Cyber Security – You Probably Need a Consultant


It Was Not That Long Ago...

A few years ago, Next Generation 9-1-1 became THE buzzword in Public Safety. A lot of money was spent hiring consultants to develop an RFP, support the selection process and assist in the migration. The money was spent, in many cases, simply because the organization did not have the required expertise in house.

We are currently faced with a critical issue in Public Safety: cybersecurity. Some will state that because they have anti-virus software and a firewall, they are fine. The answer to that is: maybe.

Hiring an outside consultant will not only provide expertise but, given the proper authority and span of access, will give management a true view of the center's cybersecurity status and of how the networks in the facility are interconnected, and will provide a plan for overall cyber governance.

FCC Task Force on Optimal PSAP Architecture (TFOPA)

It will be important to utilize the NIST Cybersecurity Framework and the TFOPA report for this effort. The cybersecurity section of the TFOPA report is based on the NIST Cybersecurity Framework and is geared towards 9-1-1. It takes the complex NIST document and presents it in a more straightforward manner.

[Figure: PSAP Map]

The map above depicts the result of a recent cyber assessment at a PSAP in the Midwest. The PSAP serves a population of 250,000. There was two-way traffic between the PSAP and the red-shaded countries. The center was communicating with more than 600 individual IP addresses around the world over SSH. They had no idea.

Your challenge will probably be funding. My hope is that we can raise awareness of this critical issue in the community.


Review Your Network Traffic


I spoke last week with a colleague regarding cyber security. While reviewing network traffic with his security contractor, they noticed a vendor server was reaching out to known criminal (out of respect for Chris Roberts I will not use the Hac*er word) sites for Domain Name System (DNS) services. These sites were located in Sweden and Finland.

It appears that the rogue DNS code was injected into the 9-1-1 vendor's software. The vendor was unaware that this breach had occurred (but is currently resolving the issue). Fortunately, the firewall was properly configured and did not allow the DNS response, coming from our friends in Finland and Sweden, to invade his network.

Many 9-1-1 sites have a vendor or IT contractor administering their firewall. They will open and close ports on request. They are typically not under contract to monitor/evaluate outbound traffic.

Understanding the data traffic on your network is critical. There are other stories out there regarding 9-1-1 centers having active two-way traffic with foreign nations (I've read the reports) that should serve as a wake-up call.
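The two findings above (a server quietly querying resolvers nobody approved, and hosts holding SSH sessions with addresses far outside the building) are exactly what a first pass over exported firewall or NetFlow records should surface. The script below is an added example, not tooling from the original post, the colleague or the contractor. The record format (timestamp, source, source port, destination, destination port, protocol, direction), the approved-resolver addresses, and the RFC 5737 documentation addresses standing in for foreign hosts are all constructed assumptions; point it at your own export and adjust the field split accordingly.

```python
"""Outbound traffic review for a PSAP flow log (added example; constructed data)."""
import ipaddress
from collections import defaultdict

# Assumed policy: the only DNS resolvers PSAP hosts are permitted to query.
APPROVED_RESOLVERS = {"10.20.0.53", "10.20.0.54"}
DNS_PORT, SSH_PORT = 53, 22

# Address space treated as "inside the center". RFC 5737 documentation
# addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) stand in for foreign hosts
# below, so we match explicit internal ranges rather than relying on
# ipaddress.is_global (which treats the documentation ranges as non-global).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records: ts src sport dst dport proto direction
SAMPLE_FLOWS = """\
2018-07-30T03:14:01 10.20.5.17 51322 10.20.0.53 53 udp out
2018-07-30T03:14:02 10.20.5.40 49200 192.0.2.9 53 udp out
2018-07-30T03:14:05 10.20.5.40 49211 192.0.2.9 53 udp out
2018-07-30T03:15:00 10.20.7.3 53512 203.0.113.77 22 tcp out
2018-07-30T03:15:01 10.20.7.3 53513 10.20.9.2 22 tcp out
2018-07-30T03:16:10 10.20.5.17 51400 198.51.100.25 443 tcp out
2018-07-30T03:16:11 10.20.7.3 53514 203.0.113.78 22 tcp out
2018-07-30T03:16:12 203.0.113.78 22 10.20.7.3 53514 tcp in
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts.

    Malformed lines are skipped rather than aborting the whole review."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, direction = parts
        try:
            flows.append({"ts": ts, "src": src, "sport": int(sport),
                          "dst": dst, "dport": int(dport),
                          "proto": proto, "dir": direction})
        except ValueError:
            continue
    return flows


def is_external(ip):
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def review_flows(text):
    """Return the two findings the post describes:
    DNS sent to unapproved resolvers, and SSH to addresses outside the PSAP."""
    rogue_dns = defaultdict(set)      # src -> resolvers it should not be using
    external_ssh = defaultdict(set)   # src -> external SSH peers
    for f in parse_flows(text):
        if f["dir"] != "out":         # only traffic the center initiates
            continue
        if f["dport"] == DNS_PORT and f["dst"] not in APPROVED_RESOLVERS:
            rogue_dns[f["src"]].add(f["dst"])
        if f["dport"] == SSH_PORT and f["proto"] == "tcp" and is_external(f["dst"]):
            external_ssh[f["src"]].add(f["dst"])
    return {"rogue_dns": dict(rogue_dns), "external_ssh": dict(external_ssh)}


def report(findings):
    """One line per finding; the peer count is the number the post's map showed."""
    lines = []
    for src, resolvers in sorted(findings["rogue_dns"].items()):
        lines.append(f"ROGUE DNS  {src} -> {', '.join(sorted(resolvers))}")
    for src, peers in sorted(findings["external_ssh"].items()):
        lines.append(f"EXT SSH    {src} -> {len(peers)} external peer(s): "
                     f"{', '.join(sorted(peers))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(review_flows(SAMPLE_FLOWS))))
```

The internal SSH session (10.20.7.3 to 10.20.9.2) and the ordinary HTTPS flow are deliberately left alone; the point of the review is the handful of records that should not exist at all, not every port 22 or 53 packet.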

High blood pressure is often called "the silent killer" because it typically has no symptoms until after it has caused significant damage. Putting together an overall cyber security strategy should include, at a minimum, conducting a cyber benchmark, sort of like checking your blood pressure…


Securing CAD in 9-1-1 Centers

~Cyber Attacks and Computer Aided Dispatch (CAD)~


9-1-1 Centers (PSAPs) serve two main Public Safety functions:

  • INBOUND: Answering a 9-1-1 call or text from the public
  • OUTBOUND: Dispatching first responders (fire, EMS, law enforcement)

In most centers, these two functions run on two separate networks. The inbound network is typically installed and maintained by the vendor or channel partner who provides the call/text product (TriTech, Motorola, West, Solacom, AT&T, etc.). The outbound Computer Aided Dispatch (CAD) system, in many cases, resides on a network managed by the local municipality or county government.

We currently have a PSAP in South Florida that has been without CAD for three weeks. A ransomware attack that arrived via the city email system made its way through the municipal network, into the 9-1-1 center, and locked down a number of law enforcement systems, including CAD. For the past weeks, communication with first responders has been a manual, paper-and-pen process. The attack was not directed at the 9-1-1 center, but the collateral damage is a major hit to operations.

ALSO: Currently, in a Mid-Atlantic state, there is a PSAP whose CAD system has been down for weeks as the result of a cyber attack.

I have spoken to numerous centers across the country who have experienced similar CAD outages. Most of these were not as well publicized as major cities like Baltimore.

Can’t Patch Me

There are still government entities out there running really old software, and in some cases REALLY, REALLY old software (e.g. MS SQL 2003-era installs, when Microsoft only supports back to SQL Server 2008). We should not run applications that are considered critical infrastructure (9-1-1 CAD) on the same network as these systems…

9-1-1 center managers and directors may have no idea this connectivity exists, or how to patch and protect these outbound networks.

We need to rethink how we deploy mission-critical CAD in 9-1-1 Centers.
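Whether the municipal network can carry a ransomware outbreak into CAD is something that can be checked against the firewall policy before the outbreak, not after. The script below is an added example, not code from the original post or from any CAD vendor: a small first-match rule evaluator that compares a flat network (one routed LAN, nothing filtering between the city's email users and the dispatch floor) with a segmented one in which only the dispatch client's port reaches the CAD zone and unpatchable hosts may not initiate anything. The zone addressing, the single allowed CAD port (443) and the lateral-movement port list are assumptions to be replaced with your own.

```python
"""Zone policy check: flat municipal network vs. segmented CAD (added example)."""
import ipaddress

# Assumed addressing for the three populations the post describes.
ZONES = {
    "office": ipaddress.ip_network("10.1.0.0/16"),   # municipal users, email clients
    "legacy": ipaddress.ip_network("10.2.0.0/24"),   # unsupported, unpatchable systems
    "cad":    ipaddress.ip_network("10.50.0.0/24"),  # CAD servers and dispatch positions
}

# Ports ransomware and worms commonly ride between Windows hosts:
# SMB, RDP, WinRM, MS SQL.
LATERAL_MOVEMENT_PORTS = [("tcp", 445), ("tcp", 3389), ("tcp", 5985), ("tcp", 1433)]

# Rule tuples: (src_zone, dst_zone, proto, dport, action). "any" is a wildcard,
# the first matching rule wins, and no match means deny.
FLAT_POLICY = [
    ("any", "any", "any", "any", "allow"),    # one routed network, nothing in between
]
SEGMENTED_POLICY = [
    ("office", "cad", "tcp", 443, "allow"),   # assumed: dispatch client reaches CAD over HTTPS only
    ("cad", "cad", "any", "any", "allow"),    # the CAD tier may talk to itself
    ("any", "cad", "any", "any", "deny"),     # nothing else reaches the CAD zone
    ("legacy", "any", "any", "any", "deny"),  # unpatchable hosts may not initiate anything
    ("any", "any", "any", "any", "allow"),    # ordinary office traffic is unchanged
]


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def _matches(rule_field, value):
    return rule_field == "any" or rule_field == value


def evaluate(policy, src_ip, dst_ip, proto, dport):
    """First-match evaluation of one flow; default deny when nothing matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_proto, r_port, action in policy:
        if (_matches(r_src, src) and _matches(r_dst, dst)
                and _matches(r_proto, proto) and _matches(r_port, dport)):
            return action
    return "deny"


def lateral_paths(policy, src_ip, dst_ip):
    """Which lateral-movement ports this policy lets src reach on dst."""
    return [(p, port) for p, port in LATERAL_MOVEMENT_PORTS
            if evaluate(policy, src_ip, dst_ip, p, port) == "allow"]


if __name__ == "__main__":
    email_client, cad_server = "10.1.4.21", "10.50.0.10"
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        open_paths = lateral_paths(policy, email_client, cad_server)
        print(f"{label:>9}: email client -> CAD server open on {open_paths or 'nothing'}")
```

Under the flat policy an infected email client reaches the CAD server on every one of those ports, which is the South Florida scenario above. Under the segmented policy the same client still reaches CAD on 443 (dispatch keeps working) and still reaches other office machines (segmentation does not cure the city network), but every lateral-movement port into the CAD zone is closed, and the legacy hosts cannot open a connection anywhere.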

Today in the 9-1-1 community there is a lot of excitement around new vendors and product offerings, including enhanced location accuracy and cloud-based applications. In my opinion, cyber awareness needs to be included.


Crypto-Jacking: Using 9-1-1 Center Computers for Profit


Most of us have heard the term ‘crypto mining’. Cryptojacking is simply using the computer power and electricity of another person or company (in this case a 9-1-1 center or PSAP) without their knowledge to ‘mine coins’.

Simple Explanation

Cryptocurrency is, by design, decentralized. Transactions, which are digitally signed rather than encrypted, are grouped into a "block", and each block is appended to a chain of earlier blocks (the blockchain). Using CPUs or graphics cards, miners compete to solve a proof-of-work puzzle that validates the next block of transactions and keeps the currency running. For this validation service, the winning miner receives a payment in that currency.

It is less expensive for crypto miners to use ‘someone else’s’ (meaning your) computer processing and electricity.

Cryptojacking is becoming more popular. It is easy money and cryptojacking ’kits’ are available on the dark web for as little as $30.

The actual code can run in the background for a long time without detection. Unlike ransomware, the goal is not to lock up your computers and hold them hostage for payment; the goal is to use as much of your systems' CPU as possible without being noticed. The culprit could be an unknown "bad guy", an employee, a contractor, etc.

Public Safety Answering Points (PSAPs) Compromised

We are starting to receive reports of 9-1-1 Centers conducting ‘Cyber Security Benchmarks’ and identifying cryptojacking software. For example, one 9-1-1 center found that cryptojacking was using 60% of the CPU on their Computer Aided Dispatch (CAD) workstations.

In addition to compromising the performance of ‘critical infrastructure’ systems,  whoever installed this software OWNS YOU. They may be content with simply using your PSAP to make money, but the fact is they have established two-way communications and are running hidden, malicious software. They could easily take your infected systems down hard.
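The two signals in the paragraphs above, a process that holds a large share of the CPU for a long time and a process that keeps an outbound session open to somewhere it has no business talking to, are what a benchmark looks for on a dispatch workstation. The script below is an added example and not the benchmark tooling the post refers to. It runs over constructed process snapshots (the kind of data a few minutes of `tasklist`/`netstat` or an EDR export would give you); the process names, the mining-pool port list and the command-line markers are assumptions, and the latter two should be tuned to your own threat intelligence.

```python
"""Cryptojacking triage over periodic process snapshots (added example; constructed data)."""
from statistics import median

# Assumed indicators: ports commonly used by mining pools, and strings that
# show up in miner command lines (stratum pool URLs, a well-known miner name).
STRATUM_PORTS = {3333, 4444, 5555, 14444}
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "xmrig", "--donate-level")


def snapshot(cad, hog, burst, backup):
    """One constructed snapshot of four processes on a CAD workstation.

    Each record: pid, image name, CPU percent at that instant, command line,
    and the remote (address, port) pairs it had open."""
    return [
        {"pid": 1200, "name": "cad.exe", "cpu": cad,
         "cmd": "cad.exe /dispatch", "remote": [("10.50.0.10", 443)]},
        # Masquerading as a Windows Update client; the command line and the
        # pool connection give it away.
        {"pid": 3320, "name": "wuauclt.exe", "cpu": hog,
         "cmd": "wuauclt.exe -o stratum+tcp://203.0.113.50:3333 -u WALLET",
         "remote": [("203.0.113.50", 3333)]},
        {"pid": 4100, "name": "chrome.exe", "cpu": burst,
         "cmd": "chrome.exe", "remote": [("198.51.100.25", 443)]},
        {"pid": 5000, "name": "backup.exe", "cpu": backup,
         "cmd": "backup.exe --full", "remote": []},
    ]


# Four snapshots one minute apart: the miner sits near 60%, the browser has a
# single burst, the backup job is legitimately busy the whole time.
SAMPLES = [snapshot(12, 58, 70, 65), snapshot(15, 61, 5, 70),
           snapshot(9, 63, 4, 68), snapshot(14, 60, 6, 72)]


def analyze(samples, cpu_threshold=50.0, min_samples=3):
    """Return findings keyed by pid.

    A process is 'sustained' when it exceeds cpu_threshold in at least
    min_samples snapshots; a single spike (the browser) is ignored. Sustained
    CPU plus a mining indicator is the cryptojacking verdict; either one on
    its own is flagged for a human to look at."""
    history = {}
    for snap in samples:
        for p in snap:
            h = history.setdefault(p["pid"], {"name": p["name"], "cmd": p["cmd"],
                                              "cpu": [], "ports": set()})
            h["cpu"].append(p["cpu"])
            h["ports"].update(port for _, port in p["remote"])

    findings = {}
    for pid, h in history.items():
        sustained = sum(c >= cpu_threshold for c in h["cpu"]) >= min_samples
        indicators = []
        pool_ports = h["ports"] & STRATUM_PORTS
        if pool_ports:
            indicators.append(f"connects to mining-pool port(s) {sorted(pool_ports)}")
        for marker in MINER_MARKERS:
            if marker in h["cmd"].lower():
                indicators.append(f"command line contains {marker!r}")

        if sustained and indicators:
            verdict = "likely_cryptojacking"
        elif sustained:
            verdict = "sustained_cpu_investigate"
        elif indicators:
            verdict = "miner_indicator_investigate"
        else:
            continue
        findings[pid] = {"name": h["name"], "median_cpu": median(h["cpu"]),
                         "verdict": verdict, "indicators": indicators}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(analyze(SAMPLES).items()):
        print(f"pid {pid} {f['name']:<12} median CPU {f['median_cpu']:5.1f}%  "
              f"{f['verdict']}  {'; '.join(f['indicators'])}")
```

The backup job lands in the "investigate" bucket on CPU alone, which is the right outcome: the analyst confirms it is scheduled work and moves on, while the impostor `wuauclt.exe` with a pool connection is the one to pull off the dispatch floor and image. Note that the same two-way connection that marks it as a miner is the channel through which whoever planted it could push something worse.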

In the 9-1-1 community, we need to step up our awareness of cybersecurity. While this may be a line item PSAPs will consider putting in their budget for next year, the fact is every center should consider conducting a cyber benchmark as soon as possible.

A final thought:

APCO, Black Hat and DEF CON are all in Las Vegas next week.

Be careful out there: turn Bluetooth off on your devices and please do not connect to unknown or free WiFi.