There are some scary ideas out there. Last week I watched a webinar on enterprise cyber security and related threats. If you follow this area of the business world, you’ll be aware of the multiplicity of new threats and sources of threat that have developed over the past decade. The threat landscape is constantly evolving. Keeping current is tough, but if, like me, you’re responsible for providing advice to help keep enterprise clients safe, it’s an essential part of the role. This webinar, however, went much further – looking not only at what I have come to think of as “conventional” cyber threats, but also at a range of disaster scenarios that it’s much harder to plan for and mitigate.
Principal amongst these additional concerns are attacks against the power supply infrastructure of the country using weapons that deliver an electromagnetic pulse or EMP. Ranging in application from high altitude nuclear explosions (today, limited to a handful of nation states) to localized effects (terrorists or criminals), an EMP is the equivalent to releasing the energy of millions of lightning bolts compressed into a microsecond. Effects propagate at close to the speed of light and any exposed electrical circuit will immediately overload – generally beyond the ability of circuit breakers or fuses to provide protection, because every part of the circuit (both sides of the circuit breaker) is energized simultaneously. Pretty much every semiconductor component impacted will be permanently destroyed. Wiring may ignite, potentially causing widespread fires. Transformers in the local (or wide area) grid will be knocked offline by surges (best case) or destroyed by overloads. Transmission lines will be damaged. Recovery will be a protracted process, for a variety of reasons that we’ll get to later.
Interestingly (or alarmingly) EMP effects can be generated naturally, as a byproduct of intense solar activity (charged particles ejected from the sun interacting with the earth’s magnetic field to create a “geomagnetic storm”) that while less intense than man-made EMP can last for an extended period and have similar impacts on infrastructure and additional impacts on communications systems and anything that relies on orbital technology (so goodbye GPS and satellite TV). Such events are rare, but are known to have happened within recent history.
Three factors make EMP-related effects so worrying. First, almost everything we use today contains semi-conductor devices, and would stop working. Not just personal devices, but virtually all forms of transportation, industrial process controls, infrastructure management systems, even farm equipment. Anything in operation or motion at the moment of the EMP will simply stop working, including anything airborne. Second, we have no experience or plans for living without electricity for an extended period and third, we lack the capacity to rebuild the infrastructure that would be impacted quickly, even if we still had the tools and working transportation to support the reconstruction. As a specific example, we might need to replace many or all of the several thousand large substation transformers that are essential to the working of the electricity supply grid. These are large, expensive and custom made. The indigenous industry in the US could probably construct around 100 a year – most come from manufacturers in Asia today. That’s potentially a 40 – 50 year replacement effort.
This is a very scary scenario, but how likely is it in reality? You’d have to think that the widespread EMP scenario (a nation state attack using high altitude nuclear weapons) is unlikely, even for a rogue state. Military systems are hardened against EMP (at least to some degree) and an attack against the US mainland would not impact forces deployed overseas (particularly the ballistic submarine fleet) which would be able to retaliate in a devastating fashion. More concerning are localized attacks against key infrastructure targets – the electricity grid, communications nexi and transportation hubs. These require much less sophisticated weapons and delivery systems and while their impact is likely to be less widespread, it could still be devastating locally and socially and economically debilitating on a wider scale.
So, should you be worried about these scenarios and if you are, what can you do about them? If you’re in the infrastructure business, you’re probably already worried and hopefully taking action. Personally, I don’t consider the EMP threat as serious (yet) as other cyber threats for most businesses, but it’s growing rapidly on the overall threat landscape, as localized EMP weapons are developed by advanced technological militaries. This class of weapon is notoriously difficult to control and you have to assume that some will eventually make their way into the hands of terrorists or criminals – and that they’ll eventually be used. Thus, it would be a good idea to add the “local lights out for an extended period” scenario to your “worst case” BCDR planning process. Low probability, but very high impact.
You can also look for ways to “harden” essential parts of your business so you are less at risk in the event of an attack. Some data centers and operational structures are being built or retrofitted to withstand EMP and fiber communication links are unaffected (although the rest of the electro-optical infrastructure would be impacted). Shielded standby equipment can be stockpiled. Self-sustaining generation facilities can be built or contracted with for emergency use. A good source of knowledge is the joint FBI-industry InfraGuard program, which helps identify potentially vulnerable infrastructure and offers advice on protection and mitigation. Think about getting educated and involved.
Scary. We take electricity, and the systems it powers, for granted, but it may not be that easy to keep the lights on. And keep business running.