SoS Musings #49 - 911: We Have a Cybersecurity Emergency

SoS Musings #49 -

911: We Have a Cybersecurity Emergency

The three-digit telephone number "911" is known as the "Universal Emergency Number" for U.S. citizens to request emergency assistance. It is intended to be a nationwide telephone number that citizens can use to receive fast and easy access to a Public Safety Answering Point (PSAP), also known as a Public Safety Access Point, which is a 24-hour facility responsible for receiving 911 calls and dispatching emergency services, or transferring 911 calls to other public or private safety agencies. 911 serves as the public's lifeline for medical, fire, and police services. There are currently more than 6,000 PSAPs or 911 call centers throughout the United States. According to the National Emergency Number Association (NENA), an estimated 240 million calls are made to 911 in the U.S. per year, averaging out to over 600,000 calls per day. However, as emergency systems and networks grow more interconnected, and call centers become more dependent on information technology to conduct daily operations, the risk of disruption or the unavailability of 911 services due to cyberattacks increases.

Multiple incidents have drawn attention to the vulnerability of 911 systems to different types of cyberattacks. Baltimore's 911 dispatch system had to be shut down temporarily due to a ransomware attack. A server running the city's Computer Aided Dispatch (CAD) system was infiltrated in the attack, forcing 911 calls to be temporarily transitioned to manual mode for over 17 hours. This was significant as the system automatically populates 911 callers' locations on maps and dispatches emergency responders closest to the callers more seamlessly than manual dispatching. Further investigation of the incident found that this attack was the result of an inadvertent firewall change and an opened port or channel to the Internet during the troubleshooting of a separate communications issue with the CAD server. More recently, another ransomware attack disrupted 911 dispatching in the New York Capital Region. A CAD system shared by Albany, Saratoga, and Rensselaer counties was compromised in the ransomware attack. The Schuyler County Sheriff's Department in New York was hit with another cyberattack that temporarily crippled its 911 emergency system and its ability to dispatch deputies. In this attack, the hackers gained access to the upstate police agency's communications system by performing brute force attacks, where different password combinations are tried until the correct one is found. A teenage hacker in Arizona's Maricopa County was charged for the launch of a Telephony Denial-of-Service (TDoS) attack that flooded 911 call centers located in 12 different U.S. states, including Arizona, California, and Washington, with fake phone calls via compromised cell phones. The 18-year-old was reported to have been behind the creation and distribution of malware used to infect the iPhones weaponized in the TDoS attack against the emergency call centers. Such incidents call for further exploration of strategies for preventing cyberattacks on 911 systems.

There have been advancements in emergency communications technology, such as Next Generation 911 (NG911), which has brought many benefits to the public, PSAPs, and responders in the field while also increasing the risk of cyberattacks. NG911 is an Internet Protocol (IP)-based 911 system that improves upon the capabilities of traditional 911 networks as it allows the public to share videos, images, texts, and other richer, more detailed data with 911 centers or PSAPs, accommodating how people primarily communicate through mobile and digital devices today. This new technology allows PSAPs to accept and process data from other transmitting devices such as wearable medical devices, building alarm systems, and car computers. NG911 increases the speed of network communication and enables call load sharing among different PSAPs, which is significantly beneficial in the case of mass casualty incident or a natural disaster. In such cases, NG911 makes it possible for calls to be automatically transferred and processed by another available 911 call center when a PSAP becomes overwhelmed by calls. The transmission of valuable information via NG911 to PSAPs will enhance situational awareness and help responders make more informed decisions. Although NG911 provides new benefits, it also presents new attack vectors that cyber threat actors can use to disrupt or disable PSAP operations. There are various cyber risks to NG911 systems, such as Denial-of-Service (DoS) attacks, Man-in-the-Middle (MITM) attacks, TDoS attacks, unauthorized network access, and more. Many U.S. states are now planning for and making a move to NG911, which calls for the development and evaluation of techniques that can help prevent and protect NG911 systems against cyber threats.

A study conducted by researchers at Ben-Gurion University (BGU) brought further attention to the vulnerability of NG911 services to cyberattacks, particularly Distributed Denial-of-Service (DDoS) attacks in which a malicious actor attempts to overwhelm a targeted server, service, or network with more traffic than it can accommodate through the use of bots to cause a denial-of-service to normal traffic. Bots refer to computers and other devices, such as Internet of Things (IoT) devices, infected with malware that allows attackers to control them remotely. The BGU researchers evaluated the impact that DDoS attacks could have on current and NG911 infrastructures in North Carolina. A detailed simulation of North Carolina's 911 infrastructure, along with a general simulation of the entire U.S. emergency call system, was created in order to demonstrate how DDoS attacks could affect 911 call systems. They found that it would only take 6,000 bots to significantly disrupt the availability of a state's 911 services and only 200,000 bots to endanger the entire United States. According to the researchers, it is possible to effectively block 911 calls from 20 percent of North Carolina's landline callers and half of the mobile callers. In the simulation, even if a person called back four or five times, they would still not be able to reach a 911 operator. Many argue that NG911 technology solves the DDoS problem by connecting callers to PSAPs not just locally but around the country. However, the 'despair rate,' known as the rate at which 911 callers give up trying, is still significant with complete resource sharing nationally, with the despair rate being 15 percent with 6,000 bots and 43 percent with 50,000 bots. Since the system would still need to communicate locally to dispatch police, medical, and fire services, the despair rate would more likely be 56 percent with 6,000 bots. Additional research is needed to help security professionals, lawmakers, and respective organizations better understand the severity of this issue in order to increase efforts toward preventing potential attacks on 911 emergency services.

There are efforts to protect emergency communications systems from cyberattacks. For example, the DHS Science and Technology Directorate (S&T) is working with SecuLore Solutions, a cybersecurity company based in Odenton, Maryland, to develop a solution that applies predictive analytics and cyber data in the detection and mitigation of cyberattacks targeting NG911 systems, Internet Protocol-based technologies, and legacy emergency communications systems. SecuLore added a new capability to its existing cybersecurity solutions to provide near-real-time behavioral threat analysis of the traffic hitting an Emergency Communication Center's (ECC) network as well as recommended remediation steps based on behavior and type of malware. This cybersecurity solution is currently under pilot testing with the Emergency Services Department in Palm Beach County, Florida. The Emergency Services Sector Cybersecurity Initiative aims to help the Emergency Services Sector (ESS) increase understanding and improve cyber risk management surrounding emergency services by offering documents on best practices, risk assessments, and more. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the SAFECOM-NCSWIC NG911 Working Group, published a report discussing the NG911 cybersecurity risk landscape and actions for improving NG911 cybersecurity, such as establishing and maintaining relationships to develop and carry out a comprehensive cybersecurity plan by increasing resource sharing among different PSAPs, state agencies, and other respective entities.

As the infrastructure that supports 911 call centers continues to grow in connectivity, the risks of cyberattacks increase. These attacks could lead to slow responses to emergencies, potentially resulting in the loss of life, property, and more for 911 callers. Further collaboration between security researchers, emergency personnel, telecommunications companies, and lawmakers is needed to develop more advanced, effective countermeasures against attacks on 911 systems.