WIXLIB

Fear ofFryingElectromagneticweaponsthreatenour datanetworks.Here’show tostopthemBy WilliamA. RadaskyPhotographyby DanSaelinger46 sep 201409.EMAttacks.NA.indd 46 North American   SPECTRUM.IEEE.ORG8/13/14 9:02 AM

09.EMAttacks.NA.indd 478/13/14 9:02 AM

criminals use an electromagnetic weaponto black out a portion of Las Vegas. Veryfuturistic, you may say, but the threat isreal and growing.The problem is growing because the technology available to attackers has improvedeven as the technology being attacked hasbecome more vulnerable. Our infrastructureincreasingly depends on closely integrated,high-speed electronic systems operating atlow internal voltages. That means they canbe laid low by short, sharp pulses high involtage but low in energy—output that cannow be generated by a machine the size of asuitcase, batteries included.Electromagnetic (EM) attacks are not onlypossible—they are happening. One may beunder way as you read this. Even so, youwould probably never hear of it: These stories are typically hushed up, for the sake ofsecurity or the victims’ reputation. Occasionally, though, an incident comes to light.In May 2012, for instance, the Korea Heraldreported that over 500 aircraft flying in andout of South Korea’s Incheon and Gimpoairports reported GPS failures, as did hundreds of ships and fishing boats in the seawest of Incheon Airport. The source of theEM fields was traced to the North Koreancity of K aesong, about 50 kilometers northof Incheon. South Korean officials indicatedthat North Korea had imported truck-basedjamming systems in 2010 that had the capability to jam GPS signals. These officials specu lated that one purpose of the jamming wasto interfere with South Korea’s highly digitalsociety. Or perhaps the North Koreans wereconducting an experiment, using SouthKorea as their beta tester.In decades past, the few key electronicsystems that existed worked at higher voltages than today’s machines and at lowerfrequencies, making them less sensitive toEM disruption. Today, though, any digitallycontrolled infrastructure presents a target:48 sep 201409.EMAttacks.NA.indd 48 Power, telecommunications, finance, water,natural gas, and more are all coming underthe ever-finer control of computers. Rightnow the power systems in developed areas ofthe world are installing smart power metersin homes and businesses, along with communications systems to transmit the data. Thenew wave of distributed renewable powersystems requires additional sensors to determine their operating status, so that the gridcan operate efficiently and avoid collapse.The increased need for information and themeans to communicate it make all these systems vulnerable to anyone who may wishto create problems—and that means hackers,criminals, vandals, and terrorists.And, unlike other means of attack, EMweapons can be used without much risk.A terrorist gang can be caught at the gates,and a hacker may raise alarms whileattempting to slip through the firewalls,but an EM attacker can try and try again,and no one will notice until computer systems begin to fail (and even then the victims may still not know why).Governments and professional organizations have been aware of the problem (calledintentional electromagnetic interference, orIEMI) at least since the 1990s; in the wakeof attacks like the one in South Korea, theybegan to take it seriously. For instance, in2012 the European Union began fundingthree projects to deal with assessing EMattacks and protecting critical infrastructuresfrom them. One project, known as Secret(Security of Railways against ElectromagneticAttacks), is meant to find ways to prevent thejamming of railroad equipment that uses thenew GSM-Railway wireless communicationstandard. It’s not enough to patch holes thatbad actors have discovered; we must also tryto anticipate attacks that haven’t yet occurred.It may seem strange that we should find ourselves in need of defending against electromagnetic generators, a kind of weapon mostNorth American   SPECTRUM.IEEE.ORGTpeople have still never heard of. The reason isobvious: Not only is it getting easier to makethese generators, but we are also becomingmore dependent on the data networks thosegenerators threaten.The recipe for frying a network is simple.Begin with a generator, fold in a battery, andgarnish with either an antenna to propagate the output or a hardwired connectioninto the building you have targeted. Even a briefcase-size model could generate EM fieldswith peaks in the thousands of volts per meter,and those peaks would come fast and short,with a rise time of about 100 picoseconds andPrevious page, CGI: Swell; Previous Page and this Page,Prop Stylist: Birte Von KampenIn the 2001action movieOcean’s Eleven,8/13/14 9:02 AM

