Network Vulnerability to Electromagnetic Pulse Attacks
-
Upload
steve-goeringer -
Category
Documents
-
view
137 -
download
1
Transcript of Network Vulnerability to Electromagnetic Pulse Attacks
©2015 Polar Star Consulting, LLC™ 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information
Network Vulnerability to Electromagnetic Pulse Attacks
Steve Goeringer
Jason Rupe
Abstract
An approach to assessing transport network robustness to single event EMP attacks.
P a g e | 2 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information .
Nature of the threat In 2004, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP)
Attack released a watershed report to the public. The notion of an EMP attack presenting a threat was
not new; Army documentation and standards had been developed as early as two decades previously,
indicating that the government believed such a threat was serious. The Commission’s report, however,
highlighted that the threat was plausible with multiple potential adversaries capable of executing an
attack, and that the severity of the attack would be very severe.
The nature of the threat is very different than conventional nuclear attacks. Conventional nuclear
attacks primarily impact a focused area (a few to tens of square kilometers) with massive destruction,
with residual damage through fall out over a wider area. A nuclear based EMP attack has the potential
of impacting very large areas, though the nature of “destruction” is very tightly focused to specific
infrastructure (power generation, power distribution, and electronic devices).
The EMP attack is the result of interaction between released gamma radiation and the Earth’s
atmosphere. While a conventional nuclear detonation results in an EMP, it is fairly focused
geographically. However, when detonated at high-altitude – 70-400km – the generation of the EMP
results in much greater intensity (field strength) distributed over a much wider geography. This paper is
focused on High-altitude Electromagnetic Pulse (HEMP) events, though it refers to EMP generically.
The physics of an EMP event are complicated. The nuclear detonation’s interaction with the atmosphere
is not an isotropically emitted event. Consequently, the resulting EMP field intensity is not evenly
distributed, but rather has focus areas. Moreover, there are three EMP components, E1, E2, and E3. The
EMP component’s distribution is effected by both the height of the explosion and also the yield of the
device.
According to the Commission’s executive summary report, E1 is an intense impulse spike inducing
current sufficient to “disrupt or damage electronics-based control systems, sensors, communications
systems, protective systems, computers, and similar devices.” E2 itself is also an impulse spike but
slightly slower than E1 and also of less amplitude; in itself, it poses less risk though it can exacerbate the
damages induced by E1. E3 is a longer rise time, more sustained pulse that “creates disruptive currents
in long electricity transmission lines” that consequently can damage power generation and distribution
infrastructure. [Commission 1]
In publicly available information, it is unclear what specific damages may be incurred to network
equipment. Some reports independent from the commission indicate integrated circuits (ICs) are
particularly susceptible to EMPs. In the commission’s reports, vehicles were demonstrated as only
moderately susceptible to EMPs, even though they may contain several hundred ICs. However, vehicles
are nearly entirely self-contained devices riding on insulators (tires). Network equipment is typically
connected to the power grid, installed in racks made of metal connected to ground, inside buildings that
P a g e | 3 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
are grounded. Moreover, the commission reports focus on data and simulations that may be of EMPs an
order of magnitude lower in field strength than those that potential adversaries may be able to
generate.
From a risk assessment and engineering perspective, it is tempting to do detailed analysis of EMP
events. However, relative to understanding network risks and the corresponding mitigations, this is
probably not fruitful. It is enough to know that an EMP is a plausible threat and probably poses
significant risk to nationwide network infrastructure. This report, therefore, concentrates on assessing
network vulnerability to large scale disruptions such as an EMP. Appropriate mitigations may be
available to reduce at least some risk where necessary. This report, however, does not provide details of
those mitigations.
Network generalizations Local and regional networks may be largely disrupted by an EMP and as such are not considered in this
report. Protection of geographically concentrated networks must fall back to EMP hardening methods
such as those discussed in MIL-STD-188-125-1 (Department of Defense Interface Standard, High-Altitude
Electromagnetic Pulse (HEMP) Protection for Ground-Based C4I Facilities Performing Critical, Time-
Urgent Missions).
