SoS Musings - 911: Cybersecurity Emergency

By grigby1 

The risk of disruption or the unavailability of 911 services due to cyberattacks increases as emergency systems and networks become more interconnected and call centers become more reliant on Information Technology (IT) for operations. The three-digit telephone number "911" has been designated as the "Universal Emergency Number," allowing citizens within the US to request emergency assistance. The purpose of this telephone number is to provide the public with rapid and convenient access to a Public Safety Answering Point (PSAP), which runs 24/7, dispatching emergency services or passing 911 calls on to public or private safety agencies. It serves as the public's lifeline for police, fire, and medical services. There are over 6,000 PSAPs or 911 call centers in the US, with an estimated 240 million calls being made to 911 yearly. An analysis, compiled by the US Department of Homeland Security (DHS), highlighted that emergency services are an attractive target for cybercriminals. The research warns that cybercriminals could target the Emergency Service Sector (ESS) to impact medical and law enforcement services as well as endanger public safety.

Multiple incidents have highlighted the vulnerability of 911 systems to various types of cyberattacks. A ransomware attack compromised a server running Baltimore's computer-assisted 911 dispatch system, forcing city officials to resort to manual operations to handle emergency calls for more than 17 hours. This was a significant incident because the system automatically populates maps with 911 callers' locations and dispatches emergency responders closest to the callers more seamlessly than manual dispatching. The Schuyler County Sheriff's Department in New York faced a brute-force attack that led to the temporary crippling of its 911 emergency system and its ability to dispatch deputies to address emergency calls. A hacker launched a Telephony Denial-of-Service (TDoS) attack that flooded 911 call centers in 12 US states with fake phone calls. The widespread attack involved a network of iPhones infected by malware created and shared by the hacker. Infected smartphones repeatedly called the nearest emergency call center. More recently, a cyberattack disrupted 911 emergency services in California, which was attributed to the "DragonForce" ransomware gang.

There are various cyber risks to Next Generation 911 (NG911) systems, such as Denial-of-Service (DoS) attacks, Man-in-the-Middle (MITM) attacks, TDoS attacks, unauthorized network access, and more. NG911 systems, which operate on an Internet Protocol (IP) platform, facilitate the interconnection among different public and private networks, including wireless networks, the Internet, and traditional phone networks. The capabilities of traditional 911 networks are improved by NG911 systems, enabling compatibility with a broader range of communication platforms that provide dispatchers and emergency responders with a higher level of situational awareness, and establishing a level of resilience that was previously unattainable. NG911 allows PSAPs to receive and process a variety of information from the public and responders, such as voice calls, images, video, and text. However, this technological advancement in relation to 911 systems raises the risk of cyberattacks as NG911 enhancements introduce new vectors for attacks capable of disrupting or disabling essential operations.

In 2023, the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) announced the release of the "Considerations for Cyber Disruptions in an Evolving 911 Environment" document. Across the US, Emergency Communications Centers (ECCs) are transitioning from older, legacy systems to NG911. CISA also recognizes that NG911's enhanced connectivity introduces new vectors for threats that can disrupt ECC operations. For example, ECCs may experience cyber incidents due to malicious actors or a faulty software update to a Managed Service Provider's (MSP) network. Therefore, ECCs should ensure that their Continuity of Operations (COOP) plans define processes and procedures for responding to cyber incidents. The document was developed by CISA, SAFECOM, and the National Council of Statewide Interoperability Coordinators (NCSWIC) to help ECCs create or update their COOP plans to better respond to cyber incidents as they transition to NG911. The document discusses the threat vectors for NG911 systems and provides recommendations for updating COOP plans.

The National Science Foundation (NSF) also awarded a $1.2 million grant to a team led by Michigan State University (MSU) researchers in support of bolstering the security of cellular 911 calls. Customers benefit from improved coverage and faster service as the nation's cellular networks and technological infrastructure continue to develop. However, these advancements also present new opportunities for cybercriminals to exploit security vulnerabilities. Researchers from the College of Engineering at MSU have been concerned with the security of cellular 911 calls. This grant allows Guan-Hua "Scott" Tu and Li Xiao, MSU professors of computer science and engineering, to continue expanding their work on securing cellular 911 calls. At the 28th Annual International Conference on Mobile Computing and Networking (MobiCom) in October 2022, Tu and Xiao's team presented work titled "Uncovering Insecure Designs of Cellular Emergency Services (911)," which highlighted vulnerabilities in US systems that allow anyone to easily connect to emergency services from a mobile phone. The team found that these vulnerabilities could lead to various issues, including enabling attackers to hijack cell services, send spam to customers, and prevent callers from reaching 911 operators.

Cyberattacks increase as 911 call center infrastructure becomes more connected. These attacks could slow emergency responses, which could result in the loss of life. Security researchers, emergency personnel, telecommunications companies, and lawmakers must work together to develop better 911 system defenses against cyber threats. 

To see previous articles, please visit the Science of Security Musings Archive.