A communications network is a lot like the human body. Both are intricate assemblies of individual components, each capable of vital tasks on its own, that act holistically when interconnected to deliver powerful performance. For example, a Next-Generation 911 (NG911) system, consisting of an emergency services Internet Protocol (IP) network (ESInet), next-generation core services (NGCS), compliant call-handling equipment (CHE) and fiber optics, is analogous to the body's cardiovascular system and the organs it serves: heart, lungs, kidneys and vascular system. Everything works together to deliver the needed performance. Just as the body has numerous systems that enable it to function as intended, so too does a public safety agency.
The body’s various systems and those of a public safety agency are similar in a couple of other ways as well. First, a lot can go wrong with each individual component and when it does, the results can be catastrophic for the system. Second, regular screenings often can prevent problems from occurring, and when they do occur, help to mitigate them quickly so that the damage is lessened.
This article examines what can go wrong with public safety communications networks from a cybersecurity perspective. More importantly, it offers suggestions regarding what agencies should be doing proactively to guard against the threats and to resolve them quickly should they occur.
It’s a scary world — and getting scarier
Just as the human body is susceptible to viral and bacterial infections, computer networks are prone to cyberattacks. This is particularly true of IP-based networks, and no sector is immune, including public safety, perhaps especially public safety. The Federal Bureau of Investigation (FBI) advises that it no longer is a question of if, but rather when, any individual public safety communications network is going to be attacked. It wasn't always this way. In the beginning, corporations were the primary targets of hackers seeking to steal trade secrets or other vital information. When public safety agencies ended up in the crosshairs, the goal was mischief (think denial-of-service attacks) or, more simply, a way for hackers to demonstrate their prowess. In the last few years, however, things have taken a more sinister turn.
Today, ransomware is the biggest threat to the public safety community. The FBI identifies it as the largest threat for public safety, and the reason is that it has become a big business for the hacker community. The cybersecurity firm Bitdefender reported that about $2 billion in ransoms was paid out in 2017. Since early 2017, more than 400 cyberattacks against public safety agencies have been documented, and that figure likely understates the problem, because fewer than 50 percent of attacks are believed to be reported.
Ransomware is a specific type of malware. The hacker first gains a foothold, typically by exploiting a system vulnerability or tricking a user, and then launches a program that encrypts the organization's data files, essentially locking them and rendering them unusable. Then the hacker demands a ransom (hence the name) in exchange for the decryption key that unlocks the files. Paying is no guarantee: in many cases the victim never receives a working decryption key even after the ransom has been paid. Cybersecurity Ventures predicts that businesses worldwide will suffer a ransomware attack every 14 seconds. Public safety agencies are especially vulnerable because of the data they depend on: when that data is compromised, mission-critical systems such as 911 call handling and computer-aided dispatch can be rendered inoperable, which would severely degrade emergency response, perhaps bringing it to a halt, at least temporarily. After some of the most notable ransomware attacks, in places such as Baltimore and Atlanta, full restoration took several months to complete. This is the ultimate nightmare scenario for a sector whose business is saving lives.
Even worse news is that the law enforcement community, including the FBI, is largely unable to stop the attacks, in part because of a lack of resources but also because the hacker community is enormous, ever-growing and stretches around the globe. It also is getting better at what it does, virtually by the day. Hackers today use innovative techniques to worm their way past firewalls, and once inside the network they move laterally from system to system, sometimes for months, looking for additional weaknesses to exploit before launching their attack.
Fortunately, there is a lot that public safety agencies can do on their own to increase the difficulty of hacking their networks and lessen the effects of cyberattacks, if not entirely prevent them.
The Treatment Regimen
Five years ago, the Federal Communications Commission (FCC) created the Task Force on Optimal PSAP Architecture (TFOPA), which was staffed by public safety professionals to build the requirements for NG911, including network and cybersecurity requirements, for the public safety community. Its primary goal was to determine the best path forward for implementing NG911 nationwide. In the process, however, TFOPA also identified a six-step approach for protecting such networks. It is an approach that every public safety organization should be following to protect its communications networks, NG911 or otherwise. The six steps are as follows:
- Identification/Discovery. This arguably is the most important step because it provides the foundation for everything that follows; in fact, each of the six steps builds upon the previous ones. This step's purpose is to understand the network environment. The first thing to do is to conduct a comprehensive inventory of all network assets and connectivity, which includes updating network diagrams. Without a current network inventory, it is difficult to troubleshoot the network when issues arise, and impossible to know what needs protecting. Often, the only network diagrams that public safety agencies have are those provided by the vendors when the network and its subsystems were first implemented.
- Assess/Prioritize. The idea behind this step is to fully understand the network and the cybersecurity risks to the network. Ideally, a third-party expert would perform the assessment. Once the risks have been identified, they need to be prioritized and then a plan needs to be developed to address them — a critical element of establishing the plan is to develop and document related policies and procedures. An equally good idea is to develop a punch list of items to which the policies and procedures will apply, so that nothing gets overlooked.
- Implement/Operate. As the name implies, this step's purpose is to put the network and cybersecurity plan into motion. A critical element involves training personnel on the policies and procedures, especially those that govern access to the network. All too often, agency personnel unwittingly open backdoors into the network by plugging external devices into their computer's Universal Serial Bus (USB) port, or by clicking on a link contained in a phishing email. Such devices and links often carry malware that enables hackers to infiltrate and then navigate through the network.
Best practices include implementing two-factor authentication for gaining network access, and disabling accounts promptly when personnel leave the agency. At the very least, passcodes should be rotated regularly. If they are not, a former employee could sit in the agency's parking lot and log onto its virtual private network (VPN) with just a user name and passcode, and then they are on the other side of the firewall, able to go anywhere on the network that they wish. Often, personnel write passcodes on sticky notes and then affix the notes to their computer monitors, making it incredibly easy for passersby to pilfer the passcodes.
- Monitor/Evaluate. This step's purpose is to monitor and assess the network environment on an ongoing basis to identify anomalies. "Ongoing" is the key word. "One and done" isn't good enough, because hackers continually evolve, and just because the network is clean today doesn't mean it will remain so next week, or even tomorrow. A corollary is the need to understand and implement event logging and to define metrics that enable a baseline to be established. Every time someone logs onto a network device, it is an event, and every event should be logged, successes and failures alike. By doing so, normal behavior patterns can be identified. Later, when three times the normal number of login attempts occurs in a given period, for example, it will be a clear indication that something suspicious is afoot.
It should be noted that hackers often remain inside a communications network for months before launching their attacks. Agencies that do not monitor their networks, ideally 24 x 7 x 365, automatically, using software built for that purpose, are completely unaware of the hacker's presence. In addition, physical security should not be ignored. We know of one instance where a hacker donned the work uniform of a service provider and, upon arrival at a law enforcement facility, announced that he was there to perform maintenance in the server room. An officer then escorted the hacker to the room and allowed him to enter without first verifying his credentials. This sort of thing happens much more often than one might think.
- Test/Evaluate. This step involves a calendar-driven review of the plan to ensure that it is performing as intended and to provide an opportunity to adjust it because hackers most assuredly are adjusting their tactics. The more often the review is done the better, but at least quarterly.
- Improve/Evolve. This is the "rinse and repeat" step: feed what the tests, reviews and monitoring revealed back into the inventory, the risk assessment and the plan, and start the cycle again.
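The Monitor/Evaluate step above rests on two ideas: log every login attempt, and compare current activity against a baseline of normal behavior, flagging, for example, three times the usual number of attempts. The script below is an added example, not code from the article or from Mission Critical Partners, that does exactly that over a constructed sample log. The log format (`timestamp host auth: user=... src=... result=...`), the host names, the addresses and the three-day window are all assumptions made for the illustration; a real agency would feed in whatever its VPN, call-handling and dispatch systems actually emit. It also flags a host that has no baseline at all, since a device that has never logged in before deserves a look, and offers a triage helper that groups the failed attempts in a flagged hour by source address.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (hypothetical format, not real agency data). Two days of
# normal activity establish the baseline; on the third day an outside address
# hammers the VPN with failed logins and a never-before-seen host appears.
SAMPLE_LOG = """\
2024-03-04T08:02:11 vpn01 auth: user=dispatch1 src=10.0.5.21 result=success
2024-03-04T08:15:40 vpn01 auth: user=dispatch2 src=10.0.5.22 result=success
2024-03-04T08:47:03 vpn01 auth: user=supervisor src=10.0.5.30 result=success
2024-03-04T09:05:19 vpn01 auth: user=dispatch3 src=10.0.5.23 result=failure
2024-03-04T09:06:02 vpn01 auth: user=dispatch3 src=10.0.5.23 result=success
2024-03-05T08:01:55 vpn01 auth: user=dispatch1 src=10.0.5.21 result=success
2024-03-05T08:20:14 vpn01 auth: user=dispatch2 src=10.0.5.22 result=success
2024-03-05T08:52:37 vpn01 auth: user=supervisor src=10.0.5.30 result=success
2024-03-05T09:03:41 vpn01 auth: user=dispatch3 src=10.0.5.23 result=success
2024-03-05T09:30:08 vpn01 auth: user=dispatch4 src=10.0.5.24 result=success
2024-03-05T09:44:59 vpn01 auth: user=it-admin src=10.0.5.40 result=success
2024-03-06T08:04:27 vpn01 auth: user=dispatch1 src=10.0.5.21 result=success
2024-03-06T08:18:33 vpn01 auth: user=dispatch2 src=10.0.5.22 result=success
2024-03-06T09:00:01 vpn01 auth: user=admin src=203.0.113.7 result=failure
2024-03-06T09:00:04 vpn01 auth: user=admin src=203.0.113.7 result=failure
2024-03-06T09:00:07 vpn01 auth: user=root src=203.0.113.7 result=failure
2024-03-06T09:00:10 vpn01 auth: user=root src=203.0.113.7 result=failure
2024-03-06T09:00:13 vpn01 auth: user=dispatch src=203.0.113.7 result=failure
2024-03-06T09:00:16 vpn01 auth: user=dispatch1 src=203.0.113.7 result=failure
2024-03-06T09:00:19 vpn01 auth: user=dispatch2 src=203.0.113.7 result=failure
2024-03-06T09:00:22 vpn01 auth: user=supervisor src=203.0.113.7 result=failure
2024-03-06T09:12:45 vpn01 auth: user=dispatch3 src=10.0.5.23 result=success
2024-03-06T10:11:09 cad01 auth: user=it-admin src=10.0.5.40 result=success
"""

# Events before this instant form the baseline; events from it onward are evaluated.
BASELINE_UNTIL = datetime(2024, 3, 6)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_events(text):
    """Parse log lines into dicts; an unparseable line is an error, not silently dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def hourly_counts(events):
    """Count login attempts (success or failure) per (host, hour-start)."""
    counts = Counter()
    for ev in events:
        counts[(ev["host"], ev["ts"].replace(minute=0, second=0, microsecond=0))] += 1
    return counts


def find_anomalies(events, baseline_until, factor=3, min_baseline_hours=2):
    """Flag evaluation buckets at or above `factor` x the host's median baseline
    hourly count, plus any host with no baseline at all. Hours with zero attempts
    never appear in the counts, so this median covers active hours only; a
    production version would fill in zeros for every hour of the baseline window."""
    counts = hourly_counts(events)
    history = defaultdict(list)
    for (host, hour), n in counts.items():
        if hour < baseline_until:
            history[host].append(n)
    baseline = {h: median(v) for h, v in history.items() if len(v) >= min_baseline_hours}
    anomalies = []
    for (host, hour), n in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if hour < baseline_until:
            continue
        base = baseline.get(host)
        if base is None:
            anomalies.append({"host": host, "hour": hour, "count": n, "baseline": None,
                              "reason": "no baseline for this host"})
        elif n >= factor * base:
            anomalies.append({"host": host, "hour": hour, "count": n, "baseline": base,
                              "reason": f"{n} attempts vs. baseline {base:g} (x{factor})"})
    return anomalies


def failures_by_source(events, host, hour):
    """Triage helper: failed attempts in the flagged hour, grouped by source address."""
    c = Counter(ev["src"] for ev in events
                if ev["host"] == host and ev["result"] == "failure"
                and ev["ts"].replace(minute=0, second=0, microsecond=0) == hour)
    return c.most_common()


def run_example():
    return find_anomalies(parse_events(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for a in run_example():
        print(f"{a['host']} {a['hour']:%Y-%m-%d %H:00}: {a['reason']}")
        if a["baseline"] is not None:
            print("  failed attempts by source:", failures_by_source(events, a["host"], a["hour"]))
```

Run as-is, it flags the 09:00 hour on vpn01 on March 6 (nine attempts against a baseline of three) and the first-ever login on cad01, and the triage helper attributes eight failures in that hour to 203.0.113.7. The baseline here is a simple per-host median; the point a practitioner should take away is the structure, not the statistic: collect every attempt, establish what normal looks like per device, and re-run the comparison continuously rather than once. Whatever monitoring product an agency buys is doing a more elaborate version of this same loop.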
All of the above is intended to keep bad actors out of a public safety agency’s communications networks. A comparison can be made to home security. Burglars always look for the easiest target, so installing multiple deadbolt locks and actually locking them — while also installing a security system — keeps one from being the easiest target. But the truth is, if the burglar really wants to gain entry, he’s going to use a pry bar and break the door jamb. It works the same way in cybersecurity — hackers typically take the path of least resistance, but if they want to penetrate a specific network, they’re going to do so — it’s just a matter of time. That’s why a critical step to supplement the TFOPA-suggested steps described above is to develop a continuity of operations plan (COOP) and a disaster recovery (DR) plan.
Key elements of a COOP/DR plan include the following:
- Real-time, dynamic data backup. As the agency processes emergency calls, all activity that is recorded in the production database also should be recorded in a backup database that is stored offsite. Cloud storage, which is inexpensive and reliable, is an ideal way of going about this. Any data used to locate emergency callers or to dispatch emergency response should be backed up in this manner. One caveat: a backup that mirrors production in real time will faithfully mirror the damage as well, so the backup must keep prior versions (or immutable, offline copies) that a hacker who has encrypted the production database cannot reach, and restores should be tested regularly. Backing up data in real time in this way will make it faster and easier for agencies to resume operations if a hacker is able to encrypt and hold hostage their primary databases.
- Procedures and guidelines. Agency personnel need to know how to respond to a cyberattack, and where decision-making responsibility resides. An internal communications plan needs to be developed, as does an external plan for communicating with government officials, citizens and the media. Staff members need to be assigned specific roles and trained on them. All of this needs to be well-conceived, tested and implemented long before any cyberattack occurs. Doing so afterwards is analogous to closing the barn door after the horse is gone — while the barn is burning to the ground.
Like the cybersecurity and network management plan, the COOP and DR plans need to be reviewed at least once a year, and quarterly if possible.
Conclusion
Cyberattacks are a serious threat to any public safety communications network, a threat that grows by the day. Steps based on industry standards and best practices, such as those suggested by TFOPA and by others including the Association of Public-Safety Communications Officials (APCO), the National Emergency Number Association (NENA), the National Institute of Standards and Technology (NIST) and the Information Technology Infrastructure Library (ITIL), need to be taken to make it as difficult as possible for hackers to penetrate and then navigate through the network. In addition, plans must be developed to restore operations quickly and effectively, because a very real possibility exists that an attack will occur even if strong network management and cybersecurity plans are in place.
All of this activity depends on a culture shift within the agency such that all personnel, from top to bottom, are cyberaware and capable of executing on the various policies and procedures that are implemented to establish a strong cybersecurity posture.
Author/Company bio
Mission Critical Partners is a professional services and network and IT support firm that helps clients enhance and evolve their public safety systems and operations through extensive experience, knowledge and resources. By providing insight and support every step of the way, we help our clients to transform their mission-critical operations, maximize the value of their investments, and ensure optimal performance and success. For more information, visit MissionCriticalPartners.com