As our cities, our transportation, our energy and manufacturing – our everything – increasingly embrace Internet of Things (IoT) and Industrial Controls Systems (ICS), securing its underlying cyber-physical systems (CPS) grows ever more crucial. Yet, even among engineers and cybersecurity specialists, one potential attack trajectory is often overlooked: Intentional Electromagnetic Interference (IEMI).
ICS and IoT – digital systems that run today’s modern society – rely on changes in electrical charges flowing through physical equipment. Creating the 1s and 0s of which all digital information is composed requires electronic switching processes in circuits. The current used in this process is not confined to the circuits and the wiring connected to them. It also creates electromagnetic (EM) fields around them that could leak information. Potentially even more concerning is that the flow of 1s and 0s through the physical equipment or through electromagnetic wave-based communication can be disturbed or stopped by external electromagnetic interference (EMI) sources causing unpredictable results.
Electromagnetic interference (EMI) that can affect performance of electronic circuits or impact digital data paths could be caused by any of the myriad of electromagnetic fields that surround us. Electric and magnetic fields are produced by natural sources like solar flares, lightning or auroras, and man-made sources such mobile networks, radio and TV broadcasts, radars, integrated circuits, ignition systems, electric power transmission lines, toaster ovens, and countless other things.
The industry has established a number of legal requirements and standards for electromagnetic compatibility (EMC). The goal is to ensure correct operation of devices in common electromagnetic environment and resilience to unintentional EMI. With the exception of aircrafts, these EMC requirements are typically not sufficient to protect against intentional electromagnetic interferences (IEMI) generated by malicious actors in order to disrupt performance of electronic equipment. This might invite terrorists, criminals and other adversaries to intentionally interfere or damage critically important CPSes such as telecommunications, power networks, financial systems, medical care, broadcast media, industrial plants, traffic control systems, food and water supply, critical manufacturing, mass transit and others.
IEMI was until the turn of the millennium essentially a military concern but have since then generated quite a lot of interest in the civil arena. Capabilities of IEMI attackers have been growing steadily over the last two decades. On the other hand, growing complexity and distribution of CPSes and decreasing power requirements for the devices that make up the Internet of Things (IoT) make it increasingly possible to connect more and more components of our physical world to monitoring and control devices. This provides a growing pool of increasingly vulnerable targets for attackers. Together, these few trends increase the threat of IEMI attacks exponentially.
What IEMI is
A widely accepted definition for IEMI came out of a workshop held at the Zurich EMC Symposium in February 1999:
“Intentional malicious generation of electromagnetic energy introducing noise or signals into electric and electronic systems, thus disrupting, confusing or damaging these systems for terrorist or criminal purposes.”
To put it bluntly, “[Systems] can be laid low by short, sharp pulses high in voltage but low in energy – output that can now be generated by a machine the size of a suitcase, batteries included.”
Why IEMI matters in cybersecurity
Although most people view cybersecurity as applying only to protecting systems against remote malicious cyber hackers, it should go well beyond that limitation. Especially when applied to cyber-physical systems. It should apply to protection against all threats to such digital systems.
Technically speaking, IEMI is a cyberattack only because it targets “cyber” elements, such as computers, networks and devices. It is not, however, “cyber” in the sense of being a digital attack that directly manipulates 1s and 0s. Rather than manipulating 1s and 0s, IEMI focuses on analog interference with the EM signals that are used in our electronic devices and communications.
With that in mind, threats to digital systems, and therefore areas of concern for cyber-physical systems security specialists, could be broken down into three areas:
- Physical security – protecting the physical components of digital systems from unauthorized physical access or tampering;
- [Core] Cybersecurity – protecting embedded computation core – that controls physical processes – from being hacked, its data from being compromised or its functions from being hijacked by unauthorized persons;
- EMI – protecting the electronic components in CPSes from disruption from IEMI as they operate at low internal voltages and that communicate via low-power wireless networks.
