Increased Connectivity Brings Cybersecurity Threats to 911 Call Centers

Accompanying important benefits of the switch from analog to digital, one challenge looms large: the increased risk of cyberattacks on 911 call centers.

by / October 21, 2016

Emergency Management has published several articles about the movement toward a next-generation 911 (NG911) system based on modern Internet protocols that will allow responders to take advantage of capabilities such as text and video messaging. 

Beyond the capability to send and receive texts and multimedia, there are other benefits to the new types of networks. Public safety answering points (PSAPs) will be able to transfer calls and activate alternative routing to share the burden during an emergency or when they are closed by disaster.

But accompanying all these important benefits of the switch from analog to digital, one challenge looms large: the increased risk of cyberattacks on 911 call centers once they are connected to so many devices and other networks.

With the current generation of 911 networks, PSAPs have seen telephony denial-of-service attacks in which attackers flood a call center with calls to disrupt service. There have been more than 300 telephony denial-of-service attacks against public safety organizations, including PSAPs, police departments, hospitals and fire departments in the last couple of years. Along with the high-profile ransomware attacks on hospitals, several police departments also have been victims.

Jay English, the Association of Public-Safety Communications Officials International’s (APCO) director of communications center and 911 services, said PSAPs could be vulnerable to distributed denial-of-service attacks, which attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. “In order to take out a police department, the attacker has to obtain access to that police department and make a dedicated attack,” he said. “But in order to take out five police departments and five fire departments, a hospital and an EMS agency, all they really have to do is find one PSAP that serves all of them. A single attack could affect multiple responding agencies.”

English, who is a former PSAP director, said that as we move toward NG911, PSAPs are going to become just as vulnerable as any home computer or wireless phone, laptop or tablet.

“If you talk to directors of the largest PSAPs in the country, even they are not aware of the level of the threat they face today,” English said. “We have operated in a very secure, closed-loop analog environment for decades, and now as we move to an open IP environment we will be subject to the same kind of threats and multiple-vector attacks that any IP-based system is vulnerable to. So we have to start educating our folks and rethinking our defensive strategy.”

The interconnection with other systems and networks adds to the level of complexity. “Not only do you have the 911 inbound traffic, you also have the computer-aided dispatch [CAD] system, and both are dependent on GIS databases,” said English. “You have records management systems for all the agencies that tie into that CAD. All these are becoming IP-based and integrated, and for good measure throw in FirstNet, which is IP-based. All of a sudden you have end-to- end IP networks and end-to-end vulnerabilities. We have to defend not just a single element, but multiple elements across the enterprise. And we have to do it 6,000 times, because there are 6,200 to 6,700 PSAPs and every one of them has to be defended.”

Scott Somers, a professor in Arizona State University’s College of Public Service and Community Solutions, agreed with English that this is a far more complex and dynamic problem than we have seen historically. “It is going to take money and expertise to stay vigilant,” said Somers, who is a senior fellow at George Washington University’s Center for Cyber and Homeland Security. “This is not a one-time thing. It is not buying a device in order to protect a system; it is monitoring threats and addressing them as they emerge. It is a very dynamic concern.”

One approach PSAPs can take is to start collaborating more to share best practices and threat information, Somers said. “PSAP operators tend to be in law enforcement, EMS or fire bureaus, and their business is being first responders, so they may not have much knowledge about potential cyberthreats, and those threats are always evolving,” said Somers, who also served on the FirstNet Public Safety Advisory Committee and SAFECOM Executive Committee.

Somers recommended that the federal government work with PSAPs and the private sector to share information on threats. One model already in place is the Multi-State Information Sharing and Analysis Center, which offers cyberthreat prevention, protection, response and recovery for state and local governments.

Somers also is concerned that PSAPs with fewer financial and manpower resources may fall behind. “If you look at 911 call centers as they convert to NG911, you will find great diversity in approaches to confronting the cybersecurity threat,” he said. “Cities like New York and other large metropolitan areas are putting a lot of money into it because they have more revenue and more resources. The smaller ones may not have the funding or expertise to address the emerging cyberthreat. We see that a lot in other areas of preparedness, so why would this be any different?”

The nation’s 911 call center executives must see their function as part of the country’s critical infrastructure, said Keith Fricke, a principal consultant with Overland Park, Kan.-based tw-Security and a former health system chief security officer. “As they move to an IP-based infrastructure, it is crucial that security is baked into that evolution. They will be subject to the same digital threats affecting all other members of the critical infrastructure.” He recommended they become active members of the local chapter of InfraGard, a partnership between the FBI and the private sector to share information and intelligence to prevent hostile acts against the United States. “They can network with other people in their industry and in other industries to tap into the collective knowledge out there to guide them in securing themselves,” Fricke said.

APCO’s English, who served on the cybersecurity working group of the Federal Communications Commission’s Task Force on Optimal PSAP Architecture (TFOPA), said the task force recognized that security has to be baked into the architecture upfront.

“You can’t build a system and then decide we have to protect it,” he said. “By then it’s too late. The PSAP community is very good at being flexible and scalable as long as they are educated and know the threat they are facing. Like anyone in public safety, we are used to addressing threats head on, but we have to know what it is and how to defend against it.”

A January 2016 TFOPA report proposed the creation of an Emergency Communications Cybersecurity Center. The idea is to create a security operations center designed to tie together information from multiple PSAPs and defend PSAPs as an enterprise rather than a stand-alone element.

As they work on NG911 networks, English said, PSAP directors should prepare lists of questions for vendor partners. “I approach vendors as partners because I don’t want someone to sell me hardware and drop it off at the front door and leave. I want someone who is going to be working with me on a solution. To do that, they have to be willing to answer those tough questions and help me defend my enterprise,” he said. “For PSAPs that are updating from analog systems that have been in place for 10 years, this is a brave new world. They should draw up a checklist from the TFOPA report and the NIST [National Institute of Standards and Technology] cybersecurity framework for creating an RFP and better understand which vendor is going to be a partner versus which just wants to sell you some hardware.”

English said that if this transition is to take place over the next five to 10 years, PSAPs have to start talking about it now. “As with anything in government, if you start talking about it and planning for it now, you just might get it three years from now and it will take two years to implement, so five years from now we may be able to do something.”

David Raths Contributing Writer

David Raths is a contributing writer for Emergency Management magazine.