Why your business continuity and disaster recovery plans should account for EMP attacks and GMD events

Solar flares or North Korean nukes: What's the bigger worry?

7 solar flare emergency doomsday
Getty Images

Dawn came early on September 2, 1859. Shortly after midnight an aurora borealis brighter than the moon woke residents as far south as New Orleans. A Baltimore paper reported that "The light appeared to cover the whole firmament, apparently like a luminous cloud, through which the stars of the larger magnitude indistinctly shone."

Elsewhere, telegraph operators fought to keep their systems online. The telegraph was 20 years old, and the event so powerful that it disrupted operator batteries and made effective telegraph operation impossible. Other operators turned off their batteries in frustration, only to find to their astonishment that the telegraph worked normally again — powered exclusively by the aurora borealis.

The Carrington Event of 1859, so named for the British astronomer who recorded the sun spot activity that day, was the largest geomagnetic disturbance (GMD) event of modern times. Apart from a telegraph outage, the largely analog world of 1859 continued with little consequence. But what would happen today if a solar flare of similar magnitude occurred — or if a human-made electromagnetic pulse weapon (EMP) produced similar results?

Both threats pose risks to the enterprise and should be considered as part of your business continuity and disaster recovery planning. Here are some gotchas you might not have thought of when considering the risks of an EMP attack or a GMD event.

What is an EMP attack?

During the Cold War, military planners chased the chimera of a neutron bomb, a nuclear weapon that would kill everyone in a city but leave the infrastructure intact. EMP weapons, widely believed to be possessed by the United States and other nuclear powers, are small nuclear weapons designed to be detonated at high altitude over a large city that would fry all the electronic equipment within the blast area — energy grid, cell phones, computers of all kinds, modern vehicles and so forth.

The current worry, overhyped according to some, is the risk of North Korea launching an ICBM with an EMP payload and detonating it over San Francisco. While such an attack would almost certainly invoke mutually assured destruction and turn Pyongyang into a glass parking lot, it would also fry most of Silicon Valley and grind America's information-based economy to a halt for months, since every piece of electronic equipment affected would have to be junked and replaced.

The risk of an EMP attack ever happening is low, Brian Harrell, assistant secretary for infrastructure protection at the U.S. Department of Homeland Security (DHS), tells CSO. "We have absolutely no specific or credible intelligence that suggests that an EMP attack is likely to happen," he says. "GMD events are certainly a higher risk for occurrence than EMP attacks, but nonetheless have similar characteristics from a scientific perspective."

Despite the low risk, the White House issued an "Executive Order on Coordinating National Resilience to Electromagnetic Pulses" in March. The order outlines what steps agencies such as the Department of Defense (DoD), the Commerce Department and the DHS should be doing to minimize the risk from EMPs.

What is a GMD event?

A GMD event is a solar flare that affects the energy grid and other electronics the way the Carrington Event disrupted telegraph infrastructure in 1859. We don't have to go back to pre-Civil War times, though — the 1989 solar flare event disrupted the North American energy grid and turned off the power in Quebec for eight hours in the middle of a Canadian winter.

Because of the way the Earth's magnetic field works, with poles near the north and south geographic poles, respectively, solar flare events disproportionately affect systems the further north (in the Northern Hemisphere) and further south (in the Southern Hemisphere) that you go. In North America energy grid systems in Canada have the most experience dealing with space weather events that affect the power grid.

As a result of the 1989 blackout, the North American energy grid providers worked together to research the risk and better understand how to prevent such a blackout in the future. According to Dave Roop, director of electric transmission at Dominion Virginia Power, the North American energy grid is well-prepared for a GMD event larger than the 1989 solar flare, and maybe even larger than the Carrington Event.

"We've done a lot of modeling to see where we stand, not only for what we consider a 100-year storm but storms above that," Roop tells CSO. "We've placed sensors across our network and we're working with NASA and NOAA [National Oceanic and Atmospheric Administration] and the U.S. Geological Survey to improve our modeling and forecasting tools."

So, what specific concrete steps should an enterprise take to mitigate the risk of a GMD event or EMP attack?

Mitigating the risk of a GMD event or EMP attack

While both involve similar types of electromagnet radiation, mitigating the risk for each is quite different. A GMD event is lower severity over a larger geographical area and is a well-understood problem that the energy sector has been working to solve for decades. An EMP attack is much, much lower probability but would have a much higher severity over a smaller geographical region.

"An EMP attack would reduce a city like San Francisco to the Stone Age," Mike Overly, an engineer-turned-cybersecurity lawyer at Foley & Lardner, tells CSO.

Enterprises should include both GMD events and EMP attacks in their business continuity and disaster recovery planning scenarios. Because defending against a direct EMP blast is extraordinarily expensive, the easiest thing to do is to review the location of your secondary backup recovery facilities and ensure they are in a part of the country unlikely to be affected by an EMP blast, perhaps a less-populated region in the middle of the country.

One gotcha security teams should watch out for, Overly says, is to review the legal language in any contract with a disaster recovery facility, which often says that the secondary facility can prioritize resources to other customers. Negotiate in any contract that your enterprise will not be treated to the detriment of another client. "Most of those agreements give the provider the right to do just that and leave you hanging."

This is important because an EMP blast would likely require the permanent transition of operations to a secondary facility, as it could take months to a year to replace fried electronics and to decontaminate any radioactive fallout to make the primary facility suitable for humans again.

Of the 16 named critical infrastructure sectors in the United States, sectors that ought to prioritize thinking about EMP attacks are financial services, utilities and healthcare. For those companies worried about the survival of their data in the event of an EMP blast, a handful of cloud providers have begun offering nuclear-hardened facilities designed to resist an EMP blast, if not, perhaps, a direct hit by a nuclear weapon.

The big takeaway here is that while solar flares pose a far higher risk than an EMP attack. enterprises should include both in their disaster recovery and business continuity plans and evaluate how to diversify their infrastructure to be resilient in the face of either happening.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!