
Page 1: Cyber Threat to Public Safety Communications

Cyber Threat to Public Safety Communications

Kory W. Edwards

Webster University

May 2016


Abstract

Public safety communications are the most crucial point of defense within the communications critical infrastructure (CI) sector. This paper explores the past mistakes, threats, challenges, vulnerabilities and solutions involved in protecting public safety communications systems, so that communications flow from the public to the first responder and all the coordination between them continues. This research paper traces the progression of public safety communications from the 9/11 attacks to modern infrastructure changes and the new threats they pose. Once the vulnerabilities are identified, solutions are offered for them.

Keywords: Cybersecurity, Public Safety Communications, Cyberattack, Communications Security, Disaster Response

Post 9/11 Connectivity Created Ubiquity

Public safety communication vulnerabilities attained prominence in the aftermath of the September 11th, 2001 terrorist attacks. Once the two planes hit the World Trade Center, approximately 55,000 calls went out to the 911 emergency call center, of which 3,000 were received within the first few minutes (Sharp, et al 2011). Cell phone networks promptly became overloaded as well, complicating first responder communications, which typically used cell phones as a back-up to land mobile radio (LMR) systems.

Radio repeaters on the Twin Towers were damaged, and the LMRs used by police and firefighters could not operate at a power strong enough to hear the evacuation calls from within the buildings (Sharp, et al 2011). With the addition of noise, operators talking over each other, incompatible systems, differences in radio jargon and general confusion, public safety communications underwent a significant breakdown during the crisis. America needed a remedy for the future.

Since 9/11, the most common buzzwords in emergency management have been “redundancy” and “interoperability”. Federal funding continues to flow to agencies at all levels of government, Federal, state and local, to procure systems that can operate on the same network or bridge into each other’s networks. The big push for more powerful radios, converters that let cell phones talk to LMRs, audio bridges that link LMR networks into a single channel, converters that merge LMR and other communication platforms into voice-over-IP communication, and broadband communications that ride over the internet have all significantly increased the interoperability and redundancy of public safety communications. But emergency managers often overlook a key fact: connectivity creates ubiquity.

The ability to connect all these platforms together offers many benefits, but every additional component connected to the internet also provides another entry point for cyber-attack. The components linking systems then become single points of failure that a cyber attacker with the right skills can reach from literally anywhere in the world.

Attacks on Public Safety Communications


What is an attractive target?

In the year 2013 alone, there were over 600 instances where citizens were denied emergency services as a result of a cyber-attack; 200 of these attacks directly targeted public safety offices and their systems (Macri 2014). Since 9/11, significant emphasis has been placed on interoperability between agencies and levels of government. Interoperability plans often rely on increased connectivity to the open internet for remote maintenance, remote diagnostics and conversion of signals between networks. Each of these connections offers a cyber attacker an additional access point from which to monitor public safety communications, intercept sensitive data or conduct a cyber-attack.

Aside from the actual public safety communications systems, which are increasingly complex and composed of more secure components, the public’s ability to communicate with 911 services presents a prime target. Cyber-attacks have become so routine that IT professionals and their executive chain no longer focus on individual or repetitive attacks. The sheer volume and variety of penetrations and probes do not garner attention unless there is a significant loss of data or productivity. As Federal funds flow to agencies large and small to improve interoperability and redundancy, few agencies have invested in protecting the public’s link to 911 call centers. As of May 2015, over 200 attacks had been conducted against 911 call centers using a telephone denial-of-service (TDoS) attack (Viebeck 2015). Similar to a distributed denial-of-service (DDoS) attack, the attackers launch a large volume of simultaneous calls to 911, which ties up the system and prevents the receipt of legitimate emergency calls.
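As an added illustration that is not part of this paper, the following Python check scores one-minute windows of 911 call records for the TDoS pattern just described (a large volume of simultaneous calls) and separates it from a genuine call surge during a real incident, which also exceeds capacity but comes from many distinct callers. The record format, thresholds, number of answering positions and sample calls are constructed assumptions, not any call center's real data.

```python
"""Flag telephone denial-of-service (TDoS) floods in 911 call detail records.

Constructed illustration. The record format is an assumption: one call per
line as "<ISO start time>,<calling number>,<seconds connected>". Volume alone
cannot separate a TDoS flood from a real mass-casualty surge, so each window
is also scored on caller diversity and on how many calls drop immediately.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Call:
    start: datetime
    caller: str
    duration: int  # seconds connected; near zero means the caller hung up at once


def parse_cdr(text: str) -> list[Call]:
    """Parse the constructed CDR format, skipping malformed lines."""
    calls = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            calls.append(Call(datetime.fromisoformat(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return calls


def bucket_by_minute(calls: list[Call]) -> dict[str, list[Call]]:
    """Group calls into one-minute windows keyed 'YYYY-MM-DDTHH:MM'."""
    buckets: dict[str, list[Call]] = defaultdict(list)
    for c in calls:
        buckets[c.start.strftime("%Y-%m-%dT%H:%M")].append(c)
    return dict(sorted(buckets.items()))


def assess_window(calls: list[Call], max_positions: int,
                  min_diversity: float = 0.5, short_call_s: int = 10) -> dict:
    """Score one window: over_capacity means more calls than answering positions;
    tdos means over capacity AND synthetic-looking traffic (few distinct numbers or
    mostly instant hang-ups), unlike a genuine surge of many distinct callers."""
    total = len(calls)
    distinct = len({c.caller for c in calls})
    short = sum(1 for c in calls if c.duration <= short_call_s)
    diversity = distinct / total if total else 1.0
    short_ratio = short / total if total else 0.0
    over_capacity = total > max_positions
    return {
        "total": total,
        "distinct_callers": distinct,
        "diversity": round(diversity, 2),
        "short_ratio": round(short_ratio, 2),
        "over_capacity": over_capacity,
        "tdos": over_capacity and (diversity < min_diversity or short_ratio > 0.5),
    }


def detect_tdos(cdr_text: str, max_positions: int = 8) -> dict[str, dict]:
    """Assess every one-minute window in the record set."""
    return {w: assess_window(calls, max_positions)
            for w, calls in bucket_by_minute(parse_cdr(cdr_text)).items()}


def flood_sources(cdr_text: str, max_positions: int = 8) -> list[tuple[str, int]]:
    """Calling numbers behind flagged windows, busiest first (input to carrier-side filtering)."""
    counts = Counter()
    for calls in bucket_by_minute(parse_cdr(cdr_text)).values():
        if assess_window(calls, max_positions)["tdos"]:
            counts.update(c.caller for c in calls)
    return counts.most_common()


# Constructed sample: a quiet minute; a flood minute (30 calls in 60 s from three
# spoofed numbers, each dropped within seconds); and a genuine surge minute
# (15 distinct callers with real call lengths), which must not be flagged as TDoS.
FLOOD_NUMBERS = ["000-000-0001", "000-000-0002", "000-000-0003"]
SAMPLE_CDR = "\n".join(
    [
        "2016-03-01T09:00:05,864-555-0101,143",
        "2016-03-01T09:00:21,864-555-0187,88",
        "2016-03-01T09:00:44,864-555-0233,201",
        "2016-03-01T09:00:58,864-555-0310,65",
    ]
    + [f"2016-03-01T09:03:{2 * i:02d},{FLOOD_NUMBERS[i % 3]},{i % 4}" for i in range(30)]
    + [f"2016-03-01T09:07:{3 * i:02d},864-555-{400 + i:04d},{60 + 5 * i}" for i in range(15)]
)

if __name__ == "__main__":
    for window, verdict in detect_tdos(SAMPLE_CDR).items():
        print(window, verdict)
    print("flood sources:", flood_sources(SAMPLE_CDR))
```

The surge minute is reported as over capacity but not as TDoS, which is the distinction a dispatcher needs before asking the carrier to filter calling numbers.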

The most attractive targets are those that are easiest to access and most likely to cause the biggest effect. These are the ability of the public to call 911, the 911 call center’s ability to receive and process calls, and the single points of failure within interoperable bridge systems.

The Attacks

In recent years, we have seen sporadic attacks on 911 systems, other public safety networks, and the supporting companies and infrastructure. Here is just a small sample:

In early 2016, a cyberattack flooded Spartanburg County, SC non-emergency phone lines and pushed the calls onto the 911 system, which jammed the 911 call center and slowed dispatching in response to emergencies (Stone 2016).

In April 2016, a cyberattack shut down various public safety systems of the Newark Police Department, NJ. The virus used in the attack prevented staff from accessing criminal data and the primary system used to dispatch first responders for 3 days. The police had to use their back-up system until the virus was remediated (Coleman 2016).

In March 2016, a cyberattack flooded VOIP Innovations, a leading provider of voice over IP services, with service requests and denied their customers access to the system. The attack was so intense and so frequent that the FBI considered it a national security threat (Hartmans 2016). Why? Because first responder agencies use VOIP in their primary networks or use components such as the Raytheon ACU-1000 for interoperability. The ACU-1000 converts numerous land-mobile-radio (LMR) and other communications systems to a single VOIP signal, which allows them to talk to each other (Raytheon 2012). This becomes a single point of failure in the management of a mass casualty or major event.

In December 2014, cyber attackers disrupted the emergency 911 system in Indianapolis, IN for several days. The attackers entered the system either directly or by way of an individual computer. Not only did the penetration of the system occur, but the attackers stayed within the system to see how police responded to the incident (Brilliant 2015).

Threat of Secondary Attacks

If the inability to contact emergency services were not concerning enough, the combination of a major terrorist attack followed by a cyber-attack on first responder systems could significantly compound the loss of life. Currently, cyberattacks from terrorist organizations have inflicted minimal damage and mostly consist of nuisance attacks. The concern with cyberattacks being combined with a physical attack within the U.S. relates to both future capabilities and the organizations’ ability to purchase cyberattack capabilities. The Islamic State of Iraq and the Levant (ISIL) obtained significant financial support from oil field seizures and other means. These funds could easily be used to recruit a successful cyber attacker to provide a secondary attack in the aftermath of a physical attack.

Security Challenges of Public Safety Communications

Complacency

Recent mass casualty incidents in previously little-known locations like San Bernardino, CA, Charleston, SC, Colorado Springs, CO, and Fort Hood, TX show us that public safety communications are of concern in places outside the major metropolitan areas that most often receive attention. Many agencies and local governments believe that their city, county or town will never see such an event occur. And they might be right. Especially when facing significant expenses in upgrading their public safety networks, why put forth the effort and funding for a small possibility?

Between frequently changing legal and technological requirements and the massive coordination needed to improve interoperability and continuity between agencies, most heads of agencies are not willing to dedicate the time, manpower and large portion of their budget needed to fix their cybersecurity vulnerabilities (Burger, et al 2016). Public safety officials are not likely to pay close attention to cyber-attacks that happened “over there” in a distant city or state. In fact, many heads of agencies that hire security experts become complacent about the daily threat briefs and worries of their security staff. The security director who constantly cries wolf cannot get the action they need when the threat is significant. So, should a cyber security professional not mention the daily threats? Our society has become tone deaf to the headlines about cybersecurity issues, and our complacency becomes a major challenge in addressing the security needs of public safety communications.

Expense/Funding

Budgets have always been a battle for any security professional. The biggest challenge facing a Chief Information Security Officer (CISO) is normally not identifying the vulnerabilities and solutions, but obtaining the budget necessary to fortify their networks. Take for example the following headlines from just the last year:

How to be a successful CISO without a “real” cybersecurity budget (SEP 2015)

How to calculate ROI and justify your cybersecurity budget (DEC 2015)

Rebalancing your cybersecurity budget with deception technology (APR 2016)

A recent study showed that across all industries, government failed industry-standard security tests the worst. In fact, government agencies fixed fewer than 1/3 of detected cyber-security problems, most often due to budget constraints (Ward 2015). Whereas private companies such as Target have been held financially and legally accountable for data theft, government agencies are often not held to the same standards. The theft of millions of Federal employees’ personal information during the Office of Personnel Management data breach is a perfect example of why government should dedicate more funds to cybersecurity, yet government does not have the same legal and financial incentives to do so as a private company has through litigation risk.

Interoperability

Since 9/11, many agencies have made progress on interoperability between agencies. With the support of the Department of Homeland Security, universal standards of data management, broadband capabilities for voice, data and video, and hardware solutions such as audio bridges and higher-power land-mobile-radio systems have become commonplace. Even joint command centers have sprung up to bring crisis management participants face-to-face when needed.

The increased interoperability comes with its own set of challenges, though. Not every agency can afford to participate in these joint interoperability ventures, due to funding or incompatible systems. Expenses are often prohibitive for smaller or rural agencies using outdated and incompatible systems, meaning they must bear a larger expense in order to become interoperable. Instead, they end up relying on less expensive options such as augmenting LMR networks with broadband. Aside from the broadband cyber vulnerabilities, this option typically uses first responders’ commercial smartphones, which lack mission-critical voice capabilities such as radio-to-radio and one-to-many communications (DHS 2014).

Shared systems between agencies also run the risk of being tied into an agency that has not employed security measures, or that lacks diverse routing or redundancy in electrical power. When agencies lack common security policies and training, one of the agencies might be enabling insiders to accidentally or intentionally disrupt operations or security throughout the shared network.

Vulnerabilities of Public Safety Communications

Next Generation 911 Systems

Today’s trend in 911 systems is the implementation of Next Generation 911 (NG911) systems, which operate over Internet Protocol (IP). These systems offer a wide range of broadband options for voice, data, video and the interconnection of public and private networks. Unfortunately, this new system subjects 911 communications to the significant vulnerabilities that come with an IP-connected system. In order to be functional for a wide array of agencies, these systems require standardized identity management and credentialing system-wide. The use of credentials allows a potential attacker numerous attack vectors and wide-spanning access, which would allow an attack to spread quickly and proliferate across systems (DHS 2015). DHS is of the opinion that these risks do not undermine the benefits of the NG911 system; however, they acknowledge that as attacks increase in complexity and sophistication beyond the TDoS attacks currently used, the system will be more at risk. But such a statement raises two questions: how do we know these more sophisticated attacks do not already exist? And how soon before we begin to see these new attack strategies? By subscribing to a new system with known flaws and multiple chokepoints, and especially by publishing these vulnerabilities, are we not encouraging new attack development?

Reliance Upon Telephony

Modern public safety communications systems rely heavily upon telephony. The New York Police and Fire Departments, for example, operate a dedicated, private LTE carrier using the 2.5 GHz spectrum leased by the Brooklyn Archdiocese (Careless, et al 2011). This subjects the entire New York emergency response to standard LTE attacks on the commodity hardware and software used: rogue base station renegotiation attacks (forcing the communications onto less secure GSM channels), man-in-the-middle (MiM) attacks, jamming, attacks using a stolen secret key (K) obtained from the carrier’s HSS/AuC or the UICC manufacturer, physical attacks on base stations, and availability attacks on the eNodeB and Core (Bartock, et al 2015).

Those public safety communications systems that rely on VOIP communications for interoperability also have significant vulnerabilities to deal with. Internet-bound packets can be intercepted, or significant strain on VPN hardware can cause delays and broken communications. These VOIP systems all lead to virtual chokepoints at gateways and base station control functions (BCFs), and securing them at a firewall is challenging. Other VOIP security issues depend on keeping phones patched and on sound underlying network and operating system security, and include exposure to DoS attacks, packet interception, unsecured open ports, wireless connectivity and spam over IP telephony (Ruck 2010).

The ability to conduct attacks on telephony is not complicated, but it does require specialized equipment that is not difficult to obtain. Especially when dealing with cellular systems, the most secure operating system is the Android or iOS operating system on the phones; however, at least two other operating systems exist on handsets, and they have significantly more vulnerabilities. The baseband operating system controls all functions involving radio frequency (RF) transmission and control. It relies on the signals sent on the downlink from a tower being both secure and direct commands. Shifting an LTE signal to GSM or UMTS, where security flaws are more exploitable, can be done with a cause code 8, which bricks the handset and instructs it to stop looking for LTE. This would knock a first responder’s handset off the secure LTE network, and since most of these specialized LTE systems do not have a GSM channel in their neighbor list, the phone becomes dead at least until it is power cycled away from the rogue base station’s reach.

SIM cards on cellular devices are also a vulnerability. Reverse engineering of a SIM card can grant unauthorized access, or hacking of an authorized SIM card can give a cyber attacker access to about 13% of authorized devices in order to steal data or conduct a TDoS attack from within the specialized network (Anthony 2013).

Shortage of Cyber Security Professionals

Despite all the improving hardware, software, encryption and awareness, and the companies willing to sell and install the latest and greatest in cyber security and cyber defense systems, one final vulnerability remains and is growing: the shortage of cyber security professionals to employ, and acknowledgment of the need for these professionals. Many companies and government entities have shifted their hiring practices to ensure new heads of security are also information security or cyber security trained; however, the fact remains that roughly 300,000 cyber security jobs remain unfilled in the U.S., and that number is likely to grow to over 1.5 million in the next 5 years (Zarya 2016).

This shortage means that public safety agencies must compete for this talent pool with private corporations, which typically offer higher salaries than government entities can afford to pay. The shortage also leads to expansion of the talent pool by hiring foreign cyber security experts or relying on offsite cyber security companies for support through consulting roles or crisis assistance. Hiring foreign professionals runs the risk of terrorist sympathizers infiltrating these agencies to conduct either cyber reconnaissance or an attack. And the hiring of consultants or outside crisis management companies means a delayed response to these attacks, and a response only to attacks that are blatantly noticeable.

What does a public safety agency do about the daily attacks that do not rise to the crisis threshold but could be indicative of probing or planning for a larger attack? How can an agency respond rapidly and effectively if their support is not onsite? It is imperative that we recognize the vulnerability within our employee talent in addition to the hardware and software security issues.

Solutions for First Responder Communications

Communication of Information Via Fusion Center Network

One of the benefits of the actions taken by the Department of Homeland Security after the 9/11 Report was issued was the establishment of a state fusion center network. Federal funding supports these state and major metropolitan area analysis centers, which now exist in every state and territory with the exception of Wyoming. Embedded analysts and liaisons at these fusion centers connect agencies of all levels of government and private sector partners through face-to-face interaction at the center. In addition, useful tools such as Adobe Connect sessions are offered for free through the DHS portals. These communications systems move crisis discussions off the agency’s standard networks and onto an internet-based platform that may not be linked to the victim agency’s networks and is therefore not targeted in the cyber-attack.

Use of these fusion center tools can allow access to key personnel using any device that is able to connect to the internet via cellular or land-based Ethernet connections, regardless of the ISP or connection. Voice, data, messaging and video are all offered on the platform, and through the embedded DHS Intelligence Officers, information can travel rapidly through the fusion center network to other states, localities and centers which may need to prepare for subsequent or simultaneous attacks. These DHS Intelligence Officers have already established rapport and contact with key players within their area of responsibility. This is a significant resource that is often under-utilized.

Network In-A-Box

An alternative cellular back-up solution would be a closed cellular network such as the Multi-Radio Network-in-a-Box system offered by a joint venture between Radisys, Octasic and Quortus (Radisys 2015). This product is a portable cellular base station platform that can handle up to 32 cellular devices per box and is deployable via UAV, vehicle or backpack. It uses 4G/LTE, 3G and 2G air interfaces, allowing any cellular device to connect to it, but allows the agency to restrict which devices can connect to the platform by using whitelist/blacklist authentication.

In order to cover larger distances or urban environments, the system can be deployed with multiple platforms, establishing a crisis-specific cellular channel, frequency and neighbor list. How is this platform different from a carrier platform? It offers the security of being a closed network that does not connect to outside carrier networks. This inhibits a rogue tower or internet attack, since it is detached from public cellular networks. If the frequency were to be intercepted, that frequency can be changed for the authorized devices. A visual log of SMS transmissions between devices can also serve as a time-stamped record of the event management and decisions.

Satellite Backup

There is a common misperception that redundancy and diversity of communications can be achieved through multiple options of terrestrial communications. Unfortunately, this ends up providing diversity of carrier but not of pathway (Bardo 2015). If the entire infrastructure collapses due to a major terrorist attack or natural disaster (as on 9/11), what options remain? This is where satellite communications become essential. Just as satellite communications can be deployed at sea or on a battlefield without significant infrastructure, these satellite communications systems are a fail-safe in a catastrophic event. Modern satellite communications allow for sleeve devices that can be added to off-the-shelf cellular devices to convert them into satellite-capable handsets. Satellite communications should be an integral part of any continuity of operations planning.

Recruitment of Cyber Security Professionals

As mentioned in the vulnerabilities section of this paper, there is a shortage of cyber security professionals. A solution to this problem is to recruit or train IT personnel within the agency to understand cyber security issues. Agency sponsorship of certification courses such as Certified Information Systems Security Professional (CISSP) and Security+, coupled with an employment commitment obligation (to prevent employee loss), could augment the agency’s IT skills.

In addition to training and recruitment, executives must break the complacency mindset and dedicate resources and attention to improving their cyber security status. In government, where loss is not as much of a concern, policies must be adopted to hold government executives accountable in the event that their agency suffers a significant loss of data or service capability.


Conclusion

No public safety communications system is 100% secure from cyber-attack, and no agency has the funding to reach the pinnacle of cyber security. However, it is incumbent upon public safety leadership to seek out solutions to improve their security standing. Lives are on the line and, as we learned during the 9/11 attacks, those lives can be those of first responders and citizens. Communications are the key to an effective disaster response, and our attackers understand that by disrupting these communications they can maximize the effects of their attack. The solutions outlined above are just a few of the possibilities, and as technology evolves, so must our communications defenses.


References

Sharp, K.; Losavio, K. (2011) 9/11, 10 Years Later. PSC Online. Retrieved from: http://psc.apcointl.org/2011/09/06/911-10-years-later

Macri, G. (2014) Emergency services like 911 no longer cyber-safe, GAO reports. TheDailyCaller.com. Retrieved from: http://dailycaller.com/2014/01/30/emergency-services-like-911-no-longer-cyber-safe-gao-reports/

Viebeck, E. (2015) DHS: 911 Call Centers Vulnerable to Cyber-Attack. TheHill.com. Retrieved from: http://thehill.com/policy/cybersecurity/241442-dhs-911-call-centers-vulnerable-to-cyberattack

Stone, A. (2014) Cyberattack: The Possibilities Emergency Managers Need to Consider. EmergencyMgmt.com. Retrieved from: http://www.emergencymgmt.com/safety/Cyberattack-Emergency-Managers.html

Coleman, V. (2016) Cyber Attack Temporarily Shut Down Newark Police Computer Systems. NJ.com. Retrieved from: http://www.nj.com/essex/index.ssf/2016/04/cyber_attack_shuts_down_newark_police_computer_sys.html

Hartmans, A. (2016) VOIP Innovations Suffers Cyberattack. Pittsburgh Business Times. Retrieved from: http://www.bizjournals.com/pittsburgh/news/2016/03/17/voip-innovations-suffers-cyberattack.html

Raytheon (2012) ACU-1000 Datasheet. PSI Company. Retrieved from: http://www.psicompany.com/man-prod-info/Raytheon-JPS/Control-Equipment/ACU-1000/ACU-1000-Datasheet.pdf

Brilliant, J. (2015) Hackers Target Indianapolis 911 Center. WTHR.com. Retrieved from: http://www.wthr.com/story/27897557/hackers-target-indianapolis-911-center

Burger, E.; Welch, T. (2016) Complacency in the Face of Evolving Cybersecurity Norms is Hazardous. Legaltech News. Retrieved from: http://poseidon01.ssrn.com/delivery.php?ID=043105127121025125091072004094094121009036000082061091106021001025111012023083073011120058100122042024053114071112012074111076020090034037034099070121099092071065042046000000077125102095114095093001086003092000106100109001126026102125106089113097006&EXT=pdf

Ward, M. (2015) All Industries Fail Cybersecurity, Govt The Worst. CNBC.com. Retrieved from: http://www.cnbc.com/2015/06/23/all-industries-fail-cybersecurity-govt-the-worst.html

Department of Homeland Security (DHS) (2014) The Hybrid Public Safety Microphone (Turtle Command) Land Mobile Radio Converging with Broadband. Retrieved from: https://www.dhs.gov/sites/default/files/publications/The%20Hybrid%20Public%20Safety%20Microphone-Turtle%20Command-Land%20Mobile%20Radio%20Converging%20with%20Broadband_0.pdf

Department of Homeland Security (DHS) (2015) Cyber Risks to Next Generation 911. Retrieved from: https://www.dhs.gov/sites/default/files/publications/NG911%20Cybersecurity%20Primer%20FINAL%20508C%20(003).pdf

Careless, J.; Bischoff, G. (2011) What a Difference a Decade Makes. Urgentcomm.com. Retrieved from: http://urgentcomm.com/networks-amp-systems-mag/what-difference-decade-makes

Bartock, M.; Cichonski, J.; Franklin, J. (2015) LTE Security – How Good Is It? National Institute of Standards and Technology (NIST). Retrieved from: http://csrc.nist.gov/news_events/cif_2015/research/day2_research_200-250.pdf

Ruck, M. (2010) Top Ten Security Issues Voice Over IP (VOIP). Designdata.com. Retrieved from: http://www.designdata.com/wp-content/uploads/sites/321/whitepaper/top_ten_voip_security_issue.pdf

Anthony, S. (2013) The Humble SIM Card Has Finally Been Hacked: Billions of Phones at Risk of Data Theft, Premium Rate Scams. Extremetech.com. Retrieved from: http://www.extremetech.com/computing/161870-the-humble-sim-card-has-finally-been-hacked-billions-of-phones-at-risk-of-data-theft-premium-rate-scams

Zarya, V. (2016) How These Mormon Women Became Some of the Best Cybersecurity Hackers in the U.S. Fortune.com. Retrieved from: http://fortune.com/2016/04/27/mormon-women-cybersecurity/

Radisys (2015) Radisys, Octasic and Quortus Partner to Deliver a Multi-Radio Network-in-a-Box for Defense and Public Safety Sectors. Radisys.com. Retrieved from: http://www.radisys.com/press-releases/radisys-octasic-and-quortus-partner-deliver-multi-radio-network-box-defense-and-public-safety

Bardo, T. (2015) Why Public Safety Plans Should Include Satellite Communications. Hughes.com. Retrieved from: http://www.hughes.com/resources/why-public-safety-plans-should-include-satellite-communications?locale=en