Public Safety’s Biggest Cybersecurity Challenge: Legacy Equipment
Tuesday, January 12, 2016
The FCC’s Public Safety and Homeland Security Bureau (PSHSB) and the Interdisciplinary Telecom Program (ITP) at the University of Colorado at Boulder hosted a joint summit last month to discuss cybersecurity issues affecting public-safety and commercial networks.

“It is critically important that as these networks converge around IP that we are conscious that there are people in the world that would like to do us harm and would like to couple cyber attacks with physical attacks,” said PSHSB Chief David Simpson during opening remarks at the summit. “We must ensure that we are not opening up our public-safety communications networks — at a time when we are adding wonderful new functionality — to an attack that could manifest itself half a world away.”

Panelists described several challenges public-safety and critical-communications networks face, as well as vulnerabilities that could emerge as networks transition to next-generation technologies.

“Budgets are fixed,” said Simpson. “No one has enough money to do everything they want to do to provide basic functionality today let alone address new functionalities associated with cybersecurity.”

Legacy equipment is one of public safety’s biggest cybersecurity vulnerabilities, panelists said. Existing network equipment is rarely upgraded to incorporate security enhancements, and agencies that are now looking toward next-generation technologies are increasingly reluctant to invest in security upgrades for equipment they are planning to replace.

High availability requirements on critical networks also make it difficult, if not impossible, to install patches that could bolster security. In addition, when a breach occurs, it isn’t possible to shut down part of the network to isolate the problem because that could mean disrupting first responder communications.

Vern Mosley, chief cybersecurity engineer with PSHSB, said public safety should take a lesson from the airline industry. When an issue happens during a flight, pilots must isolate the problem while the plane continues to fly. Public safety should have a similar goal when planning how to address security breaches on networks that can’t be taken offline, he said.

As with any network, human factors create the biggest threats to security. Identity management is particularly important for public-safety communications, especially as smart devices proliferate among first responders, said panelists. But identity management creates unique issues for public safety, because while devices need to be secure enough to keep bad actors from accessing them, they also need to be easily accessible to first responders. Requiring a police officer to enter a password repeatedly to log on to the network is not realistic. Biometrics is one possible solution to identity management in public safety, but it is not without its own set of issues.

Another unique cybersecurity challenge faced by public safety is the highly federated and decentralized nature of the nation’s public-safety answering points (PSAPs) and first responder agencies.

“Colorado has 95 PSAPs,” said Brian Shepherd, broadband program manager for the state of Colorado. “There are 1,400 public-safety entities, all with their own network connections. When you talk about mandating security standards, do we have the legal authority to do that? Some will say you have no ability to tell me what to do.”

Next-generation networks will bring their own cybersecurity threats. One of the advantages of broadband networks is their ability to facilitate the transfer of multimedia files, often touted as a tool to simplify and improve a variety of first-responder functions. However, there also is the potential for malware and viruses to be embedded in multimedia files that could then be forwarded to 9-1-1 call centers and first responders. Panelists stressed the importance of finding a way to automatically scan incoming multimedia files to ensure they are safe before they are delivered, because call-takers and first responders don’t have time to scrutinize incoming data to make sure it is secure.

Next-generation networks also will incorporate countless sensors — the Internet of Things (IoT) — that function independently and don’t have anybody watching them for security breaches. In addition, devices store personal information and represent an attractive target for cyber threats.

“I think it is important as the industry develops 5G to recognize that and incorporate strategies for combating threats,” said Simpson.

A final challenge is the transition from an environment that historically was dominated by a single vendor and proprietary technology to one of many vendors supplying different pieces of the network and applications that will run on it. This will require agencies to define best practices and preferences for managing all of those relationships to ensure security requirements are met across the board.

As next-generation networks and technologies begin to emerge, security needs to be “baked in” from the start, said the panelists.

Security is a key component of several recent public-safety communications initiatives, including the Third Generation Partnership Project’s (3GPP) Long Term Evolution (LTE) Release 12 and the First Responder Network Authority (FirstNet) nationwide public-safety broadband network request for proposals (RFP). A large chunk of the FCC’s Spectrum Frontiers order, which seeks to develop use of spectrum bands above 24 GHz for mobile radio services, addresses cybersecurity directives.

Because of widespread budget constraints as well as the disparate nature of U.S. public-safety communications, agencies need to think about cooperation and information sharing as effective ways to address cybersecurity going forward, said Simpson.

Effective security efforts will require agencies to evaluate what they are capable of handling in house, what they need to outsource to security-focused companies and organizations, and what they can gain by sharing information and resources with other agencies. Information sharing is key because it can provide details and trends that will help agencies anticipate cyber attacks rather than reacting to them after a breach.

Shared services and networks also can reduce the attack surface of IP networks. The FCC’s Task Force on Optimal Public-Safety Answering Point Architecture (TFOPA) included a working group focused on next-generation cybersecurity considerations and released recommendations that include development of emergency communications cybersecurity centers (EC3).

Public-safety agencies must determine what level of security they need. While end-to-end security sounds great, in reality it could degrade network performance and introduce latency.

“Not all encryption is created equal,” said Simpson. “For public safety, in some respects the data is actually secondary to the transaction because you have a bias toward availability. What I think we need to look at is an architecture with just enough encryption for the function we are trying to achieve without negatively encumbering the mission we are trying to achieve.”

Panelists also emphasized the need to build a security workforce, including investing in education initiatives and developing career paths that employees can understand and commit to. Several panelists said it is difficult for agencies to find and retain skilled cybersecurity employees, and a larger pool of potential employees is needed. Efforts to educate the next generation of security personnel should start in middle school and high school science, technology, engineering and math (STEM) programs and continue at the university level, where the public sector should partner with schools to develop cybersecurity curriculums, panelists said.


On 2/10/16, James B. Parson said:
I heard a lot about cloud computing and its role in operating users' data. It's convenient and safe for personal data. Is it safe enough for business data that is hacked much more often than personal data? I know that virtual Ideals data rooms are trusted and protected enough for this purpose, but still I have some doubts.

On 1/14/16, Leon van der Linde said:
Biometrics fingerprint scanning is not as reliable as the industry is trying to tell everybody.
For the past 25 years I cannot use fingerprint scanners as they do not see my fingerprints. You can print them in the old way but believe me a scanner does not see them. I cannot enter high-security customers' premises with biometric scanners. Driver's license renewal is a nightmare. My company had to change our security access because of this. My PC had to be changed because of this. Be very careful with biometric scanners. It could be a big embarrassment.