This report focuses on nationwide infrastructure networks. These networks typically incorporate these
characteristics:
They are based on fiber optic cable systems.
Fiber optic cables for nationwide networks are typically, though not exclusively, buried on rail or
highway Rights-of-Way.
Buried fiber optic cables are typically installed in conduit systems, usually with a conductor for
cable locating purposes. Conduit depth is typically 4-8 feet, though it can be deeper. Conduits
can support more than one fiber optic cable.
Most cable systems are comprised of many fiber optic strands and strands are provided to
multiple users through leasing agreements of the infrastructure owner.
Networks using fiber optic cables are Dense Wave Division Multiplexing (DWDM) systems. These
systems typically are capable of 80 or more waves per cable, each wave supporting 10Gbps,
40Gbps, or 100Gbps. A given DWDM system may support many Terabits per second of
information transfer.
A given cable, supporting several DWDM systems, may support a few hundred Terabits per
second of information transfer.
DWDM systems are comprised of optical amplifiers (OAs), and optical add/drop multiplexers
(OADMs). OAs are installed in small facilities every 50-120kms. OADMs are deployed where
P a g e | 4 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
necessary to serve traffic to end customers, or to condition optical signals. OADMs can be
deployed at 10s, 100s, or 1000s of kilometers.
A typical nationwide optical network will comprise some 300-600 OAs, 45-200 OADMs, and 20-
40,000kms of fiber route miles.
The US nationwide long-haul infrastructure is largely shared amongst service providers. A generalized
network infrastructure is shown in Figure 1. The overall network diagram comprises fiber cable
segments from many providers, and some segments shown may have multiple conduits. Small squares
indicate potential OA locations; the small ovals are likely OADM locations. It should be no surprise that
OADM locations correspond to population centers. The black portion illustrates a potential network
using only a portion of the overall potential nationwide network shown by the orange lines.
Figure 1: Notional national network infrastructure.
Illustration of potential scenarios It is probably not necessary to do extensive modeling of an EMP event itself to assess potential impact
to a nationwide network infrastructure. It is possible to do extensive modeling to determine energy
distribution and power levels. However, as this is largely an untested weapon platform, and delivery
capabilities of adversaries vary widely, generalization is probably sufficient. Work by Savage, Gilbert, and
Radasky is adequate for this purpose [Savage]. In their report prepared for ORNL in 2010, they show the
coverage and field intensity of different heights of burst. Their analysis shows greatest field strengths
P a g e | 5 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
relative to burst yield will be achieved with low altitude bursts (75km or so). However, greater
geographic coverage is provided at higher altitude bursts (EMP effect is to the Earth horizon relative to
burst height). The result is a range of effects from 0 to 2500kms for bursts from 0 to 500kms in altitude,
with energy levels ranging from nearly none to nearly 100%.
The geographic coverage for various burst heights, overlaid on a US map, is intimidating. See Figure 2.
Figure 2: Geographic coverage (Height of Burst horizon) of sample burst heights [Savage].
As mentioned previously, EMP field effects are not evenly distributed over the effected geographic
coverage. Rather, the energy distribution, relative to peak, is shaped more as is shown in Figure 3.
P a g e | 6 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
Figure 3: Sample HEMP field distribution diagram [Savage].
The precise distribution will vary on many factors. For purposes of this paper, a template was generated
that shows a larger peak area. See Figure 4.
90%
25%
50%
75%
Peak E
% of Max100%
0%
Figure 4: Sample HEMP field distribution template
This template can be overlaid on the national network illustration from Figure 1 for various heights of
burst. This is shown in diagrams in the following subsections, along with an estimate of OAs and OADMs
effected.
Some caveats on the 10km and 30km heights of burst sections. Technically, a HEMP is generated by a
nuclear burst in the upper atmosphere or above the atmosphere -- as discussed earlier, 75km or higher.
However, any nuclear detonation has some EMP component. A 75km high burst is technically difficult. A
conventional airliner can detonate at relatively high altitude within the atmosphere. So, both 10km and
P a g e | 7 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
30km heights of burst (HOB) are included. It should be noted that the field distribution will be different
in actuality than the template, and the energy field strength relative to device yield will be inefficient.
