Security

Campus Safety- What Part Does a PSAP Play?


Boca Raton is a beautiful city of approx. 91,000 located in southern Palm Beach County. Florida Atlantic University (FAU) sits on 850 acres within the city limits, a mere 2 miles from the ocean. About 31,000 students attend this campus.

The university has its own sworn officers, giving it legal jurisdiction over the campus. 9-1-1 calls originating from the campus, however, are routed to the Boca Raton Police Department PSAP.

Here is an example scenario: a student on the FAU campus calls 9-1-1 for assistance. The call is answered by Boca Raton PD. Medical and fire calls were (and still are) handled by Boca PD, while all others (law enforcement) were transferred to the FAU Campus Police. The call was answered on a traditional desktop phone.

There was no callback number displayed and no map to provide the caller’s location.

In 2015, FAU submitted a formal request to my department to become a Secondary PSAP. Their rationale was student safety.


It was not uncommon for a campus 9-1-1 caller to NOT know their exact location (I’m in the parking lot!!!). After a few visits to the campus and meetings with both the Boca Raton PD and Campus Police, it was decided to move forward with the request. The State of Florida gave the project final approval and we recently went ‘live’ with the new PSAP.

FAU Campus Telecommunicators can now see the 9-1-1 caller’s location and their phone number.


Palm Beach Post Article

The University plans to integrate building floor plans into the 9-1-1 system, which could be of great benefit. One of the positive aspects of working with the University is that they own the buildings, so we do not need additional permissions, etc. (as we would with, for example, a regular business).

And so, while there is continued discussion across the country regarding primary PSAP consolidation, we need to also concern ourselves with safety.

There is no simple answer.

Ransom Attacks


There are three broad categories of hackers:

  1. Destructive (crash a website, destroy data)

  2. Social Justice (Edward Snowden, WikiLeaks)

  3. Those that want to make a Profit 

One of the popular tactics used by those in category 3 is to hack into a company database (such as Target) and steal credit card information. The hacker can then take these to a “Cyber Pawn Shop” where the list would be published for sale on the ‘Deep Web’.


These ‘Cyber Pawn Shop’ sites will sell credit cards in bulk; the price is normally reduced as they ‘age’ in time. Bottom line: it is better to steal LOTS of credit card info, which is why a hack such as Target was possibly a large financial score.

Now we are seeing a dramatic increase in Ransom Attacks. The hacker goes into the computer system, takes control and encrypts operational data, demanding payment for a password.

On one level this approach makes better business sense:

  1. Eliminate the middleman (Cyber Pawn Shops)

  2. Hackers set their own price

In some of the recent attacks, systems were simply shut down. Earlier this year a hospital had its medical records encrypted, basically shutting down the hospital (Hollywood Presbyterian Medical Center) until a ransom was paid. Hospitals, schools and cities are estimated to have paid hundreds of millions of dollars to date (source: Chris Francescani, NBC News).

Hackers are also targeting Police Departments nationwide.

A quote from the August 19, 2016 Wall Street Journal article by Robert McMillan:

“According to the U.S. Department of Justice, ransomware attacks have quadrupled this year from a year ago, averaging 4,000 a day. Typical ransomware payments range from $500 to $1,000, according to cyberrisk data firm Cyence Inc., but some hackers have demanded as much as $30,000.” Link

One aspect of this is of great concern: in many cases these organizations have an IT department and security policy. They have purchased the typical ‘products’ such as firewalls, etc. So how can this be happening?

Today it is estimated that over 90% of the Ransom Hacks enter through a ‘phishing’ email, which an employee ‘clicks on’.

So, based on the above, we can see two issues:

  1. The phishing email made it through the system

  2. Employees may not be properly trained regarding email security

If you’ve already transitioned to an IP-based NG9-1-1 system you are safe, for the moment, as email is not directly connected.

But how about future hacking techniques or 9-1-1 text messages with hyperlinks? 

APCO Project 43, NENA and the FCC Task Force on Optimal PSAP Architecture (TFOPA) are all discussing the issue of security as we transition to IP. We should stay plugged into their ongoing recommendations…

SECURITY – sometimes difficult to define


I received a letter from the U.S. Office of Personnel Management in Washington, D.C. recently. The OPM experienced a major security HACK, which they publicly admitted (thank you). This breach of data included, as I learned in the letter, details that were voluntarily provided and additional information from background investigations for thousands of security clearances, including mine (past life).

Anyone who has been involved in this aspect of working with the Federal Government knows that the higher the level of clearance, the more information required. This then needs to be verified (either through formal, feet on the street background investigations or the ever popular polygraph).


The bottom line – in my case – I am being provided credit monitoring, identity monitoring, identity theft insurance and identity restoration services, at no charge, for three years. I appreciate the Federal Government’s action.

If you think about this breach, it has tremendous negative potential. In addition to the basics (name, social security number, place of birth, etc.), they also have details on an individual’s immediate family, business relationships, foreign travel, etc., and admissions (again depending on the level of clearance) or revelations of intimate details of your personal life. So this information could be used to identify and attempt to coerce or blackmail (reveal potentially damaging/embarrassing information) someone in an influential role (industry or government). A pretty serious situation.

Hackers had the ability to penetrate secure, classified government networks. We have to assume that there were policies/procedures in place and contractors tasked with securing these systems.