Cyber-physical systems security thus must protect systems on three levels, with the EMI level being the most often overlooked. As the physical and cyber worlds converge, though, we cannot afford to maintain artificial distinctions between these conjoined systems. Engineers charged with creating and maintaining the physical devices and systems must work together with cybersecurity professionals to ensure that vulnerabilities are addressed on a comprehensive level, with no cracks left open between the work of the different disciplines.
Nuclear Explosions and NEMP / HEMP
Most people are familiar with one of the IEMI types through frequent (albeit often incorrect) depiction in popular media – the concept of Nuclear Electromagnetic Pulse (NEMP) or High Altitude Electromagnetic Pulse (HEMP) because of talk of it as a side-effect of a nuclear explosion – a short burst of strong electromagnetic radiation that “fries” all the electronics and throws the target area back into the Middle Ages.
The U.S. and former USSR governments are known to have conducted extensive research since the 1950s on how to produce such pulses without a nuclear explosion, because it would give the nation that possessed that capability the ability to disable an enemy’s communication and critical infrastructure without direct human losses. Since the dissolution of the USSR, this research has spread to dozens of countries. Details of this work and how to generate non-nuclear electromagnetic pulses of an impact similar to a NEMP are relatively unknown outside the military.
More realistic types of IEMI attacks
There are, however, other types of IEMI attacks squarely within the reach of non-state adversaries such as criminals, terrorists, disgruntled insiders, hacktivists or simply curious teenagers. These are based on injecting EM pulses directly into electric or electronic systems, or by jamming electromagnetic wave-based communication (radio, WiFi, GSM, GPS, etc). Damage from IEMI attacks can range from extremely subtle disruptions that cause data stream errors to massive disruptions from narrowband attacks or nuclear explosions that cause system failure or even irreparable damage to equipment. Obviously, the more severe the disruption, the more serious the results.
IEMI attacks that aim to disrupt systems come, in the simplest of terms, in two forms: potentially destructive, but harder to accomplish, narrowband attacks, and wideband attacks that have greater success in targeting systems, but pack less of a punch.
Narrowband attack describes a single frequency that may be transmitted in a pulse on the order of microseconds in length. This type of threat is often referred to as HPM (high power microwave). Narrowband attacks could do permanent damage when successful, but must match the precise resonance pattern of the equipment to cause damage – not an easy task. While relatively easy to generate, ensuring that these attacks actually achieve their objective require sophisticated technology, infrastructure, knowledge and resources to design and build. Non-state actors or individuals could not easily replicate such devices, although they have proliferated throughout the world and could possibly be acquired through sale.
Wideband EMI pulse produces frequency content over a wide range of frequencies. The advantage of the wideband pulses is that the resonances of different sized systems can be stimulated simultaneously. By covering more bandwidth wideband attacks provide a greater chance of causing a disruption. The disadvantage is that the energy produced in a single pulse is spread over many frequencies packing less of a punch. Apart from the wideband disruption caused by a nuclear explosion, they are generally not powerful enough to “fry” the system. Their effectiveness is generally limited to temporary disruption. Wideband EMI sources are simple and inexpensive enough technologies that garage enthusiasts could construct them. As such, they are of more immediate concern, especially because technology for these kinds of attacks has been growing rapidly, and targets for this kind of attack have multiplied in our increasingly cyber-connected society.
Either narrowband or wideband attacks can be accomplished by broadcast attacks or hard-wired ones. Broadcast attacks have the advantage of not requiring attackers to physically breach a secured facility, but still require the attacker to be close, because the EM field diminishes quickly over distance. Hard-wired attacks require the attacker to physically connect to the targeted system. This guarantees that the attack will provide strong enough pulses to disrupt the system, but eliminates the advantage of being able to connect from outside a facility.
Weapons for such attacks range from simple, off-the-shelf devices, like microwaves, ESD guns used to test electronic devices for resistance to electro-static discharge, or electro-magnetic jammers disrupting radio communications (GSM jammers, GPS jammers, etc). More complex devices with greater ranges can be built from specialty components that are still readily available, with tools that most handymen own. They can be large enough to require transport by truck or small enough to fit into a briefcase.
