With the rise in cybercrime against public safety agencies, it is more important than ever to learn how to protect your mission-critical systems against attacks. The Public Safety Threat Alliance (PSTA) provides members with many resources, including intelligence reports and webinars, on cyber threats and how to respond to them. In the third quarter, the PSTA hosted two webinars that offered insights on current trends and threat actor motives. Cyber Threats to Public Safety: Trends & Observations and Spotlight on Public Safety Cybersecurity: A Law Enforcement and Local Government Perspective are now available to watch on-demand, and this blog shares important highlights from each.
The Current Threat Landscape
Both webinars shared observations about the current cyber threat landscape. This year has seen the largest increase in successful cyber attacks against public safety, with a 35 percent increase over all of 2022 by the end of October 2023. A contributor to this rise is the fact that public safety networks have many different risk areas, and the data within is extremely sensitive. These risk areas are also connected to each other, making it more opportune for threat actors as they can move through the systems once they gain access.
With the increase in threats, there is a need for an increased focus on system monitoring. However, many public safety agencies don’t have the staff to monitor consistently, meaning that threats are not reviewed in a timely manner.
The highlights from the Cyber Threats to Public Safety webinar discuss how adding Managed Detection and Response (MDR) to your agency’s security plan can help prevent or lessen the impact of cyber attacks. The Spotlight on Public Safety Cybersecurity webinar shared insights from three different public safety professionals on what they’re doing to improve their organization’s cybersecurity.
Cyber Threats to Public Safety
Joseph Acosta and Kiwi Kiwimagi, from Motorola Solutions ActiveEye MDR team, discussed how MDR can keep systems safer from cyber threats. As mentioned previously, many agencies lack the resources to consistently monitor and respond to threats. An MDR service shifts this responsibility to a security operations center (SOC) that is specifically trained to monitor, identify, and mitigate these threats. Acosta and Kiwimagi explained how this happens by presenting three different cyber threat scenarios.
Scenario One: Exploitation of Fortigate SSL – VPN
When exploiting certain systems, attackers will do research beforehand, such as reading job descriptions to discover what software and hardware an organization is using. In this case, a job description required candidates to have knowledge of Fortigate, so the threat actor knew to look for vulnerabilities they could exploit that were specific to that technology. Once the threat actor understands their options, they can use those to infiltrate the system, create a new account and scan internal systems.
ActiveEye’s MDR security operations center specifically watches for scanning like this, so they were able to identify and stop the attack before any damage was done. If the attackers weren’t stopped, they would continue to infiltrate deeper into the environment, gaining escalated privileges, performing credential theft, and/or allowing them to deploy malicious payloads. Best practices for mitigating these types of attacks are to apply patches, employ monitoring and limit admin access.
Scenario Two: Ransomware
Ransomware is the most common threat to public safety, especially for organizations that don’t deploy MDR. The initial access typically happens through phishing emails, often sent at targeted times to minimize the chance of detection (i.e., 4 PM on the Friday before a holiday weekend). Once they have gained access to the system, they will use internal tools to access other areas through a method known as “living off the land.” Attackers will also create domain accounts and look for the biggest “blast radius” they can target.
Another common attribute of ransomware attackers is that they love “repeat customers” and consistently try to hit the same targets more than once to take advantage of the weaknesses they’ve found in previous attacks. Along with continuous monitoring, another important way to help defend against these attacks is to engage all agency employees in improving security through strong policies and regular training.
Scenario Three: Malware from a USB
Believe it or not, malware delivered via USB sticks remains a threat to public safety networks. The initial access happens when an employee plugs in a compromised USB unknowingly. The malware then creates a reboot loop, which effectively creates a denial of service that can have a serious impact on public safety networks.
If it is equipped to do so, some malware will even spread to other computers on the system, bringing down entire call handling and emergency response systems. While continuous monitoring is one of the best ways to catch these types of threats, creating and enforcing security policies can prevent them.
Spotlight on Public Safety Cybersecurity
In this webinar, Jay Kaine from the PSTA was joined by PSTA members who shared advice on what they’re doing to improve the cybersecurity of their agencies.
The panelists discussed how they see new and old threats, how mission-critical systems are being impacted, what processes and policies can help mitigate risk and the importance of being prepared for cyber attacks.
Resources for Vulnerable Agencies
Panel insights included how small agencies have a small attack surface and large agencies have a lot of tools and resources, making medium-sized agencies the most vulnerable. While they have a large attack surface, they are often understaffed and, as such, tend to implement tech quickly. It is crucial that agencies include cybersecurity in the conversations from the get-go; it should not be an afterthought.
Another key point was the need for agency staff to not only be aware of cyber response plans but to also test their effectiveness through cyber exercises. The panelists emphasized the importance of working collaboratively with other public safety organizations and joining information-sharing groups, like the PSTA, to understand what other agencies are doing.
How to Get a Budget for Cybersecurity
All three panelists shared that the best way to get a budget is to “speak the language of executives.” They are the ones who control where the money goes, so you need to be able to explain the importance of your organization’s cybersecurity. You don’t want to “cry wolf” or “sell fear” to get them on board, but rather become a trusted resource and source of knowledge. You can do this by showing them what is happening elsewhere and how having a budget for cybersecurity can prevent the same thing from happening to you.
Summary
The takeaway from both of these webinars is that the need for cybersecurity is only increasing. There are many ways that you can protect your agency against cyber attacks. A few important ones, as discussed by all the webinar presenters, are:
- Employing continuous monitoring
- Applying patches and security updates
- Creating and enforcing security policies and procedures
- Creating a cyber response plan and practicing it
- Staying informed by joining organizations like the PSTA
The public safety panelists also advise that there is a lot of noise in the cybersecurity threat landscape. It can be intimidating, so doing research and relying on trusted resources is extremely important.
About the Public Safety Threat Alliance
The Public Safety Threat Alliance (PSTA) is an information sharing and analysis organization (ISAO) established by Motorola Solutions and is recognized by the Cybersecurity and Infrastructure Security Agency (CISA). The PSTA regularly publishes research, such as the 2022 Cyber Threats report, shared with members. It also hosts regular webinars featuring our cybersecurity analysts and other experts. The PSTA provides threat intelligence for member public sector organizations at no cost.
Join the PSTA today to be aware of future webinars.
