Transitional 911 systems have ‘very, very broad attack surface,’ working group warns
Members of a federal working group to guide the nation’s transition to an IP-based 911 system warned during a virtual event Wednesday that the emergency call system has a particularly large attack surface during this transitional period.
States and their emergency call centers have been upgrading their equipment and regional telecommunications infrastructure for several years in anticipation of next-generation 911, which will allow sharing of data like photos and videos. But in a session during the Cybersecurity and Infrastructure Security Agency’s annual summit, Laurie Flaherty, coordinator of the U.S. Transportation Department’s National 911 Program, said 911 poses “unique challenges” to the field of cybersecurity that practitioners across the country must reckon with.
Flaherty and other speakers outlined current and future concerns surrounding the security of 911 and highlighted work performed by a Federal Communications Commission working group called the Communications Security, Reliability, and Interoperability Council, or CSRIC, as particularly important in securing the nation’s 911 system. Brandon Abley, a technical issues director with the National Emergency Number Association and member of the working group, said that “transitional 911” poses threats that no one has seen before.
“The recent recommendations that have been developed by CSRIC … consider a very, very broad attack surface,” Abley said. “It’s not just the conventional walled garden that we used to think of where we have an emergency services network that we aggressively protect, but we also look at other things like the external network, your own staff, even your 911 caller’s device are all considered attack surfaces in the new world.”
Attacks against the 911 system and public safety answering points are already prevalent, said Mary Boyd, an executive at the telecommunications company Intrado who has chaired CSRIC working groups, citing recent survey data showing that more than one-third of PSAPs reported experiencing cybersecurity incidents in the past five years that “impacted their ability to communicate.”
Abley said today’s transitional 911 systems are vulnerable to the attacks launched against legacy systems, such as telephony denial of service attacks, which are designed to overwhelm traditional phone systems, and the IP-based attacks that are common today, as next-generation 911 capabilities come online.
“We kind of have the worst of both worlds,” Abley said. “Transitional NG911 systems that are operating today may not support all of the security mechanisms that are expected for end-state NG911. For example, their integration and support for [public key infrastructures]. Attacks that wouldn’t be successful against an end-state NG911 network might be successful against a transitional one just because of the maturity level.”
He also warned of ransomware threats, noting there have been “a lot of high-profile” ransomware attacks against 911 systems in recent years.
For emergency management officials seeking to secure their systems against these threats, Abley pointed to several resources, including guidance from CISA and recent reports from the CSRIC working group.
“In the CSRIC report, we recommend that implementing even basic, low-tech cybersecurity controls — and we include a list of controls at the end of the document — can greatly improve even a small agency’s cybersecurity posture. It’s not just hi-tech stuff, but it’s the everyday stuff like educating people about what suspicious activity looks like, what unsafe documents might look like and a lot of it is really basic. It doesn’t necessarily require a lot of money.”
Abley said NENA will also publish “quite a robust program” for securing 911 systems in the coming months.