What Fire Departments Can Do to Combat Ransomware

Oct. 13, 2017
Public safety is an attractive hacking target, but fire departments can help thwart it in simple ways.

With so many concerns on the minds of our nation's firefighters -- training, tactics and protocols; not to mention putting their lives on the line -- it's understandable if something as simple as being cautious with an email is overlooked during a stressful day.

One small slip, however, and an entire fire department can fall victim to a hacking attack which can cripple internal communications and data storage or compromise sensitive information for both department members and everyday citizens.

It may not seem as important as running hose during a four-alarm fire or extricating a badly injured person from a wrecked vehicle -- and to those being saved in those tense moments, it certainly isn't -- but a few simple steps can help better protect a department even if it's operating on a limited budget and without a dedicated staffer handling information technology (IT) security.

Cybersecurity expert Lauren Burnell recently spoke with Firehouse.com about ransom software (ransomware) and some best practices for firefighters and their departments to help prevent it. Burnell is Chief Information Security Officer and Director of Engineering for PCM-G -- which provides IT solutions to federal, state and local agencies -- and has also worked in cyberspace operations as a U.S. Navy officer and with the National Security Agency (NSA).

"People have heard about (ransomware) in the news," Burnell said. "It's certainly the most profitable type of malware (malicious software) in history."

Put simply, ransomware invades a system and encrypts files so the hackers can demand payment -- typically in a cryptocurrency such as bitcoin -- for the decryption key to regain access to those files.

Public safety systems attacked

Such attacks have made plenty of national headlines this year, including the breach at Equifax and the worldwide WannaCry cyberattack that encrypted personal computer data in over 100 countries. While these large-scale attacks had little to do with public safety, breaches have occurred at several agencies in recent years:

  • In January 2014, data security for several fire departments in King County, WA, was breached
  • In June 2014, the Durham, NH, Police Department's computers and files were compromised.
  • In April 2015, the Salisbury, MA, Fire Department was the victim of a cyberattack.
  • In November 2015, the Strafford County, NH, Regional Dispatch Center was hit by ransomware.
  • In September 2016, the Honolulu Fire Department was infected with a ransomware virus.
  • In January, storage devices containing data from D.C. Metro Police surveillance cameras were infected.
  • In April, emergency sirens blaring across the Dallas area were blamed on hackers.
  • In July, the fire and police departments in Murfreesboro, TN, were both infected in the WannaCry attacks.

This is just a sampling of attacks which managed to gain some level of access, but that doesn't speak to how many attempts may have been made in that timeframe. The issue has become so serious that agencies as varied as the Federal Bureau of Investigation, the Department of Homeland Security and the Internal Revenue Service have issued warnings about it.

"I encourage those who think, 'It would never happen to me' to take this threat seriously, and not just of ransomware, but embracing an overall cybersecurity posture and state of mind when they're operating on a network," Burnell said.

Fortunately, there haven't been any major incidents in which dispatch or mission critical systems were impacted and a loss of life occurred, but even though these attacks are undertaken mostly for financial gain - cybercrimes net hundreds of billions of dollars a year -- the ability a hacker has to cause physical harm should never be discounted.

Existing data storage can give a firefighter the layout of a structure en route to a fire or let a paramedic know if a medical condition exists at the location where they've been dispatched. If this data becomes inaccessible, precious seconds or minutes can be added to a response and cause an incident that could have otherwise been avoided.

"We've seen massive, widespread attacks and the impact that ransomware can have to deny organizations the critical IT infrastructure and applications and information they need to make their missions successful," Burnell said.

Four stages of infection 

Burnell outlined the four stages of a ransomware infection as:

  1. Vector - How the infection gains access
  2. Command & Control - The source is alerted and takes over
  3. Encryption - The files become inaccessible
  4. Ransom Threat - Pay up or the data will be deleted.

Stage 1 is where best practices for firefighters come into play because the most common entry vector for ransomware is careless use of the web and email. That was what happened in several cases in the bullet points listed above. Burnell says user awareness and education are key to avoiding Stage 3. At that point, she says, "you're out of luck."

"The greatest threat to any network is the uninformed or careless user. Because at the end of the day, someone is taking an action that's allowing something to get inside. You're clicking something you shouldn't. You're opening a file you shouldn't. You're going to a URL you shouldn't."

Big city departments with large budgets likely have staff to handle IT infrastructure and security, but smaller and volunteer departments should also be aware of their level of security. And all firefighters in general should show a measure of caution when it comes to email and internet use on their networks. Consequences such as HIPAA law could come into play when sensitive information stored in a department system is compromised.

If an attack is successful and the threat of deletion is made as opposed to dissemination, Burnell says having a constant system in place to back up files can be a huge asset.

"Good user awareness can really help and do a lot to prevent that initial infection and be a really great first line of defense for those that don't have the budget or very robust security controls.

"Whether or not you're a cybersecurity professional, you are responsible for your use on the network and for the security of the network, so just thinking smarter about our web and email use can really be a great barrier against ransomware," said Burnell, who added that even a rank amateur can access pre-written ransomware code on the internet and cause damage.

Best practices 

Burnell also points out that IT security staff can sometimes fall short of best practices, referring to a brief checklist from the Center for Internet Security.

  • Count - Know what's connected to your network (desktops, laptops, routers, mobile devices).
  • Configure - Improper configurations can open the door to an attack.
  • Control - Control who has access to making changes to the network. 
  • Patching - Make sure your network has the most up-to-date software.
  • Repeat - Check your network system and then check it again.

"If we effectively took those five steps," Burnell said, "I think at least 80 percent of cybersecurity attacks would be defended against."

As fire departments continue pushing more and more into the digital age with the use of handheld devices, tablets and mobile applications, the need for better and more agile cybersecurity will be paramount. Given the lucrative allure for hackers trying to invade these systems, it's an issue the fire service literally cannot afford to ignore.

"Ransomware is a billion-dollar industry, so we shouldn't expect it to go away anytime soon," Burnell said.

Voice Your Opinion!

To join the conversation, and become an exclusive member of Firehouse, create an account today!