Imagine dialing 911 and your call goes unanswered. That scenario could easily become a reality as our public safety systems become an increasingly attractive target to hackers. Trey Fogerty, government affairs director for the National Emergency Number Association noted in a TV interview that, “researchers found…that a trivial number of 911 calls from a small number of compromised devices …would be able to take down not just one 911 center, but actually many 911 centers across a region.” In 2015, Miami County call center paid a $700 ransom to regain access to their administrative network. While no 911 calls were impacted, the threat loomed large. Many reports exists of various successful and unsuccessful attacks against call center.
SEE: Cyberweapons are now in play: From US sabotage of a North Korean missile test to hacked emergency sirens in Dallas (free PDF) (TechRepublic)
Today, public safety agencies and IT administrators have to be concerned about the security of their 911 call center. In the past, these traditionally disconnected, standalone, analog systems, were more difficult to penetrate and attack. However, with the advent of Next Generation 911 (NG911) these systems are now digital-enabled, IP connected networks. This makes an attacker’s barrier to entry much lower. And no one can question the attractiveness of a public safety system as a target.
The real question, now, is how we protect our 911 systems. Most agencies do not have experience in this arena, nor adequate funding. Yet, the risk remains real. In the absence of a cohesive national strategy and adequate funding are there steps that you, as an IT administrator or director of a 911 call center, can take? The answer is yes.
This article contains five simple steps to get started on improving the security of your 911 call center. Even if you are not responsible for a 911 call center, the above tips can be applied equally to just about any other environment from corporate IT to other government agencies.
1. Be accountable
Own your 911 system. By that, I mean recognize that no one is responsible for the security of your system but you. Your vendors may or may not provide some or all of the security, but ultimately, it’s you who will be on the front page of the newspaper when you get hacked. Understand your critical role in owning the security of your 911 call center. Once you recognize that it’s up to you and only you, you can start.
2. Get educated
You are a target. “911 center hacked” makes a great headline. And for someone with nefarious intent, “getting” a 911 center helps build their street cred; never mind the potential nation-state actors who may have far more serious intentions. Now that you know it’s your challenge, start to learn. First, try to understand what the unique risks facing your center are. For example, does your PSAP have external connections to third-party vendors that could be compromised? Does your center have a lax policy on passwords or software programs that may not support the installation of antivirus software without extensive testing by the provider? Are your computers regularly patched? Consultants or cybersecurity companies can help you understand what may not be readily apparent by conducting formal risk assessments or vulnerability scans.
SEE: Network security policy (Tech Pro Research)
3. Budget for it
911 funding overall is already scarce in many cities and counties. With the costs of moving to NG911 looming on the horizon coupled with regular raiding of 911 funds, it’s hard to pay for the 911 systems themselves let alone secure them. However, setting aside money explicitly for security is important and necessary. I suggest working with your finance departments, city council, and other government departments and agencies to start to make this a priority. Focus on helping them understand the risk if these critical vulnerabilities in your 911 system are left unchecked. Politicians speak “risk” and by shedding light on areas where risk can manifest can be a great motivator. Even small incremental budget allocations can help you get started and at least do the basics.
4. Do the basics
Some security is better than no security. Rather than waiting until you have all of the funding you need or have a complete picture of your risks, start. Do something. It’s likely you can buy basic security countermeasures from your current vendors at a reasonable price. Installing antivirus software, enabling firewalls, patching your systems, and conducting routine backups are all reasonably inexpensive steps to take. You don’t need a security consultant to tell you that you need antivirus or a firewall. You do. Start there. Build from that.
5. Go next-level
With some basic countermeasures out of the way, you can take a quick breath. But don’t relax too long. Security is an ongoing process. You fix one thing, there’s a new hole. And it’s likely your basic steps may stop unsophisticated attackers, but it’s likely it won’t defeat a sophisticated hacker. Start by writing a security plan. Do a formal risk assessment. Get organized. Perhaps security monitoring services make sense. Commit yourselves and your employees to an active cybersecurity posture.
There you have it. In NG911 the potential for attack is far larger and the results far more catastrophic. Today’s public safety leaders and IT administrators must start to take an active role in the security of their 911 call center. Be accountable, get educated, budget for it, knock out a few basics, and then keep going. Why take the risk by doing nothing?