Why EMP attacks should be on energy companies’ radar
In 1859, the most intense geomagnetic storm ever recorded hit earth. Astronomers had seen what became known as the Carrington Event coming, watching sunspots grow on the sun’s surface. But when the massive solar flare erupted, it set off a powerful electromagnetic pulse (EMP) event that took everyone by surprise. Auroras dazzled around the world, and telegraph systems failed across Europe and North America when the EMPs knocked out their power systems.
The Carrington Event had a huge impact — but can you imagine what would happen if such an incident occurred today? In our digital world, almost everything is powered by electronics, meaning our critical infrastructure is far more vulnerable to the effects of an EMP event. And, while these events are not common, we’re currently in a cycle of heightened solar activity, which, according to the US National Oceanic and Atmospheric Association, means we’re more likely to see the type of space weather storms that wreak this kind of destruction for the next few years.
More ominously, the risk of deliberate EMP attacks is growing, due to heightened geopolitical tensions and the suspected proliferation of nuclear capabilities. An EMP incident created as the by-product of a nuclear munitions detonation would be fairly localized, but a nuclear weapon deliberately detonated at high altitude (up to 40 km above the earth) would cause a high-altitude electromagnetic pulse (HEMP) event. This could affect an area the size of Europe. Another risk is an improvised EMP incident, a fairly localized event which would be caused by drone delivery of nonnuclear munitions.
HEMP and nonnuclear EMP incidents won’t necessarily cause human casualties, but their impact is enormous. Creating indiscriminate damage over a wide geographic area, these events wipe out the electrical equipment that powers so much of our modern life, including our power grids, telecommunications, data centers, operational technology and IT assets. For example, a HEMP attack could damage or destroy around 15% of all microelectronics — the tiny components that power our electronic equipment. In 1962, a US government HEMP test above the Northern Pacific caused streetlights to blow up to 1,300 km away from the epicenter.
As our systems become increasingly connected through technology, it’s possible that impacts will cascade, with energy, sewage, water systems, etc. ceasing to function over entire regions, countries, even continents. And as our reliance on digital technology increases, the potential impact of EMP attacks grows exponentially.
Three questions can help build EMP resilience
Governments have long been building defenses against EMP attacks. In one Middle Eastern country, protections are well advanced, and, in the US, the Department of Homeland Security is coordinating preparations against an EMP event. But energy companies need to prepare too. As operators of some of the assets most vulnerable to an attack (particularly in energy distribution and transmission), it’s critical that organizations put EMP threats on their cybersecurity agenda.
Building resilience starts with an assessment of the risk and its impact. Three questions can help companies get started:
What are the critical areas to protect?
Since it’s just not feasible to protect everything from EMP, companies should identify what’s most important — to their own operations, and to customers and communities. For power companies, this might be those critical nodes that supply electricity to hospitals, water plants, police and emergency services. For oil and gas, and mining companies, the priority will be on protecting critical operations and those areas of the business most dependent on digital tools — for example, remote operating centers or wellhead systems.
What components or suppliers are critical to our recovery plan?
Companies need to consider what will be needed to restore damaged infrastructure. After an incident, parts needed for repairs will be in short supply, and supply chains may break down due to system failure. Energy companies may be waiting weeks, months, even years for vital equipment. Identifying those components now, and ensuring adequate supply is housed in an EMP-protected facility, can help ensure rapid restoration in case of an incident.
How can we embed EMP resilience into design?
Retrofitting EMP protection is expensive compared with building EMP resilience in at the design stage. For example, implementation of EMP-resilient features at the design stage typically makes up approximately 10% to 15% of project costs, but retrofitting resilience can be as high as 100%. Determining appropriate EMP protection will require specialist knowledge, but examples may include burying power lines to an appropriate depth or building EMP-shielded data centers.
A pragmatic approach can mitigate risk
The likelihood of an EMP incident is still low, but it’s higher than it was just a few years ago. And just like other risks that tend to be dismissed — such as that of the global pandemic we just experienced — failure to prepare can have catastrophic consequences.
For energy companies, defenses against EMP incidents should be firmly embedded as part of wider resilience planning. A proactive approach that builds EMP resistance into design and procurement when assets are refreshed or constructed is far more efficient and cost-effective than trying to protect existing infrastructure. I’d urge companies to consult now with experts in the field to develop a tailored, pragmatic plan that prioritizes critical assets and paths, and is underpinned by strong governance. It’s something we’re increasingly helping clients with — please get in touch if you’d like to chat about your own needs.
I hope you’re finding my series around emerging cybersecurity threats for energy companies insightful. If you haven’t yet seen my metaverse blog, you can read it here. My next blog will be about quantum computing, featuring my colleague Alexey Bocharnikov. Stay tuned!
Add your thoughts to the conversation around EMP or raise another cyber risk for energy companies by leaving a comment below.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.
Global Cyber Security / Risk (GRC) Advisor, Enterprise Security / Threat / Risk Solution Architect, Zero Trust Architect
10 months ago: very insightful
RF/ EMP and Infrastructure Resilience Advocate @ Armag
1 year ago: Most major energy suppliers in USA are well aware of the EMP risk. But since resilience comes at a cost, politics come into play. Some implementations of EMP resilience may work, others are just "feel good" to satisfy public concern. Even government entities diverge markedly on the potential effect of EMP, best practices, and solutions. The impact of an EMP is beyond considerable, it would be catastrophic. Even if restricted to, for example, NYC, that's 8,500,000 people with no electricity, no flush toilets, no food deliveries. The cost to save the residents of this one city would be astronomical and would consume immense national resources.
Partner
1 year ago: By coincidence a “severe” solar storm warning issued by US Space weather agency today. “The US NOAA Space Weather Prediction Centre is also forecasting intense aurora displays across areas of New York, Idaho and Washington state in the United States. The latest geomagnetic storm is listed as “moderate”, having the potential to cause disruption to power grids and satellite operations. It can also affect behaviour in animals.” https://www.swpc.noaa.gov
happy human | energy, oil & gas consultant | techie | poet
1 year ago: This is a fascinating read. An aspect of a risk which is not mainstream across the board. Something new to learn. Thank you for writing this.
Principal Security Consultant @ NCC Group
1 year ago: Very interesting read. I still remember the first time I heard about this topic from you, Clinton. Very important indeed...