EMP - clear and present cyber threat

Imagine what would happen if, suddenly, all of the electronic components for hundreds of miles around your house just cut out. Everything quit - from your coffee maker to your smartphone, to computer workstations and servers, to factory control systems and aircraft avionics, to operations centers and data centers in the area. And when they came back up again, they behaved randomly and erratically – not performing as expected. And some of them didn't come back up at all. Pretty well none of the critical infrastructure would be working properly. Power, telecommunications, transportation, emergency services ... all of these would be at best disrupted, and at worst dead in the water. It wouldn't take long before the economy, and then society, started to completely unravel.

Now imagine the same scenario ten years from today, when we have billions more electronic systems deployed in the world than at present. Smart cities, smart power grids, smart transportation systems ... all of a sudden, not so smart. An even faster and bigger domino effect on the economy and society.

This isn't just a sci-fi horror movie scenario. It's a very real threat, and it's called EMP, short for electromagnetic pulse. An EMP is a short burst of electromagnetic energy that interferes with electronics in its path. It's caused by a variety of events including car engines starting, power line surges, lightning strikes, solar flares, and nuclear explosions. EMP was first noticed in the 1960s, when American atmospheric nuclear tests were found to disrupt electronics for hundreds of miles around.

Most EMP events aren't of the catastrophic kind. The ones we need to be most concerned with are the last two that I mentioned: solar flares and nuclear explosions. Oh, and EMP weapons. The destructive potential of EMP isn't lost on the militaries of the world: China, Russia, and North Korea are all said to be in possession of EMP weapons today. We can only assume that these are powerful enough to visit major electronic disruption on their target destinations. Otherwise, why would they build them?

Solar flares are very rare events on a human time scale, but it will only take one time to really mess things up. According to EMP expert Michael Frankel, testifying before the US Congress on May 8, 2014: “... the likelihood that the US will face, at some point a single massive solar storm ... is about 100 percent.” “It will happen. It could happen next year; could be 100 years. But probably not a thousand years.”

At the same hearing, Peter Pry, of EMP awareness organization EMPact America, testified that: “A solar EMP event would black out the national electrical grid for months or years, and collapse critical infrastructures such as communications, transportation, banking and finance, food and water – all vital to sustaining modern society”.

EMP events of the military variety, whether caused directly by a specialized EMP weapon or indirectly by a nuclear blast, are, Frankel says, "an unknown probability". Which sounds like a professional way of saying he doesn’t know. That’s fine ... we all know that estimating probability is just a guessing game. I think it's reasonable to put the likelihood of a catastrophic EMP attack at about the same level as a nuclear detonation, which some experts put at between 10 and 30 percent for the US in the next 10 years. Peter Pry says: "A 1-kiloton nuclear blast detonated 18 miles over US territory would destroy all electrical systems in an area the size of New England."

The point of all this is, catastrophic EMP events may be very low in frequency, but (being catastrophic and all) they're high in impact. Really high. Weaponized EMP makes such events more likely, and the exponential growth in deployed electronic components that the IoT explosion will bring increases and accelerates their impact. This thing is gonna happen at some time or another.

So, EMP needs to be a standard consideration in cyber risk assessments for critical infrastructure facilities. And today, it rarely is. Time for that to change.

Note: EMP threats can be mitigated by hardening electronic components, but as with most security controls, this works best when implemented before the event takes place.

(Via Flash//CRITIC)