Tennessee to test cybersecurity of its next-generation 911 systems
Tennessee, one of the states furthest along in adopting next-generation 911 technology, has hired a consulting firm to evaluate the cybersecurity preparedness of the state’s emergency call centers.
The company, Mission Critical Partners, said Wednesday that it will conduct assessments of Tennessee’s public safety answering points — at least those that opt into the review process — in search of vulnerabilities on an increasingly digital network. Though next-generation 911 is championed within the public safety industry as an important and inevitable evolution in how first responders are dispatched to emergencies, they’ve also warned that the technology’s defining features, such as the ability to share videos, photos and text, and to seamlessly route caller data between answering points, will necessarily expose the system to new attack vectors.
While many states are still converting their decades-old analog systems to internet-based platforms, Tennessee led states in adopting digital 911 systems and is now completing a conversion of its IP-based call routing technology to a platform designed with next-generation 911 in mind, called ESInet. According to Mission Critical Partners, the state plans to have next-generation 911 ready at all 142 of its PSAPs sometime next year.
Molly Falls, who’s managing the Tennessee program for Mission Critical Partners, said the Tennessee Emergency Communications Board added cybersecurity to its strategic plan for 911 last year, and that this evaluation will help prepare the state to eventually push next-generation technology live to the public.
“They recognize that cyberattacks and vulnerabilities are increasing every day as they deploy the IP networks for 911 services,” Falls said. “As next-gen 911 is maturing, so are the standards for next-generation 911, and as the standards are evolving, cybersecurity has been an increased focus.”
The program, funded in part by a $109 million 2019 federal grant that’s shared by 34 states, will assess the digital and physical security of each PSAP’s computer-aided dispatch system and call processing networks. Mission Critical Partners will also prepare a report of the vulnerabilities it finds and recommendations on how to fix them.
Of the 100 emergency communications districts that operate Tennessee’s emergency call centers, 25 have opted into the assessment program so far, said Kevin Walters, a spokesman for the Tennessee Emergency Communications Board, adding that more may join later in the process.
According to a 2019 white paper published by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, next-generation 911 systems face the same cyberthreats facing all digital technology connected to the internet, including data breaches, malware and denial-of-service attacks, which “have severe potential impacts, including loss of life or property.”
Through the manipulation of a caller’s originating address, CISA warned, next-generation 911 could even become a new avenue for malicious pranks like “swatting,” in which the caller makes a bogus threat prompting the deployment of a SWAT team.
The techniques for protecting, detecting, responding and recovering from cyberattacks against 911 systems also look largely the same as they do in other domains — from data encryption and back-ups to incident response and continuity planning — but several key differences set 911 apart. One of those differences, said Brian Fontes, CEO of the National Emergency Number Association, is that that most of the country’s roughly 6,000 emergency call centers lack on-site cybersecurity personnel.
“These 911 centers may have to rely on either their county or city or other IT experts,” Fontes said. “I’m not so sure that these people, although I believe they’re well intended and many of them are extraordinarily competent, but I’m just not sure they have the tools to understand what’s happening in the 911 space in terms of exposure to cyberattacks and would be able to intervene or address those cyberattacks appropriately.”
Call centers also face the added challenge of being highly desirable targets for bad actors, which is partly to account for why they’ve suffered an increasing number of ransomware attacks over the past two years, said NENA technical director Brandon Abley.
“Harming the public’s ability to call for help is something that a foreign state actor might absolutely want to do,” he said.
Worse, he said, is that 911 systems are, by design, necessarily open to the public, which makes them more difficult to secure than some other IP-based systems. Some locales have more resources to secure their 911 systems than others, Abley said, leading to a decidedly “uneven” landscape of cybersecurity practices inside the nation’s 911 system.
“Every agency has a different level of funding and a different level of expertise. So you see case studies where there are relatively basic exploits that really should not have been successful get pulled off over and over again,” he said. “The more you learn about cybersecurity, the more concerned you are about the state of the world in general and the fragility of the world’s infrastructure.”