States and counties across the United States are gradually transitioning from legacy 911 systems to allow callers to transmit richer and more detailed information about their emergencies. Staff at 911 call centers, known as public safety answer points, or PSAPs, can then provide that comprehensive information to first responders.
However, as the migration to Next Generation 911 unfolds, and as the networks that feed information to PSAPs become IP-based, there is a growing realization that such systems could become more vulnerable to cyberattacks. The worry is that if NG911 systems are hacked or compromised, they could endanger more lives than they save.
That’s why state and local officials are increasingly focusing on the security needed for such systems. “The doors are going to be wide open,” Wisconsin CIO David Cagigal tells StateScoop. “These organizations are going to have to ramp up in an area they’re very unfamiliar with.”
The Cybersecurity Risks Facing NG911 Systems
As the Department of Homeland Security notes, legacy 911 services that run on voice-based telephone networks and computer-aided dispatch systems often operate on closed, internal networks. They face a lower risk of cyberattack because there are limited points of connection to outside networks.
In contrast, NG911’s interconnections and IP-based nature make them more vulnerable to compromise. “As cyber threats grow in complexity and sophistication, attacks could be more severe against an NG911 system as attackers can launch multiple distributed attacks with greater automation from a broader geography against more targets,” the DHS says.
NG911 systems have several elements vulnerable to attack, including Emergency Services IP Networks, applications and databases.
NG911 systems, according to the DHS, are susceptible to man-in-the-middle attacks, denial-of-service attacks and unauthorized network access. They are also vulnerable to insider threats, attacks from malicious applications and unauthorized data access.
Cybersecurity risks to NG911 systems “have severe potential impacts, including loss of life or property because of hampered response operations; job disruption for affected network users; substantial financial costs from the unauthorized use of data and subsequent resolution; and potential lawsuits from those whose data is breached or whose lives are adversely affected,” according to the DHS.
How to Protect NG911 Platforms from Attack
There are some basic steps that PSAPs can take to improve their cybersecurity posture. Cagigal says he worries about public safety officials’ ability to defend against attacks.
“They don’t have the skills and talents,” he says. “They don’t have a chief information security officer or an IT director to assist them if there is an issue. Next-generation 911 is necessary and very promising, but we must prepare for the eventuality that they’ll be susceptible to everything that’s facing us today. They’re going to be attacked.”
Given the dynamic nature of technology and the evolving cyber risk landscape, the DHS says, public safety organizations should use a cybersecurity risk management process.
That involves identifying new and evolving risks, assessing and prioritizing risks, developing and prioritizing mitigation strategies based on cost-benefit analysis and other factors, evaluating the impacts of mitigation implementation, and developing an approach to detection and effective response and recovery procedures.
The DHS strongly recommends public safety agencies use the NIST Cybersecurity Framework, which is “a flexible, risk-based approach to improving the security of critical infrastructure.”
One benefit of moving to NG11 is that if one PSAP suffers an attack and cannot take calls, others can handle that PSAP’s calls.
“If we have an issue with a PSAP that’s down, we have back-up ways that we can reroute traffic, and the end user never knows that they’re on a secondary versus a primary,” North Carolina CIO Eric Boyette tells StateScoop. “We have the same capability now with the copper, but you have a lot of [telecommunications companies] you have to work with to make sure the traffic is routed all the way through.”