantum era.

Given the critical importance of these considerations, begin to reorient your organization’s current posture. How have you integrated cybersecurity and resilience considerations into your business strategy and operations to address potential quantum threats to critical infrastructure?

Powerful Strategic Tools for Your Organization

Scenario Planning (aka Foresight Strategy)

“In essence, scenario planning and foresight strategy are not just about predicting the future; they are about creating a strategic framework that enables organizations to navigate uncertainty with confidence. They provide a structured way to explore the implications of different decisions, helping leaders to make informed choices that align with their long-term objectives and values.”

Scenario planning and foresight strategy are indispensable tools in the arsenal of any organization or nation-state aiming to navigate the uncertain waters of future technological and geopolitical landscapes. These methodologies empower entities to not only anticipate potential challenges but also to devise robust strategies that ensure resilience and adaptability in the face of unforeseen events.

The power of these tools lies in their ability to stretch the imagination beyond linear projections, enabling a deeper understanding of the complex interplay between emerging technologies, societal shifts, and geopolitical dynamics.

Consider, for instance, the nuanced scenarios we’ve discussed regarding quantum attacks on critical infrastructure. The ability to envision and meticulously analyze such scenarios through scenario planning and foresight strategy allows us to:

  1. Identify vulnerabilities;
  2. Assess potential impacts; and
  3. Develop preemptive measures to mitigate risks.

This is not merely an academic exercise but a strategic imperative that could mean the difference between catastrophic failure and sustained security in an era of rapid technological evolution. The strategic foresight approach encourages us to think in terms of multiple, divergent futures rather than a single, linear trajectory.

This is crucial because the future is inherently unpredictable, and the challenges we face are complex and multifaceted. By considering a range of possible futures, we can better prepare for the unexpected, building flexibility and resilience into our strategies.

This approach also helps in:

  • Breaking free from the constraints of current thinking and assumptions, enabling us to explore innovative solutions to emerging threats.
  • Fostering a culture of strategic thinking and continuous learning within organizations.
  • Encouraging leaders and decision-makers to question their assumptions, consider alternative viewpoints, and adapt their strategies in response to changing circumstances. This is particularly important in the context of cybersecurity and national security, where the threat landscape is constantly evolving, and adversaries are continually adapting their tactics.

Given the critical importance of these methodologies in preparing for the complex scenarios we’ve discussed:  What steps have you taken to incorporate scenario planning or foresight strategy into your current approach to risk management and preparedness?

A Systems Thinking Framework:  Readiness and Response to a Quantum Attack of this Magnitude

In essence, a systems thinking framework for readiness against a quantum attack requires a holistic approach that integrates technical innovation, organizational agility, and societal engagement. It’s about building a resilient ecosystem that can adapt to the quantum era’s challenges, ensuring the security and continuity of critical infrastructure.

A systems thinking framework for readiness in response to a quantum attack, especially one of significant magnitude on critical infrastructure like the U.S. power grid, necessitates the following comprehensive, multi-layered approach:

  1. At the technical level, the framework must prioritize the acceleration of research and development into quantum-resistant cryptographic technologies. This is not merely a matter of upgrading existing systems but involves a fundamental rethinking of our cryptographic underpinnings to ensure they can withstand the capabilities of quantum computing. The transition to quantum-resistant algorithms, as advocated by institutions like NIST, is a critical step, but it must be accompanied by a broader technological strategy that includes redundancy, diversity, and the segmentation of critical systems to limit the blast radius of any successful attack.
  2. From an organizational perspective, the framework requires a culture of continuous adaptation and learning. This involves not only staying abreast of the latest developments in quantum computing and cybersecurity but also fostering an environment where proactive risk management is ingrained in every aspect of the organization’s operations. Scenario planning and foresight strategy, as we’ve discussed, play a pivotal role here, enabling organizations to anticipate and prepare for a range of potential futures. Moreover, organizations must develop robust incident response and recovery plans that are regularly updated and tested to ensure they are effective in the face of new and evolving threats.
  3. At the societal level, the framework must address the broader implications of quantum attacks on critical infrastructure. This includes public awareness and education on the risks associated with quantum computing, as well as the development of policies and regulations that encourage the adoption of quantum-resistant technologies while ensuring privacy and civil liberties are protected. Collaboration and information sharing between the public and private sectors, as well as international cooperation, are essential to build a collective defense against quantum threats.

Incorporating the OODA Loop (Observe, Orient, Decide, Act) into this framework provides a dynamic decision-making process that can enhance readiness and response to quantum attacks. By continuously observing the evolving quantum landscape, orienting strategies and defenses in light of new information, deciding on the most effective courses of action, and acting swiftly to implement them, organizations can stay a step ahead of potential adversaries.

Given the complexity of preparing for such a scenario, what steps has your organization taken? How do you currently assess the readiness of your organization to respond to a quantum attack on critical infrastructure?

Systems Thinking

A systems thinking approach to the scenarios we’ve discussed requires a holistic and interconnected perspective. This methodology is not merely about addressing individual components in isolation but understanding and managing the complex web of relationships and feedback loops that define the entirety of the system.

In the realm of cybersecurity and critical infrastructure protection, systems thinking compels us to consider not just the immediate technical vulnerabilities but also the broader socio-technical systems in which these technologies operate. This includes the organizational, regulatory, and societal dimensions that influence and are influenced by cybersecurity practices.

For instance, when contemplating the strategic implications of quantum computing on critical infrastructure, a systems thinking approach would necessitate a comprehensive analysis that spans beyond the immediate technical challenges of quantum-resistant cryptography. It would involve examining:

  • The readiness of organizational structures to adapt to new security paradigms;
  • The capacity of regulatory frameworks to foster innovation while ensuring security; and
  • The societal implications of potential disruptions to critical services.

Moreover, systems thinking underscores the importance of resilience as a critical attribute of any robust system. In the context of the U.S. power grid, this means not only fortifying the grid’s defenses against quantum-enabled attacks but also ensuring that the grid can recover and adapt in the aftermath of an attack.

This resilience is built on a foundation of 1) Redundancy; 2) Diversity; and 3) Modularity within the system – enabling it to withstand shocks and stresses without catastrophic failure.

Incorporating systems thinking into business strategy and operations involves:

  • Recognizing that cybersecurity is not a standalone issue but an integral component of the organization’s ecosystem; and
  • Shifting from reactive, siloed approaches to proactive, integrated strategies that account for the interdependencies between cybersecurity, business operations, and broader societal impacts.

As we navigate the complexities of the quantum era, the adoption of a systems thinking approach will be instrumental in developing strategies that are not only robust in the face of technological threats but also aligned with long-term business objectives and societal values. This holistic perspective is essential for fostering resilience, adaptability, and sustainability in an increasingly interconnected and uncertain world.

Given the intricate nature of these challenges:  How do you currently apply systems thinking in your approach to analyzing complex scenarios and their business implications?

NOTE:  This OODA Loop Original Analysis was partially generated with the cognitive augmentation of and in collaboration with ALTzero Project – MattGPT.

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.