
Will EMP Attacks Be The Next Emerging Cyber Threat?

Paul Briggs

Summary

This month’s Knowledge Exchange white paper on emerging and existing cyber security threats examines why ITDMs and business leaders are extremely worried about a ‘catastrophic cyber event’ that could have more of a societal impact than Covid-19 in the next few years, and what ITDMs can do today and in the longer term to mitigate those risks.

It may be pure coincidence, but it was certainly chilling to see that, a matter of weeks after the World Economic Forum’s (WEF) 2023 annual summit in Davos, Switzerland, warned of a total “grid down” scenario caused by a ‘catastrophic cyber event’, a mysterious high-altitude balloon was seen floating across America.

And while many in the mainstream media have quickly judged this and subsequent balloons to be surveillance or spy balloons, other commentators claim that most state-sponsored espionage is done via satellites [1] and that this vehicle potentially has a more sinister capability: the ability to activate an electromagnetic pulse (EMP) at high altitude (HEMP) using a smaller, lighter nuclear payload.


Therefore, if the balloon was carrying an EMP device or was just a drill to test the detection and response time of such devices, at the sort of altitude the vehicle was flying it would have a greater geographical reach than a ground detonated device and could have knocked out a big chunk of the infrastructure it was flying over.  

The result would be an instant shutdown of power, communication, finance, and business systems that would have a devastating effect on emergency services and supply chains and could tip society into chaos in a matter of days.

A grid down scenario would make Covid’s impact seem like, ‘a small disturbance,’ according to Klaus Schwab, founder of the WEF.  

President of the Centre for American Defence Studies, Paul Crespo also confirmed the high-altitude vehicles could be a trial run for a cyber-attack using a balloon-mounted weapon.  

Speaking in the Epoch Times, Crespo said:

“While China has tested hypersonic missiles launched from balloons in the past, that isn’t a likely use for these airships.”

“The biggest threat is sending one or more of these high-altitude balloons over the US with a small nuclear EMP device.” 

While we hope the vehicle may be nothing more than a ‘weather balloon,’ with rising geopolitical tension between the US and China [2] over Taiwan, tensions with Russia over Ukraine, an increasingly unstable regime in Iran and a re-escalation of tension with North Korea, the usage of EMP-enabled weapons for a global pre-emptive strike seems alarmingly possible.

Military strategists in these countries may favour a high-altitude pre-emptive HEMP strike over a conventional full-blown nuclear attack, as it limits immediate death and radiation fallout and keeps the infrastructure intact, albeit broken, so that it can be repaired in time.

With more balloons and objects being spotted and shot down by the US, and also sightings over other countries such as India, some emergency disaster recovery planning would seem prudent for all businesses, to see if there are short-to-midterm policies that can be adopted as well as longer-term solutions to keep communications, business systems and supply chains up and running.

And it is not just the enterprise and big companies that will be affected, as many SMEs and mid-size businesses have been moving their formerly static sensitive data to Software-as-a-Service companies or moving on-premises systems to cloud infrastructure, which can introduce more rather than fewer security vulnerabilities.

With a massive grid-down scenario, many watchers believe that at best the grid could be back up and running in a year, but more likely it would take longer. But even a 12-month delay could cause a massive increase in societal instability.

Jonathan Hollerman of Grid Down Consulting explains that although the US and the EU have been aware for a while that ‘critical infrastructure’ is open to attack, there has been a reluctance to act because upgrading grids and infrastructure, many of which are still using 1970s technology, would cause massive disruption to governmental, business, communication and residential needs.

In other cases, firms have been reluctant to make the necessary changes for fear of being subjected to stricter governmental audits and certifications needed to be labelled ‘critical infrastructure.’

Citing the US commander of Cyber Command, Admiral Michael Rogers, Hollerman explains that in a meeting of the House Select Intelligence Committee in 2014, Rogers told the House he believed there would be a catastrophic cyber-attack before 2025:

“We see multiple nation states and, in some cases, individuals and groups that have the capability to engage in this behaviour… It is only the matter of when and not if we are going to see something traumatic.”

