Network Vulnerability to Electromagnetic Pulse Attacks


©2015 Polar Star Consulting, LLC™ 14900 Conference Center Drive Suite 280 Chantilly, VA 20151 703-955-7770

This paper includes Polar Star Consulting Proprietary Information


Steve Goeringer

Jason Rupe

Abstract

An approach to assessing transport network robustness to single event EMP attacks.


Nature of the threat

In 2004, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack released a watershed report to the public. The notion of an EMP attack presenting a threat was not new; Army documentation and standards had been developed as early as two decades previously, indicating that the government believed such a threat was serious. The Commission’s report, however, highlighted that the threat was plausible, with multiple potential adversaries capable of executing an attack, and that the impact of such an attack would be very severe.

The nature of the threat is very different from that of conventional nuclear attacks. Conventional nuclear attacks primarily impact a focused area (a few to tens of square kilometers) with massive destruction, with residual damage through fallout over a wider area. A nuclear-based EMP attack has the potential to impact very large areas, though the nature of the “destruction” is very tightly focused on specific infrastructure (power generation, power distribution, and electronic devices).

The EMP attack is the result of interaction between released gamma radiation and the Earth’s atmosphere. While a conventional nuclear detonation results in an EMP, it is fairly focused geographically. However, when detonated at high-altitude – 70-400km – the generation of the EMP results in much greater intensity (field strength) distributed over a much wider geography. This paper is focused on High-altitude Electromagnetic Pulse (HEMP) events, though it refers to EMP generically.

The physics of an EMP event are complicated. The nuclear detonation’s interaction with the atmosphere is not an isotropically emitted event. Consequently, the resulting EMP field intensity is not evenly distributed, but rather has focus areas. Moreover, there are three EMP components: E1, E2, and E3. The distribution of the EMP components is affected by both the height of the explosion and the yield of the device.

According to the Commission’s executive summary report, E1 is an intense impulse spike inducing current sufficient to “disrupt or damage electronics-based control systems, sensors, communications systems, protective systems, computers, and similar devices.” E2 itself is also an impulse spike but slightly slower than E1 and also of less amplitude; in itself, it poses less risk though it can exacerbate the damages induced by E1. E3 is a longer rise time, more sustained pulse that “creates disruptive currents in long electricity transmission lines” that consequently can damage power generation and distribution infrastructure. [Commission 1]

In publicly available information, it is unclear what specific damage network equipment may incur. Some reports independent of the Commission indicate integrated circuits (ICs) are particularly susceptible to EMPs. In the Commission’s reports, vehicles were demonstrated as only moderately susceptible to EMPs, even though they may contain several hundred ICs. However, vehicles are nearly entirely self-contained devices riding on insulators (tires). Network equipment is typically connected to the power grid, installed in racks made of metal connected to ground, inside buildings that are grounded. Moreover, the Commission reports focus on data and simulations that may be of EMPs an order of magnitude lower in field strength than those that potential adversaries may be able to generate.

From a risk assessment and engineering perspective, it is tempting to do detailed analysis of EMP events. However, relative to understanding network risks and the corresponding mitigations, this is probably not fruitful. It is enough to know that an EMP is a plausible threat and probably poses significant risk to nationwide network infrastructure. This report, therefore, concentrates on assessing network vulnerability to large scale disruptions such as an EMP. Appropriate mitigations may be available to reduce at least some risk where necessary. This report, however, does not provide details of those mitigations.

Network generalizations

Local and regional networks may be largely disrupted by an EMP and as such are not considered in this report. Protection of geographically concentrated networks must fall back to EMP hardening methods such as those discussed in MIL-STD-188-125-1 (Department of Defense Interface Standard, High-Altitude Electromagnetic Pulse (HEMP) Protection for Ground-Based C4I Facilities Performing Critical, Time-Urgent Missions).

This report focuses on nationwide infrastructure networks. These networks typically incorporate these characteristics:

They are based on fiber optic cable systems.

Fiber optic cables for nationwide networks are typically, though not exclusively, buried on rail or highway Rights-of-Way.

Buried fiber optic cables are typically installed in conduit systems, usually with a conductor for cable locating purposes. Conduit depth is typically 4-8 feet, though it can be deeper. Conduits can support more than one fiber optic cable.

Most cable systems are comprised of many fiber optic strands and strands are provided to multiple users through leasing agreements of the infrastructure owner.

Networks using fiber optic cables are Dense Wave Division Multiplexing (DWDM) systems. These systems typically are capable of 80 or more waves per cable, each wave supporting 10Gbps, 40Gbps, or 100Gbps. A given DWDM system may support many Terabits per second of information transfer.

A given cable, supporting several DWDM systems, may support a few hundred Terabits per second of information transfer.

DWDM systems are comprised of optical amplifiers (OAs), and optical add/drop multiplexers (OADMs). OAs are installed in small facilities every 50-120kms. OADMs are deployed where necessary to serve traffic to end customers, or to condition optical signals. OADMs can be deployed at 10s, 100s, or 1000s of kilometers.

A typical nationwide optical network will comprise some 300-600 OAs, 45-200 OADMs, and 20-40,000kms of fiber route miles.

The US nationwide long-haul infrastructure is largely shared amongst service providers. A generalized network infrastructure is shown in Figure 1. The overall network diagram comprises fiber cable segments from many providers, and some segments shown may have multiple conduits. Small squares indicate potential OA locations; the small ovals are likely OADM locations. It should be no surprise that OADM locations correspond to population centers. The black portion illustrates a potential network using only a portion of the overall potential nationwide network shown by the orange lines.

Figure 1: Notional national network infrastructure.

Illustration of potential scenarios

It is probably not necessary to do extensive modeling of an EMP event itself to assess potential impact to a nationwide network infrastructure. It is possible to do extensive modeling to determine energy distribution and power levels. However, as this is largely an untested weapon platform, and delivery capabilities of adversaries vary widely, generalization is probably sufficient. Work by Savage, Gilbert, and Radasky is adequate for this purpose [Savage]. In their report prepared for ORNL in 2010, they show the coverage and field intensity of different heights of burst. Their analysis shows greatest field strengths relative to burst yield will be achieved with low altitude bursts (75km or so). However, greater geographic coverage is provided at higher altitude bursts (EMP effect is to the Earth horizon relative to burst height). The result is a range of effects from 0 to 2500kms for bursts from 0 to 500kms in altitude, with energy levels ranging from nearly none to nearly 100%.

The geographic coverage for various burst heights, overlaid on a US map, is intimidating. See Figure 2.

Figure 2: Geographic coverage (Height of Burst horizon) of sample burst heights [Savage].

As mentioned previously, EMP field effects are not evenly distributed over the affected geographic coverage. Rather, the energy distribution, relative to peak, is shaped more as is shown in Figure 3.


Figure 3: Sample HEMP field distribution diagram [Savage].

The precise distribution will vary with many factors. For purposes of this paper, a template was generated that shows a larger peak area. See Figure 4.

[Figure 4 labels: Peak E, % of max, with contour bands at 100%, 90%, 75%, 50%, 25% and 0%.]

Figure 4: Sample HEMP field distribution template

This template can be overlaid on the national network illustration from Figure 1 for various heights of burst. This is shown in diagrams in the following subsections, along with an estimate of OAs and OADMs affected.

Some caveats apply to the 10km and 30km height of burst sections. Technically, a HEMP is generated by a nuclear burst in the upper atmosphere or above the atmosphere – as discussed earlier, 75km or higher. However, any nuclear detonation has some EMP component. A 75km high burst is technically difficult. A conventional airliner can detonate at relatively high altitude within the atmosphere. So, both 10km and 30km heights of burst (HOB) are included. It should be noted that the field distribution will be different in actuality than the template, and the energy field strength relative to device yield will be inefficient. However, the horizon effects do apply and are useful for assessing network vulnerability.


10km HOB

Keeping in mind the caveats outlined above, a 10km HOB is very focused, as illustrated in Figure 5. Whatever impacts it does have on network elements will affect only a small portion of any nationwide network. Though not illustrated in Figure 5, it is clear that even many events will not entirely disrupt or destroy the network.

Figure 5: 10km HOB network overlay.

A typical network, as illustrated by the black portion above, may be affected by a 10km HOB EMP as shown in Table 1.

10km Height of Burst

| Peak E % of max | OAs | OADMs |
|---|---|---|
| 90-100% | 0 | 3 |
| 75-90% | 0 | 0 |
| 50-75% | 0 | 3 |
| 25-50% | 5 | 1 |
| 0-25% | 5 | 3 |
| Total NEs in range | 10 | 10 |

Table 1: Network impact 10km HOB.


30km HOB

Keeping in mind the caveats outlined above, a 30km HOB as illustrated in Figure 6 is not nearly so concentrated as the 10km HOB example. Still, it only impacts a small portion of any nationwide network.

Figure 6: 30km HOB network overlay.

A typical network, as illustrated by the black portion above, may be affected by a 30km HOB EMP as shown in Table 2.

30km Height of Burst

| Peak E % of max | OAs | OADMs |
|---|---|---|
| 90-100% | 4 | 4 |
| 75-90% | 0 | 0 |
| 50-75% | 4 | 3 |
| 25-50% | 7 | 3 |
| 0-25% | 7 | 2 |
| Total NEs in range | 22 | 12 |

Table 2: Network impact 30km HOB.

75km HOB

A 75km HOB can be expected to behave as described in the available literature. Moreover, as illustrated in Figure 7, it impacts a wide region. This is sufficient to affect network assets beyond the horizon of the event, in that existing network redundancy is reduced.


Figure 7: 75km HOB network overlay.

A typical network, as illustrated by the black portion above, may be affected by a 75km HOB EMP as shown in Table 3.

75km Height of Burst

| Peak E % of max | OAs | OADMs |
|---|---|---|
| 90-100% | 8 | 6 |
| 75-90% | 0 | 0 |
| 50-75% | 7 | 3 |
| 25-50% | 11 | 4 |
| 0-25% | 19 | 2 |
| Total NEs in range | 45 | 15 |

Table 3: Network impact 75km HOB.


100km HOB

Figure 8: 100km HOB network overlay.

A typical network, as illustrated by the black portion above, may be affected by a 100km HOB EMP as shown in Table 4.

100km Height of Burst

| Peak E % of max | OAs | OADMs |
|---|---|---|
| 90-100% | 5 | 7 |
| 75-90% | 0 | 0 |
| 50-75% | 11 | 4 |
| 25-50% | 26 | 2 |
| 0-25% | 10 | 3 |
| Total NEs in range | 52 | 16 |

Table 4: Network impact 100km HOB.


200km HOB

Figure 9: 200km HOB network overlay.

A typical network, as illustrated by the black portion above, may be affected by a 200km HOB EMP as shown in Table 5.

200km Height of Burst

| Peak E % of max | OAs | OADMs |
|---|---|---|
| 90-100% | 7 | 9 |
| 75-90% | 0 | 0 |
| 50-75% | 20 | 4 |
| 25-50% | 28 | 3 |
| 0-25% | 31 | 4 |
| Total NEs in range | 86 | 20 |

Table 5: Network impact 200km HOB.


300km HOB

Figure 10: 300km HOB network overlay.

A typical network, as illustrated by the black portion above, may be affected by a 300km HOB EMP as shown in Table 6.

300km Height of Burst

| Peak E % of max | OAs | OADMs |
|---|---|---|
| 90-100% | 13 | 11 |
| 75-90% | 0 | 0 |
| 50-75% | 34 | 3 |
| 25-50% | 33 | 4 |
| 0-25% | 34 | 6 |
| Total NEs in range | 114 | 24 |

Table 6: Network impact 300km HOB.


Modeling approach

Traditional network resiliency engineering concentrates on single failures, double failures, or at most a few concurrent failures (e.g., three or so key failure modes). However, Network Disaster Recovery (NDR) planning considers destructive scenarios, and develops plans to continue and recover during such events. Introduction of EMP as a factor for planning ultimately requires assessing scenarios of network devastation, with multiple failures and higher than normal usage demands at the same time. Gross effects on a given network can probably be sufficiently understood for planning and engineering purposes using a traditional scenario based approach. For example, probabilities for the scenarios outlined in Table 1 through Table 6 might be modeled based on the following failure probabilities (see Table 7 through Table 10). Given time and computing resources, these disruption and destruction estimates can be replaced by simulated scenarios or other state-based models to better understand network resiliency to multiple concurrent failures.

75km Height of Burst (or lower)

| Peak E % of max | Disruption | Destruction |
|---|---|---|
| 90-100% | 100% | 100% |
| 75-90% | 90% | 80% |
| 50-75% | 40% | 30% |
| 25-50% | 20% | 10% |
| 0-25% | 10% | 0% |

Table 7: Sample network element failure probabilities for 75km or lower HOB.

100km Height of Burst

| Peak E % of max | Disruption | Destruction |
|---|---|---|
| 90-100% | 100% | 90% |
| 75-90% | 85% | 75% |
| 50-75% | 30% | 25% |
| 25-50% | 20% | 10% |
| 0-25% | 5% | 0% |

Table 8: Sample network element failure probabilities 100km HOB.


200km Height of Burst

| Peak E % of max | Disruption | Destruction |
|---|---|---|
| 90-100% | 90% | 80% |
| 75-90% | 80% | 65% |
| 50-75% | 25% | 15% |
| 25-50% | 10% | 5% |
| 0-25% | 0% | 0% |

Table 9: Sample network element failure probabilities 200km HOB.

300km Height of Burst

| Peak E % of max | Disruption | Destruction |
|---|---|---|
| 90-100% | 50% | 65% |
| 75-90% | 25% | 40% |
| 50-75% | 15% | 10% |
| 25-50% | 5% | 0% |
| 0-25% | 0% | 0% |

Table 10: Sample network element failure probabilities 300km HOB.

These tables (Table 7 through Table 10) show hypothetical probabilities of network element impact for given Heights of Bursts for EMP. Both disruption and destruction will cause failure, but the mean time to restore will vary by recovery plan. These models will be network and scenario specific. However, disruption may impact customer traffic for 10 minutes to an hour; for larger overall network disruptions (in terms of the number of network elements impacted), perhaps recovery will be longer. Shorter intervals represent time for network elements to self-recover; if human intervention is expected to be necessary (for hard resets, for example), longer periods will be required. The more network elements affected by the EMP event, the longer each element may take to recover. The key point of disrupted network elements, however, is that they will recover without replacement.

Destroyed network elements will not recover without partial or complete replacement of components, requiring spare parts, operations support, and repair teams. And depending on the amount of destruction associated with the scenario, recovery resources may be further constrained. Most network operators maintain sufficient network inventory to replace a few components per failed network element and a few complete network elements (two or three chassis). Any further damaged components will need to be provided by the vendor, possibly even built. Therefore, destroyed network element recovery will take days, weeks, or even months. In some cases, depending on the scenario, and what other damage may have occurred to other systems including other communication networks, spare parts and repair personnel and equipment may be more scarce than ever before. Consider, for example, that replacements for damaged power distribution components may be needed in many industrial segments, not just telecommunications infrastructure.
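The scenario-based estimate described in this section, worked through in Python as an added example (not code from the paper): it combines the element counts of Table 1 through Table 6 with the sample probabilities of Table 7 through Table 10. Independence of elements within a band and the default stock of three spare chassis are assumptions made here.

```python
# Added example: scenario estimate built from the paper's Tables 1-10.
# Band order in every list: 90-100%, 75-90%, 50-75%, 25-50%, 0-25% of peak E.

# Tables 1-6: (OAs, OADMs) inside each band, keyed by height of burst in km.
ELEMENTS_IN_RANGE = {
    10:  [(0, 3), (0, 0), (0, 3), (5, 1), (5, 3)],
    30:  [(4, 4), (0, 0), (4, 3), (7, 3), (7, 2)],
    75:  [(8, 6), (0, 0), (7, 3), (11, 4), (19, 2)],
    100: [(5, 7), (0, 0), (11, 4), (26, 2), (10, 3)],
    200: [(7, 9), (0, 0), (20, 4), (28, 3), (31, 4)],
    300: [(13, 11), (0, 0), (34, 3), (33, 4), (34, 6)],
}

# Tables 7-10: (disruption, destruction) probability per band.
TABLE_7 = [(1.00, 1.00), (0.90, 0.80), (0.40, 0.30), (0.20, 0.10), (0.10, 0.00)]
FAILURE_PROB = {
    10: TABLE_7, 30: TABLE_7, 75: TABLE_7,  # Table 7 covers 75km or lower
    100: [(1.00, 0.90), (0.85, 0.75), (0.30, 0.25), (0.20, 0.10), (0.05, 0.00)],
    200: [(0.90, 0.80), (0.80, 0.65), (0.25, 0.15), (0.10, 0.05), (0.00, 0.00)],
    300: [(0.50, 0.65), (0.25, 0.40), (0.15, 0.10), (0.05, 0.00), (0.00, 0.00)],
}


def expected_impact(hob_km):
    """Expected (disrupted, destroyed) network elements for one height of burst.

    Uses only the marginal probabilities, so no assumption about how
    disruption and destruction relate to each other is needed.
    """
    disrupted = destroyed = 0.0
    for (oas, oadms), (p_dis, p_des) in zip(ELEMENTS_IN_RANGE[hob_km],
                                            FAILURE_PROB[hob_km]):
        disrupted += (oas + oadms) * p_dis
        destroyed += (oas + oadms) * p_des
    return disrupted, destroyed


def destroyed_pmf(hob_km):
    """Exact distribution of the number of destroyed elements.

    Assumption (not from the paper): given its band, each element is
    destroyed independently with that band's probability.
    """
    pmf = [1.0]  # pmf[k] = P(exactly k elements destroyed so far)
    for (oas, oadms), (_, p_des) in zip(ELEMENTS_IN_RANGE[hob_km],
                                        FAILURE_PROB[hob_km]):
        for _ in range(oas + oadms):
            nxt = [0.0] * (len(pmf) + 1)
            for k, mass in enumerate(pmf):
                nxt[k] += mass * (1.0 - p_des)
                nxt[k + 1] += mass * p_des
            pmf = nxt
    return pmf


def prob_spares_exhausted(hob_km, spare_chassis=3):
    """P(more elements destroyed than complete spare chassis on hand)."""
    return sum(destroyed_pmf(hob_km)[spare_chassis + 1:])


if __name__ == "__main__":
    for hob in sorted(ELEMENTS_IN_RANGE):
        dis, des = expected_impact(hob)
        print(f"{hob:>3} km HOB: {dis:5.2f} disrupted, {des:5.2f} destroyed, "
              f"P(spares exhausted) = {prob_spares_exhausted(hob):.3f}")
```

With the paper's sample numbers, every scenario from 30km upward is expected to destroy more elements than a two or three chassis spare stock can replace.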

Intuitive findings

Simply looking at the coverage maps provided in Figure 5 through Figure 10 may give some intuitive insights. Of course, intuition is often wrong and must be verified according to specific threat parameters and network implementations.

Any given national network only needs to be as robust as the mission assets the network supports. Consequently, it is important to consider implications of network operation outside the affected area of any event (failure isolation) so that mission assets not affected by an event continue to be supported. Therefore, network diversity should be considered not at the level of individual network elements, but rather on the ability of the entire network.

Networks designed to survive typical failure events are not designed to survive catastrophic events because the assumptions are fundamentally different. A key design strategy for reliability engineering is to make a network robust to failure – network components do fail. So, networks are designed at both the network element level and on a network-wide basis to eliminate single points of failure. When considering the nationwide network, the typical strategy is to ensure diverse connectivity – two or three or even more disjoint paths to interconnect network elements. But failures in these EMP scenarios will not occur independently. A path separation of 50 feet might make line systems reasonably backhoe failure independent, but not EMP event independent. Such catastrophic failure modes impact large amounts of a network from the single event, so the independent failure assumption is far from valid. For a wide outage event such as that caused by an EMP event, diversity will not be sufficient.
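Why disjoint paths are not independent under a wide-area event, as an added example (not from the paper): a constructed five-site topology on a flat kilometer grid, in which any fiber span crossing the burst horizon is assumed to fail. The horizon formula is standard line-of-sight geometry; the site names, coordinates and the worst-case failure rule are assumptions.

```python
import math
from collections import deque

EARTH_RADIUS_KM = 6371.0


def horizon_radius_km(hob_km):
    """Ground distance from the point below the burst to its line-of-sight horizon."""
    return EARTH_RADIUS_KM * math.acos(EARTH_RADIUS_KM / (EARTH_RADIUS_KM + hob_km))


# Constructed topology (hypothetical sites, x/y in km on a flat plane).
SITES = {"W": (0, 0), "E": (3000, 0),
         "N1": (1500, 40), "N2": (1500, -40), "S": (1500, -1800)}
NORTH_ROUTES = [("W", "N1"), ("N1", "E"), ("W", "N2"), ("N2", "E")]  # disjoint paths
SOUTH_ROUTE = [("W", "S"), ("S", "E")]                               # wide detour
EVENT_CENTER = (1500, 0)  # point on the ground below the event


def distance_to_segment(p, a, b):
    """Shortest distance from point p to the straight segment a-b."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    t = ((px - ax) * dx + (py - ay) * dy) / (dx * dx + dy * dy)
    t = max(0.0, min(1.0, t))  # clamp the projection onto the segment
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))


def surviving_links(links, center, hob_km):
    """Links with no point inside the horizon.

    Worst-case assumption: a span that crosses the footprint fails, because
    it depends on amplifiers placed every 50-120 km along its length.
    """
    radius = horizon_radius_km(hob_km)
    return [(a, b) for a, b in links
            if distance_to_segment(center, SITES[a], SITES[b]) > radius]


def connected(src, dst, links):
    """Breadth-first search for a path between src and dst over the given links."""
    adjacent = {}
    for a, b in links:
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adjacent.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def survives(links, hob_km, src="W", dst="E"):
    """True if src can still reach dst after the event at the given height of burst."""
    return connected(src, dst, surviving_links(links, EVENT_CENTER, hob_km))


if __name__ == "__main__":
    for hob in (10, 30, 75, 300):
        print(f"HOB {hob:>3} km, horizon {horizon_radius_km(hob):6.0f} km: "
              f"north only={survives(NORTH_ROUTES, hob)}, "
              f"with south detour={survives(NORTH_ROUTES + SOUTH_ROUTE, hob)}")
```

The two northern routes share no element yet fail together at every height of burst, while the southern detour keeps W and E connected until the horizon grows past it.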

Many national networks have a significant concentration in the mid-Atlantic region extending from mid-Virginia to mid-New York State. This concentration extends in from the coastline some hundreds of kilometers. It is difficult to provide sufficient diversity to provide multiple ingress and egress points to this region. Consequently, EMP hardening should be considered for this area. Fortunately, as these diagrams illustrate, hardening according to MIL STD 188-125 may not be necessary for the entire national network for a chance of mitigating the effects of a single EMP event. Hardening should possibly extend to the Charlotte, NC and Indianapolis regions. On the other hand, the area is relatively easy to isolate from the rest of a network using diverse assets in the South and mid-West.

International connectivity should also be considered. Figure 11 illustrates the global submarine fiber optic cable network. Wide diversity is readily available on the West Coast and should be leveraged. However, the Atlantic cable landing points are particularly concentrated in the Northern mid-Atlantic regions. Networks supporting missions or critical business requiring connectivity across the Atlantic should seek diverse connectivity that does not use cable landings in the mid-Atlantic region.


Figure 11: Submarine fiber optic cable map [Mahlknecht].

While details of impact should be modeled for any specific critical network, it is clear that an EMP event poses significant risk of damage – as the numbers in Table 2 through Table 6 show, tens to hundreds of network elements may be impacted. Several of these may be physically damaged and require replacement. Most network operators do not maintain sufficient spare stock to support replacement of multiple broken network elements. Critical networks should therefore review their sparing strategies for regions where EMP mitigation through network diversity or hardening is deemed insufficient. Spare network component quantities should provide support to replace several entire network elements. This material should be stored in EMP hardened cabinets at dispersed locations.

We don’t get to choose the time when an event occurs. Any nationwide network experiences network failures, most daily. In fact, for any network of reasonable scale, there is usually some network element or fiber route that is out at any given time. So, as an EMP event occurs, there will likely already be outages on a network. If an outage is forcing use of redundant network assets within the HEMP horizon, business or mission activities outside the affected area will also be impacted.


Conclusions and recommendations

The likelihood and severity of an EMP attack against the U.S. is significant enough to warrant consideration. Such an event would impact our national network infrastructure. However, it is possible to largely mitigate that impact through traditional reliability engineering practices. Detailed understanding of specific event scenarios may not be necessary; simply planning for critically impactful scenarios is a good start. Resulting mitigation efforts should rely on a mixture of diversity planning, hardening, and sparing management. It is likely that hardening is not necessary for entire networks.

It should be noted that these efforts provide benefit beyond the response to an EMP event. Hardening provides protection from any damaging electromagnetic event. Diversity planning and sparing on the order described above provide robustness against any regional catastrophe.

Recommendations:

Conduct studies to appreciate the vulnerabilities of specific networks to likely threat scenarios. These studies will not take a prohibitive effort.

Develop a Network Disaster Recovery Plan that incorporates EMP scenarios. Determine risk categories and apply appropriate hardening approaches for places (regions) where network diversity cannot be made sufficient to mitigate risk.

Dramatically increase sparing levels.

Particularly seek diversity solutions for trans-Atlantic cable systems.


Citations

[Savage] “The Early-Time (E1) High-Altitude Electromagnetic Pulse (HEMP) and Its Impact on the U.S. Power Grid”, Edward Savage, James Gilbert, and William Radasky, Metatech Corporation, January 2010. Online: http://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity/ferc_meta-r-320.pdf.

[Commission 1] “Volume 1: Executive Report 2004”, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, John S. Forester, et al, 2004. Online: http://www.empcommission.org/docs/empc_exec_rpt.pdf.

[Commission 2] “Critical National Infrastructures”, Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, John S. Forester, et al, April 2008. Online: http://www.empcommission.org/docs/A2473-EMP_Commission-7MB.pdf.

[Mahlknecht] “Greg’s Cable Map”, Greg Mahlknecht. Online: http://www.cablemap.info/.