January 28, 2016 - 3:15 pm
By Rear Admiral (ret.) David Simpson | Chief of the Public Safety and Homeland Security Bureau

America’s 911 call centers handle thousands of emergency calls each day, often involving life-or-death situations where every second counts. Now imagine how disruptive it would be for a 911 call center (known as a Public Safety Answering Point, or PSAP) to deal with a cyberattack on its information systems while performing its lifesaving mission. Unfortunately, this is a very real threat facing PSAPs today – and one that will grow over time. For example, the press has reported on several local law enforcement agencies that were locked out of their computer networks by hackers who demanded ransom to restore access.  The good news, however, is that there are resources available and steps that PSAPs of all sizes can take to protect themselves.

To those PSAPs that have not yet started a cybersecurity program, the following list may appear daunting, but even the smallest PSAPs can manage the challenge by working with others in the 911 community – your neighboring PSAPs, your State 911 Administrators, NENA, APCO, your vendors, and your communication service providers – and using a “building block” approach that combines internal, contracted, and shared cybersecurity services.

New Technologies: Bringing Both Improvements and Cyber Challenges

First, some background: If you work at a PSAP, you know about the dramatic transformation of 911 systems that is underway. There has been an explosion of IP-based technologies in the market, including new technologies for consumers, dispatchers, and responders.  These technologies can vastly improve emergency response – for example, call-takers will be able to receive photos and videos from an accident scene and then relay that information to emergency responders en route to the incident for greater situational awareness. At the same time, without adequate safeguards in place, these technologies – part of the move to Next Generation 911 – can also introduce new vulnerabilities and expose 911 systems to cyber threats that didn’t exist in the legacy 911 environment. It is therefore imperative that PSAPs create a culture of cybersecurity.

How PSAPs Can Boost Cybersecurity

The FCC recently partnered with the University of Colorado at Boulder to hold a summit that examined the unique cybersecurity challenges facing public safety communications. Here are some tips culled from that event, which can help PSAPs to begin assessing and meeting their cybersecurity needs:

  • Adopt cybersecurity risk management policies.  The Center for Internet Security (CIS), a non-profit organization dedicated to cybersecurity preparedness in the public and private sectors, lists 20 Critical Security Controls that have been developed and honed over time by expert cyber defense organizations. Translate these into “plain speak” policies relevant to your PSAP to guide the actions of your staff.
  • Assess your risk.  Use the NIST Cybersecurity Framework to identify your infrastructure and data assets, and the adversaries that may seek to exploit them.  Evaluate your ability to detect and defend against the most likely and the most dangerous threats.  Most PSAPs won’t be able to do this alone, so determine what you can do yourself, what you’ll do in partnership with others, and what you’ll outsource. Communicate clear roles and responsibilities for each. 

  NENA has generated a useful “self-audit” guide for PSAPs that can help pace your effort, and the Department of Homeland Security (DHS) can provide a Cyber Resiliency Review.

  Of course, it is important not just to plan how to prevent attacks but also to plan your response against likely successful attacks, including a recovery strategy, and to ensure your backups are in place and functioning.

  • Train your staff.  There is no better cyber protection than well-trained staff who understand and implement good cyber hygiene.  To achieve this, every member of every PSAP and any partner organizations must be aware of basic cybersecurity procedures.  Programs offered by DHS, such as the Critical Infrastructure Cyber Community C3 Voluntary Program, as well as other organizations and their programs can provide affordable technical, skills-based cybersecurity training. 
  • Test your staff.  You won’t know if your cyber training is effective if you don’t follow up. Tabletop exercises and simulations can be used to keep staff skills sharp. For example, testing staff with mock phishing e-mails can provide positive reinforcement for trained employees while identifying staff who need a refresher.  Consider coupling this with penetration testing (that is, certified ethical hackers attempting to breach your defenses), a service that may be obtained through a third-party security services provider.
  • Find gaps in security and address them.  There are a number of basics that sound easy, but all too often are rationalized away.  For example, be sure to regularly patch and update all software and devices on your network, verify that no security misconfigurations exist on the network, adopt a “Principle of Least Privilege” for user access (meaning that employees should not have system access beyond what they need to perform their jobs), and use a unified set of authentication and session management controls to ensure that all of your security measures are actually doing what they are intended to do. You can also use Network Mapper (Nmap) tools and similar vulnerability discovery resources to scan your network-connected endpoints, uncover vulnerabilities, and illuminate your progress in their remediation.
  • Protect data at rest. Ensure that data stored on your network is regularly backed up and that stored data is encrypted.  “Known good” back-up data should be stored in a reliable, redundant facility so that you’re ready to rapidly respond and recover if your access to primary data is lost, such as in a ransomware attack like CryptoLocker or another major corruption event.
  • Protect data in motion.  Use virtual private networks to connect your servers locally and remotely.  Ensure that all Web transactions utilize https and Transport Layer Security (TLS). Also, create both black lists and white lists to block known malicious sites and constrain high-risk transactions to specified addresses, respectively.  Use strong encryption methods (e.g. Advanced Encryption Standard (AES), not weaker legacy standards like Data Encryption Standard (DES)). And don’t forget to protect the encryption keys themselves!
  • Be a hard target.  A solid Identity, Credential, and Access Management (ICAM) program screens for authorized users, validates that they are who they appear to be, and ensures that controls are in place to link permissions for each user to their job functions. Only support the “least privilege” required for your users to get their jobs done, and look for unauthorized attempts by users to elevate their privilege level.  Periodically change IP/MAC addresses, configurations, and user account and machine names.  When you do this, sophisticated hackers may try to follow the changes you make to probe for vulnerabilities, so look for tell-tale threat indicators after changes. If you find you’ve been breached, coordinate recovery operations through communications on a different network than the one that has been breached.    
  • Monitor internal communication.  Set up automated ways to analyze network and user behavior, which can alert a PSAP or ESInet administrator of any unusual activity on the network and prompt subsequent actions as necessary.  You can also configure security appliances to monitor key servers.
  • Monitor external communication. Many PSAPs engage in active social media and outreach efforts, so be sure these don’t introduce risks.  For example, be aware of what’s in the background of publicly posted pictures to avoid easy operational security mistakes: a photo that inadvertently reveals a post-it note with a help desk number, password, username, or organizational chart could make penetrating your network all too easy for hackers! Keep social media and other public-facing web activities separate (physically or cryptographically isolated) from your ESInets.
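
The checks named under “Protect data in motion” above (https with TLS, AES rather than DES, a block list, and an allow list for high-risk transactions), written out as an added Python example that is not part of the original post. The record fields, hosts, addresses and the TLS 1.2 floor are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample policy and records: every host and address here is illustrative.
BLOCK_LIST = {"malicious.example"}                    # known malicious sites, subdomains included
ALLOW_LIST = [ipaddress.ip_network("192.0.2.0/28")]   # approved for high-risk transactions
WEAK_TOKENS = {"DES", "3DES", "RC4", "NULL", "EXP", "EXPORT"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumed policy floor: TLS 1.2

def evaluate(tx):
    """Return (allowed, reasons) for one outbound transaction record."""
    reasons = []
    url = urlsplit(tx["url"])
    host = (url.hostname or "").lower()
    if any(host == bad or host.endswith("." + bad) for bad in BLOCK_LIST):
        reasons.append("destination on block list")
    if url.scheme != "https":
        reasons.append("not https")
    else:
        if tx.get("protocol") in LEGACY_PROTOCOLS:
            reasons.append("legacy protocol " + tx["protocol"])
        cipher = tx.get("cipher", "")
        # Compare whole '-' or '_' separated tokens of the suite name, not substrings.
        if WEAK_TOKENS & set(re.split(r"[-_]", cipher.upper())):
            reasons.append("weak cipher " + cipher)
    # Allow list: high-risk transactions may only reach specified addresses.
    if tx.get("high_risk"):
        try:
            ok = any(ipaddress.ip_address(tx["dest_ip"]) in net for net in ALLOW_LIST)
        except (KeyError, ValueError):
            ok = False  # a missing or malformed address fails closed
        if not ok:
            reasons.append("high-risk transaction outside allow list")
    return (not reasons, reasons)

SAMPLE = [
    {"url": "https://cad.psap.example/api", "dest_ip": "192.0.2.5", "high_risk": True,
     "protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384"},
    {"url": "http://cad.psap.example/api", "dest_ip": "192.0.2.5", "high_risk": False},
    {"url": "https://records.psap.example/", "dest_ip": "198.51.100.7", "high_risk": True,
     "protocol": "TLSv1", "cipher": "DES-CBC3-SHA"},
    {"url": "https://cdn.malicious.example/x", "dest_ip": "203.0.113.9", "high_risk": False,
     "protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(tx["url"], evaluate(tx))
```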

Smaller PSAPs Face a Bigger Challenge

While there is much that individual PSAPs can do now to secure their operations, smaller PSAPs may lack the resources to effectively defend themselves.  Therefore, the first step for smaller PSAPs may be to have a frank discussion with their governing authorities about how to support an effective cybersecurity program. Spreading the costs through a multi-jurisdictional ESInet, joining a state-wide Security Operations Center, or outsourcing more challenging tasks to the commercial sector may be cost-effective options.

Meanwhile, the broader community of public safety stakeholders must also work together on solutions to address evolving cyber challenges. That is why the FCC charged the Task Force on Optimal PSAP Architecture, an expert panel developing recommendations to facilitate the transition to Next Generation 911, with examining how PSAPs can improve their cybersecurity strategies both now and in a full NG911 environment.  Later this week, the Task Force will finalize a report that will include recommended cyber best practices for PSAPs, including smaller call centers.   

We hope PSAPs will review these tips and resources, share them within the public safety community, and perhaps share best practices of your own.