US COMMANDER ADMIRAL MICHAEL ROGERS

Since 2014, there have been increasing attacks on critical infrastructure via cyber warfare which have grown in sophistication. Using an EMP device however, albeit as a worst-case scenario, would at a stroke and when needed bypass the need for sophisticated malware and hacks.

Although these threats have been identified for some time, more than half of the US Government Accountability Office’s recommendations for protecting critical infrastructure from cyber threats have not been implemented since they were put in place in 2010, according to Edward Graham of Nextgov, who states:

“The report found that of the 106 public recommendations for bolstering cyber critical infrastructure that have been issued by the agency since 2010, only 46 have been implemented as of December 2022.

“Until these are fully implemented, key critical infrastructures will continue to have increased cybersecurity risks to their systems and data,” Graham warned.

So, what can enterprise and SMB ITDMs do to extend ever-growing cyber security policies to include mitigating EMP or other kinetic attacks on critical IT infrastructure, communication and supply lines? And with the growing threat of ‘conventional’ cyber warfare and attacks such as Distributed Denial of Service (DDoS) attacks, ransomware that is increasingly destroying data rather than encrypting it, and other phishing and data breaches, what do you prioritise first?

Underground clouds and EMP proofing IT infrastructure

For the enterprise, the answer is perhaps easier. Government and military organisations have for many years used underground data centres to prevent satellite espionage and to mitigate EMP, which until recently was considered more likely to be generated by solar storms that emit localised EMP strikes than by man-made airborne attacks.

More recently, finance and pharmaceutical companies have been looking to datacentre companies that have been repurposing abandoned Cold War nuclear bunkers to offer secure data facilities with independent power systems to keep systems up and running, in what many people are calling ‘underground clouds.’ In the EU there are many such facilities in the Swiss Alps, dubbed the Swiss Fort Knox.

Even in land-based or co-located facilities (e.g. datacentres near wind, solar or sea-generated energy), datacentres and IT infrastructure can be EMP-proofed either through the combination of materials used in construction or internally, essentially by creating Faraday cages around IT cabinets and servers, which can be certified as EMP-proof.

“When it comes to protection, the first thing to do is take a good review of the security systems that you have in place now and see how your servers are protected.”

GUNNEBO MATT BROOKES

For on-premises servers, Brookes suggests protecting your servers with the right kind of pulse-shielding. If hosted, Brookes suggests you ask your provider what EMP certification they have, either at the datacentre level or at the rack/cabinet level. It is also a wise move, Brookes says, to see what general EMP protection the actual physical datacentre has in place, such as the materials used in construction, double-skinned outer walls etc., if you are looking to do some partial or complete cloud migration.

For smaller midsize operations Brookes suggests:

“The room itself or the building can be made EMP-proof, but that is expensive. It’s much better to look at individual server installations and protect them with the right kind of pulse-shielding. Any electric cable which goes into your server is a possible conductor of an EMP so isolate all of those cables and have connectivity via fibre-optic cables which will not conduct that pulse.”

MSPs can play a vital role in cybersecurity support

In conclusion, while threats from EMP have until recently perhaps not been seen as a massive priority, with rising geopolitical instability and the capability to launch such an attack growing daily, it seems that it should be part of every business’s disaster recovery and cyber security policies. And while before the pandemic this might have been another headache for an enterprise ITDM, the migration to hybrid and cloud infrastructure is also making it a headache for the SMB ITDM, as more data is being held on third-party systems.

And if it is a lower priority for SMB ITDMs because there are so many other threats from more conventional cyber-attacks, it might be a good idea to enlist the services of a managed service provider (MSP), as HelpNetSecurity suggests:

“MSPs can play a vital role for SMBs when it comes to cybersecurity support. Since many SMBs don’t have the resources to hire several in-house IT / cybersecurity professionals, MSPs can shoulder a lot of that load, providing services to help reduce risk, enable growth opportunities, and support end users and customers alike.”

Cyber-attacks are set to rise in 2023 for enterprise and SMB

Even without the emerging threat of EMP strikes, state-sponsored, criminal and other cyber-attacks are set to rise in 2023 for enterprise and SMB alike, with more sophisticated software and the growing use of artificial intelligence.

