Facing the cyber security challenge

What challenges do public safety network operators encounter as they move into the mobile broadband ecosystem, and what is being done to address them? Kate O’Flaherty reports

Cyber security is an urgent challenge for public safety network operators as they move into the mobile broadband ecosystem. Indeed, if cyber attacks such as distributed denial of service (DDoS) are able to hit networks and stop them from working, it could be devastating: a slowed response to a critical incident could cost lives.

Many countries around the world are upgrading existing TETRA systems or moving towards mission-critical broadband. This will increase efficiency and capability, but the transition also sees the end of the closed and controllable ecosystems of the past, posing cyber security challenges.

One of the greatest issues is that public safety network operators may not own or control the entire system. “Some assets will be shared or even owned by others,” says Jason Johur, Ericsson’s strategy and market development director for mission critical and private networks, and broadband industry group chairman, TCCA.

At the same time, the cyber attack surface is rapidly expanding in the move to IP networks. “The simpler legacy voice systems were designed without IP data protocols,” says Ken Rehbehn, directing analyst, critical communications at IHS Markit. “The attack surface as a result was a much narrower interface. When we move to heterogeneous IP-based networks, there are many paths through which data can travel, so the perimeter needs to be secure.”

There are many different types of cyber assaults that may target public safety networks, but 2019 saw a large number of ransomware attacks, where data is held to ransom by hackers in exchange for a payment.

Late last year, the US city of New Orleans was the target of a ransomware attack which led to officials shutting down the city’s network and declaring a state of emergency. Earlier in the year, systems at a number of Baltimore’s city government departments were taken offline by a ransomware assault utilising the so-called ‘RobinHood’ malware.

Ransomware was also key in the well-known WannaCry attack that hit the NHS in the UK back in 2017.

These attacks are often combined with denial of service – where the network is flooded with traffic to render it useless, says professor Kevin Curran, senior IEEE member and professor of cyber security at Ulster University.

Older systems are more vulnerable to malware such as this because they are no longer automatically updated to patch security holes. Curran points out that a lot of hospitals are still using outdated Windows operating systems such as Windows 7 or even XP, which are no longer supported by Microsoft.

Challenges in cyber security

Public safety network operators are aware of the risks, and adjustments are being made to address challenges in cyber security, but there is still a lot of work to be done. “Legal, operational and organisational changes are needed,” says Tero Pesonen, chair of TCCA’s Critical Communications Broadband Group. But this will take time and requires co-operation between public safety network operators. “European and international operators of public safety digital networks – such as the US, Japan and Australia – need time to discuss security issues arising with the adoption of broadband,” says Dr Barbara Held, head of directorate strategy and central management at the Federal Agency for Public Safety Digital Radio in Germany.

However, she says: “It became clear in international meetings last year that cyber security is of paramount importance in critical communications – it comes before legal and economic issues.” Even so, big changes are needed. Most public safety network operators are used to running their networks using niche technology such as TETRA, says Dr Held. However, the new 3GPP standards will push them into “the mainstream telecommunications world”.

Although 3GPP standards come with security measures included, the previously secured public safety technology will now be open to more avenues of attack, Dr Held says. “Everyone is worried about how we position ourselves against new emerging threats.”

In the new broadband world, public protection and disaster relief (PPDR) operators worldwide have contrasting views on future networks. However, says Dr Held, they also have things in common. For example, many are moving towards a hybrid system: TETRA or P25, and broadband. Yet this also creates security problems, says Dr Held. “We will need to open up and have gateways between systems – and that means danger.”

In the future, it is likely some parts of the network will still be dedicated, and others will be bought in as commercial services by commercial providers, Dr Held says. “But because we are opening up to the world, governance and security are important.”

On the one hand, there are concerns around privacy, data protection and confidentiality. However, reliability and availability need to be considered, given that these factors are key to the communication of first-responders, says Dr Held. “The big threat is sabotage, and not only by viruses but through the supply chain. From whom do we buy components for the system? How do we make sure that providers who deliver components do not shut down our networks using remote commands?”

Meanwhile, although it is not likely to become an issue for some time, public safety network operators are already voicing concerns about quantum computing. “We know that most keys and algorithms will be obsolete once quantum computing becomes standard,” says Dr Held. “This will lead to changes in security measures when it comes to access.”

At the same time, there are lots of discussions going on about use-cases in public safety and how these will be secured going forward. Pesonen cites the example of drones. “They bring benefits but also risks. To find the balance, we must have the required regulation in place for using these services.”

Another issue is how public safety can use video. For example: “What if others are in the video as well as the suspect?” asks Pesonen. “Regulation significantly impacts how information can be used, and data needs to be secured.”

But many of the challenges are already being addressed. For instance, Pesonen says, cyber security is being tackled by having a dedicated core network for public safety. “Ownership of the core network varies from country to country, but the essence remains the same: separation from the consumer network, enabling an upgrade cycle of its own.” In the US, for example, FirstNet has a public-private partnership with AT&T including a dedicated distributed core infrastructure.

Rehbehn thinks there is value in operating an extra core network for emergency services traffic. “By using an isolated core network, there’s not as much traffic going through the network, so anomalies can be detected. Also, because the dedicated core can be monitored and secured, it reduces avenues for attack.”

5G: a cyber security challenge

Soon-to-launch 5G networks have great potential in public safety, but they also come with risks. They are, by their very nature, completely different from previous cellular networks because the architecture is based on cloud and virtualisation.

