September 8, 2025 by David Gray

Protecting Public Safety Networks: A Deep Dive into the Ransomware Threat


Industries: Fire & Emergency Medical Services, Police

Topics: Critical infrastructure, Emergency communication, Public safety, Risk management

Over the years I’ve witnessed the cybersecurity threat landscape evolve dramatically. Nowhere is this evolution more critical than in the realm of public safety. Our emergency services, dispatch centers, and radio networks are the bedrock of community well-being, and increasingly, they are under siege. While the overall number of cyberattacks on public safety entities saw a slight decrease in 2024, the intensity and impact on mission-critical systems dramatically escalated by 60%. This isn’t just about data; it’s about lives.

The most pervasive and debilitating threat we face today is ransomware. It is, by far, the most common attack type leading to system unavailability for vital public safety operations. In 2024 alone, Computer-Aided Dispatch (CAD) systems experienced a 100% increase in disruptions, leading to an average of 15 days of downtime. Public safety radio systems have not been immune, suffering four ransomware incidents in 2024 with an average downtime of seven days. These aren’t abstract figures; they translate directly into emergency responders resorting to “pen and paper”, slowing down critical response when every second counts.

The Adversary’s Playbook: How They Get In

Ransomware threat actors are predominantly financially motivated, opportunistic cybercriminals who are constantly probing for weaknesses. They are adept at exploiting any perceived security flaw to maximize their chances of financial gain. Based on our observations, their initial access methods primarily revolve around:

  • Credential Abuse: This is the most common gateway, employed by approximately 40% of all public safety attackers. This tactic involves using stolen, compromised, or maliciously created valid accounts, brute-forcing login attempts, or even purchasing previously compromised credentials from dark web forums. We recently saw this firsthand when a brute force attack targeted an emergency call center VPN in January 2025, attempting to gain access using former and current employee accounts.
  • Vulnerability Exploitation: Adversaries frequently target public-facing systems and remote services to establish an initial foothold. While less than 1% of disclosed vulnerabilities in 2023 were actively exploited, those that were often led to remote code execution (RCE), with many being exploited as zero-days. The average time for organizations to patch high-risk vulnerabilities on public-facing systems is over 57 days, providing a wide window of opportunity for attackers.
  • Phishing & Social Engineering: Email-based phishing remains a potent initial access vector, accounting for 14% of total detections in 2025. These phishing attempts often deliver malware like SocGholish, which was overwhelmingly the most common malware impacting the public safety sector in 2024, representing 92% of malware detections. It’s typically spread via malicious or compromised websites through deceptive “fake browser updates”.
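As an added example that is not part of the original post, the following Python script shows the kind of detection logic a dispatch center could run over its VPN authentication logs to catch the credential-abuse pattern described above: a burst of failed logins from one source, attempts against former-employee accounts, and a success that follows the burst. The log format, account names, IP addresses and thresholds are constructed assumptions for illustration.

```python
# Added example (not from the original post): detector for the VPN
# credential-abuse pattern. Log format, usernames and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2025-01-14T02:00:01Z 203.0.113.7 jsmith FAIL
2025-01-14T02:00:03Z 203.0.113.7 bjones FAIL
2025-01-14T02:00:04Z 203.0.113.7 dispatch01 FAIL
2025-01-14T02:00:06Z 203.0.113.7 rwilson FAIL
2025-01-14T02:00:08Z 203.0.113.7 amiller FAIL
2025-01-14T02:00:09Z 203.0.113.7 rwilson FAIL
2025-01-14T02:00:11Z 203.0.113.7 jsmith OK
2025-01-14T07:15:00Z 198.51.100.9 dispatch01 OK
"""

# Accounts of former employees (assumed to come from HR offboarding records).
FORMER_EMPLOYEES = {"rwilson", "amiller"}


def parse(log):
    """Yield (timestamp, src_ip, user, result) tuples from the log text."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect(log, window=timedelta(minutes=5), threshold=5):
    """Return alert tuples: failure bursts per source IP (with the number of
    distinct accounts tried, i.e. spraying), any attempt on a former-employee
    account, and a successful login that follows recent failures."""
    alerts = []
    fails = defaultdict(list)  # src_ip -> [(timestamp, user), ...] of failures
    for ts, ip, user, result in parse(log):
        if user in FORMER_EMPLOYEES:
            alerts.append(("former_employee_account", ip, user))
        if result == "FAIL":
            fails[ip].append((ts, user))
            recent = [(t, u) for t, u in fails[ip] if ts - t <= window]
            if len(recent) == threshold:  # fire once when the threshold is hit
                alerts.append(("auth_failure_burst", ip, len({u for _, u in recent})))
        elif result == "OK" and any(ts - t <= window for t, _ in fails[ip]):
            alerts.append(("success_after_failures", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The success-after-failures alert is the one worth paging on: it is the signal that the brute force may have worked and the account needs to be locked and reviewed.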

Beyond the Breach: Deepening the Attack

Once inside, threat actors employ a sophisticated toolkit to expand their access and achieve their objectives:

  • Reconnaissance and Lateral Movement: Adversaries actively scan networks using tools like Masscan and Nmap to discover vulnerable internet-facing devices and open ports. They then leverage tools such as Cobalt Strike or PsExec to move laterally across the compromised network.
  • Persistence and Privilege Escalation: Tools like Mimikatz are deployed to harvest credentials post-compromise, enabling privilege escalation. Attackers commonly install Cobalt Strike Beacons or Remote Monitoring and Management (RMM) agents like AnyDesk to maintain persistent access.
  • Disruption and Data Exfiltration: Ransomware groups employ tools like WinSCP for code execution and PowerShell for malware execution and information gathering. They often disable security tools, clear logs, and delete system backups to hinder recovery and maximize impact. There has also been an observed uptick in AI-powered tools being incorporated to streamline data exfiltration, making file prioritization more efficient and accelerating sensitive information theft, giving defenders even less time to respond.

Beyond the Financial: The Hacktivist Agenda

While financial gain is the primary driver, ideologically motivated hacktivist groups, such as NoName057, consistently launch Distributed Denial-of-Service (DDoS) attacks. These are generally lower impact, aiming for temporary website disruption, but they can still degrade services. There’s also an emerging trend of hacktivists attempting to leverage ransomware for disruption and monetary support, even with their relative lack of technical sophistication.

Furthermore, public safety entities hold highly sensitive data – personally identifiable information (PII) on suspects, victims, staff, and more – which is subject to strict compliance laws like CJIS. Data breaches and subsequent leaks can lead to severe consequences such as doxxing, identity theft, and even “swatting”. In 2024, the PSTA observed 28 credible offers on cybercrime forums advertising data harvested from public safety networks.

Fortifying Our Digital Frontline: A Call to Action

The threats are real, evolving, and specifically targeting the critical infrastructure of public safety. However, this is not a battle we are powerless to win. A multi-layered security approach is absolutely critical. Based on my experience and the insights from the sources, I urge all public safety organizations to prioritize the following:

  • Enforce Multi-Factor Authentication (MFA): This is paramount for all remote access, especially for privileged administrative accounts that control mission-critical systems. It’s a fundamental barrier against credential abuse.
  • Patch Known Vulnerabilities Diligently: Prioritize patching known exploited vulnerabilities in internet-facing systems, particularly those that allow for remote code execution. The window of opportunity for attackers is significant if patches are delayed.
  • Limit Mission-Critical Connections to the Open Internet: Restrict direct exposure of mission-critical assets to the public internet unless absolutely necessary. When exceptions are required, implement robust compensating controls like MFA and mandatory access via proxies.
  • Implement Robust Backup Procedures: Regularly back up all systems essential for operations, storing them separately from source systems and testing them periodically. This is your last line of defense against data loss from ransomware.
  • Leverage Managed Detection and Response (MDR) Solutions: Continuous monitoring of user and network activity for anomalous behavior is vital. MDR services can significantly improve detection and response times to unauthorized attempts, allowing defenders to identify and isolate threats in their early stages.
  • Invest in Security Awareness Training: Educate employees to recognize common signs of phishing attempts, which are a prevalent initial access vector. Human vigilance remains a critical component of defense.
  • Develop and Rehearse Incident Response Plans and Tabletop Exercises/Wargames: Critical decisions made during a cyberattack must be rehearsed with the entire agency. This ensures a rapid and organized response, preventing a cyber incident from escalating into a full-blown disaster.

The threat to public safety networks is dynamic and persistent. But with proactive measures, diligent monitoring, and a commitment to continuous improvement, we can strengthen our defenses and ensure our first responders always have the secure communications they need to protect our communities. Contact us to find out how our cybersecurity solutions can secure your organisation today.