The goal in most IEMI attacks is to inflict sharp high-voltage pulses capable of temporarily disabling digital systems. Researchers have also shown it possible, though, to use a targeted digital device’s EM properties to covertly access sensitive data. It is even possible to take limited control of some devices through IEMI attacks.
Known IEMI incidents
EM vulnerabilities came to public attention through an accident in 1967 where a degraded cable shield termination on a military aircraft landing on an aircraft carrier failed to protect the aircraft from the ship’s radar. The magnetic interference caused the aircraft to fire its weapons at a fully armed and fully fueled aircraft on the deck. The resulting explosion killed 134 people.
Other accidental incidents occurred when antilock braking systems first came out. Cars equipped with this feature on Germany’s Autobahn experienced braking malfunctions when passing a radio transmitter. Another incident occurred when a heart-attack victim’s defibrillator shut down every time the ambulance’s radio transmitter was used.
Not all incidents have been accidental. The following criminal uses of IEMI display some of the threats:
- An EM disruptor was used to interfere with a gaming machine and trigger a payout in Japan.
- An EM disruptor was used to disable a jewelry store security system in Russia.
- An RF jammer was used by Chechen rebels to disrupt Russian police communications during a raid.
- Jammers were used to disable security on limousines in Berlin.
- An EM disruptor was used by Chechen rebels to disable security and access a secured area.
- An EM disruptor was built by a disgruntled customer of a Netherlands bank to disable the bank’s IT system.
In each case, the devices used were extremely mobile and required little technical expertise. IEMI attacks are within reach of anyone willing to invest a little time studying documentation on the internet and purchasing readily available tools.
More advanced IEMI attacks can cause widescale disruption. In May 2012, North Korean jamming equipment caused GPS failures of more than 500 airplanes flying into or out of two South Korean airports, as well as hundreds of ships and fishing vessels in the nearby sea. Experts have quietly expressed concern that North Korea’s motives may have been to conduct testing for future, more destructive attacks.
It is impossible to document all IEMI attacks. On one hand, they are difficult to positively identify because of their lack of a physical or digital footprint. On the other hand, many suspected attacks are hushed up for security reasons or to avoid damaging the victim’s reputation.
Potential kinetic impacts of IEMI attacks
A paper by French national defence researchers calculates that a truck-mounted IEMI weapon with parabolic antenna could disrupt an aircraft to a distance of 1km.
An experiment irradiating an automobile with narrowband waveforms at high power and field levels (HPM) demonstrated that with a van-mounted HPM source it would be possible to stop automobile operations at the distance of 500 meters and cause permanent damage at 15 meters. The types of damage observed included: engine control units, relays, speedometer, revolution counter, burglar alarm, and a video camera.
Another experiment injected both narrowband and wideband waveforms onto the power lines entering a five story office building. The measurements indicated that voltages injected on external wiring could propagate well through the internal wiring of a building even when considering multiple switchboards inside the building. The experiment demonstrated that injected test pulses could have easily propagated through the building and cause damage to computer power supplies and potentially other types of connected equipment.
Swedish Defence researcher estimates that a suitcase-based HPM source could cause upset or damage to cars, PCs, etc. on up to 50 meters distance and even a permanent damage in close vicinity.
In my own practice, we have demonstrated how a simple GPS jammer could be abused to cause kinetic impacts in maritime or drones; or how a $15 GSM jammer could impact GSM-R communication that a train uses for the Communication-based Train Control (CBTC) which led to application of emergency brakes.
Examples of other types of IEMI threats
EM information leakage
Another way that EM can be misused is as an avenue for intercepting and decrypting sensitive information. Research on how to reconstruct information from the EM fields has been done since the 1950s and is commonly referred to by the codename of TEMPEST (Telecommunications and Electrical Machinery Protected from Emanations Security). Techniques have been demonstrated that enable an attacker to reconstruct information through analysis of the electromagnetic field generated by monitors, keyboards, printers or cryptographic devices. Such reconstructions were once thought possible only for government-level attacks, but they have long since passed into capabilities of virtually any determined attacker.
