Cyberthreats to PSAPs Are Very Real, FCC Task Force Told

The task force's work is critical, Simpson said. “The nation needs a 911 system that keeps pace with technological advances, particularly as communications networks migrate to next-generation technologies and consumers embrace smartphones and new communications applications,” he said.

Simpson acknowledged that PSAP officials have “finite” budgets and increasing demands from the public for better 911 communications. “One size won’t fit all for PSAPs,” he said. “The ultimate goal” of the task force “is not to provide a good report to the FCC. It’s not to necessarily change the technology and what’s going to happen in the future,” he said. “It’s to motivate decisions” on “am I changing the direction for the PSAP that I’m responsible for?”

Some aspects of 911 communications won’t change, said Steve Souder, TFOPA chairman, a 911 official from Fairfax County, Virginia. “It comes down to one human being, combined with many colleagues in that center and around the nation that are the real troops in the trenches of the 911 world, and we are not going to lose sight of them,” Souder said. A PSAP is more than a building, he said. “There are many moving parts and some of them may not be within the building,” he said. “They might be out in gosh-knows where, including the cloud.”

First on the agenda was a report by Working Group1 -- Optimal Cybersecurity for PSAPs. “This is a complex issue and it requires a lot of thinking outside of the box,” said Chairman Jay English, director-911 services at APCO. “I think we may have redefined the box.” The group still has lots of work to do, he said.

Simpson said the task force should put some emphasis on how PSAPs respond to and recover from attacks. “It’s not if cyber adversaries ever get into a cyber network. They will,” he said. “Working to restore confidence in a network that has been compromised is a hard thing to do.”

“We have to identify [the threat] and then we have to figure out how to mitigate it, treat and once we’ve mitigated the threat as best we can, we have to figure out how to respond to it and recover from it,” English said. “In a nutshell, that’s what we intend to try to provide the bureau and commission.” One appendix of the report will offer several use cases that illustrate for public safety why they should worry about cyberattacks, he said.

Distributed denial-of-service (DDoS) attacks have been used effectively against law enforcement, hospitals and PSAPs, English said. Telephony denial-of-service (TDoS) attacks have been launched successfully “thousands of times,” he said. “Anybody can be an orchestrator of an attack,” he said. “Teenage folks who are perpetrating these attacks are very, very bright and they have a lot of time and they know more about networks than we do.”

When an attack occurs the PSAP knows in a matter of seconds, English said. PSAP servers stop responding and the PSAP name resolution, the ingress routers or session border controller (SBC) devices “degrade and fail,” he said. “The PSAP network basically begins to slow down and in some cases could experience a complete outage of communications.” Efforts to restore the network won’t work “because they can’t get outside. The system has crashed,” he said.

“The idea of the orchestrator is they want to consume enough bandwidth to choke your system,” English said. “If they can spike the CPU, the processing unit of a target device or many target devices, that’s a bonus. But they don’t have to do that to make the attack successful.” It's comparable to having thousands of pizza delivery drivers show up at your door in a matter of minutes, English said. “That’s a DDoS attack,” he said. “I like pizza, but I don’t like it that much.”

The main objective of Working Group 2 -- Optimal PSAP Architectures is to preserve the systems that are already working well, said Chairman David Holl, deputy director-operations at the Pennsylvania Emergency Management Agency. Next-generation 911 has the potential to offer PSAPs more flexibility and reliability in call routing than the legacy network allows, Holl said. “It improves PSAP situational awareness and response” and links PSAPs to state and regional networks, he said. The move to improved 911 won’t necessarily mean PSAP consolidation, he said. “We’re talking about improving sharing of infrastructure and equipment, not necessarily physically,” he said.

But Holl also conceded that the diversity of PSAPs could make NG-911 more expensive to deploy. There are at least 6,000 PSAPs nationwide and most function independently, he said. “They connect but they don’t connect in ways that next-gen 911 will allow them to connect.” Most PSAPs have their own equipment and operate as “silos,” he said.

Working Group 3 -- Optimal Resource Allocation started with the recognition that NG-911 deployment won’t be perfect or consistent across the states, said Chairman Phil Jones, commissioner with the Washington Utilities and Transportation Commission. Funding for 911 has to be “predictable, stable and dedicated only for the purpose as needed,” he said

The FCC and other federal agencies need to provide “an overall vision” and assist with jurisdictional conflicts, and help on problems like cybersecurity, Jones said. About 80 percent of PSAPs have five or fewer call takers, he said. “We know they can’t defend it from a cyber standpoint,” he said. The group will likely look at both best practices and model legislation, he said. It will be critical for the final report that it be shared with state and local officials who are in charge of PSAPs, he said.

“In our group we’ve discussed being more cautious or being more bold with our recommendations and I think we’re going to err on the side of being more bold,” Jones said.