A new report from the Department of Homeland Security’s Science and Technology Directorate says critical infrastructure sectors need to harden physical protection for mission-critical equipment ranging from servers and equipment for cloud service providers to electricity and emergency alert systems.
“Electromagnetic pulses, whether caused by an intentional EMP attack or a naturally occurring geomagnetic disturbance from severe space weather, could disrupt critical infrastructure such as the electrical grid, communications equipment, water and wastewater systems, and transportation modes,” said Acting Under Secretary for S&T Kathryn Coulter Mitchell. “This could impact millions of people over large parts of the country. It is critical to protect against the potential damage an EMP event could cause.”
DHS has previously warned public and private sectors of the need to prepare for an electromagnetic pulse (EMP) attack and be ready to respond to a potentially catastrophic event.
The United States could face massive blackouts and disabled technology from rare solar super-storms like the 1859 Carrington Event, a nuclear weapon detonated at high altitude, or electromagnetic “e-bomb” that releases a pulse of energy intended to strike information systems or electronics around the detonation area.
In October 2018, DHS released the Strategy for Protecting and Preparing the Homeland against Threats from Electromagnetic Pulse (EMP) and Geomagnetic Disturbance (GMD), which said that EMP-related intelligence gathering, sharing, and analysis at the time remained “largely stove-piped within the federal government and across DHS, which leads to disparate understanding of potential electromagnetic threats and hazards,” creating “uncertainties about how DHS should address critical infrastructure vulnerabilities.”
In March 2019, the White House unveiled an executive order, Coordinating National Resilience to Electromagnetic Pulses, stating that the federal government will “engage in risk-informed planning” and “prioritize research and development” into EMP protection, response and recovery and will “promote collaboration and facilitate information sharing, including the sharing of threat and vulnerability assessments, among executive departments and agencies” and stakeholders. “An EMP event has the potential to disrupt, degrade, and damage technology and critical infrastructure systems,” the EO stated.
The new S&T report says critical infrastructure owners and operators, depending on factors such as the importance and vulnerability of the assets and configuration of the system, have options for EMP barrier protection.
“EM signals such as those generated by EMP can couple to equipment circuits through chassis apertures (e.g., slots, holes, windows), communications networks, and power conductors. Electric fields levels can be reduced through EM reduction techniques such as housing MCE in shielded cabinets and enclosures, and the use of filters, fiber optic cables (as opposed to coaxial cables), and non-linear protection devices that provide surge protection. Points of entry (POE), or penetrations that could allow EM energy into the shielded enclosure, should be protected by a POE protective device,” the report notes. “The use of a barrier protection ensures that the equipment housed within the enclosure is subjected to minimal EM levels that do not hamper its survival or operation.”
Enclosures like a cabinet or a Faraday cage are recommended for equipment that needs to be portable and when only a few pieces of equipment require protection such as a server or a single distribution transformer. “As the entire system may not be shielded, the solution may rely on the availability of working spare parts and the execution of operational procedures to bring the system back online after an EMP event,” DHS adds.
EMP-protected shelters offer a solution between the size of a cabinet or designated room or building, can be fixed or able to be transported, and “are ideal for remote locations to reduce maintenance requirements.”
“The use of shelters to group equipment reduces the number of components and devices that must be verified and maintained throughout the life of the system. Therefore, the shielding inspection requirements, maintenance time, and labor costs for shelters can be lower than for the enclosures described in Option 1,” the report says. “Shelters can be attended or unattended depending on the system operating concept.” All points of entry should be protected and any accompanying emergency generator also needs to be sheltered from EMP effects.
FEMA currently has 77 shelter installations nationwide to protect the Integrated Public Alert & Warning System (IPAWS), with broadcasting equipment housed in shelters the size of shipping containers.
The third option to protect critical systems from EMP consists of protected rooms or buildings — “a low-risk but complex approach… constructed of metallic shielding, conductive concrete shielding, or hybrid concrete/steel shielding” — to shield facilities such as electric power control centers, national or regional network operations centers, and national cloud service provider center. “Maintainability and asset management should be considered when selecting a building shielding technology and designing the internal layout of the building,” DHS notes.
