Mission-Critical Networks Face Increasing Cybersecurity Threats
Tuesday, April 21, 2015

As the nation’s 9-1-1 and critical infrastructure networks evolve from closed systems to IP-based systems, including next-generation 9-1-1 (NG 9-1-1) technology, they take on new cybersecurity risks.

Both regional and state emergency services IP networks (ESInets) as well as customer premises equipment (CPE) may become attractive targets for hackers, said Jason Jackson, executive director of the Alabama 9-1-1 Board, which recently completed a study of cybersecurity risks to the Alabama Next Generation Emergency Network (ANGEN). Jackson shared some of the state’s lessons learned during a National 911 Program presentation.

The United States is the most hacked country in the world, accounting for about 37 percent of all hacking attempts, said Jackson. Government agencies are targeted more often than individuals, companies or other organizations, with more than one-quarter of hacking attempts directed at government networks.

A sizeable percentage of hacking attempts are distributed denial of service (DDoS) attacks intended to shut down a targeted network. This is of particular concern to public-safety answering points (PSAPs), which have already been targeted by DDoS attacks.

On the surface, 9-1-1 networks don’t seem to offer much in the way of information or tools that hackers could exploit because they don’t house sensitive information such as credit card numbers or social security numbers, said Jackson. However, in addition to DDoS attacks, 9-1-1 networks face several threats from hackers, including:
• Discovery and abuse of a PSAP’s 10-digit trunk number
• Spoofing of VoIP automatic location identification (ALI) records or of session initiation protocol (SIP) signaling
• Abuse of the DTMF tones used for internal call transfers
• Harvesting of first responder pager and short message service (SMS) numbers
• Exploitation of real-time location data for field units from automatic vehicle location (AVL) systems
• Harvesting of information about vulnerable citizens
• Publication of compromised data during lawsuits
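Two of the threats above, INVITE floods against a PSAP and spoofed SIP signaling, leave traces in SIP call logs that an ESInet operator can inspect. The following is an added illustration written for this article, not code from the Alabama 9-1-1 Board, ANGEN or any vendor. It assumes a simple one-line-per-message log format (epoch seconds, source IP, then the SIP request line and headers separated by `|`), documentation-range IP addresses and hostnames, and tuning values for the window and threshold; all of these are assumptions, and the sample log is constructed inline.

```python
"""Flag SIP INVITE floods and spoofing indicators in constructed ESInet call logs.

Illustrative monitor only (not the Alabama 9-1-1 Board's code). The log format,
thresholds, addresses and hostnames below are assumptions for this example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

FLOOD_WINDOW_S = 10      # sliding window length in seconds (assumed tuning value)
FLOOD_THRESHOLD = 20     # INVITEs from one source inside the window before alerting

REQUEST_RE = re.compile(r"^([A-Z]+)\s+sip:\S+\s+SIP/2\.0$")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9\-]*):\s*(.*)$")
URI_HOST_RE = re.compile(r"sip:(?:[^@>\s]*@)?([A-Za-z0-9.\-]+)")


@dataclass
class SipEvent:
    ts: float
    src_ip: str
    method: str
    from_host: str   # host part of the From URI (what the caller claims)
    via_host: str    # host in the top Via header (where the request says it came from)


def parse_line(line: str) -> SipEvent:
    """Parse 'ts src_ip REQUEST|Header: value|...' (assumed log format) into a SipEvent."""
    ts, src_ip, raw = line.split(" ", 2)
    parts = raw.split("|")
    m = REQUEST_RE.match(parts[0].strip())
    if not m:
        raise ValueError(f"not a SIP request: {parts[0]!r}")
    headers = {}
    for part in parts[1:]:
        h = HEADER_RE.match(part.strip())
        if h:
            headers.setdefault(h.group(1).lower(), h.group(2).strip())
    fm = URI_HOST_RE.search(headers.get("from", ""))
    via_host = ""
    fields = headers.get("via", "").split()
    if len(fields) > 1:                       # "SIP/2.0/UDP host:port;branch=..."
        via_host = fields[1].split(";")[0].split(":")[0]
    return SipEvent(float(ts), src_ip, m.group(1), fm.group(1) if fm else "", via_host)


def invite_floods(events):
    """Return {src_ip: peak INVITE count} for sources that exceed FLOOD_THRESHOLD
    INVITEs inside any FLOOD_WINDOW_S window. Events must be in time order."""
    windows = defaultdict(deque)
    peaks = {}
    for ev in events:
        if ev.method != "INVITE":
            continue
        q = windows[ev.src_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > FLOOD_WINDOW_S:
            q.popleft()
        if len(q) > FLOOD_THRESHOLD:
            peaks[ev.src_ip] = max(peaks.get(ev.src_ip, 0), len(q))
    return peaks


def spoof_indicators(events):
    """INVITEs whose From host matches neither the top Via host nor the source IP.
    Calls relayed through a carrier proxy legitimately differ as well, so these
    are review items for the PSAP, not proof of spoofing."""
    return [ev for ev in events
            if ev.method == "INVITE" and ev.from_host not in (ev.via_host, ev.src_ip)]


def constructed_log():
    """Constructed sample: three normal calls from a carrier gateway, then a burst of
    30 INVITEs in under six seconds from one host claiming three other networks."""
    lines = []
    for i in range(3):
        lines.append(f"{1000 + i * 30} 203.0.113.10 INVITE sip:911@esinet.example SIP/2.0"
                     f"|Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK{i}"
                     f"|From: <sip:+12055550{i:03d}@203.0.113.10>;tag=a{i}"
                     f"|To: <sip:911@esinet.example>|Call-ID: legit{i}@203.0.113.10")
    for i in range(30):
        lines.append(f"{1100 + i * 0.2:.1f} 198.51.100.7 INVITE sip:911@esinet.example SIP/2.0"
                     f"|Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKf{i}"
                     f"|From: <sip:+1205555{i:04d}@carrier{i % 3}.example>;tag=f{i}"
                     f"|To: <sip:911@esinet.example>|Call-ID: flood{i}@198.51.100.7")
    return lines


def analyze(lines=None):
    """Run both detectors over a log (defaults to the constructed sample)."""
    events = [parse_line(l) for l in (lines if lines is not None else constructed_log())]
    return invite_floods(events), spoof_indicators(events)


if __name__ == "__main__":
    floods, spoofs = analyze()
    for ip, peak in floods.items():
        print(f"INVITE flood from {ip}: {peak} INVITEs within {FLOOD_WINDOW_S}s")
    print(f"{len(spoofs)} INVITEs with From/Via/source mismatch flagged for review")
```

On the constructed log the flood detector reports the single burst source and the spoof heuristic flags only that source's INVITEs, while the three gateway calls pass both checks. In a real ESInet the mismatch check needs an allow-list of known carrier proxies and ALI/location validation alongside it, since the SIP From header is caller-supplied and cannot be trusted on its own.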

As increasing amounts of information are transferred over NG 9-1-1 networks, harvesting — the practice of gathering seemingly benign information that can then lead to more valuable information — could become an increasing concern. For instance, 9-1-1 networks may house a person’s name, phone number and address, information that can get a hacker three steps closer to finding a credit card number or social security number, said Jackson.

The potential for medical records and other personal information to be transferred over NG 9-1-1 networks also raises concerns. Jackson said the public-safety industry can learn lessons from other industries, especially the health care industry, which has already evolved to newer network technologies and continues to be a large target for cyber attacks.

Hacker Activity

To predict and mitigate security threats, understanding hacker behavior is key, said Jackson. In general, the motivation for hacking falls into one or more broad categories, including to make money, for political reasons, to steal information, to conduct warfare activities, or for the challenge and bragging rights.

The process of hacking into a network can take many forms but generally follows several steps. First, the hacker uses reconnaissance techniques to read network traffic and then uses the information gathered to look for open ports or vulnerabilities in the network. Once a vulnerability is found, hackers gain access to the network and install malware to achieve their objectives, Jackson said. In many cases, hackers will look for ways to maintain access to the network by installing backdoors into the system. Finally, hackers will try to cover their tracks by removing the tools and files they used to gain access to the network.

Research shows that once a network has been hacked, it takes an average of 205 days to detect the hack, said Jackson. In more than two-thirds of cases, the breach is discovered and reported by an external party rather than found internally.

The Alabama 9-1-1 Board worked to understand the weaknesses and vulnerabilities in its networks by essentially hacking into its own system. The board then developed a color-coded system that depicted the severity of the threats it uncovered.

During the study of its network vulnerabilities, ANGEN experienced an outside breach. The system is highly integrated with other government systems, including public schools and universities, said Jackson. A university student trying to hack into the school’s system eventually gained access to the 9-1-1 network and attempted to launch a DDoS attack.

In response, ANGEN increased its firewalls, updated all of its routers and has a plan to isolate breaches and shut down affected PSAPs until the problem can be solved, said Jackson.

Some of the best practices developed by the Alabama 9-1-1 Board to mitigate cybersecurity threats include:
• Using robust authentication
• Keeping antivirus software up to date
• Continually training personnel
• Employing multiple layers of security
• Proxying all port 80 (HTTP) traffic
• Ensuring proper design of network architecture and proper configuration of all computers, network devices and tools
• Performing routine security assessments
• Increasing resources for battling cyber threats

“To me our biggest concern is always at the PSAP level,” said Jackson. “The likelihood of getting to the network is slim to none. The biggest concern is getting through to a PSAP. I always say my No. 1 fear is that we are one flash drive and one USB port away from shutting this whole thing down.”

Critical Infrastructure Threat

Cybersecurity threats to critical infrastructure networks are also increasing, according to a new study by the Organization of American States (OAS) and Internet security company Trend Micro titled “Report on Cybersecurity and Critical Infrastructure in the Americas.” Fifty-three percent of respondents said they have experienced an increase in incidents directed at their computer systems, and 76 percent said incidents are becoming more sophisticated.

As critical infrastructure organizations look for ways to use IP networks to improve operational functions, such as site monitoring and management, that Internet connectivity has increased vulnerability to destructive cyber attacks, said the report. According to the report, the government and energy sectors are the top two industries that experience destructive attacks, followed by communications, finance and banking, security, and manufacturing.

Respondents to the survey said spear-phishing tactics, which use email spoofing to attempt to access confidential data, are the biggest attack method they face. Exploiting unpatched vendor software vulnerabilities is a distant second. Other attacks reported by respondents include DDoS attacks, SQL injection, cross-site scripting, hacktivist-originated attacks and advanced persistent threats (APTs).

Trend Micro said it has observed an increasing use of malware to compromise supervisory control and data acquisition (SCADA) systems. The trend has manifested itself as both malware disguised as valid SCADA applications and malware used to scan and identify specific SCADA protocols.

“While the reason for this scanning has not been determined, the purpose is likely intelligence gathering for industrial espionage or future targeting for an attack,” said Trend Micro. “We have observed increased interest in SCADA protocols, attacks and malware and expect this trend to continue.”

The report is available here.