The cybersecurity problem that public safety agencies have is very big and it’s not going away—if anything, it’s only going to expand as time passes. That was the consensus of a panel convened for MCP’s inaugural Conference for Advancing Public Safety, which was presented last month.
“The threat’s there—something is going to happen, and we need to be prepared for it,” said Thomas Stutzman, director, Indiana County (Pennsylvania) Emergency Management Agency.Fortunately, the panel, which you can listen to on-demand here, offered some excellent advice that every public safety agency can use—regardless of size or resources—to avoid being victimized by a cyberattack and build into their cybersecurity program .
Much of the discussion centered on teaching network and system users, and their supervisors, what to do and what not to do. A major point of emphasis was on ensuring that supervisors are well aware of what network and system operation is supposed to look like.
I want my technicians and my team to know what it looks like on a good day, so that when we’re looking at it on a bad day … we understand what’s happening,” said Nathan Kizer, executive director, Lubbock County (Texas) Emergency Communications District.
Scott Brillman, a captain with the City of Baltimore Fire Department and the city’s 911 director, agreed. “A (cybersecurity) plan, for me, starts at my supervisors … the folks who are in the center working 24/7 have to know about cybersecurity, and they have to know how to respond to an attack,” he said.
When crafting a cybersecurity plan, Mark Perkins, MCP’s vice president of delivery, advised agencies to lean heavily on industry standards.
“Step one is to have a plan and step two is to leverage standards,” Perkins said.
He cited the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), a unit of the Department of Commerce, as a place to start, as well as guidelines developed by the Federal Communications Commission’s Task Force on Optimal PSAP Architecture (TFOPA), specifically Section 4 of the task force’s 2016 report.
“It provides a very useful step-by-step structure for public-safety entities to forge an appropriate strategy and appropriate plan,” he said.
But more than even an effective cybersecurity plan, Perkins stressed the importance of establishing an organizational culture that nor only is cybersecurity aware, but also is dedicated to the cause.
“This is a holistic organizational plan—it’s not just an IT project,” he said. “It’s got to come from leadership. It’s going to be a component of almost everything you do going forward. It’s going to be ongoing—you’re not going to be able to check a set of boxes and say, ‘Oh that’s great, we’re done with that cyber thing.’”
It generally is acknowledged that if a hacker wants to infiltrate a network, he or she will do so, regardless of what an agency does from a cybersecurity perspective. However, it equally is acknowledged that agencies should do everything possible to make it as difficult as possible for hackers to access their networks. This is analogous to home security. If a burglar really wants what’s inside a home, he’ll simply use a pry bar to break the door jamb. But if the target is random, dead-bolt and window locks and home-security systems could cause the burglar to move on to an easier target.
The equivalent of the dead-bolt lock is multifactor authentication, and all of the panelists extolled its importance.
“I’m a multifactor evangelist. … It’s an extra step and nobody loves it, and it’s not 100 percent foolproof, but it goes such a long ways towards protecting those systems,” Kizer said.
All of the public-safety panelists also indicated that their agencies employ both internal and external resources, to varying degrees, to support their cybersecurity postures.
“Baltimore is fortunate enough to have some resources that focus on cybersecurity or cyber-related projects,” Brillman said. “But we do outsource. I don’t think any jurisdiction has enough bandwidth, personnel or whatever to handle all the projects you need to do. … That’s the future—hiring experts to assist.”
On that note, MCP has a stable of subject-matter experts, led by Perkins, who are adept at helping clients with their cybersecurity needs, from developing plans to monitoring and securing networks and systems to troubleshooting disruptive events when they occur—please reach out.