However, the horizon effects do apply and are useful for assessing network vulnerability.
P a g e | 8 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
10km HOB Keeping in mind the caveats outlined above, a 10km HOB is very focused, as illustrated in Figure 5.
Whatever impacts it does have on network elements will affect only a small portion of any nationwide
network. Though not illustrated in Figure 5, it is clear even many events will not entirely disrupt or
destroy the network.
Figure 5: 10km HOB network overlay.
A typical network, as illustrated by the black portion above, may be effected by a 10km HOB EMP as
shown in Table 1.
10km Height of Burst
Peak E % of max OAs OADMs
90-100% 0 3
75-90% 0 0
50-75% 0 3
25-50% 5 1
0-25% 5 3
Total NEs in range 10 10 Table 1: Network impact 10km HOB.
P a g e | 9 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
30km HOB Keeping in mind the caveats outlined above, a 30km HOB as illustrated in Figure 6 is not so nearly
concentrated as the 10km HOB example. Still, it only impacts a small portion of any nationwide network.
Figure 6: 30km HOB network overlay.
A typical network, as illustrated by the black portion above, may be effected by a 30km HOB EMP as
shown in Table 2.
30km Height of Burst
Peak E % of max OAs OADMs
90-100% 4 4
75-90% 0 0
50-75% 4 3
25-50% 7 3
0-25% 7 2
Total NEs in range 22 12 Table 2: Network impact 30km HOB.
75km HOB A 75km HOB can be expected to behave as described in the available literature. Moreover, as illustrated
in Figure 7, it impacts a wide region. This impact is sufficient to have impact on network assets beyond
the horizon of the event in that existing network redundancy is reduced.
P a g e | 10 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
Figure 7: 75km HOB network overlay.
A typical network, as illustrated by the black portion above, may be effected by a 75km HOB EMP as
shown in Table 3.
75km Height of Burst
Peak E % of max OAs OADMs
90-100% 8 6
75-90% 0 0
50-75% 7 3
25-50% 11 4
0-25% 19 2
Total NEs in range 45 15 Table 3: Network impact 75km HOB.
P a g e | 11 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
100km HOB
Figure 8: 100km HOB network overlay.
A typical network, as illustrated by the black portion above, may be effected by a 100km HOB EMP as
shown in Table 4.
100km Height of Burst
Peak E % of max OAs OADMs
90-100% 5 7
75-90% 0 0
50-75% 11 4
25-50% 26 2
0-25% 10 3
Total NEs in range 52 16 Table 4: Network impact 100km HOB.
P a g e | 12 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
200km HOB
Figure 9: 200km HOB network overlay.
A typical network, as illustrated by the black portion above, may be effected by a 200km HOB EMP as
shown in Table 5.
200km Height of Burst
Peak E % of max OAs OADMs
90-100% 7 9
75-90% 0 0
50-75% 20 4
25-50% 28 3
0-25% 31 4
Total NEs in range 86 20 Table 5: Network impact 200km HOB.
P a g e | 13 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
300km HOB
Figure 10: 300km HOB network overlay.
A typical network, as illustrated by the black portion above, may be effected by a 300km HOB EMP as
shown in Table 6.
300km Height of Burst
Peak E % of max OAs OADMs
90-100% 13 11
75-90% 0 0
50-75% 34 3
25-50% 33 4
0-25% 34 6
Total NEs in range 114 24 Table 6: Network impact 300km HOB.
P a g e | 14 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
Modeling approach Traditional network resiliency engineering concentrates on single failures, double failures, or at most a
few concurrent failures (e.g., three or so key failure modes). However, Network Disaster Recovery (NDR)
planning considers destructive scenarios, and develops plans to continue and recover during such
events. Introduction of EMP as a factor for planning ultimately requires assessing scenarios of network
devastation, with multiple failures and higher than normal usage demands at the same time. Gross
effects on a given network can probably be sufficiently understood for planning and engineering
purposes using a traditional scenario based approach. For example, probabilities for the scenarios
outline in Table 1 through Table 6 might be modeled based on the following failure probabilities (see
Table 7 through Table 10). Given time and computing resources, these disruption and destruction
estimates can be replaced by simulated scenarios or other state-based models to better understand
network resiliency to multiple concurrent failures.