Although an EMP strike is the worst case and hopefully only a theoretical scenario, the number and sophistication of cyber-attacks is growing at an exponential rate, with more state-sponsored attacks accompanying criminal groups, mercenaries and ‘hacktivist’ attacks on business, governmental systems and critical infrastructure.

Security vendor Kaspersky has noted there is a “looming threat of reoccurring attacks” from state-sponsored actors in 2023:

“If a company was compromised once, with the attack successfully remediated, attackers are highly likely to try hacking this organization again. After an unsuccessful attack this organization is most likely to be attacked again, as it is a long-term goal of threat actors. This is especially noticeable in government organizations, which tend to get attacked by state-sponsored actors.”

As well as the state-sponsored attacks, there is also the growing threat and sophistication of other ‘bad actors.’ For example, since its discovery in 2014, Cloud Atlas has, according to research by cyber security vendor Check Point [4]:

“Launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts, however its scope has narrowed significantly in the last year (2022), with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova.”

Rise of the machines

And although cyber-attacks are increasingly using AI and other sophisticated malware to launch attacks, email is still the major delivery vehicle for initiating cyber-attacks, and people clicking on links are still the unwitting culprits of launching them, according to Check Point, which noted that in 2022 86% of file-based attacks in the wild were delivered by email.

In the US a major energy provider found malware on its system that operated turbines, controllers, and other industrial machinery. It had been undiscovered for a year and infiltrated the network due to an employee clicking a bad link in an email!


And with AI being deployed to create more convincing and genuine-looking emails, this threat emphasises the importance of zero-day prevention of attacks across the entire IT infrastructure, including email, endpoint, network, cloud, and everything in between, according to Maya Horowitz, VP Research at Check Point Software Technologies, who noted:

“In the last days of 2022, we witnessed a dramatic advancement in the field of generative artificial intelligence, which is able to generate highly professional text (code included) on demand in seconds. As we step into 2023, we should keep in mind that this technology may quickly be adopted by threat actors, to craft even more malicious emails, in even better quality than those typically authored by threat actors, and with endless variations of malware and malicious code in general.”

Although the technology exists, it may not be possible to completely guard systems from a grid-down scenario the likes of which the WEF wants us all to be mindful of. As well as EMP and electronic-based warfare that will also look to spread disinformation on mainstream and alternative media outlets, there is still the risk of more conventional ‘kinetic’ warfare that can pose a similar threat, like the discovery of an apparent Russian spy ship that was thought to be observing undersea power and internet cables that connect the UK to the rest of Europe, according to Dutch intelligence services. Gas, electricity and wind farm critical infrastructure are also likely targeted by the Russians, according to Dutch intelligence. Such conventional or nuclear strikes would be very difficult to prevent.


However, for the other cyber security vulnerabilities, the weakest link in the chain, humans, can be managed in order to prevent or mitigate an attack. With email still being the primary vehicle for such attacks, raising awareness and continual training are perhaps the most important areas to focus on, either internally or with the assistance of an MSP, as these factors can be controlled whereas other scenarios such as EMP are more problematic.

KNOWLEDGE EXCHANGE: SPOTLIGHT

· Geopolitical landscape for nuclear powers standing off against each other has not been as dire since the Cuban Missile crisis in the 1960s.
· Developments in smaller footprint nuclear EMP devices could be behind recent sightings of high-altitude vehicles being spotted in the US, Canada, and other regions.
· EMP can bring down infrastructure and critical infrastructure without the same levels of devastation and radiation as a conventional attack; however, the consequences would be as catastrophic as a nuclear strike and affect power, communication and supply chains.
· Businesses and governments have been slow to patch vulnerabilities in critical infrastructure and to move to EMP-proof premises.
· EMP proofing IT infrastructure is relatively cheap to do and underground cloud infrastructure looks likely to become the new norm, but time is running out if action is not taken now.
· Despite emerging EMP threats, state sponsored attacks on critical and business infrastructure will further increase.
· Email is still the most likely vehicle for transmission for malware/cyber-attacks.
· Employees that are not trained or regularly briefed about emerging and existing cyber threats will be the weakest link in the security chain.
· Rise of AI combined with sophisticated malware looks likely to be more commonplace.

*The images in this post were created using AI.
COPYRIGHT © 2023 ANTERIAD