Even if critical infrastructure sectors take precautions to shield critical equipment from the effects of EMP, the report notes that the hardened system may not maintain readiness if it depends on vulnerable external systems.
“Assets that are outside the facility’s boundary and control should be identified, including wireline communications (e.g., Public Switched Telephone Network or the internet), the electric power grid, fuel sources, transportation, and other critical services,” the report states. “Mitigation strategies for external assets should be developed. Facilities should consider installing collocated, EMP-protected backup power sources and fuel stores, and for systems that rely on wireline communications, alternative radio frequency communications such as commercial satellite communications.”
Critical infrastructure sectors also need to take into account whether specific critical systems would be attended or, by design, run continuously unattended — including backup systems, such as a backup switch at a telecommunications office, power transformers at a substation, or toxic chemical processing equipment. Critical equipment that is attended — and should have livability considerations in place such as a supply of rations and living quarters — can include 911 calls centers, emergency operations centers run by local governments, a nuclear power plant’s offsite emergency operations facility, and emergency radio or broadcast stations.
All points of entry into protected facilities or shelters should be shielded from electromagnetic fields, DHS stresses. “Plumbing should use metal pipes that are grounded at both ends. Air handling ducts should follow the rules for waveguide beyond cutoff. Fiber penetrations should also occur via a waveguide and not use armor clad cables,” the report continues. “EMP-rated surge protectors and an UPS should be placed on power lines leading to critical equipment and external communications. Power lines should be placed underground to reduce coupling to external cables.” Ideally, the protected facility should have a double-door vestibule for entry and exit.
A concept of operations should be developed for the protected facility that includes a list of authorized personnel (subject to training once or twice a year) and designated responsibilities, a timeline and system checklist for equipment operation in an EMP environment, physical security access control mechanisms, personnel communications procedures, a sustainment plan for maintaining and inspecting the EMP protections in place, and cybersecurity access control mechanisms for equipment with a Human Machine Interface. Storage areas should be identified to stash essentials for human operators to live at the site along with EMP-protected spare equipment, with protocols to ensure these supplies are periodically refreshed and the equipment is maintained. Procedures should also be in place for operating backup power sources as well as controlling and maintaining the HVAC and temperature and chemical, biological, radiological, nuclear, and explosives (CBRNE) air filters.
“To maintain EMP protection, facility sustainment activities must incorporate routine inspections of EMP shielding and POEs to detect leaks. These inspections should take place prior to deployment, annually, and when configuration changes occur, including the addition of new equipment,” the report recommends, adding, “CI owners and operators should also conduct realistic simulation exercises that cover facility operations and use trained personnel. These exercises should be conducted at least once per year. The facility owner and operator can conduct them separately or they could be planned in conjunction with national Federal or CI Sector EMP exercises.”
“As noted in the 2017 EMP Commission Report, the EMP threat to the United States is ‘present and continuing,'” the DHS document states. “Just as CI owners and operators have taken significant strides to address cyber threats, they should now consider addressing EMP threats within their risk assessment program.”
The Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack was established in the 2001 National Defense Authorization Act to study U.S. vulnerability to such an attack and recovery capability. It was tasked with identifying steps that the U.S. could take to harden military and civilian systems against the threat of EMP.
“Such an attack would give North Korea and countries that have only a small number of nuclear weapons the ability to cause widespread, long-lasting damage to critical national infrastructures of the United States itself as a viable country and to the survival of a majority of its population,” said the commission’s July 2017 chairman’s report, which recommended that “implementation of cybersecurity for the electric grid and other critical infrastructures include EMP protection, since all-out cyber warfare as planned by Russia, China, North Korea, and Iran includes nuclear EMP attack, and integrating EMP and cyber-protection will be both the least expensive and most technically sound approach.”