In 5G, the network architecture is going to be “completely different”, Dr Held points out. “It won’t be one network; it will be a conglomerate of many with new actors in the field. At least in Germany and Europe, the main architectural and organisational decisions have not been made in implementation of 5G: it’s more theoretical and industry-driven at the moment.”

Another benefit, and risk, of 5G is the number of Internet of Things (IoT) devices it will be able to support in the field. 5G will result in more IoT access points, sensors, and data coming into networks, says TJ Kennedy, cofounder of the Public Safety Network. “When you add more nodes, there are additional ways attackers can access data and networks.” Therefore, he says: “It becomes important that we maintain software patches and make sure security flaws in software are taken seriously. This is critical with additional points of access.”

At the same time, as public safety starts to embrace V2X communication – where devices are “talking” to each other – to conduct operations, end-point security is key, says Todd Kelly, chief security officer at Cradlepoint. “FirstNet in the US is enforcing routes of trust in the devices. It’s important to have trust chains we can rely on, not just at times of communication, but consistently.” For example, he says: “When phones start up, there will be routes to show ‘I can trust this phone’ or operating system.”

Another 5G feature is the ability to ‘slice’ the network for different use-cases or quality of service. Professor Curran suggests the network slicing capabilities that come with 5G could be useful in public safety. “Network slicing allows you to define who uses it, and public safety could benefit from promises of better quality of service and resilience.”

Dr Held says public safety operators are looking into the 5G slicing option: “Would it make sense to implement dedicated 5G slices for PPDR? The public operators are interested in the idea of managing their own slice.”

However, given that slices are cloud-based, she asks: “How can we guarantee that those virtual slices fit our ideas of security and reliability? You must trust the provider of the slice or it’s going to be difficult.”

Security solutions

It is clear that these multiple cyber security risks are concerning public safety network operators. However, help and advice are available. For example, the Public Safety Technology Alliance (PSTA) has issued some guidance.

“As we move to mobile broadband for public safety, it’s important that organisations have the right posture in place,” says Kennedy. He says it is crucial that agencies are embracing the best practices outlined by the PSTA.

He cites the example of device management. “We are dealing with wearable devices as well as smartphones and tablets. Therefore, every agency should have a mobile device management (MDM) solution in place. Also have a whitelist and blacklist policy and make sure safeguards are in place as people are let go and devices are lost.”

At the same time, device procurement needs to be led by people who understand security, says Rehbehn. “Other issues are keeping the software up to date. How many revisions back are you supporting of the operating system?”

Ceri Charlton, associate director at cyber security consultancy Bridewell Consulting, also advocates practices such as patch management. “Ensure there is a mechanism through which things can be updated. When procuring kit, make sure patching is something that’s included. Ask whether the support agreement includes getting patches, and do you do it yourself, or do they? To me, the core of running a service is making sure it remains patched.”

Meanwhile, Kennedy says cloud access needs to be managed in the correct way. “We no longer recommend on-premises equipment, so we have to ensure that agencies can secure data – which could be leveraging a cloud provider. You need service-level agreements (SLAs) in place and [to be] monitoring that cloud-deployed data.”

Network security and network hardening are “paramount”, says Johur. “Systems are required that monitor the network for changes in configuration, unexpected modes of operation, and any anomalies in information flows. Collecting logs, auditing system operations, recording authorised access or changes, and any unauthorised access attempts, are all quintessential security measures. The operator must also have a continuous understanding of the status of their network and its operations. This includes keeping track of all software components, including use of any third-party software, and understanding if any vulnerabilities exist that urgently need patching.”

At the same time, consider the risk posed by what many cyber-security professionals call your “weakest link”: people. Kennedy says: “The number-one risk for cyber security is human; most cyber attacks leverage this. It’s about using good passwords to begin with and other best practices that will help protect against, for example, ransomware attacks.”

Things are starting to change, but more knowledge is key to gain trust in the new technologies, says Dr Held, who believes in the concept of ‘zero trust’. “You cannot build walls around your network elements because then your network becomes useless: it stops communication instead of facilitating it. We should look at how we can develop functionalities and services that are secure by themselves independently from the actual network environment. We will have to rely on technologies such as end-to-end encryption: it won’t be 100 per cent safe, but you need to try to get to 99.99 per cent.”

Dr Held thinks Europeans should develop joint solutions for Europe and other interested parts of the world. “Individual countries don’t have the technological power, but with the experience Europeans have, we can jointly produce successful security architectures and solutions. In data protection, we already play a leading role. This does not necessarily mean regulating, but it needs political will for co-operation.”

What the future holds

Work is under way, so what does the future hold for public safety networks, and their security? So far, says Pesonen, one general trend is convergence. “People talk about public safety and smart cities as separate; I prefer to speak about ‘safe society’ with the two happening at the same time.”

For example, he says, autonomous vehicles will have an impact on traffic police. “The rate of traffic accidents is likely to decline and perhaps speeding will vanish altogether. There’s also a big question about how society functions will change and what impact it will have on public safety operations overall – and what the threats will be.”

Pesonen advocates pushing for commonality as much as possible. “If every country has significantly different regulations and laws, it will be difficult and expensive for solutions to be compliant with all of those – and it is taxpayer money to pay for those variants.”

Therefore, says Pesonen: “We should encourage cooperation. Standardisation in 3GPP is ongoing so this is the perfect and most cost-efficient time to influence. The more we work together, the more common solutions we can define, the better quality and lower cost the solutions are.”

As cyber attacks continue to grow in number and sophistication, public safety networks will always be a target. Rehbehn says: “I will never be surprised at how clever bad people are when there is incentive to attack a system. Vigilance is required; attention to security has to be more than just a campaign slogan.”