Until recently, 9-1-1 Centers (PSAPs), with their traditional analog phone line connectivity, have not been concerned with the type of ‘hacking’ or security issues normally associated with IP (internet protocol) networks. As we all know, this is changing.

Most of us have heard the terms firewall or encryption. In reality, we are going to require the expertise of our vendors and consultants to make sure that our information and system functionality is safe as we move to these IP based networks. There have been critical scenarios described, such as having an ‘event’ in a major city and the 9-1-1 system being totally disabled as part of the attack.

The challenge is, who really understands all of the aspects of security? It is not unlike taking your car to be serviced. The mechanic basically has you at a disadvantage. You need to make a decision – should you trust him? We should not move into IP networks with this approach. The individual, consultant or vendor we might ‘trust’ may candidly not really have an in-depth knowledge of this very complex subject.

Make sure that your security advisor is aware of the following efforts:

National Institute of Standards and Technology:

Cybersecurity Framework

CSRC

NICE

Federal Communications Commission (FCC):

CSRIC

 

Text to 9-1-1 and Language Translation

In certain areas of the United States there are large segments of the local population that do not speak English.

In 9-1-1 Call Centers (PSAPs) today, it is common practice to have a third party language translation service under contract. For example, a 9-1-1 call is received and the call taker does not speak Spanish. It is a simple process to add a Spanish-speaking translator to the 9-1-1 call.

Most translation firms offer this service for numerous languages.

We recently held a meeting with Miami-Dade, Broward and Palm Beach counties to discuss the implementation of Text to 9-1-1 on a regional basis. Paul McLaren, of West Safety Services (formerly Intrado), provided a technical overview. I was surprised to learn that, today, it is not possible to ‘bridge in’ a third party translation service (or any third party) to a 9-1-1 text. There were a number of reasons identified: technical limitations, security, etc.

Here in South Florida, launching an ‘English-Only’ 9-1-1 Text service will need careful consideration and approval.

What would happen if you were working a shift in a 9-1-1 center and, on your screen, you receive a text in a foreign language?

If you have plans to move forward with a Text to 9-1-1 solution in your area, it will be important, in today’s scenario, to educate the public on language availability. You also need an emergency ‘contingency plan’.

Text can certainly be a useful tool, but it is important that we understand all of the facts prior to implementation.

 

No Funded Plan for NextGen 9-1-1 in Your State?


In the perfect world there is a plan and approved funding for a NextGen ESInet (Emergency Services IP Network) in your State (disclaimer: this is my personal opinion). This will serve as the public safety broadband network for all of the 911 centers (PSAPs). There is local control of the PSAPs; the state has simply removed a major technical hurdle by providing the ESInet backbone as a utility.

This is a great scenario…

With over 30 ‘home rule’ states, where the state constitution grants cities, municipalities, and/or counties the ability to pass laws to govern themselves as they see fit (decentralized authority), it can be challenging to establish a funded statewide 9-1-1 initiative.

In many counties across the US, staff responsible for 9-1-1 are maxed out. They have full time jobs, often serving in an Emergency Management, Police or Fire Rescue position, maybe even managing the PSAP(s). Strategic planning for Next Generation 9-1-1, securing funding and contracting for technical expertise at the local level represents a major undertaking.

So, if you are the responsible party at the county level, with no State initiative on the horizon, what do you do? We are starting to see a grassroots movement where local counties are working together. In Illinois, Florida, New York and Pennsylvania, to name a few, counties are teaming together to adopt a regional model, migrating to an IP-based network with hosted (centralized) call processing. A great first step.

This is not wasted effort, as it lays the foundation for connecting to a full ESInet solution at a future date.

Here in Florida, there are a large number of counties who have begun to ‘self organize’, holding regular meetings to look at options.

Laurie Flaherty, National 911 Program Coordinator, and her team have put together an annual report that provides an overall view of what is happening nationwide:

National 911 Data

Security and IP Networks – John McAfee

John McAfee Perspective

As we discuss the need to provide secure IP networks in the world of Public Safety, this article by John McAfee, the creator of the first commercial antivirus program and no stranger to controversy, is out there.

John has led a wild life full of tabloid material. This post, totally correct or not, is worth a read, as it surely makes one think!


ESInet as a Service (EaaS)

There is a desire by numerous groups and agencies (NENA, APCO, FCC, DHS, DOT to name a few) that, as a nation, we transition as quickly as possible to NextGen 9-1-1 technologies.


Recently, my team and I spent the day here in Palm Beach County with Alan Benway, Executive Director of Product Management for AT&T ESInet, and Mike Nelson, VP and Sr Technical Officer for West Safety Services (formerly Intrado). West pioneered the Field of Dreams concept for ESInets: “build it and they will come.”

Press Release

After receiving an in-depth technical dive into the offering, I believe that the West/AT&T ESInet as a Service (EaaS) offering, rather than an RFP-based ‘build a dedicated system’ model, will gain tremendous momentum. It simplifies an extremely complex aspect of moving to NG9-1-1. West has other partners reselling their current two node offering (e.g. Motorola and CenturyLink), but AT&T is investing millions in buildout, adding nodes and aggregation points across the US.

I believe that this partnership will inspire others to provide a similar EaaS product offering. Now, if we can encourage State level funding, we can get some serious traction.

Simply plug in..