Few would argue the overall advantages of NG9-1-1, and a few groups are working to protect the operations of the next generation of technology by employing cyber security measures. Cyber security entails keeping an organization’s mission critical infrastructure or systems and their information safe, secure and available.
One of the groups at the forefront of cyber security is the National Emergency Number Association (NENA), which will soon be completing the development of security standards for NG9-1-1. These standards, referred to as NG-SEC, will apply to all 9-1-1 call centers, telephone companies, vendors, content providers and organizations implementing the most advanced networks and systems. The first comprehensive cyber security standards for the public safety industry, NG-SEC is an attempt to provide standards for ensuring the security of 9-1-1 during and after the transition to NG9-1-1 as well as raise the prominence of security within the public safety community. FE/Kimball recently surveyed and received responses from approximately 100 directors and managers of local 9-1-1 systems; representatives of police, fire and sheriff’s departments; and personnel from emergency management agencies to try to determine the extent of the new technology-related issues they were experiencing. The firm’s research revealed:
- More than one in five of these agencies (22%) were already implementing a next generation 9-1-1 system.
- Two-thirds (66%) of the others were in the planning stages for NG9-1-1.
When asked if they had experienced problems with cyber security over the past 24 months, 62% indicated that indeed they had. Moreover, these problems had resulted in outages or system downtime for well over half (54%) of the respondents. Among the most common issues were:
- Infiltration of viruses into their computer systems (18%)
- A failure that required the agency to restore its computer system from a backup source (17%)
In other instances, an employee had damaged computer systems or an outsider had tried to hack into the agency’s system—and sometimes succeeded.
Anecdotally, the agencies reported a range of incidents that impacted their ability to deliver emergency assistance to the public. Among the accounts from individual departments were reports of:
- A virus infecting at least two computers because of the activity of an employee on the Internet
- A total radio outage resulting from the loss of a T1 line’s connectivity, producing a chain of events that uncovered a software glitch in the trunk controllers
- A hacker entering the system and changing a hyperlink on the department’s Web site to that of an adult site’s address, despite the presence of firewalls, routers and security software
- A virus and spyware attack on a computer running the computer aided dispatch (CAD) system and numerous law enforcement software applications. This attack was the consequence of an employee using the Internet on that machine in contradiction to policy
- A CAD vendor logging in remotely and transmitting a virus to the system
- A virus on the network that targeted computers without the most recent security patches
- A virus received via e-mail from an unknown sender and another incorporated into a file
- Server software issues that unexpectedly rebooted the entire 9-1-1 system
- Accidental deletion of more than half of a user database by a third party administrator
All of these issues occurred despite the fact that 70% of the respondents indicated that they feel cyber security is an extremely important matter when migrating to NG9-1-1. Their biggest concern (56%) is system downtime, which can become a life-or-death situation for the community. A quarter of the respondents (25%) were most concerned about virus infections and 12% felt uneasy about being hacked.
One interesting finding was that more than 18% of respondents reported that a virus threatened the normal operation of their legacy 9-1-1 architecture. Cyber security needs to not only be addressed as a component of the NG9-1-1 transition, but also needs to be a consideration for closed network systems. 9-1-1 agencies need to begin planning, budgeting and securing funding for cyber security even before they’ve implemented NG9-1-1. Anti-virus software is an initial safeguard that can be implemented early on to help address cyber security for closed network systems.
The 9-1-1 department heads reported installing a number of cyber security safeguards:
- More than 96% have system backups
- 91% use firewalls (hardware or software that bars malicious traffic from networks)
Only 19%, however, employ penetration testing to determine the extent of their system’s vulnerability.
Perhaps of even greater concern is that 89% have not yet begun budgeting for the new NENA NG-SEC security standards (in part because the standards were not ready as of the end of 2009). The result can be a rush to implement systems and networks complying with the new standards but with only a limited budget. Those factors can become a recipe for lax cyber security unless planning the protection of the new technology is integrated into the process from the start.