Latest attacks underscore need for cybersecurity in next-generation critical communications
With all of this in mind, it is of little wonder that officials want heightened cybersecurity associated with critical networks such as 911, FirstNet and the electric power grid. Members of Congress were outspoken about FirstNet’s need for top-notch security, and cybersecurity was the focal point of one of three FCC working groups that is compiling a report about the migration to NG911. And former ABC journalist Ted Koppel has written a book about the possibility of a cyberattack on the U.S. power grid creating a lengthy, widespread outage that creates chaos.
While the need and desire for cybersecurity is clear, what is less clear is how to achieve the goal. Given the rash of data breaches announced publicly during the past few years, it is difficult to determine if any entity has an approach that really works.
No one says, “Our system is secure”—and understandably so. As cyberattacks become increasingly sophisticated, it is harder than ever for any entity to be confident. Furthermore, such a statement would only make that system a prime target for hackers worldwide.
Instead, those in the cybersecurity industry use phrases like “risk mitigation” and strategies to limit the damage that a successful cyberattack would cause, so things like Koppel’s catastrophic power-grid vision do not occur.
During a recent webinar, utility officials expressed doubt that the kind of long-term, geographically expansive power outage that Koppel describes in his book could happen. But they acknowledged that cyber threats are very real.
Meanwhile, the interconnected nature of sensors and other devices that are designed to help monitor the health of the grid—particularly for remote users that may be third-party contractors, not direct employees of a utility—represents the age-old “tradeoff” between security and efficiency; the more you get of one, the less you get of the other.
A similar dilemma faces public safety, particularly as it enters an era of IP-based communications associated with the development of FirstNet and next-generation 911. There is no doubt that these systems need to be very secure, because they will be used to transmit highly sensitive criminal and personal information that could damage many lives if leveraged inappropriately.
In the case of FirstNet, if the system is as secure as possible—with a restricted number of subscriber units and lots of lengthy authentication passwords to access the network—it may be too slow and cumbersome for an officer to use in the field, where decisions often have to be made quickly to be effective. Limited access also means limited interoperability, which would be the antithesis of FirstNet’s mission.
In other words, FirstNet—and next-generation 911—need to have a cybersecurity solution that provides both state-of-the-art security and the greatest ease of use possible. It doesn’t sound like an easy task.
Meanwhile, for all of the technology-based cybersecurity solutions that are available, there is a human element that must be considered. In the case of the Los Angeles hospital, reports indicate that someone with access to the hospital system clicked on a link in a phishing e-mail, allowing the hacker to break into the computer network.
Yes, people should be trained to delete the occasional e-mail from Prince So-and-so from Country XYZ with millions of dollars to offer, but that should not be the real problem. Here’s the scenario that has concerned me for some time and is not so clear-cut: