At the Association of Public-Safety Communications Officials’ (APCO’s) annual conference last year, the organization hosted a Cybersecurity for PSAP Management professional development session. The seminar featured Bill Hail, senior technical architect for Venture Technologies.
Early in Hail’s career as an emergency services engineer, he noticed a troubling pattern: Many people, particularly those who worked at 911 call centers, were woefully undereducated about cybersecurity, leaving their data vulnerable to attack.
While cybersecurity can feel like a daunting responsibility to tackle, Hail acknowledged, you don’t need to be a ‘Matrix’-level computer genius to better protect your PSAP; you just need to remember a few basic guidelines. During the seminar, Hail discussed important questions for PSAPs to ask their security vendors, different types of cybersecurity threats facing the emergency communications industry and what PSAPs can do to best protect themselves and their data from would-be thieves.
4 Key Takeaways for PSAP Cybersecurity
#1. Nothing is ever completely secure.
As enticing as the idea of total security may be, for now, it’s still just an idea, Hail emphasized.
There is absolutely nothing that I could put in place for you today that will not be obsolete tomorrow,” he said. “Nothing is completely or truly secure. There is always a way around or through any security precaution that we construct.”
Unfortunately, criminals are adept at changing their methods to try to conquer new defenses, and cybercriminals are no exception.
#2. Cybersecurity evolves; so do cybercriminals.
Many of us imagine hackers as basement-dwelling loners looking to prove a point. While this picture may have been accurate decades ago, today’s cybersecurity threats are more focused and sophisticated than ever, Hail explained.
“These are bona-fide cybercriminals,” he said. “They have skill sets.”
It’s not just the attackers themselves who have evolved, The strategies they employ have changed as well. Traditional, one-shot attacks have been replaced by multi-step launches of long-term, coordinated network attacks.
“They’re going to come after you with all these various attack strategies,” Hail explained. “Before, it was just someone who was penetrating different computing elements to see what [he] could find. Today, there are things that just sit on [computers], waiting. They could be there a year, months or weeks.”
Hail identified five elements that cybercriminals use to their advantage during an attack: infection, persistence, communication, command and control.
“Just like any disease, when you get infected, most of the time it’s a few days, maybe weeks, before you actually come down with the illness,” he said. “[Attackers] want to infect you, want persistence to make sure their infection is still alive, want to maintain communication with it and need command and control of that.”
The infection stage can last years before cybercriminals may decide to activate their attack.
“[They’re] not trying to blow you up at that time,” Hail continued. “They may wait a year, 18 months, and let it sit there. But what they do have to do is maintain command and control of their sleeper. And when they wake that sleeper up it’s all over but the crime. Because what they’re going to do is spread it through your network. They’ll move certain files through different elements in a way you won’t even notice if you’re not monitored.”
#3. Monitoring your networks is a must.
It’s not enough to simply refrain from clicking on suspicious links or opening email from unfamiliar senders; these days, it’s important to keep an eye on the entire network, including systems, applications and servers.
“Monitoring isn’t just saying it works or it doesn’t work — over time you know the processes,” Hail said. “You know what’s under the hood. And that’s what you’re actually monitoring. And if those processes [show] abnormal behavior, that’s your first indication that you have a problem.”
Networking monitoring can help prevent major security breaches, including those that come from malevolent systems or programs which are pre-loaded onto computers.
A chip called BIOS, which manages a computer’s basic operating system, is the first element to activate when a computer is turned on. Hail described a PSAP he worked with in Florida who found their chips were pinging a site in China.
As disturbing as this sounds, it’s not uncommon, Hail said.
“Right now, probably 60 percent of you in this room, if you’re on a network, have been talking to China,” he estimated. “Because [attackers] will disguise it as, ‘Well, this is just a maintenance check.’ And that leads to cyberattacks, not only by individuals, but by governments, organized crime, and a whole host of other people and entities out there who want your data.”
One way to avoid attacks like this, Hail explained, is by monitoring your PSAP’s networks.
Hail outlined three ways PSAPs can monitor networks:
- Signature-based monitoring
- Anomaly-based monitoring
- Behavior-based monitoring
Signature-based monitoring is what most people are familiar with, he said, because signature-based attacks include common threats like spyware, viruses and malware.
“With this form of monitoring, sections of network traffic are analyzed for predetermined attack patterns, which are known as signatures,” Hail said. “Only the specific attack that matches the signature will be detected.”
Anomaly-based monitoring uses average traffic during a typical workday to generate a baseline of what’s normal and what isn’t. Current activity is measured against the baseline to detect potential threats.
Behavior-based monitoring examines how applications and operating systems have behaved in the past and uses this framework to evaluate current activity. This method can stop applications that run fine one day and begin to act up later. This means behavior-based monitoring has an edge over the other two methods, because it can be run proactively without needing to be updated.
Hail advised asking vendors which method their system uses. PSAPs should ideally have all three.
#4. Disaster recovery means more than just backups.
When he worked with organizations trying to recover following Hurricane Katrina in 2005, Hail said he learned what happens when agencies don’t even take small precautions.
“Disaster recovery is more than just having [data] stored in the cloud,” he explained.
According to Hail, disaster recovery revolves around single points of failure. There should never be any information stored in only one place, or any one person who can access networks or data. elements The elements he looks for when assessing a PSAP’s disaster recovery ability:
- Power recovery
- Redundant data
- Redundant networking
- Redundant computing elements
- Redundant sites
- Redundant people
While it’s critical that these technological elements are maintained, the human element of disaster recovery is unmistakable, Hail said.
“So often we will silo everything in our world, and then when we leave and go onto other opportunities, there’s other people there and they’re left [without] all the elements of what was done before them,” he explained. “So make sure there’s at least two people constantly involved in the evolution of your PSAP.”
About the Author
Lexi Wessling is a freelance writer completing criminal justice studies. She has worked as a writer and copy editor for more than seven years.
Read more about PSAP cybersecurity and operations: