Cyber Security – One Click Away from Digital Destruction

Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. In our November Special Feature, Pyramid’s Project Manager and award-winning former 911 Director, Gary Bates, discusses the importance of protecting Emergency Communication Centers from cyber-attacks.

October was Cybersecurity month and critical information was distributed by the federal government on a larger view of cybersecurity. In this article, we are going to take another look at it, but with more of a view from a personal and business level within Emergency Communications Centers (ECC’s). We will look at where we are and where we need to go to protect ourselves and our ECC’s.

The title of this article says it all: in the world of cybersecurity in the ECC’s, Digital Destruction can be just one click away. It is frightening at best, but we need to take the initiative and not wait until we or our ECC’s become victims.

One of the largest cybersecurity attacks on the American infrastructure occurred when a pipeline was compromised through a former employee’s compromised password. The company never deactivated the former employee’s account, and cybercriminals were able to launch a ransomware attack on the company using the former employee’s stolen credentials. Other major attacks include the one on Target stores, which released personal information on shoppers. It started when an air conditioning unit was remotely accessed, and the store’s network was compromised because they did not have a firewall enabled to stop intrusion from the online monitoring device. These are only two examples of dangerous cyber-attacks which could have been prevented with up-to-date employee accounts and proper firewalls.

The need for cybersecurity came about through the Industrial Revolution. The first industrial revolution used water and steam power to mechanize production. The second revolution followed with the use of electric power for mass production. The third revolution used electronics and information technology to automate production. Now we are in the fourth revolution, characterized by a fusion of technologies which blurs the lines between the physical, digital, and biological spheres. Welcome to the Digital Revolution and the need for cybersecurity.

In our critical services areas, ECC’s are quickly becoming a mainstay for hosted and cloud computers. Remember, the ECC is a system of systems, so all systems must be protected. Everything from hosted or cloud solutions to workers checking their private emails on work machines has increased the threat. To prevent cyber-attacks, you must stop allowing employees to check personal emails, stream, shop, or plan a vacation on company computers. Give them Wi-Fi access so they can use their own devices, such as a cell phone or tablet.

Additional measures to reduce the cybersecurity threat include multi-factor authentication, training on cyber security, and software updates. In your cybersecurity training, the goal is simple operations. Do not make them so complex or cumbersome the employees cannot or will not follow.

Another method is to make sure your systems are on separate networks and cannot all be penetrated by one attack. The backbones of 911, radio, and CAD must operate on separate networks. While premise-based CAD normally resides on the county or city network, a hosted or cloud-based CAD can separate this critical function. Keeping these systems separate protects them from a complete infrastructure failure or hack.

Another simple method is to not allow cell phone users to plug into network systems to recharge their devices. Cell phones are computers and if the cell phone has been compromised it can easily allow the hacker to gain access to the company network. Design or install charging stations that only connect to a power source, not network connections.

Complete a cybersecurity audit to check your compliance with state and federal requirements, and then have an outside cybersecurity company review your findings and system to get a multi-level view of compliance. System monitoring must be accomplished either by the system owner or an outside agency. Anti-virus software is the first step to ensure the lowest level of protection. Data integration must be a local decision, and one process will not fit all. Tailor it to your individual needs.

Do not hinder the procurement of a system by establishing unrealistic expectations or requirements on cybersecurity. When completing an RFP, include cybersecurity and your Software Licenses or SLA to ensure updates are provided and the system is monitored. However, when purchasing systems, use the Power of the Purse to make vendors comply with cybersecurity requirements. Cloud procurement by call volume, not positions or devices, is important as remote workplace environments utilize multiple devices on an as-needed basis.

A change in thinking must also occur in your planning and purchasing of systems. Concentrate less on long-term capital expenditures and develop your operational budget to plan for yearly updates. Move from Capital Expenditures (CAPEX) to Operational Expenditures (OPEX) planning.

The move for most companies and agencies is to the cloud environment. Types of cloud environments include public, private, and government. Public clouds could include Amazon Cloud Services or Microsoft Azure. Private clouds are within the company for their use only. Government cloud is not the government running your cloud but ensuring it meets federal security guidelines. When determining your operating environment, remember the Cyber security acronym is CIA or Confidentiality, Integrity, and Access to systems.

If you have a cyber-attack, take these immediate steps: notify users of the attack by a different notification system; instruct them on what to do, as they will not remember, especially if they only do annual training; and keep them updated on when it is safe to continue operations.

If you are in the Emergency Communication Center, make sure everyone is trained in and familiar with the use of non-automated procedures such as run cards and maps showing district responses for police, fire, and EMS.

Make sure you have a Crisis Communications Plan so everyone knows what to do if connections are lost and access is denied or degraded. This plan needs to cover all your critical systems, such as phone (both emergency and administrative systems), computer-aided dispatch, and radio operations. Lastly, the internet in general is being utilized to run a wide range of web-based programs, interfaces, and services, and can easily be shut down by the hacking of your system.

Cybersecurity is needed to protect and defend individuals or organizations from losing critical and personal data which could cause a public challenge to its operations and reputation. Cybersecurity training is raising awareness of a specific or general threat, how to react to the threat, and specific behaviors to reduce the threat.

Remember, in this internet-connected world, the hacking of a system may not be specific to your system but may hit the overall internet or phone systems, so your plan needs to address the processes to follow if outlying systems are affected.

Another important step is to protect your data with a backup to the backup. Do not rely on one backup, and do not rely on a single fiber or microwave system; a second path further protects you from a service slowdown. Another example of maintaining connection: if you are using a mesh network for wide-area coverage, make sure it includes multiple frequencies in case one is degraded or becomes unusable. Do not forget to evaluate all your backup systems to ensure backups are being completed, are properly maintained, and can be reloaded into the system with a minimum of disruption or loss of data. You may lose data since the last backup, but you will not lose historical data which is more than 24 hours old.

You can avoid being a victim through simple cybersecurity training and procedures. No system is completely safe, so if you are compromised, have a plan in place to notify users, instruct them on what to do, and keep them updated to protect them from further loss and harm.
