Intentional Electromagnetic Interference Effects in ...

Intentional Electromagnetic Interference Effects in Cyber-Physical Systems
J F Dawson
IEEE EMC Society, March 2016

Taxonomy of IEMI effects


Jamming
• Radio signals are easy to jam
  – Very small signal levels at receiver
• Increasing reliance on wireless services
  – GPS
  – GSM-R
  – M2M
  – Radar
  – Communications

Jamming Examples

• GSM-R
  – Adaptation of GSM mobile phone system for European Train Management System (ERTMS)
  – Train must stop if GSM-R signal fails
• Radar
  – Electronic warfare since WW II
  – Now becoming widespread on vehicles and autonomous vehicles

Image: http://www.ladyada.net/make/wavebubble/index.html

Jamming Examples
• GPS Jamming
  – Used for theft of vehicles or cargos
  – Possible disruption to infrastructure relying on GPS for timing (banking, power grid etc.)
  – Increasing reliance on GPS for navigation
    • Autonomous vehicles (cars, drones etc.)
    • Shipping
    • Aircraft

Image: http://www.emcuk.co.uk/awareness/Pictures/Cartoons/wherearewe.jpg

Spoofing Examples

• GPS Spoofing
  – Harder than jamming, but becoming easier
  – Demonstrated by several researchers
    • “Hijacking” UAV
    • “Hijacking” boat

Image: http://gpsworld.com/drone-hack/

Spoofing Examples

• Wi-Fi, M2M etc.
  – Much in the literature on spoofing
  – Recent hijacking of connected car
    • “The most disturbing manoeuvre came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.”
      Quote and image: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• RADAR Spoofing
• LIDAR Jamming recently demonstrated
  http://spectrum.ieee.org/cars-that-think/transportation/self-driving/researcher-hacks-selfdriving-car-sensors

Countermeasures
• Jamming
  – Detection
  – Avoidance
    • Frequency hopping, CDMA, more power
• Spoofing
  – Detection
    • Cryptographic ID in data
    • Data validation (e.g. GPS + other position sensors)
  – Avoidance
    • Data encryption
• Don’t use wireless for critical links
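An added example (not from the original slides) of the "Data validation (e.g. GPS + other position sensors)" countermeasure: each GPS fix is compared with a position dead-reckoned from wheel speed and compass heading, and fixes that disagree are flagged. The function names, tolerances and sample track are assumptions constructed for illustration.

```python
import math

R_EARTH_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * R_EARTH_M * math.asin(math.sqrt(a))

def dead_reckon(lat, lon, speed_mps, heading_deg, dt_s):
    """Advance a position from wheel speed and compass heading (short steps)."""
    d, h = speed_mps * dt_s, math.radians(heading_deg)
    dlat = math.degrees(d * math.cos(h) / R_EARTH_M)
    dlon = math.degrees(d * math.sin(h) / (R_EARTH_M * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon

def validate_track(samples, base_tol_m=15.0, drift_m_per_s=0.5):
    """Check each GPS fix against the position predicted by the other sensors.

    samples: (t_s, gps_lat, gps_lon, speed_mps, heading_deg); the first is trusted.
    Returns [(t_s, residual_m, "ok" or "suspect"), ...] for the later samples.
    """
    t_prev, lat, lon = samples[0][:3]
    t_trusted, report = t_prev, []
    for t, g_lat, g_lon, speed, heading in samples[1:]:
        lat, lon = dead_reckon(lat, lon, speed, heading, t - t_prev)
        residual = haversine_m(lat, lon, g_lat, g_lon)
        # Dead reckoning drifts, so widen the tolerance while GPS is distrusted.
        tol = base_tol_m + drift_m_per_s * (t - t_trusted)
        if residual <= tol:
            lat, lon, t_trusted, status = g_lat, g_lon, t, "ok"
        else:
            status = "suspect"  # keep navigating on the dead-reckoned estimate
        report.append((t, round(residual, 1), status))
        t_prev = t
    return report

# Constructed track: 10 m/s due north, then the GPS fix jumps about 500 m east.
SAMPLES = [
    (0, 53.95000, -1.0500, 10.0, 0.0),
    (1, 53.95009, -1.0500, 10.0, 0.0),
    (2, 53.95018, -1.0500, 10.0, 0.0),
    (3, 53.95027, -1.0424, 10.0, 0.0),
    (4, 53.95036, -1.0424, 10.0, 0.0),
]
```

While a fix is marked suspect the estimate is carried forward from the other sensors only, so the vehicle keeps a usable position until GPS agrees again.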


Taxonomy of IEMI effects


Radiated coupling scenario
• Back-door coupling
  – Coupling into circuits
• Front-door coupling
  – Coupling into antennas

Ref: Backstrom, M.G.; Lovstrand, K.G., "Susceptibility of electronic systems to high-power microwaves: summary of test experience," Electromagnetic Compatibility, IEEE Transactions on, 2004

Temporary effects
• Demodulation due to circuit non-linearity
  – CW interference causes level shift
  – Modulated CW is demodulated

[Figures: Op-amp output; Modulated CW into op-amp]

Temporary effects
• Effect of pulsed interference
  – Drives circuit away from operating point
  – Circuit may take longer than expected to recover
  – Sensor readings may be in error
  – Data corruption in digital circuits
  – Clock disruption may lead to metastable states in clocked finite state machines

Susceptibility of Computers

From: Hoad, R.; Carter, N.; Herke, D. & Watkins, S., "Trends in EM susceptibility of IT equipment", Electromagnetic Compatibility, IEEE Transactions on, vol. 46, no. 3, 390-395, Aug. 2004.

CW (30 µs pulse with a prf of 1 kHz)

Severe upset threshold of five PCs, trend data only.

Susceptibility of PC Motherboards

From: M. Camp and H. Garbe, “Susceptibility of Personal Computer Systems to Fast Transient Electromagnetic Pulses,” Electromagnetic Compatibility, IEEE Transactions on, vol. 48, pp. 829–833, Nov. 2006.

Breakdown threshold values of the tested PC motherboards; pulse parameters: tr = 100 ps, tfwhm = 2.5 ns

Susceptibility of PC Motherboards

From: M. Camp and H. Garbe, “Susceptibility of Personal Computer Systems to Fast Transient Electromagnetic Pulses,” Electromagnetic Compatibility, IEEE Transactions on, vol. 48, pp. 829–833, Nov. 2006.

CPU damage due to IEMI


Permanent Damage
• IEMI can inject enough energy for permanent damage to occur

IEMI damage resulting in the destruction of an IC (Image courtesy of Metatech Corp)

IEMI damage resulting in the destruction of a surface mount capacitor (Image courtesy of Metatech Corp)

Permanent Damage

Electric field strength required for permanent destruction of circuit functionality at 2.0 GHz.

The green line shows the field strength required to destroy one of four circuits. The blue line shows the field strength required to destroy all of the four circuits.

From: Hurtig, T.; Adelow, L.; Akyuz, M.; Elfsberg, M.; Larsson, A. & Nyholm, S. E., "Destructive high-power microwave testing of simple electronic circuit in reverberation chamber", Electromagnetic Compatibility (EMC), 2015 IEEE International Symposium on, 1133-1135, Aug 2015. See also http://www.electronic.nu/2015/04/16/methodology-for-destructive-hpm-testing/

Permanent Damage

From: M. Camp and H. Garbe, “Susceptibility of Personal Computer Systems to Fast Transient Electromagnetic Pulses,” Electromagnetic Compatibility, IEEE Transactions on, vol. 48, pp. 829–833, Nov. 2006.

Destruction threshold values of the PC motherboard components; pulse parameters: tr = 7.5 ns, tfwhm = 180 ns

Countermeasures
• Mitigation of IEMI effects
  – Distance
    • Keep IEMI source away from sensitive systems
  – Shield
    • Breaks in shield are the weak link:
      – Apertures
      – Joints
      – Cable entry
      – Incorrect termination of cable shields
      – Deliberate breaking of cable shields

Access control: distance

$P_r = P_t G_t G_r \left( \dfrac{\lambda}{4 \pi d} \right)^2$

$E_d = \dfrac{E_0 d_0}{d}$

[Figure labels: $d$; $P_r$, $E_d$]

Shielding: Buildings
• Many building materials give some shielding
  – Internal walls may help
• Windows, doors, ventilation are apertures
  – Standard windows give little shielding
  – Transparent meshes and conductive films can increase shielding
• Cables and pipes may couple energy in

Shielding: Buildings

SE computation for a building: The scenario

From: Antonelli, M., "Numerical Analysis", EMC Europe 2015, Electromagnetic Compatibility (EMC Europe), 2015 International Symposium on: WS26 Workshop on IEMI Effects on Critical Infrastructures: The European Project STRUCTURES, 2015.

Shielding: Buildings

The internal field relative to external incident plane-wave

From: Antonelli, M., "Numerical Analysis", EMC Europe 2015, Electromagnetic Compatibility (EMC Europe), 2015 International Symposium on: WS26 Workshop on IEMI Effects on Critical Infrastructures: The European Project STRUCTURES, 2015.


Shielding: Buildings

Indicative range of SE values

Type of Building            Nominal SE (dB)
Wood/dielectric             0
Cinder block                5
Pre-fabricated aggregate    10
Concrete                    15
Cinder block + metal        20
Metal                       25

[Figure: Measurement]

Ref: Savage, E.; Gilbert, J. & Radasky, W., "Expedient Building Shielding Measurement Method for HEMP Assessments", Electromagnetic Compatibility, IEEE Transactions on, vol. 55, no. 3, 508-517, June 2013.

Layered shielding
• Separation
• Building walls
• Shielded rooms
• Equipment enclosures

Countermeasures
• Mitigation of IEMI effects
  – Filter
    • Viable when interference is “out of band”
    • Filter specification
      – IEMI may be large enough to saturate inductors
      – May need non-linear transient suppressor too
      – Don’t assume filter works at frequencies above those on the data sheet

Conducted coupling scenario

Direct coupling to cables is possible
Coupling of radiated sources is also possible!

From: "The Threat of Radio Frequency Weapons to Critical Infrastructure Facilities", NAVAL SURFACE WARFARE CENTER DAHLGREN VA DIRECTED ENERGY TECHNOLOGY OFFICE, Technical Support Working Group, 2005. Available from: http://www.dtic.mil/docs/citations/ADA593293

Propagation in cabling

Diagram of simple home or office wiring layout


Propagation in cabling

Propagation over 25m of 240V wiring
• Frequencies below a few MHz propagate efficiently
• Higher frequencies suffer substantial attenuation

[Figure: S21 (dB) against Frequency (MHz), 0 to 300 MHz, for unloaded and loaded wiring]

Propagation in cabling
• Pulses
  – Pulses wider than a few microseconds propagate with little attenuation
  – Shorter pulses may be significantly attenuated
  – Pulses of a few kV can cause upsets

Refs: Parfenov, Y.; Zdoukhov, L.; Radasky, W. & Ianoz, M., "Conducted IEMI threats for commercial buildings", Electromagnetic Compatibility, IEEE Transactions on, vol. 46, no. 3, 404-411, Aug. 2004.

Radasky, W. & Savage, E., "Intentional Electromagnetic Interference (IEMI) and Its Impact on the U.S. Power Grid", Metatech Corporation, no. Meta-R-323, January 2010. Available from: http://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity/ferc_meta-r-323.pdf Prepared for Oak Ridge National Laboratory, Attn: Dr. Ben McConnell, 1 Bethel Valley Road, P.O. Box 2008, Oak Ridge, Tennessee 37831, Subcontract 6400009137.

Radiated Coupling to cables
• Hard to do precise calculations
• Voltages comparable to $V = E \cdot l$ can be induced
• Low source impedance ($Z \approx 73\,\Omega$) possible when $l > \lambda/4$
  – Implies $I \approx 10$ A for 1 m cable for $E = 1$ kV/m
• Kreitlow et al observed
  – $I \approx 1$ A for network cables for $E = 1$ kV/m

Kreitlow, M.; Sabath, F. & Garbe, H., "Analysis of IEMI Effects on a Computer Network in a Realistic Environment", EMC Europe 2015, 1063-1067, 2015.
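A site-exposure estimate that chains the distance law, the nominal building SE table and the V = E·l cable bound from these slides, as an added example that is not part of the original presentation. It assumes the SE of successive layers adds in dB and treats V = E·l as an upper bound; the function names and the scenario figures are constructed.

```python
C_M_PER_S = 299_792_458.0

# Nominal SE values (dB) from the building table in these slides.
NOMINAL_SE_DB = {
    "wood/dielectric": 0, "cinder block": 5, "pre-fabricated aggregate": 10,
    "concrete": 15, "cinder block + metal": 20, "metal": 25,
}

def field_at(e0_v_m, d0_m, d_m):
    """Far-field fall-off E_d = E_0 * d_0 / d."""
    if d0_m <= 0 or d_m <= 0:
        raise ValueError("distances must be positive")
    return e0_v_m * d0_m / d_m

def after_shielding(e_v_m, se_db_layers):
    """Assumption: the SE of successive layers simply adds in dB."""
    return e_v_m * 10 ** (-sum(se_db_layers) / 20)

def cable_bound(e_v_m, length_m, freq_hz, z_ohm=73.0):
    """Upper bound V = E*l; I = V/Z applies only when l > lambda/4."""
    v = e_v_m * length_m
    quarter_wave = C_M_PER_S / freq_hz / 4
    i = v / z_ohm if length_m > quarter_wave else None
    return v, i

def min_standoff(e0_v_m, d0_m, e_limit_v_m, se_db_layers):
    """Distance at which the shielded field has fallen to e_limit."""
    return d0_m * after_shielding(e0_v_m, se_db_layers) / e_limit_v_m

def assess(e0_v_m, d0_m, d_m, building, extra_se_db, cable_m, freq_hz):
    """Field reaching the equipment and the worst-case cable voltage/current."""
    layers = [NOMINAL_SE_DB[building], *extra_se_db]
    e_in = after_shielding(field_at(e0_v_m, d0_m, d_m), layers)
    v, i = cable_bound(e_in, cable_m, freq_hz)
    return {"E_inside_V_per_m": e_in, "V_cable": v, "I_cable": i}

if __name__ == "__main__":
    # Constructed scenario: 1 kV/m at 1 m from the source, equipment 20 m away
    # in a concrete building, 1 m cable, 1 GHz.
    print(assess(1000.0, 1.0, 20.0, "concrete", [], 1.0, 1e9))
    print(min_standoff(1000.0, 1.0, 10.0, [NOMINAL_SE_DB["concrete"]]))
```

For E = 1 kV/m on a 1 m cable the bound gives about 13.7 A, the order of magnitude the slide rounds to 10 A, while the measurement it cites found about 1 A on network cables.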


Countermeasures
• Mitigation of IEMI effects
  – Detect
    • IEMI detector allows correct action to be taken
      – E.g. look for source

Countermeasures
• Mitigation of IEMI effects
  – Data validation
    • Data CRC/checksum
    • Are sensor readings sensible?
  – Fast recovery
    • Limit size of disturbance in analogue circuits
    • Periodically re-initialise peripherals
    • Watchdog timers
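The data-validation and fast-recovery items above combined in one receiver, as an added example that is not from the original slides: every sensor frame must pass a CRC, a range check and a rate-of-change check, and a run of rejected frames triggers a re-initialisation of the peripheral. The frame layout, limits and names are assumptions constructed for illustration.

```python
import struct
import zlib

BODY = struct.Struct("<Hh")   # sequence number, temperature in 0.1 degC
FRAME_LEN = BODY.size + 4     # body followed by a little-endian CRC-32

def make_frame(seq, value):
    body = BODY.pack(seq, value)
    return body + struct.pack("<I", zlib.crc32(body))

class SensorLink:
    """Validate frames; re-initialise the peripheral after repeated faults."""
    def __init__(self, reinit, max_bad=3, lo=-400, hi=1250, max_step=50):
        self.reinit, self.max_bad, self.max_step = reinit, max_bad, max_step
        self.lo, self.hi, self.last_good, self.bad_run = lo, hi, None, 0

    def check(self, raw):
        """Return (value, None) for a usable frame, else (None, reason)."""
        if len(raw) != FRAME_LEN:
            return None, "length"
        body = raw[:BODY.size]
        if zlib.crc32(body) != struct.unpack("<I", raw[BODY.size:])[0]:
            return None, "crc"          # data CRC/checksum
        value = BODY.unpack(body)[1]
        if not self.lo <= value <= self.hi:
            return None, "range"        # is the reading sensible?
        if self.last_good is not None and abs(value - self.last_good) > self.max_step:
            return None, "rate"         # physically implausible jump
        return value, None

    def feed(self, raw):
        value, reason = self.check(raw)
        if reason is None:
            self.last_good, self.bad_run = value, 0
            return value, "ok"
        self.bad_run += 1
        if self.bad_run >= self.max_bad:
            self.reinit()               # fast recovery, watchdog-style
            self.last_good, self.bad_run = None, 0   # drop the stale reference
            reason += "+reinit"
        return None, reason

def demo():
    resets = []   # constructed frames: good, bit-flipped, out of range, jump, good
    link = SensorLink(reinit=lambda: resets.append(1))
    upset = bytearray(make_frame(2, 215))
    upset[2] ^= 0x40
    frames = [make_frame(1, 210), bytes(upset), make_frame(3, 3000),
              make_frame(4, 900), make_frame(5, 214)]
    return [link.feed(f) for f in frames], len(resets)
```

Clearing the last good value on re-initialisation matters: without it, a genuine change during a long disturbance would keep failing the rate check and the link would never recover.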

Conclusions
• IEMI is being used by:
  – Criminals, Terrorists, Governments
• Much of our infrastructure is potentially vulnerable
  – Wireless systems very sensitive
  – Analogue circuits quite sensitive
  – Digital circuits more immune
• IEMI must be considered in critical and safety related systems

Image: https://www.flickr.com/photos/martinduggandesign/5811462374/