Cybersecurity and the Fire Service

Feb. 29, 2024
There are countless ways that a cyberattack can hinder a public safety agency, with results varying from minor to life-threatening.

The development of technology in recent years has brought with it a surge of ways to enter a system or network from the outside. This increases the exposure of systems to being hacked for access to personnel records, patient records/billing, response data, purchasing/supply chain information, in-station or in-vehicle Wi-Fi, and much more.

There are countless ways that a cyberattack can happen, with results varying from minor to life-threatening. If a public safety network gets hacked, there can be effects anywhere from lost or stolen data to losing paychecks to hindering 9-1-1 response times to a shutdown of city services.

Breaking down terminology

The most common types of cyberattacks that could occur to a firehouse or public safety agency are:

  • Malware: This is where a hacker or attacker creates code with the purpose of harming a computer, network or server. This is the most common type of attack, and it is an umbrella term that covers many different types of attacks, such as the next one on this list.
  • Ransomware: A type of malware, ransomware is where an attacker encrypts a victim’s data, and typically offers a decryption key in exchange for a payout.
  • IoT Devices: As explained by Emergency Reporting in Industry Insights: The Basics of Cyber Security for Fire Departments, “An IoT (internet of things) device is any device that can transfer data over a network without requiring human-to-human or human-to-computer contact. These devices can be targeted by cyberattacks and if not properly protected, could leak sensitive medical information, or even put lives at risk.”
  • Phishing: This is a strategy that can get even the least suspecting person. An email, social media outreach, or text message will be sent to the potential victim, sometimes posing as someone internally, asking them to click a link to fill out personal information. From there, either that information can be stolen, or a malicious file can be uploaded to the device.

Breaking down the complications and complexities of cyberattacks even further, John Kosik explained that there are four stages of infection. The first step is the vector, which is how the infection gains access. The second step is command and control, where the source is alerted and takes over. Next is encryption, which renders the files inaccessible. Finally, there is the ransom threat, where the payout is demanded; otherwise, the data will be deleted.

An additional struggle that comes with cybersecurity in fire departments is that when a department’s IT department gets set up, the public safety personnel/users aren’t as computer savvy as the IT department, bringing forth potential user error issues. This is common in municipalities and smaller counties. Learning the mitigation strategies below can counteract the lack of knowledge.

For those departments that have larger IT departments, it is imperative to stay on the same page with them. Arlington, VA, Fire Chief David Povlitz has been in the thick of looking for technological solutions to reduce community risk and improve responder safety for many years and emphasizes that it’s a team operation. He believes this isn’t something that can be taken into your own hands.

“We also want to make sure we stay in bounds of our IT departments. This is very important at the speed of technology,” Povlitz said. “We can’t build a secondary or shadow IT department within our departments. We must stay coordinated. They protect us and sometimes it takes a little bit longer to do it right.”

Evolving threats

Technology now is ever-changing. The development will never stop, and that is recognized by experts within the cybersecurity industry. Lynn Mattice, president of the National Economic Security Alliance, has been in the cybersecurity world since the 1980s and understands the ebbs and flows of technology.

“It isn't something that's static at all. It changes on a regular basis because new technologies and new risks are constantly evolving,” Mattice said. “You can't just do something once and it’s over with. There are always new threat vectors starting all the time, so there’s the constant need to stay current on all the issues that are taking place out there.”

A big development in the first responder world is FirstNet, the system that allows all first responders to communicate on a secured, private network meant just for them. This helps mitigate any potential cyber threat attempting to get into public networks. However, it does create issues in that if FirstNet gets hacked or compromised, it potentially jeopardizes the idea as a whole.

Cyberattacks tend to sneak up on the victim. In the everyday world, it can be a simple email to a first responder that looks like a good job opportunity but instead is masking a virus waiting to be put on the responder’s phone. It can be one click of a link that allows a hacker to gain access to your personal information.

On a bigger scale, that is just one common way a simple click, or entering just a bit of information, can ruin someone’s life. Furthermore, a cyberattack on a firehouse can result in lives being lost and firefighters being put in massive danger if their technology isn’t working properly. There is also the amount of sensitive information on a public safety service network to consider. All types of information can be compromised, from medical records to payroll information to personal information such as home addresses and bank information.

Recent cyberattacks

Cyberattacks and ransomware attacks tend to go under the radar when it comes to public news because there is nothing to truly capture physically about the crime. According to Security Magazine, in the first five days of 2024, there were 11 confirmed attacks that affected PSAP and CAD systems.

Some examples of recent cyberattacks with different impacts and levels are:

  • In September of 2022, hackers were able to gain remote access to a South Carolina Fire Department’s assistant chief’s work email, and from there were able to grab payroll information. The $8,000 of stolen paychecks were traced back to Nigeria, California and Florida.
  • In May of 2023, a group called Royal conducted a ransomware attack on the city of Dallas public services. This resulted in slowed response times to 9-1-1 calls, forcing police and fire to conduct tasks manually while communicating over radio to dispatch first responders, creating mistakes and miscommunication. The attack also impacted services in 3-1-1, municipal courts and Dallas Water Utilities.
  • In September of 2023, a cyberattack caused St. Louis public safety computer servers to shut down. It didn’t impact 9-1-1 services; however, the county had to book and release people from jail by paper, and it shut down the computers used to look up court cases and issue charges.
  • In November of 2023, a cyberattack in Long Beach, CA, forced the city to go offline for 15 days. Data was found to be stolen, but the source still has not been found. While this attack didn’t prove to be life-threatening, it shows the ambiguity behind these cyberattacks. 