75km Height of Burst (or lower)
Peak E % of max Disruption Destruction
90-100% 100% 100%
75-90% 90% 80%
50-75% 40% 30%
25-50% 20% 10%
0-25% 10% 0% Table 7: Sample network element failure probabilities for 75km or lower HOB.
100km Height of Burst
Peak E % of max Disruption Destruction
90-100% 100% 90%
75-90% 85% 75%
50-75% 30% 25%
25-50% 20% 10%
0-25% 5% 0% Table 8: Sample network element failure probabilities 100km HOB.
P a g e | 15 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
200km Height of Burst
Peak E % of max Disruption Destruction
90-100% 90% 80%
75-90% 80% 65%
50-75% 25% 15%
25-50% 10% 5%
0-25% 0% 0% Table 9: Sample network element failure probabilities 200km HOB.
300km Height of Burst
Peak E % of max Disruption Destruction
90-100% 50% 65%
75-90% 25% 40%
50-75% 15% 10%
25-50% 5% 0%
0-25% 0% 0% Table 10: Sample network element failure probabilities 300km HOB..
These tables (Table 7 through Table 10) show hypothetical probabilities of network element impact for
given Heights of Bursts for EMP. Both disruption and destruction will cause failure, but the mean time to
restore will vary by recovery plan. These models will be network and scenario specific. However,
disruption may impact customer traffic for 10 minutes to an hour; for larger overall network disruptions
(in terms of the number of network elements impacted), perhaps recovery will be longer. Shorter
intervals represent time for network elements to self-recover; if human intervention is expected to be
necessary (for hard resets, for example), longer periods will be required. The more network elements
affected by the EMP event, the longer each element may take to recover. The key point of disrupted
network elements, however, is that they will recover without replacement.
Destroyed network elements will not recover without partial or complete replacement of components,
requiring spare parts, operations support, and repair teams. And depending on the amount of
destruction associated with the scenario, recovery resources may be further constrained. Most network
operators maintain sufficient network inventory to replace a few components per failed network
element and a few complete network elements (two or three chassis). Any further damaged
components will need to be provided by the vendor, possibly even built. Therefore, destroyed network
element recovery will take days, weeks, or even months. In some cases, depending on the scenario, and
what other damage may have occurred to other systems including other communication networks,
spare parts and repair personnel and equipment may be more scarce than ever before. Consider, for
P a g e | 16 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
example, that damaged power distribution components may be necessary in many industrial segments,
not just telecommunications infrastructure.
Intuitive findings Simply looking at the coverage maps provided in Figure 5 through Figure 10 may give some intuitive
insights. Of course, intuition is often wrong and must be verified according to specific threat parameters
and network implementations.
Any given national network only needs to be as robust as the mission assets the network supports.
Consequently, it is important to consider implications of network operation outside the affected area of
any event (failure isolation) so that mission assets not affected by an event continue to be supported.
Therefore, network diversity should be considered not at the level of individual network elements, but
rather on the ability of the entire network.
Networks designed to survive typical failure events are not designed to survive catastrophic events
because the assumptions are fundamentally different. A key design strategy for reliability engineering is
to make a network robust to failure – network components do fail. So, networks are designed at both
the network element and on the network wide basis to eliminate single points of failure. When
considering the nationwide network, the typical strategy is to ensure diverse connectivity – two or three
or even more disjoint paths to interconnect network elements. But failures in these EMP scenarios will
not occur independently. A path separation of 50 feet might make line systems reasonably back hoe
failure independent, but not EMP event independent. Such catastrophic failure modes impact large
amounts of a network from the single event, so the independent failure assumption is far from valid. For
a wide outage event such as caused by a EMP event, diversity will not be sufficient.