For example, different colors of pixels displayed on a screen generate different patterns of electromagnetic fields that can be analyzed and reconstructed. Different keys on a keyboard translate into different electromagnetic patterns for each key pressed. The messages received by printers are translated from electromagnetic patterns into print instructions. And secret keys on cryptographic devices can be detected by finding common patterns in the electromagnetic fields they generate.
This last one is particularly concerning, considering the rapidly increasing demand for secure transmission of confidential information. Standard cryptographic algorithms have stood up exceptionally well to digital attacks, but their hardware and software have proven vulnerable to side-channel attacks, such as power analysis and fault injection attacks.
In fault injection attacks, the attacker injects faults into the cryptographic device to obtain faulty ciphertexts. They then derive the secret key from faulty ciphertexts. This was not seen as a threat in the past because it required physical access to cryptographic modules. But recent research has shown ways to accomplish IEMI fault injection from a distance through EM waves leaded from cryptographic modules.
Countermeasures to this “information leakage” generally involve either masking such patterns by introducing additional “noise” that makes the pattern more difficult to decipher, narrowing the range of differences within the signals or taking measures to reduce the escape of EM signals. The third of these approaches, reducing unintended emissions and increasing shielding, is the most commonly practiced.
Compromising smartphones through EM attacks
A 2015 study showed the vulnerability that FM-capable smartphones possessed to being hijacked by attackers. Smartphones that have FM capability can receive FM’s VHF waves only by plugging in the headphones, which also serve as an antenna. This opens the possibility that the headphones could also serve as an antenna to inject commands into the smartphone.
In most voice-interface-capable devices, the voice interpreter always runs in the background, so users can access it instantly by speaking the keyword that alerts the device to an incoming voice command. This practice, itself, poses a well-documented risk to users’ privacy. But the fact that it can be used to insert commands into the device remotely is of even greater concern.
Speaking the keyword activates the voice interpreter. The voice interpreter then sends the subsequent command to the service provider to carry it out. Smartphone users who leave the voice command function always on are especially at risk. Even when users program their smartphones to activate the voice interpreter only after the user pushes a button the smartphone is still vulnerable. By sending an AM radio wave to simulate the button push, followed by an FM voice command, an attacker can send a voice command that bypasses the speaker and activates a command silently.
By doing this, an attacker could:
- Covertly track the smartphone user
- Activate a phone call to the attacker’s phone and eavesdrop on the smartphone user
- Covertly place texts or calls to pay-per-text or pay-per-call services
- Use the smartphone owner’s text, phone, social networks or email to send false information under the smartphone owner’s identity or to conduct phishing
- Cause the browser to visit a site that downloads malware onto the smartphone to further compromise the operating system
Voice command is one of the most commonly used interfaces. It is already prevalent in smartphones, cars, desktop computers, smart watches and other “smart” devices in the Internet of Things (IoT). Because it fits so naturally with the way humans interact, it is perfectly positioned to become the most common user interface of the future as technology advances make it more reliable. That makes it a possible threat not only to smartphones, but to a wide range of devices.
Countermeasures are available for this vulnerability, but they reduce usability, a tradeoff that many users are unwilling to make. Users can improve headphone shielding and turn off the always-on access of the voice interpreter to reduce opportunities for attack. Other features that manufacturers could build into smartphones are voice recognition, which would require the voice commands received to match the user’s voice signature, and internal sensors that detect unusual EM activity concurrent with the voice command and reject the command.
Problems with securing against IEMI
Intrusions via IEMI are largely undetectable. Unlike a hacker, whose attempts to access a system can be identified and countered, the only way to detect an IEMI attack is by seeing the attacked system fail.
In addition, IEMI attacks leave no physical trace in the materials they penetrate or digital trace in the systems they compromise. They are hard to detect even by examining system error logs, because error detection systems are programmed to record errors based on normal system operations. Thus, they are likely to misidentify disruptions caused by IEMI attacks as internal system malfunctions rather than as an attack.
Additional difficulties with large grids
Adding to the problems in securing systems from IEMI, is the fact that many of today’s systems are quite widespread. For example, an electrical grid or railway network can cover hundreds of square miles and offer attackers thousands of potential access points. Securing such a massive network can border on impossible.