Best practices

The best practices according to Mattice and many other experts are simple yet overlooked things that can heighten your odds of protection against malware and hackers. As Joe Vince illustrated in his article for Firehouse.com, it’s about being aware of the weaknesses within the system and patching those holes.

Working on a Virtual Private Network (VPN): A VPN creates a connection from your computer to a remote server owned by a VPN provider, which encrypts your personal data and masks your IP address. A suggestion from Mattice is going to virtual desktops and using a strong VPN to help secure the facility.

Using strong passwords and changing them regularly: Creating unique passwords that aren’t easily guessed, along with changing them regularly, significantly decreases the chance of someone getting hold of a password that could create catastrophic impact.

Setting aside a computer that isn’t connected to the system: Make sure that the fire department has a separate computer, not connected to its system, that is dedicated to internet access. This allows people within the department to freely use that computer for recreational use and keeps any malware picked up from websites away from the department’s system.

Multi-Factor Authentication (MFA): This has become nearly commonplace in the world today. MFA uses another application (most are free) that requires a confirmation away from the device to confirm identity. This prevents fraudulent logins to a sensitive network.

Software updates: Ensure systems are always completely up to date, because old software allows for breaches through flaws that may be fixed in the new version. The recommendation here is to turn on automatic updates, and to regularly check that systems are as up to date as possible.

Employee training: The majority of successful cyberattacks start with a phishing email. You must train your crew how to spot these attacks and focus on periodic retraining.

Proactive measures: Public safety agencies need to be able to see the problem before the problem occurs. Implementing risk assessments and staying informed on recent threats can help identify holes in the system. Staying ahead of the curve is always a good idea and can help prevent a major shutdown.

Cyber threat intelligence sharing: You don’t know what you don’t know. Being able to communicate within departments to share experiences and research, helping everyone along the path of protection and prevention, is more crucial than ever in such a dynamic world. This can include sharing ideas of prevention, signs to look out for, learning from previous cyberattacks, and more.

These practices are things that don’t consume a ton of time. If the groundwork can be set, then the detriment and threats are minimized and even prevented.

“Cyber hygiene is probably the most important piece of all of it,” Mattice said. “That is making sure that they don’t allow equipment to come in that’s still operating under manufacturers’ passwords. Same thing on their buildings, their HVAC systems, and things like that, because the threat vector can get in through just about any open avenue that they can find. They [hackers] are constantly testing what's available for options for them to break into systems.”

Furthermore, Chief Povlitz highlights not only the importance of keeping passwords secure, but also of making sure there is a plan set in place to mitigate the effects of a cyberattack. Taking an approach of preparedness is crucial both in prevention and in deflecting or bouncing back from cyberattacks.

“Approach it with a sense of cautious curiosity,” Povlitz said. “It’s not something we should fear, but it’s something we must learn, we must understand. Just like we would bring in a new tool or a new emergency service technique, we would want to research it. We would like to test it and practice it before we deploy it on the street before we put it in that emergency service arena. It’s the same thing with technology.”

The AI debate

None of this even scratches the surface of artificial intelligence (AI), a still very unknown resource that can tilt to either side of the spectrum. AI has been talked about as being able to take the world to a whole other level for good, creating more efficient processes and taking care of things in a timely manner. AI came on to the scene just a few years ago, so the unknown within it is incomprehensible.

“There are major risks that can take place, all the way down to whether a fire truck can operate or not,” Mattice said. “They all have computers on them. They can be attacked and prevented from being able to go to a fire and prevent the ambulances from being able to go to medical issues. From a terrorist standpoint, or anarchist standpoint, it has huge, huge risk factors associated with it.”

However, the other side of the coin is still a major factor. Take schools, for example. There are arguments that the use of AI is technically cheating because it isn’t one’s own work. But then, there’s the idea that AI helps students figure out the material more easily and that, since it is a tool at their disposal, the student is being resourceful.

Expand that idea even further into the public safety world. AI has the chance to help firefighters focus more on saving lives than on paperwork, per se. On the other hand, if AI is utilized for the opposite reasons and ends up in the wrong person’s grasp, then it can create murkier waters than ever.

“It's going to be a competing issue; you're going to have the bad actors who are going to utilize it to their advantage to outthink all the controls and protections that are in place,” Mattice said. “One of the biggest problems is when you’re dealing with fire departments, who often operate small municipal computer systems. They do not have sophisticated actors running those systems.”

Cybersecurity is an issue that will never truly be solved, but there are strategies that can be implemented to help reduce the risk of an attack and potentially save lives.
