When a local teenage hacker wrote malware that caused iPhones to automatically and repeatedly dial 911, the Maricopa County (Ariz.) Sheriff’s Office experienced firsthand the damage a cyberattack can inflict on call centers.
The distributed denial of service attack flooded emergency call centers last October with bogus calls, in Arizona as well as 11 other states, nearly crashing several systems over a 12-hour period.
The hacker initially spread the malware through a link in a tweet. The malicious code propagated as others shared the link. MCSO deputies stopped the attack when they figured out its origin, arrested the hacker and contacted Twitter to delete the tweets. Apple then patched its iOS software.
While the DDoS attack exploited an Apple software flaw and was not the fault of 911 technology, it reveals the vulnerability of dispatch centers everywhere to cyberthreats.
That’s why Cmdr. Chip Lemons, MCSO’s head of IT infrastructure and security, focuses on improving security for 911 infrastructure. His strategy: isolate the computer-aided dispatch system from other applications and the internet by placing it on its own virtual desktop.
“We put logical separations in place, so we are not exposing our CAD system to unauthorized access or viruses,” Lemons says.
Nationally, 911 emergency dispatch centers not only face the threat of DDoS attacks, but also must protect themselves against hackers, ransomware and other cyberattacks. Some agencies choose to upgrade 911 technology to improve security and performance, which includes migrating to faster, more efficient Next Generation 911 (NG911) systems. Those upgrades, in turn, improve public safety and bolster cyberdefenses.
Next Gen 911 Systems Get Next Gen Security
IP-based NG911 allows the public to send text messages, photos and video. This provides defensive capabilities that prove difficult or impossible to implement in legacy, analog phone systems, says Trey Forgety, director of government affairs at the National Emergency Number Association (NENA), which represents government agencies and private firms involved with 911 systems.
New security measures for NG911 systems, now under development, will prevent DDoS attacks, Forgety says. They include session origin inspection to differentiate between real and fake calls; blocking of bogus calls; and diversion of suspicious calls to interactive voice response systems, where callers must talk and prove themselves human before connecting to dispatchers.
“Those are still capabilities that exist in theory, but a theoretical defense is better than no defense,” he says. “It gives us something to work on.”
By their very IP-based nature, NG911 systems introduce risk; however, dispatch centers with analog phone systems are not immune. Many use IP-based CAD, mapping or radio systems, requiring every dispatch center to take a multilayered security approach regardless of the call-taking system in place, Forgety says. That means IT teams should also deploy firewalls, endpoint security and intrusion prevention tools.
Arizona Taps VMware for Virtual Help
In Arizona, Lemons deployed VMware’s Horizon virtual desktop infrastructure software in 2014 to strengthen security and simplify management at the dispatch center, which features 30 desks, each with thin client computers and eight monitors.
Today, MCSO provides dispatchers with two virtual desktops: one for the CAD system to log calls and to dispatch and message deputies; the other for office productivity, providing internet access and applications such as Microsoft Office.
Virtual desktops offer greater security because all data resides in the data center. If a virus enters the virtual desktop for productivity, the system deletes it the next time the dispatcher logs out and logs back in. “Virtual desktops prevent changes on endpoints,” says Lemons, who recently upgraded to new HP T730 thin clients, which feature better processor speed and an improved video card. “If something happens, you reboot it and it resets back to the known, good state.”
Through Active Directory, dispatchers can access the CAD system only while onsite at the main dispatch center, at a remote dispatch center at Chase Field stadium or at a mobile command post.
For further protection, Lemons installed Symantec endpoint security on the dispatch center’s ten servers and on each virtual desktop. To ensure uptime, he built redundancy into the data center. If the CAD database goes down, another will keep operations running, he says.
Henry County Deploys Backups as a Ransomware Counterattack
A year ago, when cybercriminals hit Henry County, Tenn.’s 911 Operations Center with a ransomware attack, dispatchers and first responders could no longer access the CAD system and maps. A message demanded that the county pay a $1,000 ransom in bitcoins to regain access.
Mark Archer, director of Henry County 911, refused to pay. Instead, a team of IT consultants rebuilt the CAD system and mobile server with clean installations of operating systems and applications, and restored data from backups. The consultants also erased dispatchers’ computers and first responders’ laptops and reinstalled software.
The process took three days. During that time, dispatchers used pen and paper to write down call details, and first responders made do without CAD and maps.
“We had the choice to pay the ransom, but I don’t play that game,” Archer says. “Fortunately, we have good backups, and that saved us.”
Henry County 911 IT Manager Chad Howard and his consultants discovered that the hacker entered the mobile server through an open port, by cracking a simple, easy-to-hack password used by a technician from the vendor that installed the server.
Since the attack, Howard has shored up the cyberdefenses of his new NG911 system and ordered vendors and users to create stronger passwords. He’s also upgraded to a next-generation firewall that provides more security features, including deep-packet intrusion detection, anti-virus and malware protection.
“With the new firewall, we made sure there are no open ports. We open ports only as needed,” Howard says.
Kansas Ups Resiliency with 911 in the Cloud
In Kansas, a statewide cloud-based NG911 solution — hosted, secured and managed by AT&T — offers better network security and protection from other networks, says Jay Coverdale, the state’s director of network and telecommunications and the Kansas 911 Coordinating Council’s technical committee chairman.
“Their security posture protects our network from other networks,” he says. AT&T built the private cloud in 2015 by utilizing data centers in Wichita and Topeka. Individual 911 call centers log in to NG911 through a high-speed VPN. To ensure secure 911 communications, each dispatch center uses a dedicated router to connect to the service provider, and a dedicated switch for dispatchers’ computers, he says. Other networks can’t touch it, and it can’t connect to the web.
But that will soon change: Kansas plans to add text message capabilities by year’s end. In 18 months, the state will allow the public to send photos and video to provide dispatchers and first responders with more detail during an emergency. The state will continue to rely on AT&T to secure the outside connections, Coverdale says.
“Those apps will need to be vetted by our service provider to ensure they enter our network securely,” he says.
Homeland Security Grant Funds 911 Security Research
Researchers at the University of Houston will soon unveil technology and strategies to help protect Enhanced 911 and Next Generation 911 systems from distributed-denial-of-service attacks.
In 2015, research teams there received a three-year, $2.6 million grant from the Department of Homeland Security to investigate ways to mitigate DDoS attacks. Now, midway through the project, the teams have tapped private firms to pilot and test technology with several 911 centers.
Potential solutions include deep packet inspections of IP-based phone calls and algorithms that will analyze metadata from calls — including phone numbers, call origination and service providers — to determine whether calls represent true emergencies, says Larry Shi, the grant’s principal investigator and associate professor of computer science at the university.
“During a DDoS attack, our algorithm can home in on what is more likely to be a real emergency,” he says. “You can categorize calls and rank them based on the likelihood that they are real.”
Overall, Shi says, he is optimistic the teams will come up with workable solutions, despite the challenge before them. Because they deal each day with life-and-death situations, 911 centers can’t risk misidentifying a real call as fake, says Stephen Huang, professor of computer science at the university and a co-principal investigator.
“We can’t afford to make a mistake,” he says.
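The metadata ranking Shi describes, combined with the IVR diversion Forgety mentions, can be sketched as follows. This is an added illustration, not the University of Houston algorithm or any vendor's code; the scoring rule, the thresholds, the field names and the sample calls are all assumptions made for the example. Because a real call must never be discarded, low-scoring calls are diverted to the IVR challenge rather than blocked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    call_id: str
    number: str    # caller's phone number
    origin: str    # call origination (e.g. cell sector)
    carrier: str   # originating service provider
    t: float       # arrival time in seconds

# Hypothetical tuning values, chosen only for this example.
WINDOW_S = 300       # how far back to look for earlier calls
IVR_THRESHOLD = 0.5  # scores below this go to the IVR challenge

def score(call, earlier):
    """Estimate from metadata alone how likely a call is to be real (0..1]."""
    recent = [p for p in earlier
              if p.number == call.number and 0 <= call.t - p.t <= WINDOW_S]
    s = 1.0 / (1 + len(recent))      # automated redialing decays the score
    if any(p.carrier != call.carrier for p in recent):
        s *= 0.5                     # same number seen via another provider
    return s

def triage(calls):
    """Rank calls most-likely-real first; divert low scores, never drop one."""
    ordered = sorted(calls, key=lambda c: c.t)
    ranked = []
    for i, c in enumerate(ordered):
        s = score(c, ordered[:i])
        route = "dispatcher" if s >= IVR_THRESHOLD else "ivr"
        ranked.append((c.call_id, round(s, 2), route))
    # Stable sort: equal scores stay in arrival order.
    return sorted(ranked, key=lambda r: -r[1])

# Constructed sample traffic: one handset redialing (c1..c4), one caller
# calling back once (a1, a2), one number arriving via two carriers (d1, d2).
SAMPLE = [
    Call("a1", "555-0101", "sector-12", "CarrierX", 0),
    Call("b1", "555-0102", "sector-12", "CarrierX", 5),
    Call("c1", "555-0199", "sector-40", "CarrierY", 10),
    Call("c2", "555-0199", "sector-40", "CarrierY", 20),
    Call("c3", "555-0199", "sector-40", "CarrierY", 30),
    Call("c4", "555-0199", "sector-40", "CarrierY", 40),
    Call("a2", "555-0101", "sector-12", "CarrierX", 90),
    Call("d1", "555-0150", "sector-07", "CarrierX", 100),
    Call("d2", "555-0150", "sector-07", "CarrierZ", 110),
]
```

A single callback (a2) still reaches a dispatcher, while the third and later redials from one handset are sent to the IVR; every call appears in the output with one of the two routes.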