Assuming that systems are protected because components have been tested to meet industry standards is not enough. Such testing checks only for components’ ability to withstand normal interference. Components are not tested for ability to withstand IEMI attacks stronger than those encountered in normal operating conditions.
Typical EMI testing also is done in a fragmented way. Individual components are tested rather than complete systems. And they are generally tested in environments that do not match their ultimate destination.
And just because individual parts prove resilient doesn’t mean that the assembled system will. Continued efforts like the Bundeswehr Research Institute for Protective Technologies and NBC-Protection (WIS) testing of systems in a mobile office facility may help to close that gap.
The risk of IEMI attack can be determined by calculating three parameters: technological challenge, threat level and mobility. Technological challenge focuses on the skill level of the attacker, the availability of off-the-shelf IEMI sources that could be used against the target (or of components needed to build one), as well as the cost of such equipment or components. Threat level focuses on what level of risk of being disrupted a system has if exposed to an IEMI attack. Mobility focuses on how close to the targeted system the attacker’s equipment must be to successfully accomplish the attack.
These parameters are useful in that they consider more factors than traditional IEMI risk assessment processes do. Researchers Frank Sabath and Heyno Garbe have taken this approach even further, breaking its components down further to quantify and calculate what level of protection is needed against the level and severity of potential threats.
So what can be done
Research on potential IEMI attacks shows more vulnerabilities with each passing year. That is not surprising considering how our society increasingly uses systems that rely on EM sources. Certain countermeasures can help protect against IEMI attacks, though.
Proper equipment grounding is essential. Run each chassis to a single ground system rather than grounding chasses individually. And make sure that the technician creating the grounding system is well versed on proper grounding procedures. Otherwise you may unknowingly create a grounding system that increases EM resonance and makes your system more prone to IEMI attacks.
Provide, if possible, a large open area outside critical facilities to reduce the chances of attackers getting close enough to launch a broadcast attack without being detected. This takes advantage of the fact that electromagnetic energy falls off as the square of the distance between the interfering and interfered with devices.
Building architecture can provide protection. Outside walls reinforced with metal rebar, windows with metal mesh and cables with metal casings can attenuate EM fields but, again, be careful of unwarranted assumptions. A metal clad building would seem to protect systems within it from IEMI attacks, but if unshielded conductors lead into the building, the strength of the field inside the building can be intensified.
Because cables that come from the outside could potentially be used as avenues for an IEMI attack, it is best to run them through filters. Don’t count on filters designed to protect from the types of surges that come from lightning strikes, though. Although lightning strikes are high-voltage disruptions, they are slow compared to the rise times of most IEMI attacks, which are measured in nanoseconds (billionths of a second) or picoseconds (trillionths of a second) compared to lightning strikes, whose rise times are measured in microseconds (millionths of a second).
Where possible, replace copper wires with fiber-optic cables. They are immune to EM pulse interference
In recent years, it has become increasingly possible to install affordable detection systems in facilities whose protection was robust enough to withstand minor interruptions without suffering permanent damage. Although systems capable of providing interruption-free operation are exorbitantly expensive, more basic systems can still gather useful data for analyzing whether a more expensive detection system is needed.
Government and industry initiatives
Governments and industry bodies are taking these threats seriously. Steps are being taken to address them.
For example, the STRUCTURES (Strategies for The improvement of critical infrastrUCTUes Resilisnece to Electromagnetic attackS) program is one of several EU-funded research programs that evaluate the effects of IEMI on critical infrastructure, including protection and detection.
Similarly, SECRET – SECurity of Railways against Electromagnetic aTtacks – focuses on assessing and mitigating risks of EM attacks on railways. Finally, the EU’s HIPOW Project aims to develop a holistic regime for protection of critical infrastructures against threats from electromagnetic radiation.
IEMI attacks that take advantage of the very nature of digital systems are becoming more common. They often require little technical expertise and often make use of off-the-shelf EMI-generating devices. While not as well-documented as other forms of attack on digital systems, it is essential to recognize their danger and protect against them.
Marin Ivezic is a Cybersecurity & Privacy Partner in PwC Canada focused on risks of emerging technologies.