December ISSA Meeting Executive Security Presentation
Cyber Threat to Public Safety Communications
Kory W. Edwards
Webster University
May 2016
Abstract
Public safety communications are the most crucial point of defense within the communication
critical infrastructure (CI) sector. This paper explores the past mistakes, the threats, challenges,
vulnerabilities and solutions in protecting public safety communications systems to ensure
communications flow from the public to the first responder and all the coordination between
them. This research paper traces the progression of public safety communications during the 9/11
attacks to modern infrastructure changes and the new threats they pose. Once identified,
solutions are offered for those vulnerabilities.
Keywords: Cybersecurity, Public Safety Communications, Cyberattack, Communications
Security, Disaster Response
Post 9/11 Connectivity Created Ubiquity
Public safety communication vulnerabilities attained prominence in the aftermath of the
September 11th, 2001 terrorist attacks. Once the two planes hit the World Trade Center,
approximately 55,000 calls went out to the 911 emergency call center, of which 3,000 were
received within the first few minutes. (Sharp, et al 2011) Cell phone networks promptly became
overloaded as well, thus complicating first responder communications which typically used cell
phones as a back-up to land mobile radio (LMR) systems.
Radio repeaters on the Twin Towers were damaged and LMRs being used by police and
firefighters could not operate at a power strong enough to hear the evacuation calls from within
the buildings. (Sharp, et al 2011) With the addition of noise, operators talking over each other,
incompatible systems, differences in radio jargon and the confusion, public safety
communications underwent a significant break down during the crisis. America needed a remedy
for the future.
Since 9/11, the most common buzz words in emergency management are “redundancy” and
“interoperability”. Federal funding continues to flow to agencies of all levels of government,
Federal, state and local in order to procure systems that can operate in the same network or
bridge into each other’s networks. The big push for more powerful radios, converters for cell
phones to talk to LMRs, audio bridges to link LMR networks into a single channel, converters to
merge LMR and other communication platforms into a voice-over-IP communication and
broadband communications that ride over the internet have all increased interoperability and
redundancy of public safety communications significantly. But emergency managers often
overlook a key fact: connectivity creates ubiquity.
The ability to connect all these platforms together offers many benefits, but connecting more
components to the internet also provides more entrances for cyber-attack.
Components linking systems then become single points of failure that a cyber attacker can reach
from literally anywhere around the world with the right skills.
Attacks on Public Safety Communications
3. What is an attractive target?
Just in the year 2013, there were over 600 instances where citizens were denied emergency
services as a result of a cyber-attack; 200 of these attacks directly targeted offices of public
safety and their systems. (Macri 2014) Since 9/11, significant emphasis has been placed on
interoperability between agencies and levels of government. Interoperability plans often rely on
increased connectivity to the open internet for remote maintenance, remote diagnostics and
conversion of signals between networks. Each of these connections offers a cyber attacker
additional access points from which they can monitor public safety communications, intercept
sensitive data or conduct a cyber-attack.
Aside from the actual public safety communications systems, which are increasingly more
complex and composed of more secure components, the public’s ability to communicate with
911 services presents a prime target. Cyber-attacks have become so routine that IT
professionals and their executive chain no longer focus on individual or repetitive attacks. The
sheer volume and variety of penetrations and probes do not garner attention unless there is a
significant loss of data or productivity. As Federal funds flow to agencies large and small to
improve interoperability and redundancy, few agencies have invested in protecting the public’s
link to 911 call centers. As of May 2015, over 200 attacks were conducted against 911 call centers
using a telephone denial-of-service (TDOS) attack. (Viebeck 2015) Similar to a distributed
denial-of-service (DDOS) attack, the attackers launch a large volume of simultaneous calls to 911,
which ties up the system and prevents the receipt of legitimate emergency calls.
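A defender-side view of the TDOS pattern described above, as an added example that is not part of the original paper: a sliding-window check over call records that separates an automated flood from a genuine surge of callers. The record format, the thresholds and the sample calls are constructed assumptions, not values from any 911 system.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    ts: float        # arrival time, seconds from start of log
    caller: str      # presented calling number (can be spoofed)
    duration: float  # seconds the trunk was held


def detect_tdos(calls, window=60.0, max_calls=20, short_call=10.0, short_ratio=0.7):
    """Return one (ts, calls_in_window, short_fraction, distinct_callers) per flood onset.

    A window is flagged only when BOTH conditions hold:
      - more than max_calls arrived in the last `window` seconds, and
      - at least short_ratio of them were held for less than short_call seconds.
    Volume alone is not enough: a real disaster also produces a surge of calls,
    but those callers stay on the line to report the emergency.
    """
    recent, alerts, alerting = deque(), [], False
    for call in sorted(calls, key=lambda c: c.ts):
        recent.append(call)
        # Drop calls that have aged out of the sliding window.
        while recent and recent[0].ts <= call.ts - window:
            recent.popleft()
        n = len(recent)
        short = sum(1 for c in recent if c.duration < short_call)
        flooded = n > max_calls and short / n >= short_ratio
        if flooded and not alerting:  # report the onset once, not on every call
            callers = len({c.caller for c in recent})
            alerts.append((call.ts, n, round(short / n, 2), callers))
        alerting = flooded
    return alerts


# --- Constructed sample traffic (not real call data) ---

def sample_normal():
    # Quiet period: one call every 30 s for 10 minutes, each held 2 minutes.
    return [Call(30.0 * i, f"555-01{i:02d}", 120.0) for i in range(20)]


def sample_surge():
    # Genuine incident: 30 different callers within a minute, all staying on the line.
    return [Call(600.0 + 2.0 * i, f"555-02{i:02d}", 90.0) for i in range(30)]


def sample_flood():
    # Automated flood: 40 calls in 40 s, each dropped after 3 s,
    # rotating through 8 presented numbers.
    return [Call(1200.0 + 1.0 * i, f"555-09{i % 8:02d}", 3.0) for i in range(40)]


if __name__ == "__main__":
    traffic = sample_normal() + sample_surge() + sample_flood()
    for ts, n, frac, callers in detect_tdos(traffic):
        print(f"t={ts:.0f}s: {n} calls in window, {frac:.0%} short, {callers} caller IDs")
```

The genuine surge exceeds the volume threshold but raises no alert because its calls are long; only the short-call flood is reported.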
The most attractive targets are those easiest to get access to and most likely to cause the biggest
effect. These would be the ability of the public to call 911, the 911 call center’s ability to receive
and process calls, and the single points of failure within interoperable bridge systems.
The Attacks
In recent years, we’ve seen sporadic attacks on 911 systems, other public safety networks, and
supporting companies and infrastructure. Here’s just a small sample:
In early 2016, a cyberattack flooded Spartanburg County, SC non-emergency
phone lines and pushed the calls onto the 911 system which jammed the 911 call center
and slowed dispatching to respond to emergencies. (Stone 2016)
In April 2016, a cyberattack shut down various public safety systems of the
Newark Police Department, NJ. The virus used in the attack prevented staff from
accessing criminal data and the primary system used to dispatch first responders for 3
days. The police had to use their back-up system until the virus was remediated.
(Coleman 2016)
In March 2016, a cyberattack flooded VOIP Innovations, a leading provider of
voice over IP services, with service requests and denied their customers access to the
system. The attack was so intense and so frequent that the FBI considered the attack a
national security threat. (Hartmans 2016) Why? Because first responder agencies use
VOIP in their primary networks or use components such as the Raytheon ACU-1000 for
interoperability. The ACU-1000 converts numerous land-mobile-radio (LMR) and other
communications systems to a single VOIP signal, which allows them to talk to each
other. (Raytheon 2012) This becomes a single point of failure in mass casualty or major
event situation management.
In December 2014, cyber attackers disrupted the emergency 911 system in
Indianapolis, IN for several days. The attackers either entered the system directly or by
way of an individual computer. Not only did the penetration of the system occur, but the
attackers stayed within the system to see how police responded to the incident. (Brilliant
2015)
Threat of Secondary Attacks
If the inability to contact emergency services were not concerning enough, the combination of a
major terrorist attack followed by a cyber-attack on first responder systems could significantly
compound the loss of life. Currently, cyberattacks from terrorist organizations have inflicted
minimal damage and mostly consist of nuisance attacks. The concern with cyberattacks being
combined with a physical attack within the U.S. relates to both future capabilities and the
organizations’ ability to purchase cyberattack capabilities. The Islamic State of Iraq and the
Levant (ISIL) obtained significant financial support from oil field seizures and other means.
These funds could easily be used to recruit a successful cyber attacker to provide a secondary
attack in the aftermath of a physical attack.
Security Challenges of Public Safety Communications
Complacency
Recent mass casualty incidents in previously little known locations like San Bernardino, CA,
Charleston, SC, Colorado Springs, CO, and Fort Hood, TX show us that public safety
communications are of concern in places outside of the major metropolitan areas that most often
receive attention. Many agencies and local governments believe that their city, county or town
will never see such an event occur. And they might be right. Especially when facing significant
expenses in upgrading their public safety networks, why put forth the effort and funding for a
small possibility?
Between frequently changing legal and technological requirements and the massive coordination
needed to improve interoperability and continuity between agencies, most heads of agencies are
not willing to dedicate time, manpower and a large portion of their budget to fix their
cybersecurity vulnerabilities. (Burger, et al 2016) Public safety officials are not likely to pay
close attention to cyber-attacks that happened “over there” in a distant city or state. In fact, many
heads of agencies that hire security experts become complacent over the daily threat briefs and
worries of their security staff. The security director who constantly cries wolf cannot get the
action they need when it is significant. So, should a cyber security professional not mention the
daily threats? Our society has become tone deaf to the headlines about cybersecurity issues. And
our complacency becomes a major challenge in addressing the security needs of public safety
communications.
Expense/Funding
Budgets always have been a battle for any security professional. The biggest challenge facing a
Chief Information Security Officer (CISO) is normally not identifying the vulnerabilities and
solutions, but obtaining the budget necessary to fortify their networks. Take for example the
following headlines over just the last year:
How to be a successful CISO without a “real” cybersecurity budget (SEP 2015)
How to calculate ROI and justify your cybersecurity budget (DEC 2015)
Rebalancing your cybersecurity budget with deception technology (APR 2016)
A recent study showed that across all industries, government failed industry-standard security
tests the worst. In fact, government agencies fixed fewer than 1/3 of detected cyber-security
problems and most often due to budget constraints. (Ward 2015) Whereas private companies
such as Target have been financially and legally held accountable for data theft, government
agencies are often not held to the same standards. The theft of millions of Federal employees’
personal information during the Office of Personnel Management data breach is a perfect
example of why government should dedicate more funds to cybersecurity, but agencies do not have
the same legal and financial incentives to do so as a private company does through litigation risks.
Interoperability
Since 9/11, many agencies have made progress on interoperability between agencies.
With the support of the Department of Homeland Security, universal standards of data
management, enabling of broadband capabilities for voice, data and video, and hardware
solutions such as audio bridges and higher-power land-mobile-radio systems have become
commonplace. Even joint command centers have sprung up to bring crisis management
participants face-to-face when needed.
The increased interoperability also comes with its own set of challenges though. Not every
agency can afford to participate in these joint interoperability ventures due to funding or
incompatible systems. Expenses are often prohibitive for smaller or rural agencies using
outdated and incompatible systems, meaning they must bear a larger expense in order to become
interoperable. Instead, they end up relying on less expensive options such as augmenting LMR
networks with broadband. Aside from the broadband cyber vulnerabilities, this option typically
uses first responder commercial smartphones that lack mission-critical voice capabilities such as
radio-to-radio and one-to-many communications. (DHS 2014)
Shared systems between agencies also run the risk of being tied into an agency that has not
employed security measures, or that lacks diverse routing or redundancy in electrical power. When
agencies lack common security policies and training, one of the agencies might be enabling
insiders to accidentally or intentionally disrupt operations or security throughout the shared
network.
Vulnerabilities of Public Safety Communications
Next Generation 911 Systems
Today’s trend in 911 systems is the implementation of Next Generation 911 (NG911) systems
which operate on an Internet Protocol (IP). These systems offer a wide range of broadband
options for voice, data, video and interconnection of public and private networks. Unfortunately,
this new system subjects 911 communications to significant vulnerabilities that come with an
IP-connected system. In order to be functional for a wide array of agencies, these systems require
standardized identity management and credentialing system-wide. The use of credentials allows
a potential attacker numerous attack vectors and wide-spanning access which would allow the
attack to spread quickly and proliferate across systems. (DHS 2015) DHS is of the opinion that
these risks do not undermine the benefits of the NG911 system; however, they acknowledge that
as attacks increase in complexity and sophistication beyond the TDoS attacks currently used, the
system will be more at risk. But such a statement begs two questions: how do we know these
more sophisticated attacks do not already exist? And how soon before we begin to see these new
attack strategies? By subscribing to a new system with known flaws and multiple chokepoints, and
especially by publishing these vulnerabilities, are we not encouraging new attack development?
Reliance Upon Telephony
Modern public safety communications systems rely heavily upon telephony. The New York
Police and Fire Departments, for example, operate a dedicated, private LTE carrier using the 2.5
GHz spectrum leased by the Brooklyn Archdiocese. (Careless, et al 2011) This now subjects the
entire New York emergency response to standard LTE attacks on the commodity hardware and
software used, rogue base stations, renegotiation attacks (forcing the communications to less
secure GSM channels), man-in-the-middle (MiM) attacks, jamming, attacks using a stolen secret
key (K) obtained from the carrier’s HSS/AuC or the UICC manufacturer, physical attacks on base
stations or availability attacks on eNodeB and Core. (Bartock, et al 2015)
Those public safety communications systems that rely on VOIP communications for
interoperability also have significant vulnerabilities to deal with. Internet bound packets can be
intercepted, and significant strain on VPN hardware can cause delays and broken communications.
These VOIP systems all lead to virtual chokepoints at gateways and base station control
functions (BCFs), and securing them at a firewall is challenging. Other VOIP security concerns
include dependence on updated patches to phones, good underlying network security and
operating system security, as well as DoS attacks, packet interception, unsecure open ports,
wireless connectivity exposure and spam over IP telephony. (Ruck 2010)
The ability to conduct attacks on telephony is not complicated but does require specialized
equipment that is not difficult to obtain. Especially when dealing with cellular systems, the most
secure operating system is the Android or iOS operating system on the phones; however, at least
two other operating systems exist on handsets and they have significantly more vulnerabilities.
The baseband operating system controls all functions involving radio frequency (RF)
transmission and controls. It treats signals sent on the downlink from a tower as
both secure and direct commands. Shifting an LTE signal to GSM or UMTS where
security flaws are more exploitable can be done with a cause code 8 which bricks the handset
and instructs it to stop looking for LTE. This would knock a first responder’s handset off the
secure LTE network and since most of these specialized LTE systems do not have a GSM
channel in their neighbor list, the phone becomes dead at least until power cycled away from the
rogue base station’s reach.
SIM cards on cellular devices are also a vulnerability. Reverse engineering of a SIM card can
grant unauthorized access, or hacking of an authorized SIM card can give a cyber attacker access
to about 13% of authorized devices in order to steal data or conduct a TDoS attack from within
the specialized network. (Anthony 2013)
Shortage of Cyber Security Professionals
Despite all the improving hardware, software, encryption, awareness and companies willing to
sell and install the latest and greatest in cyber security and cyber defense systems, one final
vulnerability remains and is growing. This is the shortage of cyber security professionals
to employ and of acknowledgment of the need for these professionals. Many companies and
government entities have shifted their hiring practices to ensure new heads of security are also
information security or cyber security trained; however, the fact remains that roughly 300,000
cyber security jobs remain unfilled in the U.S. and that number is likely to grow to over 1.5
million in the next 5 years. (Zarya 2016)
This shortage means that public safety agencies must compete for this talent pool with private
corporations which typically offer higher salaries than government entities can afford to pay. The
shortage also leads to expansion of the talent pool by hiring foreign cyber security experts or
relying on offsite cyber security companies for support through consulting roles or crisis
assistance. Hiring foreign professionals runs the risk of terrorist sympathizers infiltrating these
agencies to either conduct cyber reconnaissance or an attack. And the hiring of consultants or
outside crisis management companies means a delayed response to these attacks and a response
to only attacks that are blatantly noticeable.
What does a public safety agency do about the daily attacks that do not rise to the crisis threshold
but could be indicative of probing or planning for a larger attack? How can an agency respond
rapidly and effectively if their support is not onsite? It is imperative that we recognize the
vulnerability within our employee talent in addition to the hardware and software security issues.
Solutions for First Responder Communications
Communication of Information Via Fusion Center Network
One of the benefits of the actions taken by the Department of Homeland Security after the 9/11
Report was issued was the establishment of a state fusion center network. Federal funding
supports these state and major metropolitan area analysis centers that now exist in every state
and territory, with the exception of Wyoming. Embedded analysts and liaisons at these fusion
centers connect agencies of all levels of government and private sector partners through
face-to-face interaction at the center. In addition, useful tools such as Adobe Connect sessions are
offered for free through the DHS portals. These communications systems remove crisis
discussions from the agency’s standard networks and onto an internet based platform that may
not be linked to the victim agency’s networks and therefore not targeted in the cyber-attack.
Use of these fusion center tools can allow access to key personnel using any device that is able to
connect to the internet via cellular or land-based Ethernet connections, regardless of the ISP or
connection. Voice, data, messaging and video are all offered on the platform and through the
embedded DHS Intelligence Officers, information can travel rapidly through the fusion center
network to other state, localities and centers which may need to prepare for subsequent or
simultaneous attacks. These DHS Intelligence Officers have already established rapport and
contact with key players within their area of responsibility. This is a significant resource that is
often under-utilized.
Network In-A-Box
An alternate cellular back-up solution would be a closed cellular network such as the Multi-
Radio Network-in-a-Box system offered by a joint venture between Radisys, Octasic and
Quortus. (Radisys 2015) This product is a portable cellular base station platform that can handle
up to 32 cellular devices per box and is deployable via UAV, vehicle or backpack. It uses
4G/LTE, 3G and 2G air interfaces, allowing any cellular device to connect to it but allows the
agency to restrict which devices can connect to the platform by using a whitelist/blacklist
authentication.
In order to cover larger distances or urban environments, the system can be deployed with
multiple platforms, establishing a crisis-specific cellular channel, frequency and neighbor list.
How is this platform different from a carrier platform? It offers the security of being a closed
network that does not connect to outside carrier networks. This inhibits a rogue tower or internet
attack since it is detached from public cellular networks. If the frequency were to be intercepted,
that frequency can be changed for the authorized devices. A visual log of SMS transmissions
between devices can also serve as a time-stamped record of the event management and decisions.
Satellite Backup
There is a common misperception that redundancy and diversity of communications can be
achieved through multiple options of terrestrial communications. Unfortunately, this ends up
leading to diversity of the carrier but not the pathway. (Bardo 2015) If the entire infrastructure
collapses due to a major terrorist attack or natural disaster (as in 9/11), what options remain?
This is where satellite communications become essential. Just as satellite communications can be
deployed at sea or on a battlefield without significant infrastructure, these satellite
communications systems are a fail-safe in a catastrophic event. Modern satellite communications
allow for sleeve devices that can be added to off-the-shelf cellular devices to convert them to
satellite capable handsets. Satellite communications should be an integral part of any continuity
of operations planning.
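The argument above that carrier diversity is not pathway diversity, and the earlier point that linking components become single points of failure, can be checked mechanically. The following is an added example, not part of the original paper: it models a communications topology as a graph and lists every component whose loss alone cuts dispatch off from field units. All node names and topologies are hypothetical, constructed for illustration.

```python
from collections import deque


def reachable(links, src, dst, down=frozenset()):
    """Breadth-first search over undirected links, skipping failed nodes."""
    if src in down or dst in down:
        return False
    adj = {}
    for a, b in links:
        if a in down or b in down:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(links, src, dst):
    """Return the intermediate nodes whose failure alone disconnects src from dst."""
    nodes = {n for link in links for n in link} - {src, dst}
    return sorted(n for n in nodes
                  if not reachable(links, src, dst, frozenset({n})))


# Hypothetical topology: two terrestrial carriers that look redundant but
# share one conduit, feeding a single interoperability gateway (audio bridge).
TERRESTRIAL = [
    ("dispatch", "carrier_a"), ("dispatch", "carrier_b"),
    ("carrier_a", "shared_conduit"), ("carrier_b", "shared_conduit"),
    ("shared_conduit", "interop_gateway"),
    ("interop_gateway", "field_units"),
]

# Satellite backhaul that still terminates on the same gateway.
SAT_VIA_GATEWAY = TERRESTRIAL + [
    ("dispatch", "sat_terminal"), ("sat_terminal", "satellite"),
    ("satellite", "interop_gateway"),
]

# Satellite-capable handsets in the field, bypassing the gateway entirely.
SAT_DIRECT = TERRESTRIAL + [
    ("dispatch", "sat_terminal"), ("sat_terminal", "satellite"),
    ("satellite", "field_units"),
]

if __name__ == "__main__":
    for name, topo in [("terrestrial only", TERRESTRIAL),
                       ("satellite via gateway", SAT_VIA_GATEWAY),
                       ("satellite direct to handsets", SAT_DIRECT)]:
        spofs = single_points_of_failure(topo, "dispatch", "field_units")
        print(f"{name}: {spofs or 'no single point of failure'}")
```

Neither carrier appears in the result for the terrestrial design, yet the shared conduit and the gateway do; adding satellite only removes the gateway from the list when the satellite path does not terminate on it.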
Recruitment of Cyber Security Professionals
As mentioned in the vulnerabilities section of this paper, there is a shortage of cyber security
professionals. A solution to this problem is to recruit or train IT personnel within the agency to
understand cyber security issues. Agency sponsorship of certification courses such as Certified
Information Systems Security Professional (CISSP) and Security + courses, attached with an
employment commitment obligation (to prevent employee loss) could augment the agency’s IT
skills.
In addition to training and recruitment, executives must break the complacency mindset and
dedicate resources and attention to improving their cyber security status. In government, where
loss is not as much of a concern, policies must be adopted to hold government executives
accountable in the event that their agency suffers a significant loss of data or service capability.
Conclusion
No public safety communications system is 100% secure from cyber-attack and no agency has
the funding to reach the pinnacle of cyber security. However, it is incumbent upon public safety
leadership to seek out solutions to improve their security standing. Lives are on the line and, as we
learned during the 9/11 attacks, those lives can be first responders and citizens. Communications
are the key to an effective disaster response and our attackers understand that by disrupting these
communications they can maximize the effects of their attack. The solutions outlined above are
just a few of the possibilities and as technology evolves, so must our communications defenses.
References
Sharp, K.; Losavio, K. (2011) 9/11, 10 Years Later. PSC Online, Retrieved from:
http://psc.apcointl.org/2011/09/06/911-10-years-later
Macri, G. (2014) Emergency services like 911 no longer cyber-safe, GAO reports. TheDailyCaller.com, Accessed from:
http://dailycaller.com/2014/01/30/emergency-services-like-911-no-longer-cyber-safe-gao-reports/
Viebeck, E. (2015) DHS: 911 Call Centers Vulnerable to Cyber-Attack. TheHill.com, Retrieved from:
http://thehill.com/policy/cybersecurity/241442-dhs-911-call-centers-vulnerable-to-cyberattack
Stone, A. (2014) Cyberattack: The Possibilities Emergency Managers Need to Consider. EmergencyMgmt.com, Retrieved from:
http://www.emergencymgmt.com/safety/Cyberattack-Emergency-Managers.html
Coleman, V. (2016) Cyber Attack Temporarily Shut Down Newark Police Computer Systems. NJ.com, Retrieved from:
http://www.nj.com/essex/index.ssf/2016/04/cyber_attack_shuts_down_newark_police_computer_sys.html
Hartmans, A. (2016) VOIP Innovations Suffers Cyberattack. Pittsburgh Business Times, Retrieved from:
http://www.bizjournals.com/pittsburgh/news/2016/03/17/voip-innovations-suffers-cyberattack.html
Raytheon (2012) ACU-1000 Datasheet. PSI Company, Retrieved from:
http://www.psicompany.com/man-prod-info/Raytheon-JPS/Control-Equipment/ACU-1000/ACU-1000-Datasheet.pdf
Brilliant, J. (2015) Hackers Target Indianapolis 911 Center. WTHR.com, Retrieved from:
http://www.wthr.com/story/27897557/hackers-target-indianapolis-911-center
Burger, E.; Welch, T. (2016) Complacency in the Face of Evolving Cybersecurity Norms is
Hazardous, Legaltech News, Retrieved from:
http://poseidon01.ssrn.com/delivery.php?ID=04310512712102512509107200409409412
100903600008206109110602100102511101202308307301112005810012204202405311
407111201207411107602009003403703409907012109909207106504204600000007712
5102095114095093001086003092000106100109001126026102125106089113097006&
EXT=pdf
Ward, M. (2015) All Industries Fail Cybersecurity, Govt The Worst. CNBC.com, Retrieved from:
http://www.cnbc.com/2015/06/23/all-industries-fail-cybersecurity-govt-the-worst.html
Department of Homeland Security (DHS) (2014) The Hybrid Public Safety Microphone (Turtle Command) Land Mobile Radio Converging with Broadband. Retrieved from:
https://www.dhs.gov/sites/default/files/publications/The%20Hybrid%20Public%20Safety%20Microphone-Turtle%20Command-Land%20Mobile%20Radio%20Converging%20with%20Broadband_0.pdf
Department of Homeland Security (DHS) (2015) Cyber Risks to Next Generation 911. Retrieved from:
https://www.dhs.gov/sites/default/files/publications/NG911%20Cybersecurity%20Primer%20FINAL%20508C%20(003).pdf
Careless, J. and Bischoff, G. (2011) What a Difference a Decade Makes. Urgentcomm.com, Retrieved from:
http://urgentcomm.com/networks-amp-systems-mag/what-difference-decade-makes
Bartock, M.; Cichonski, J.; and Franklin, J. (2015) LTE Security – How Good Is It? National Institute of Standards and Technology (NIST), Retrieved from:
http://csrc.nist.gov/news_events/cif_2015/research/day2_research_200-250.pdf
Ruck, M. (2010) Top Ten Security Issues Voice Over IP (VOIP). Designdata.com, Retrieved from:
http://www.designdata.com/wp-content/uploads/sites/321/whitepaper/top_ten_voip_security_issue.pdf
Anthony, S. (2013) The Humble SIM Card Has Finally Been Hacked: Billions of Phones at Risk of Data Theft, Premium Rate Scams. Extremetech.com, Retrieved from:
http://www.extremetech.com/computing/161870-the-humble-sim-card-has-finally-been-hacked-billions-of-phones-at-risk-of-data-theft-premium-rate-scams
Zarya, V. (2016) How These Mormon Women Became Some of the Best Cybersecurity Hackers in the U.S. Fortune.com, Retrieved from:
http://fortune.com/2016/04/27/mormon-women-cybersecurity/
Radisys (2015) Radisys, Octasic and Quortus Partner to Deliver a Multi-Radio Network-in-a-Box for Defense and Public Safety Sectors. Radisys.com, Retrieved from:
http://www.radisys.com/press-releases/radisys-octasic-and-quortus-partner-deliver-multi-radio-network-box-defense-and-public-safety
Bardo, T. (2015) Why Public Safety Plans Should Include Satellite Communications. Hughes.com, Retrieved from:
http://www.hughes.com/resources/why-public-safety-plans-should-include-satellite-communications?locale=en