A new status report on the Department of Homeland Security’s preparations to confront the threat of an electromagnetic pulse (EMP) attack and respond to a potentially catastrophic event says DHS is “working to evaluate the need for a program management office to provide steady consistent leadership in both the public and private sector engagements” on risk reduction.
The United States could face massive blackouts and disabled technology from rare solar super-storms like the 1859 Carrington Event, a nuclear weapon detonated at high altitude, sabotage of the electric grid with the use of small weapons or explosives against extra-high-voltage transformers, or a complex attack that includes a combination of cyber attack, sabotage and nuclear attack.
A nationwide blackout could last a year or longer, gravely impacting the food and water supply, healthcare and sanitation, public safety, communications and transportation, bringing society to a standstill and sparking starvation and spread of disease.
In October 2018, DHS released the Strategy for Protecting and Preparing the Homeland against Threats from Electromagnetic Pulse (EMP) and Geomagnetic Disturbance (GMD), which said that EMP-related intelligence gathering, sharing, and analysis at the time remained “largely stove-piped within the federal government and across DHS, which leads to disparate understanding of potential electromagnetic threats and hazards,” creating “uncertainties about how DHS should address critical infrastructure vulnerabilities.”
In March 2019, the White House unveiled an executive order, Coordinating National Resilience to Electromagnetic Pulses, stating that the federal government will “engage in risk-informed planning” and “prioritize research and development” into EMP protection, response and recovery and will “promote collaboration and facilitate information sharing, including the sharing of threat and vulnerability assessments, among executive departments and agencies” and stakeholders.
Part of Homeland Security’s broad focus under the executive order is to ensure timely EMP info gets to state and local governments, with a duty to “coordinate response to and recovery from the effects of EMPs on critical infrastructure,” exercise EMP scenarios, “maintain survivable means to provide necessary emergency information to the public during and after EMPs,” and develop quadrennial risk assessments.
DHS was also directed to “identify and list the national critical functions and associated priority critical infrastructure systems, networks, and assets, including space-based assets that, if disrupted, could reasonably result in catastrophic national or regional effects on public health or safety, economic security, or national security,” a list that DHS will keep updated. DHS was told that it “shall review test data — identifying any gaps in such data — regarding the effects of EMPs on critical infrastructure systems, networks, and assets”; within six months after that, DHS in coordination with other agencies was expected “to develop an integrated cross-sector plan to address the identified gaps.”
The August status report released Thursday said that the Cybersecurity and Infrastructure Agency (CISA), in coordination with the Science and Technology Directorate (S&T) and the Federal Emergency Management Agency (FEMA), has taken key actions to address known EMP-related vulnerabilities to critical infrastructure.
“As the nation’s risk advisor, one of CISA’s priorities is understanding and mitigating threats associated with EMPs,” said CISA Director Chris Krebs. “Over the past year, we have worked with interagency and industry partners to identify the footprint and effects of EMP threats across our National Critical Functions, and are developing sustainable, efficient, and cost-effective approaches to improving the nation’s resilience to EMPs.”
The document said that DHS’ initial efforts have focused on risk management in the communications and energy sectors.
“The complexity of this task required the development of new models and concepts for prioritization. Development of these risk management concepts and models is ongoing,” the report states. “However, the models have matured to a point that enables prioritization of a limited set of systems, networks, and assets for EMP vulnerability assessments and mitigation efforts. While the development of these models took longer than initially envisioned, additional time was needed to validate the concepts and ensure the efficient application of resources to progress to subsequent tasks within the E.O.”
CISA’s 55 National Critical Functions form the basis for analyzing what could be at risk from an EMP event.
“In addition to traditional models for determining criticality, DHS, in partnership with the federal interagency, is assessing how the widespread, simultaneous effects of an EMP would affect these criticality models,” the report continues. “DHS is developing new concepts and approaches to evaluate how simultaneous common component failures could cause cascading failures across critical infrastructures, as well as hinder response and recovery operations due to a lack of repair parts and personnel.”
DHS said it’s “building EMP considerations into internal continuity and mission assurance plans and associated resourcing” and FEMA “has designed and built EMP-hardened communications facilities” to support continuity of preparation and response directives from the federal government to the public.
FEMA is also developing an interagency EMP exercise in fiscal year 2021 to address “the unique, widespread, cross-sector effects of an EMP event and challenge planning assumptions used by federal planners when considering EMP actions.”
DHS, the Energy Department, and the Nuclear Regulatory Commission began a collaboration in March to “validate the continued operation of key safety features of nuclear power plants in a post-EMP environment”; expected completion is in late 2021. DHS S&T “developed a technology scouting report, cataloguing a number of available EMP protection equipment and testing organizations”; that report will be made available to federal agencies and private-sector partners through the Homeland Security Information Network. S&T is also reaching out to international partners for mitigation strategies.
“As funding becomes available, S&T, in coordination with CISA, will conduct vulnerability testing of prioritized critical infrastructure components, as well as validation testing of potentially applicable mitigation options for those components in order to better inform critical infrastructure owners and operators on what actions they can take to protect their systems,” the report notes.
CISA’S Resilient Power Working Group is developing Resilient Power Guidelines to be used to support EMP mitigation planning. DHS is likewise partnering with other federal departments and agencies, state, local, tribal, and territorial entities, as well as the private sector, to field test EMP mitigation and protection technologies. “These pilots are multisector, multifunction efforts, seeking to ensure key capabilities continue to function in a post EMP environment and that by maintaining those key functions we can expedite a full recovery,” says the report. “Working with federal interagency partners, DHS will play a major role in ensuring communications systems remain operational and, by ensuring key systems which are protected against EMP, are also protected against other threats such as cyber-attacks.”
The Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack was established in the 2001 National Defense Authorization Act to study U.S. vulnerability to such an attack and recovery capability. It was tasked with identifying steps that the U.S. could take to harden military and civilian systems against the threat of EMP.
“Such an attack would give North Korea and countries that have only a small number of nuclear weapons the ability to cause widespread, long-lasting damage to critical national infrastructures of the United States itself as a viable country and to the survival of a majority of its population,” said the commission’s July 2017 chairman’s report, which recommended that “implementation of cybersecurity for the electric grid and other critical infrastructures include EMP protection, since all-out cyber warfare as planned by Russia, China, North Korea, and Iran includes nuclear EMP attack, and integrating EMP and cyber-protection will be both the least expensive and most technically sound approach.”