This is the second article in a multipart series on how to protect mission-critical communications systems from cyber attacks. The first article discussed how the public-safety world is migrating from self-contained communication systems to IP-enable connected networks.
It also reviewed the results from a survey that we recently conducted to determine the awareness level regarding cybersecurity threats, as well as the impact of various economic factors on the ability of entities to address such threats. Finally, the article examined the increasing number of security breaches being suffered by public-safety and mission-critical communications systems and networks.
Now we will look at a holistic approach to cybersecurity, with an emphasis on developing a foundation for protecting vital communications networks.
Lurking around every corner are opportunities to inflict your critical communications systems with malicious activity. This activity often appears first as a seemingly harmless action, such as an unexpected e-mail or unusual network behavior.
Malicious activity can be introduced from:
- Internet access (anywhere on the network)
- USB ports
- Wireless systems (e.g., WLAN and LMR)
- And may result in:
- Denial-of-service attacks
- Hacking (stealing or altering data)
- Jamming signals
- Leading to potential consequences such as:
- Slowing your ability to provide service
- Halting your ability to communicate
- Personal information made public
- Safety of responders or public endangered
A security plan, supported with policies and procedures, provides a methodology to assess, address and mitigate risks. Without a sound security structure in place, you are open to malicious activity that can invade your network, steal your data and deny service to your users. In an enterprise or business network, these harmful attacks can result in a major inconvenience; in public-safety and mission-critical industries — for example, power utilities and transportation departments — they literally can impact life-or-death situations.
Effective security results from the culmination of a holistic, organized plan. Without a solid methodology, the security effort disintegrates into isolated pockets of disconnected processes. Securing each vulnerable element of your communications network requires a cohesive plan, and a process that fits within your organization’s overall security posture.
In order to develop a plan that aligns with your organization’s systems and priorities, we recommend that you first conduct a vulnerability assessment, which is an affordable way to baseline your systems and processes and identify where cybersecurity gaps exist. Depending on the level of expertise possessed by your organization’s IT staff, they may be able to conduct this assessment. However, you may need to engage a third-party cybersecurity expert — ideally one that is familiar with public-safety and mission-critical networks and systems.
Consistent with our recommendation that security be approached holistically across all the interconnected networks and applications, the preferred approach to the vulnerability assessment would be one that includes all of the elements in an end-to-end network. However, if budget or other priorities dictate, a vulnerability assessment of individual subsystems or elements is better than none at all. As budget permits, or as your system configurations change and grow, you can conduct vulnerability assessments on other system elements, ultimately building a more complete picture.
In planning for a vulnerability assessment, don’t overlook networks (particularly connectivity) that may be under the oversight of others, but provide you with capacity or service on a shared basis. Our survey indicated that 35% of respondents use a shared IP network to connect their radio systems, and another 15% are planning to use other types of shared facilities, such as leased fiber or microwave for.
Sharing a network can introduce additional risks and these situations should be considered in the vulnerability assessment. As with any scenario, as long as the vulnerabilities are identified and the risks are known, a security strategy can be fashioned that addresses these risks.
Once the vulnerability assessment is completed, the results should be documented in a written report that explains the findings and identifies both the vulnerabilities and risks associated with each. These findings then can be reviewed and discussed by your agency, and used to establish goals and a strategy that align with your organization’s overall security priorities, practices and budget.
Based on this understanding of the cybersecurity vulnerabilities of your networks and systems, and having identified priorities for addressing them, you now can develop a security plan that truly meets your agency’s needs.
Such a plan should express the organization’s desired security posture and provide the authority to intervene when a practice is contrary to the plan. It is intended to provide the overarching vision and strategy necessary to realize the goals, objectives and intentions regarding cybersecurity throughout the operating environment.
A security plan is a living document, and as such should be reviewed at least on an annual basis. It exists to ensure that the organization’s vision and strategies in this regard are sound and will remain applicable in an environment that constantly is changing.
The primary purpose of a security plan is to:
- Identify the objectives
- Communicate, promote and increase awareness of security across the organization
- Identify the standards and frameworks applicable by law, regulation and mandate
- Identify the policies necessary to implement and enforce the plan
A security plan also should guide the process of purchasing needed equipment and services. Indeed, all hardware and software, as well as any entities that enter the network, should be aligned with your security plan in order to maintain a safe environment. Moreover, any successful plan expands to include the security risks borne of future additions to the operating environment.