Many national networks have a significant concentration in the mid-Atlantic region extending from mid-
Virginia to mid-New York State. This concentration extends in from the coastline some hundreds of
kilometers. It is difficult to provide sufficient diversity to provide multiple ingress and egress points to
this region. Consequently, EMP hardening should be considered for this area. Fortunately, as these
diagrams illustrate, hardening of the entire network according to MIL STD 188-125 may not be necessary
for the entire national network for a chance of mitigating the effects of a single EMP event. Hardening
should possibly extend to the Charlotte, NC and Indianapolis regions. On the other hand, the area is
relatively easy to isolate from the rest of a network using diverse assets in the South and mid-West.
International connectivity should also be considered. Figure 11 illustrates the global submarine fiber
optic cable network. Wide diversity is readily available on the West Coast and should be leveraged.
However, the Atlantic cable landing points are particularly concentrated in the Northern mid-Atlantic
regions. Networks supporting missions or critical business requiring connectivity across the Atlantic
should seek diverse connectivity that does not use cable landings in the mid-Atlantic region.
P a g e | 17 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
Figure 11: Submarine fiber optic cable map [Mahlknecht].
While details of impact should be modeled for any specific critical network, it is clear that an EMP event
poses significant risk of damage – as the numbers in Table 2 through Table 6 show, tens to hundreds of
network elements may be impacted. Several of these may be physically damaged and require
replacement. Most network operators do not maintain sufficient spare stock to support replacement of
multiple broken network elements. Critical networks should therefore review their sparing strategies for
regions where EMP mitigation through network diversity or hardening is deemed insufficient. Spare
network component quantities should provide support to replace several entire network elements. This
material should be stored in EMP hardened cabinets at dispersed locations.
We don’t get to choose the time when an event occurs. Any nationwide network experiences network
failures, most daily. In fact, for any network of reasonable scale, there is usually some network element
or fiber route that is out at any given time. So, as an EMP event occurs, there will likely already be
outages on a network. If an outage is forcing use of redundant network assets within the HEMP horizon,
business or mission activities outside the affected area will also be impacted.
P a g e | 18 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
Conclusions and recommendations The likelihood and severity of an EMP attack against the U.S. is significant enough to warrant
consideration. Such an event would impact our national network infrastructure. However, it is possible
the largely mitigate that impact through traditional reliability engineering practices. Detailed
understanding of specific event scenarios may not be necessary; simply planning for critically impactful
scenarios is a good start. Resulting mitigation effects should rely on a mixture of diversity planning,
hardening, and sparing management. It is likely that hardening is not necessary for entire networks.
It should be noticed that these efforts provide benefit beyond the response to an EMP event. Hardening
provides protection from any damaging electromagnetic event. Diversity planning and sparing on the
order described above provides robustness against any regional catastrophe.
Recommendations:
Conduct studies to appreciate the vulnerabilities of specific networks to likely threat scenarios.
These studies will not take a prohibitive effort.
Develop a Network Disaster Recovery Plan that incorporates EMP scenarios. Determine risk
categories and apply appropriate hardening approaches for places (regions) where network
diversity cannot be made sufficient to mitigate risk.
Dramatically increase sparing levels.
Particularly seek diversity solutions for trans-Atlantic cable systems.
P a g e | 19 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770
This paper includes Polar Star Consulting Proprietary Information.
Citations [Savage] “The Early-Time (E1) High-Altitude Electromagnetic Pulse (HEMP) and Its Impact on the U.S.
Power Grid”, Edward Savage, James Gilbert, and William Radasky, Metatech Corporation, January 2010.
Online: http://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity/ferc_meta-r-320.pdf.
[Commission 1] “Volume1: Executive Report 2004”, Commission to Assess the Threat to the United
States from Electromagnetic Pulse (EMP) Attack, John S. Forester, et al, 2004. Online:
http://www.empcommission.org/docs/empc_exec_rpt.pdf.
[Commission 2] “Critical National Infrastructures”, Commission to Assess the Threat to the United States
from Electromagnetic Pulse (EMP) Attack, John S. Forester, et al, April 2008. Online:
http://www.empcommission.org/docs/A2473-EMP_Commission-7MB.pdf.
[Mahlknecht] “Greg’s Cable Map”, Greg Mahlknecht. Online: http://www.cablemap.info/.