MCP Insights

If you’re operating an IP-based 911 network, plan to be attacked

Posted on April 24, 2018 by Mark Perkins

From coast to coast, public safety agencies are implementing Emergency Services Internet Protocol (IP) Networks (ESInets) to provide Next Generation 911 (NG911) services. Such broadband-enabled networks promise to greatly enhance emergency response, as they will enable bandwidth-intensive files, such as streaming video, to be received by NG911-capable public safety answering points (PSAPs) and then shared with first responders in the field, bringing situational awareness to new, lofty levels.

At the same time, ESInets will enable PSAPs to share data with each other seamlessly and in real time, and will enable them to serve as backups to each other in the event that one or more PSAPs in a region are rendered inoperable, inaccessible or uninhabitable due to a disaster.

More than 180 PSAP cyber attacks in the last two years

That’s the good news. The not-so-good news is that municipal communications systems, especially 911 systems, are viewed in the black-hat hacker community as a very large notch in the belt, so they increasingly are being targeted. More than 180 cyber attacks on PSAP infrastructure have been recorded in the last two years alone. A huge factor is that IP networks are far more vulnerable to cyber attack than the closed networks provided by telecommunications carriers that carried 911 calls to PSAPs for most of the last half century. (Learn more about this and how 911 network management is changing in our upcoming webinar on 4/26.)This is going to be a bigger problem in the future, and not just because of the ongoing NG911 migration; the major telecom carriers will eventually retire their legacy copper infrastructure in favor of IP-based infrastructure, which puts any PSAP connected to such infrastructure—even those that are not contemplating a transition to NG911 over the near-term—at greater risk for attack.

Numerous ways to attack 911 systems exist. Denial of service (DoS) and distributed denial of service (DDoS) attacks attempt to unleash a tsunami of fake emergency calls with the intent of crashing a 911 system. The difference between them is that DoS attacks usually involve a hacker using one computer and one internet connection, while the DDoS attacks use hundreds of thousands, sometimes millions, of devices—including personal computers, digital video recorders, routers, smartphones, Internet of Things (IoT) gadgets (e.g., sensors, thermostats), even watches—pretty much anything capable of collecting and exchanging data. What they have in common is that create a lot of havoc, sometimes over a wide swath. In November 2016, for instance, an Arizona teenager launched a DDoS attack that disrupted PSAP operations in at least 12 states.

Malware and ransomware attacks also can be devastating and are on the rise. Malware is an overarching term that covers any program—e.g., viruses, rootkits and Trojans—designed to infect and damage a computer or computer system without the user’s knowledge or consent. The attack usually is launched by exploiting a system vulnerability, though human factors also come into play, such as when someone clicks on a malicious email or web link, or inserts an unauthorized USB drive into their computer. Hackers use software specially designed to automatically probe for system vulnerabilities on a 24 x 7 basis. When one is found, an attack is launched, sometimes automatically, sometimes manually.

Ransomware is a specific type of malware. The hacker exploits a system vulnerability to launch a program that encrypts the organization’s data files, essentially locking them and rendering them unusable. Then the hacker demands a ransom to provide the key that unlocks the files.

Alleviate Your Risk: Conduct Regular Vulnerability Assessments

Given the devastating nature of malware and ransomware attacks, it always is a good idea to conduct regular system vulnerability assessments, which consist of the following components:

  • Physical security—focuses primarily on information technology (IT) assets such as server rooms, wire closets, communication rooms and public areas where network access is available.
  • Network management and monitoring—focuses on detection of anomalies that often are related to malicious events; activities include:
    • Monitoring passwords to ensure that they are strong and up to date.
    • Ensuring that all cyber security patches are current.
    • Implementing intrusion-detection sensors.
    • Monitoring port traffic to identify suspicious traffic.
    • Regularly checking firewall settings; most organizations implement firewalls and then fail to check on them; while “set it and forget it” is a fine strategy for cooking chicken on a rotisserie, it should be avoided when managing firewalls.
  • External penetration test—focuses on assessing the system for external vulnerabilities.

Such assessments require considerable cyber security expertise to execute, and, as with financial audits, independent, third party review is of high importance. We recommend that agencies consider contracting with a consulting firm that specializes in cyber security assessments. Mission Critical Partners’ cyber security team—which is part of our lifecycle management services offering—stands ready to provide such assistance.

Reach out to us today—we’re eager to help you avoid a cyber attack.

Register for MCP's 911 Management Program Webinar