Meanwhile, security policies provide direction to employees, supervisors, vendors and other entities that interact with the operating environment. Such policies should be consistent with the unique operational requirements, i.e., laws, regulations and mandates, as established in the security plan. In addition, policies provide specific direction concerning the proper authorization and authentication for accessing the network. They also address the physical aspects of the environment, specifically their impacts on cybersecurity.
Basic policy parameters to consider are:
- Acceptable use
- Access control
- Network security
- Physical security
- Data classification
- Change management
- Security training and awareness
- Security review and audit
To ensure that your security plan and policies are being applied appropriately across all functions, security procedures are put in place that provide specific direction regarding accepted practices within the operating environment.
Specifically, such procedures provide step-by-step actions for implementing policies and further explain the look and feel of the operating environment. This may be accomplished by detailing the sequence of actions or by defining specific instructions for completing tasks. This series of steps is to be followed each time a task is performed, which ensures that the operating environment remains consistent, outcomes are pre-determined and mishaps quickly are identified.
Typical procedures include:
- Baseline configurations
- Performing maintenance
- Applying system changes
- Granting access to systems and facilities
- Composing passwords
Procedures provide the knowledge of exactly what to, and how the task should be performed. When everybody is following the same procedure, the environment remains uniform. This makes troubleshooting and error-correction much easier, because unusual activity or information that does not meet the standard requirements is much more noticeable.
Of course all of this is for naught if the defined policies simply sit on the shelf and the associated procedures aren’t followed. Your security plan, policies and procedures must be proactive in order to produce the expected results. To ensure compliance, it is necessary to train employees so that they understand what is expected of them. It also is necessary to monitor the actions within the operating environment in order to determine whether the behavior of employees, systems, services and other entities that may interact with the operating environment are secure.
Each employee accessing or using various elements or applications of your critical communications network should receive security training upon being hired. A new employee should understand the security practices in the organization and become well versed in what is acceptable, what is not acceptable and actions to take when a situation appears to conflict with the security posture of the organization.
To reinforce initial training, additional training should be conducted annually. This is a good opportunity to discuss changes to security processes and reinforce the overall environmental flow. It also is advisable to conduct short training sessions as needed to provide awareness of current or emerging threats, and guidance on how to recognize and mitigate them in an appropriate manner.
Next, in order to validate that the organization’s plan, policies and procedures are providing the expected outcome, the environment must be monitored. Monitoring requires myriad actions, including automated and manual review of logs, physical inspections and reporting. The first steps are to:
- Enable logging
- Routinely review logs
- Retain logs to establish trends, identify malicious activity and investigate events
- Report the state of the environment
- Proactively mitigate threats as they occur
A scheduled routine should be established to monitor and respond to events and anomalies. Irregularities may indicate malicious activity, deviations from policy and procedures, or simply flaws in logging mechanisms. Other best practices include the following:
Anti-virus protection: The software used to conduct business should be kept free of viruses and other malicious programs. Our survey indicates that 65% of the respondents employ anti-virus software as a safeguard. If you are among the 15% who do not utilize anti-virus or the 20% who are not certain it is recommended that you install and maintain the latest version of anti-virus software on every device capable of supporting the application.
Third-party hardware and services: Your organization should obtain contractual assurance that all devices and applications maintained by third-parties, such as routers and databases, are monitored and maintained in the same fashion as organization-owned equipment.
Incident response plan: One should be developed to provide appropriate response, procedures and guidelines when suspicious events occur.
So far, our series has touched on the need to address cybersecurity and to create a holistic approach to understanding your vulnerabilities and establishing the key elements of a security plan. Our final article will examine the common pitfalls and misunderstandings regarding the security of today’s mission-critical communications environment. n
Ed.: The authors invite you to ask specific questions about cybersecurity as it relates to public-safety and mission-critical networks. The questions will be addressed in the final article of the series. E-mail your questions to Lori.Kleckner@LRKimball.com.
J. Kevin McGeary is a senior consultant in L.R. Kimball’s radio and wireless group with more than 35 years experience in public-safety communications.
Lori J. Kleckner, PMP, CISSP is a cybersecurity consultant for L.R. Kimball with extensive experience in collaborating with agencies at the local, state and national levels.