a pulse width of about 1 nanosecond. Sucha pulse would contain frequencies between100 megahertz and several gigahertz.Whether the attacker transmits via anantenna or a hardwired connection dependson circumstances. The radiated field methodgives attackers greater flexibility, but thepower decreases rapidly the farther they arefrom the target. A hardwired approach letsattackers put the pulsed power where theywant it without as much wastage, but it doesrequire that they get close enough to the target to make the physical connection. Eventhis needn’t be very hard: Many commercial buildings have vulnerable communica-tions cabinets and external power outlets, as aniel Månsson, at the KTH Royal Institute ofDTechnology, in Stockholm, has documented.An attack might be staged as follows. Alarger electromagnetic weapon could behidden in a small van with side panels madeof fiberglass, which is transparent to EMradiation. If the van is parked about 5 to10 meters away from the target, the EMfields propagating to the wall of the building can be very high. If, as is usually thecase, the walls are mere masonry, without metal shielding, the fields will attenuate only slightly. You can tell just how wellshielded a building is by a simple test: If yourcellphone works well when you’re inside,then you are probably wide open to attack.When the pulsed fields enter the building,they induce a current in the internal wiring that flows into the electronics, eitherdamaging the equipment or just producinga disruption, which in turn might require amanual restart or corrupt some data.The fields are of two kinds: narrowbandand wideband. A narrowband waveformis essentially a single frequency of power,delivered over a period of anywhere from100 ns to several microseconds. Narrowband attacks are usually of very high power,on the order of thousands of volts per meter.Achieving such strong fields is fairly easybecause the electrical energy is concentrated in a narrow band. The frequencycan be optimized for one purpose and thenmodulated for another. For instance, theattackers might beam in a gigahertz wave—perfect for penetrating small apertures inequipment cases—and then modulate it toproduce a lower-frequency signal (just asAM radio is modulated to encode music).That lower-frequency signal, in turn, isintended to pour energy into the electronicsinside the case. But the attack will succeedonly if the frequency matches the resonancepattern in the equipment. If no resonanceoccurs, or if the resonance is confined to justa portion of the equipment, then the effectwill be much less serious, or nonexistent.To increase the odds that such “coupling”occurs, the attacker can continue to shiftthe signal to other frequencies.Wideband (sometimes called ultrawideband) packs a different punch. Here, thepower of each pulse is spread over a rangeof frequencies, for example, from 100 MHzto 1 gigahertz. If the range is wide enough—that is, if the ratio of the highest to the lowestfrequencies in a single pulse is 10 or more—it’s considered hyperband. There’s less powerat any one frequency, and that means lessdamage will be inflicted per pulse than ina narrowband attack. But wideband pulsegenerators can easily produce 1,000 pulsesper second for many minutes at a time, andthat greatly increases the chance of damaging a system, or at least interfering withcommunications through a straightforwarddenial of service. Yury Parfenov, of the Russian Academy of Sciences, Joint Institute forHigh Temperatures, has demonstrated howa high repetition rate can reduce wired Ethernet communications to nearly zero.SPECTRUM.IEEE.ORG09.EMAttacks.NA.indd 49 North American  sep 2014 498/13/14 9:02 AM

OAnd because each pulse requires minimal energy to generate, the energy supplyfor such a weapon is modest compared towhat a narrowband weapon requires. In ourlaboratory at Metatech Corp., an EM consultancy in Goleta, Calif., we have built a powersupply from an automobile battery and aninverter, and it can operate our widebandpulser for days without losing its charge.Over the past 15 years, our laboratory andothers in Germany, Nor way, Russia, S weden, and the United Kingdom haveconducted hundreds of experiments studying how commercial equipment holds upto both narrowband and wideband attacks.The emphasis has been on personal computers, alone and in networks, but morerecent testing has included cash machines,industrial control equipment, substationelectronics, power supplies, E thernet components, Wi-Fi networks, automobiles, GPSelectronics, cellular phones, tablets, andvarious sensors.Computers and other systems based onmicroprocessors turn out to be vulnerableto radiated narrowband fields above 30 voltsper meter, although newer high-speed PCsappear to be resistant up to about 300 V/m atsome frequencies. That’s largely because U.S.and European rules now limit the amount ofEM radiation that such machines can emit tothe 1- to 10-GHz range, and those rules havehad the effect of increasing the machines’shielding. What’s more, as the frequencyrises from 1 to 10 GHz, computers become lessvulnerable to narrowband attack, accordingto experiments by Richard Hoad at QinetiQGroup, a defense technology company inEngland. That’s good news, but remember,not all industrial computers use high-speedprocessors. Slower microprocessors (present in programmable logic controllers, forexample) don’t emit in the gigahertz range,The Walls Have Eyesand so they are not well protected againstEM attacks in that same frequency range.In other experiments, Hoad has determined that the presence of metal connectingcables typically increases the vulnerability of the computer equipment. Attackingand damaging small handheld equipmentthat has no connected cables, by contrast,requires very high fields, usually with peaksgreater than 5 kilovolts per meter.Cables also weaken the defenses of industrial and power-system controls, as shown byEdward Savage, my colleague at Metatech.He simulated attacks, then found that a disproportionate number of equipment failures had originated in cable interface cards.This work suggests that for hooking togetherthe nodes of a network, fiber-optic cable(without metal components) is definitelypreferable to copper cable.Other researchers around the worldhave determined which kinds of wideband pulses are most dangerous to whichkinds of equipment. For instance, a peakelectric field of about 2 kV/m for pulsewidths on the order of 200 ps can disruptTo make sure your company’s electronicsaren’t wide open to attack, follow these simplerules of electromagnetic hygieneInstall EMdetectorsto sound analarm in caseof an attack.Replacewires withfiber-opticcable.Protect cableswith metal jacketing.Eliminatewindows orprotect themwith wire mesh.Protect all cablesleading into the buildingwith electromagnetic filters.Create asafe room,lined in metal,for the mostsensitiveelectronics.Put distancebetween theattackers andtheir target.50 sep 201409.EMAttacks.NA.indd 50 Harden wallswith rebar ormetal lining.North American   SPECTRUM.IEEE.ORGillustration byMCKIBILLO8/13/14 9:02 AM