The newest generation of 911 systems is open. That's good for innovation, but bad for security. Here's what you can do to protect your PSAP.
Next-Generation 911 (NG911) services are the future for emergency call centers. Unfortunately, so are cyberattacks. Over the past two years, there have been more than 180 cyberattacks on public safety agencies and local governments. About 20 percent of them impacted 911 call centers.
As we move from a legacy, landline network environment for Public Safety Answering Points (PSAP) to an open Internet protocol-based solution, we can more accurately pinpoint the exact location and nature of emergencies and help save many more lives. But a more open system is a more vulnerable system. This is the dilemma that NG911’s advancements have created: if you can communicate, you’re vulnerable. If you can’t communicate, you’re irrelevant.
Emergency call center managers must accept the reality that any NG911 solution that can interface with other applications and platforms (GIS technologies, remote sensor data, shot detection, remote camera access) is subject to compromise.
The good news? The risk cyberattacks pose can be mitigated by strong defenses. In fact, there are proven steps PSAP managers can take to maximize NG911 while minimizing the risk and impact of cyberattacks, and that starts with understanding the new environment at play.
There is no more walled garden, the safe and secure place where dedicated lines and data flows were isolated and unimpeded by outside interference. Today, there is a new ecology called the “cyber garden.”
The walled garden model assumed the wall itself was impenetrable. The cyber garden model assumes it’s not. PSAPs must adopt the attitude that the perimeter of the garden is constantly under threat; it must be patrolled vigilantly and reinforced with additional safeguards to thwart attackers who breach the perimeter.
To do this, PSAP managers must change the way they tend the garden. They need to replace lax practices with diligence and discipline. Use proven know-how and experience, and implement meticulous short- and long-term cybersecurity plans that envision every contingency.
Here are the top three critical steps to keep PSAP centers secure.
In virtually all cyberattacks studied in 2016 and 2017, failure to patch — or update — systems regularly was the primary reason hackers were successful.
That’s why patching is the single most important way for PSAPs to limit the threat of cyberattacks. The key to successful patching is partnering with external and internal experts who possess the following qualities:
The obvious question is, “If patching works so well, why doesn’t everyone patch?” The answer: patching causes operational pain, and too few so-called experts possess the qualities enumerated above. Therefore, two additional patching strategies should be employed along with strong personnel:
As your Patch Plan evolves, it becomes harder to patch the most vulnerable older systems. The more frequently systems need patching, the costlier they become until, like an old car, repair costs outstrip replacement costs. Be wise about replacing older systems that are exposing you to risk. Track the costs, and use the savings and risk control to justify the capital costs of replacement.
Even if you have a new system, a solid Patch Plan and the right team to execute it, test it. Run a risk assessment before your NG911 system goes live.
Components of an effective risk assessment include:
Always assume criminals will get into your cyber garden and wreak havoc in myriad ways. Plan accordingly. That means developing extensive strategies and tactics — with help from cybersecurity experts — for addressing as many scenarios as possible.
Components of an effective cybersecurity plan include:
In the end, risk is always present. By originating and maintaining a dedicated Patch Plan, you can control and reduce risks. Once that plan is in place, evaluate where your risks are and what you’re trying to solve. Start with the basic question, “Who/what is going to get hurt, and what does that look like?” Next, conduct threat modeling and assess vulnerabilities by creating a Risk Registry. Finally, share the registry and explain it to decision-makers in non-technical terms. Come to agreement with them about tolerating those risks or providing funding to remediate them.
After that, it’s a matter of never getting comfortable in the new cyber garden. Plan for the worst. Plan for things to break or be impacted. It will make all the difference.