Hackers Target Municipal Emergency Services for Mischief, Money, and More

In February 2013, viewers of KRTV, a CBS affiliate in Montana, experienced a modern-day version of War of the Worlds when hackers breached the Emergency Alert System and broadcast a realistic-looking message warning that the zombie apocalypse was afoot. The EAS tones played, a message bar appeared at the top of the screen, and a computerized voice alerted viewers that the “bodies of the dead are rising from their graves. Follow the messages on screen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous.” A handful of other TV stations in five states experienced similar hacks, which were later traced to firmware vulnerabilities.

While the “zombie hack” caused chuckles among viewers, some of whom assumed it was a viral marketing campaign for The Walking Dead television series, recent hacks targeting public safety infrastructure haven’t been so funny:

• Mere days prior to President Donald Trump’s inauguration, hackers used ransomware to disable 70 percent of the cameras on a police closed-circuit surveillance network in Washington, D.C.
• Also in January, ransomware plunged several local government offices in Ohio “25 years back in time,” including a county police force and 911 center. The telephones and radios at the 911 center remained operable, but dispatchers had no computer access, which lengthened response times.
• In April, someone breached the city of Dallas’ emergency siren system, causing 156 horns around the city to blare for 90 minutes in the dead of night and panicking residents, who flooded 911 centers with thousands of calls. At first, officials suspected a technical malfunction, which gave way to fears that the sirens’ computer system had been compromised. In the end, it turned out the “hackers” had kicked it old school and used radio signals to trigger the sirens.

The U.S. emergency system runs on very old equipment; most of it dates to the 1980s. Since world interconnectivity did not exist, systems were designed for safety, ease of communication, and reliability, not cyber security. Not only was there no such thing as “hacking,” but pranksters and criminals had no way to quickly determine, for example, what radio frequency an emergency siren was actuated with, and there was no publicly available documentation on its default credentials. While a determined “hacker” could have engaged in spycraft to obtain the information, it would have been difficult or impossible for them to get the hardware they needed to produce the tones to pull off the “hack.”

The Internet has changed the game. Finding information, even sensitive information on default login credentials for emergency systems, has become easy; in many cases, manufacturers themselves post instruction manuals online. Meanwhile, inexpensive, pocket-size devices are capable of reproducing what were once thought to be complicated signaling protocols.

Antiquated legacy systems aren’t the only issue. As the Internet of Things proliferates, cities are becoming “smart,” implementing more wireless and connected devices and interconnecting emergency infrastructure. While connecting infrastructure to the Internet can improve safety by allowing officials to remotely monitor and control systems and promote communication, it also opens the door to hacking.

The risk is higher on the local level than on the national scene. More attention is paid to critical infrastructure on a national scale; security protocols for power generation and transfer systems are highly regulated. Cities and counties are not subject to the same regulations, are notoriously underfunded, and may not see the importance in allocating scarce funds to cyber security. If a private-sector company suffers a bad data breach, the CEO may be forced to resign. While it looks bad when a city is publicly compromised, no one is fired or voted out of office. Local officials throw their hands up in the air, call the hackers who did it evil, and spend far more money trying to track them down and punish them than on fixing the actual issue or looking for other, similar vulnerabilities.

What Can Be Done?

Hackers have numerous motivations for targeting emergency infrastructure. Ransomware is used to attack emergency services for the same reason it is used against healthcare facilities: fast, easy money extorted from an entity that absolutely cannot afford to be locked out of its systems. Hackers may also be motivated by political or religious ideologies, seek to cause further disruption as part of a real-world terrorist attack, or even just want to pull a “prank.”

Any system is only as secure as the individuals defending it, and there is no such thing as a system that cannot be breached, given time, intelligence, and resources. However, attacks can be prevented by taking proactive security measures. First, local officials should perform regular system and data backups; always change manufacturer default login credentials before connecting hardware to a system; ensure that operating systems and software are kept up-to-date; and train employees to spot social engineering techniques, such as phishing emails.

Local governments should also follow in the footsteps of private businesses and crowd-source security vulnerability testing. All cities have a hacker community, and if white-hat hackers are given incentives to find vulnerabilities in a city’s infrastructure, they won't be found by malicious actors. A white-hat hacker in New Castle County, Delaware, recently discovered a vulnerability in a public safety mobile app and alerted authorities, who patched the problem.

However, the entirety of a city or county’s cyber security cannot be crowd-sourced. Cities and counties need the help of security professionals, but they may not have the budget to hire them in-house. Outsourcing cyber security to a managed security services provider (MSSP) is a good option for cash-strapped local governments. An MSSP can provide dedicated, around-the-clock security operations support to government entities, staffed by experts with years of experience protecting critical infrastructure, at a cost far lower than hiring security personnel in-house.

Government agencies must also take their vendors security seriously as well, adopting vetting and security protocols that many major corporations have already put in place. These protocols need to be a part of the selection process for any new vendor, and ensuring there are SLAs (service level agreements) in case vulnerabilities are every found or new ones emerge.

The “zombie hack” amused people but caused no disruptions; the D.C. and Ohio ransomware attacks went largely unnoticed by anyone except for law enforcement and emergency responders; and the Dallas siren “hack” kept citizens awake for 90 minutes but caused no long-term damage. The next breach could take down a 911 center’s phones or broadcast “news” of a terrorist attack, causing mass hysteria. Emergency infrastructure security is a matter of public safety, and taxpayers should demand that local officials take it seriously.