Cyber Security and the PSAP

The following is a list of questions and answers provided by a panel made up of members of the Sacramento Regional Fire/EMS Communications Center employees. They presented this information to our members at the monthly chapter meeting held March 13, 2014.

    Q: Do you fully isolate the P25 radio network from other data networks?

      A: The radio network is a closed, private network but it does connect to our CAD system to provide radio identification data.  Although the radio network is not considered fully isolated, the connection between the radio network and CAD system is protected.
    Q: Once compromised from Internet viruses or hacks, how do you maintain radio system operation?

      A: Since the radio systems are on their own private network and not connected to the Internet, they are not susceptible to viruses or hacks from the outside; however, the attack can come from internal source, such as a device on the internal network that is simultaneously connected to the network and the Internet.  It is important to note that if our radio network were to be compromised, we would put into operation a backup plan.  Our radio backup plan has conventional mutual aid 800 MHz repeaters throughout the county to use in the event of a radio system failure.  From a fire standpoint, we also maintain a VHF dispatch frequency for redundancy and interoperability with our neighbors as well.
    Q: Do you have the capacity to operate radio transmitters without IP/Internet?  If not, why not?

      A: Radio transmitters can operate without Internet because they utilize radio frequency channels to transmit audio.   Our private radio network is redundant so if one link goes down, they can continue to operate because of the dual links (data paths) going to each site.  There is radio traffic that is transmitted using IP but again, these are closed private networks that are isolated from the Internet.
    Q: I have always believed in and used at least two AV applications.  They do not play together as they once did.  Your opinion on AV redundancy?  Have you found a way to run them together successfully?

      A: We have never run two AV (antivirus) applications on the same machine and this is not recommended.  If you want redundancy, you can have antivirus protection running over your firewall and locally on your computers/servers.  If you are running virtual desktop infrastructure (VDI), you can run antivirus on the VDI instance and a global antivirus on the hypervisor.  If you are using the aforementioned VDI solution with an AV and Anti-Bot firewall, you have tertiary protection.  In addition, make sure your AV application is running and updating frequently with the latest DAT files.  You should also make sure your OS is up to date with the latest security patches and updates.
    Q: Do any of your “Bolt-on” vendor applications require Internet access and/or do you allow it?

      A: You can restrict these “bolt on” programs to specific ports/protocols/IP addresses/application controls via a firewall or IPS if they must use the Internet.
    Q: Have you implemented personnel profiling to control network application access?

      A: We have not implemented control at this level, but there is software available to employ user granularity on your network gateways.
    Q: What types of threats are most prevalent in regards Dispatch center?  Are they specific or generic?

      A: Most of the threats below are the most prevalent in general, and are actually part of this question…so we will address them individually.

      • Trojans?
        Trojans are typically programs that can be detected by antivirus software which is pretty much industry standard these days.  However, if a Trojan does make it into your computer it can be devastating as these are typically very malicious in nature destroying data, corrupting files, using your email for SPAM, spreading other viruses and malicious software to other computer systems, and can even deactivate your antivirus software.  Although antivirus software can often remove Trojans, some have to be removed manually by deleting the active file(s).
      • Denial of Service?
        The prevalence of DoS attack is low.  As a reactive approach, these attacks can be stopped by firewalls, router/switches that are configured correctly to divert unwanted traffic.  As a proactive approach, you may incorporate a subscription for DoS service or a dedicated DoS appliance.
      • Service Interruption?
        Moderate in prevalence, this type of attack can be caused by SPAM, worms, or a combination of both.  These attack computer and network resources that can lead to service issues.
      • Data Corruption?
        Any malicious virus, worm, or Trojan can cause data corruption or even worse data loss.  The best prevention is to keep computers updated with patches, and make sure any antivirus software is running the latest DAT files and engines to detect/prevent these types of attacks.
      • Data Extraction/Breach?
        This type of attack can be from BOTNETs which are basically software robots which reside on a computer inside your network and send out information to the Internet where that data is collected.  This is a very prevalent threat and requires the detection of the outbound traffic from either the computer or network.  Security software, such as Anti-Bot, is the best protection against these threats if you are not able to monitor this outbound Internet traffic.
      • Keystroke Logging?
        These are typically designed to steal passwords for banking, or other sensitive data.  These are very hard to detect without having appropriate security software/hardware that can track data leaving the network such as firewalls, having antispyware on your systems, and making sure by monitoring what applications should be running on servers and computers.

Thank you to the members of the Sacramento Regional Fire/EMS Communications Center for presenting this very difficult and important topic.