Conclusions
The advanced persistent threat against the Sheriff’s Office and NG-911 center may have been fictitious, but the vulnerabilities are very real. In retrospect, if the Sheriff’s Office and surrounding agencies had put IOC tools in place and shared security information, the likelihood of a successful attack would have nearly disappeared. Especially for agencies as large as the Sheriff’s Office, sharing security information would have proven even more effective than simply guarding the gates. The compromised agency computers that went so long without being identified show the lengths to which attackers go to remain undetected.
The scenario also demonstrates the need for operational and security teams to work collaboratively. What in an environment needs protecting can only be decided once a clear understanding of the critical areas of operation has been gained. Overlooking GIS as a critical area and handing over control of it without oversight was probably the decision that caused the most damage. Once the calls started to flood the CAD system and 911 calls began to queue, there was no chance of recovery. Even if both the CAD and 911 systems had cleared the spurious calls, the legitimate calls from the area surrounding the Diamond Exchange still would have gone unanswered or been closed immediately.
The key takeaway is that NG-911 should not be only about “instant interagency cooperation and information sharing” of law enforcement data in order to protect the citizenry. It must also entail a true collaborative effort to share security threat information in order to protect these vital systems.
Mario Lopez is a senior systems technologist for Motorola Solutions.