October 31 signified the end of National Cybersecurity Awareness Month, a topic of which the government sector has become more than just aware. Meanwhile, November 1 marked the start of Critical Infrastructure Security and Resilience Month—an initiative being led by the Federal Emergency Management Association (FEMA). The call to action is for public agencies to encourage resilience through preparedness and exercises, and to promote smart, secure investment in resilient and national infrastructure.
This comes at a time when the need has never been greater. Today, cyberattacks against state and local governments are at an all-time high, with more than 400 documented since early 2017 on public-safety infrastructure alone.
We recently sat down with Federal Bureau of Investigation (FBI) cybersecurity experts, who advised us that it is a virtual certainty that any individual public safety communications network is going to be attacked, sooner or later. While the majority of attacks go unreported, the ones that are reported generally involve ransomware. Ransomware is a specific type of malware that hackers use to exploit a system vulnerability and then launch a program that encrypts the organization’s data files, essentially locking them and rendering them unusable. Then the hacker demands a ransom—hence the name—to provide the key that unlocks the files.
The good news is that most attacks on public-safety organizations exploit conditions that are preventable, such as password policies. That bad news is that when they occur, the majority of agencies are woefully ill-prepared to recover within a timely fashion and resume normal service operations. And according to the FBI, in many cases the crypto keys are not returned even if the ransom is paid.
While National Cybersecurity Month may have ended, it is still critical to think about preparedness, and what public safety agencies can do to lessen the effects of cyberattacks if they occur.
IT Standards – the Foundation of a Solid Cybersecurity Approach
There are several key considerations regarding how to forge the right cybersecurity approach.
One is that cybersecurity planning no longer should be managed as a standalone IT initiative. Instead, it must be driven from the top—with agency leadership emphasizing its importance within the organization and among its stakeholders. Another key consideration is that managing an effective cybersecurity plan must be viewed as more than a one-time event—rather, it should be viewed as a never-ending journey.
Here are some other key questions that public safety officials should ask themselves concerning the six-step approach for protecting IP-based public-safety networks recommended by the Federal Communications Commission (FCC) Task Force on Optimal PSAP Architecture (TFOPA):
Step 1: Identification/Discovery
The key question that should be asked is whether the agency truly understands and has a current view of all of its network assets. Keep in mind that any network that facilitates the transport of a public safety application and all of the networks physically connected to it are potential entry points for an attack.
Step 2: Assess/Prioritize
How many agencies are fully aware of their cybersecurity risks? In discussions with clients, we’ve found that less than half have conducted a cybersecurity assessment in the last 12 months. To fully understand the network’s risks, a third-party expert should perform such an assessment once a year, at a minimum. Plans should be developed from these assessments to remediate found risk conditions.
Step 3: Implement/Operate
Has the agency trained its personnel? Internal training among first responders, telecommunicators, technology leads, leadership and more regarding the policies and procedures developed as part of the strategy is of the upmost importance.
Step 4: Monitor/Evaluate
As previously mentioned, “ongoing” is the key word. The key question in this step is whether an agency has an ongoing plan to monitor its network on a 24 x 7 x 365 basis. Is there a plan to track network events? Has anything outside the ordinary been observed?
Step 5: Test/Evaluate
When was the last time the continuity of operations plan (COOP) and disaster recovery (DR) plan were reviewed? Better yet, when were they last exercised? The cybersecurity plan, as well as the COOP and DR plans, should be reviewed on a regular basis.
Step 6: Improve/Evolve
Is the plan fluid? Agencies should have a long-term strategy that helps them ensure that the cybersecurity plan continually evolves, just as the cyber-attack threats evolve and cybercriminals get smarter with every attack.
In conclusion, make cybersecurity a priority not just during National Cybersecurity Awareness Month, or during Critical Infrastructure Security and Resilience Month, or in the days following an attack that generates national headlines, but every day. Take time to prepare for a truly scary experience with a smart, proactive and preventive plan.