As public safety agencies move towards utilizing cloud-based NG9-1-1 technology for everything from data storage to CAD, Mobile, and RMS, cyber security becomes an even greater concern. Winbourne has reached out to our cyber security partner SecuLore Solutions, LLC to provide information on some of the processes, procedures and “things” agencies should consider in developing a cyber security action plan. These recommendations are applicable in defending against cyberattacks in both a traditional and cloud-based environment.
- Identify a Chief Information Security Officer (CISO). One of the first things an agency should do is to identify a Chief Information Security Officer (CISO), an individual whose responsibility is to manage information and network security for the organization. The CISO is the individual responsible for improving and maintaining the cybersecurity posture for all the departments within the jurisdiction.
- Create a Written Cyber Response Plan. A written cyber security response plan is key and needs to be tested at least quarterly to ensure recovery from backups. The backups should be spot-checked for consistency and viability to ensure that they were saved correctly. Quarterly testing of backups by using a backup PSAP is one of the most effective ways of accomplishing this task. The plan should include affirmative coverage cyber insurance that would cover costs of 3rd party assistance to aid with recovery. If using a 3rd party cyber-expertise vendor, it is best to ensure that the vendor is approved by your insurance provider.
- Remove Barriers to Implementation. A primary responsibility for the CISO is to ensure there are no external barriers to the implementation of mitigation techniques. Such barriers can arise from a variety of factors, including local governance that may limit the ECC’s ability to perform one or more of the identified cyber mitigation functions. There are a number of components that could affect the agency’s ability to perform some of its mitigation functions, and these need to be identified and resolved. These components typically include issues such as governance (e.g., County or State level management of the IP infrastructure used by the ECC), or regulations or laws that preclude the agency’s ability to perform the mitigation tasks, such as the Criminal Justice Information Services password rules.
- Implement Continuous Cyber Monitoring and Vulnerability Assessments. This is the single most comprehensive solution for cyber-defense. These assessments should be in practice before using an IP-based technology for mission critical emergency services. If the agency is already at that stage of evolution and continuous monitoring and vulnerability assessments are not in place, they should be implemented as soon as possible. The vulnerability assessments should occur at a minimum of every 90 days across the whole of the infrastructure. However, if the type of cyber monitoring provides weekly reports and regular external analysis, then vulnerability assessments could instead be done annually.
- Acquire the Best Firewall Possible. It is generally a best practice to acquire the best firewall possible, use network segmentation and put sensitive information behind additional firewalls, and limit user privileges to only what is needed to accomplish specific job duties. Remote access should be protected by using a secure methodology that is updated to the latest version, meets or exceeds the minimum standard (NIST 800-53) of password creation and storage, and utilizes a multifactor authentication methodology.
- Provide cyber-safe methods for staff members to perform personal tasks that are inherently necessary in the course of a telecommunicator’s work responsibilities. These important incidental mitigation techniques for non-intentional impacts include a wide variety of tools such as 1) providing individual separate USB charging stations or equivalent methods (data blocker dongles) to charge personal phones/tablets, 2) establishing a guest network (either managed or outside of the emergency services network) to accommodate Bring Your Own Device (BYOD) usage, 3) disabling the local USB ports (at a user privilege level if possible), etc.
- Create Discrete Backups. Implement a program of three (3) backups on two (2) different forms of media storage (such as cloud, tape, external drive, flash drive) that can be connected on demand. These backups should not be allowed to be connected until needed. At least one of the backups must be stored offsite, and geographically & logically separated from the others.
- Ensure That a Full Backup Is Being Accomplished. Auto-syncing cloud services do not constitute a full backup, even though they are often marketed as such to private individuals and even to large enterprises. These services replicate a copy of data locally and via a cloud service. It is true that these services do protect from one vulnerability, which is the loss of data through loss of a device, such as if the device is destroyed or experiences hardware failure. These services also allow for rapid restoration, because even if an end-user device is destroyed, the data can simply be accessed and re-provisioned onto a replacement device.
- Protect the Agency from Data Compromise. However, these services do not protect from other forms of data compromise. For example, if data is altered maliciously, those alterations will be replicated in the cloud. If data is corrupted, the corruption will be replicated in the cloud. If information is simply deleted, whether by accident or by a malicious user, the remote copy will be lost as well: the cloud service replicates any local changes, as it is designed to do, which in this case means deleting the copy of the file on the cloud, and with it the “backup”.
- Implement a Comprehensive Backup System. Accordingly, cloud-syncing services should not be considered a comprehensive form of backup, and do not necessarily satisfy the recommendation above to provision three backups of any critical data.
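
An added example, not from Winbourne or SecuLore: a small Python audit that applies the backup recommendations above to an inventory of copies. The `BackupCopy` fields, the finding codes and the sample inventory are constructed for illustration, and the check treats "logically separated" as "not continuously connected", which is an assumption.

```python
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    media: str              # e.g. "tape", "cloud", "external_drive"
    site: str               # label for where the copy physically lives
    always_connected: bool  # reachable from production without a manual step
    auto_sync: bool = False # auto-syncing cloud folder (mirrors local changes)

def audit_backups(copies, primary_site):
    """Return finding codes for an inventory checked against the list above."""
    findings, real = [], []
    for c in copies:
        if c.auto_sync:
            # Sync replicates deletion and corruption, so it is not counted.
            findings.append(f"SYNC_NOT_BACKUP:{c.name}")
        else:
            real.append(c)
    for c in real:
        if c.always_connected:
            findings.append(f"ALWAYS_CONNECTED:{c.name}")
    if len(real) < 3:
        findings.append(f"TOO_FEW_COPIES:{len(real)}")
    if len({c.media for c in real}) < 2:
        findings.append("SINGLE_MEDIA_TYPE")
    # At least one copy must be offsite, at a site no other copy shares,
    # and (assumption) disconnected, standing in for logical separation.
    separated = [
        c for c in real
        if c.site != primary_site and not c.always_connected
        and all(o.site != c.site for o in real if o is not c)
    ]
    if not separated:
        findings.append("NO_SEPARATED_OFFSITE_COPY")
    return findings

# Constructed sample inventory for a hypothetical PSAP.
SAMPLE = [
    BackupCopy("sync-folder", "cloud", "vendor-cloud", True, auto_sync=True),
    BackupCopy("nas-nightly", "external_drive", "psap-main", True),
    BackupCopy("tape-weekly", "tape", "county-vault", False),
]

if __name__ == "__main__":
    for finding in audit_backups(SAMPLE, primary_site="psap-main"):
        print(finding)
```
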
Winbourne Consulting and its partner SecuLore Solutions can offer assistance with all aspects of cyber security, from assessments to planning to implementation. For additional information contact Winbourne Consulting at firstname.lastname@example.org.
Our thanks to Tom Breen, Cybersecurity Liaison, SecuLore Solutions, LLC for his contribution to this article.