wireless communications security

Upload: pttoan

Post on 06-Apr-2018


  • 8/3/2019 Wireless Communications Security

    1/12

    Wireless Communications Security Awareness Guide

    Hacker Breaks Into Emergency Communications System in Maryland

    November 30, 2005

    A computer hacker broke into the Prince George's County emergency communications system and transmitted a false emergency request. Fortunately, a fire chief recognized it as a false alarm. Still, responders at Station 9 firehouse were very concerned that the breach could have sent firefighters on an errant call, preventing someone else from receiving the emergency help really needed.

    these responders vulnerable and increase the risks to the lives and property of the citizens they are working to protect.

    What Is Communications System Security?

    Communications system security is the process of developing and executing specific plans, policies, and procedures to secure emergency response communications systems from possible risks and malicious actions. Evaluating and implementing security plans, policies, and procedures is needed to mitigate risks to these critical communications systems. These security risks involve intentional or unintentional actions taken against a system that could result in the modification, disclosure, or destruction of sensitive or private information. These actions can degrade or fully disable system operations.

    Communications systems security generally includes four components: physical security, network security, communications security, and administrative security. The design, operation, and maintenance of emergency response communications systems, including private radio networks, should address each of these components.

    Physical security includes the protection of all facilities where communications system components are housed. This may include the communications center, remote tower sites, and maintenance facilities, as well as the communications equipment itself. Equipment must be secured at all times, including:

    while it is in use

    while it is being transported for maintenance

    while it is being maintained

    Network security involves the protection of the system's hardware, software, and associated interfaces. Common network security requirements include maintaining user accounts, controlling passwords and system access, and performing routine system audits. Firewalls, anti-virus software, and intrusion detection programs also play an important role in maintaining network security.

    Communications security relates to measures taken to ensure the confidentiality and integrity of information transmitted over the airwaves. This includes the use of encryption, the management and reprogramming of encryption keys, and the safeguarding of key codes, key loaders, and related software.

    Administrative security involves the use of procedural controls to ensure the confidentiality, integrity, and availability of communications systems. An administrative security program would include security plans, procedures, and documentation, ongoing security awareness training, and personnel security.

    What Is The Problem?

    Emergency response agencies are facing a growing number of occasions when some form of protected communications is necessary. For example, routine actions, such as transmitting a criminal history to an officer in the field or coordinating an undercover operation, are generally not safe from sophisticated criminals attempting to intercept important information traveling over the air. In addition, emergency response agencies are facing an ever-increasing number of malicious acts, such as coordinated terrorist attacks on physical communications infrastructure and remote attacks to computer-based systems.

    Another area of concern stems from the fact that many emergency response agencies are upgrading or replacing their private radio networks. These systems are evolving from stand-alone, analog, voice-only systems to more sophisticated networks. These new networks rely on digital, computer-based technology and support the transmission of voice, data, and video. They also have underlying architectures that enable data sharing and interconnection between different systems. The newer technology systems introduce network-related security vulnerabilities on top of the considerable set of traditional systems threats.

    Interference over Police Communications System in Wisconsin

    March 2004

    A former University of Wisconsin-Madison graduate student was arrested after Madison Emergency Radio System technicians traced the location of a transmission interfering with Madison Police Department (MPD) radio frequencies to his apartment. Prosecutors believe that the transmission was retaliation against the MPD for convicting the suspect of speeding earlier that day. The MPD also complained of an incessant tone transmission that had interfered with its portable radios two weeks earlier. Police department radio technicians later traced that transmission back to the same suspect's apartment.

    The devastation caused by the September 11, 2001 terrorist attacks and by natural disasters, such as Hurricane Katrina, has raised several additional concerns about emergency response communications. The need for interoperability has become an increased priority. As new and upgraded systems are developed to meet this need, more points of interconnection to other types of communications or remote data networks occur, introducing a new host of security risks. Interoperability solutions themselves, including mobile devices, or on-scene audio switches, can negate traditional security methods and present new problems to the safety of an emergency responder network.

    Although advanced communications systems are providing significant benefits to the emergency response community, they remain subject to traditional security threats and are also more susceptible to new security vulnerabilities. Some agencies are familiar with traditional threats, such as monitoring of unencrypted traffic, radio frequency jamming, physical attacks, and impersonation. Unfortunately, they generally do not have strategies, or the financial resources, to address them. Moreover, agencies are largely unfamiliar with new computer-based threats to their communications systems. Specific training to raise security awareness of these new threats and to identify necessary risk-mitigation strategies is not widely available.

    The evolution toward automated, computer-controlled communications systems heightens threats from system hackers. As new services and access to data become available, officials need to consider the additional vulnerabilities to systems. Depending on the system's features, hackers may infiltrate the system by introducing a virus, disabling the system, or obtaining confidential information. Unsecured systems allow hackers to gain access through a variety of illicit methods such as dialing telephone numbers in search of modem tones to access a network and randomly guessing user passwords. At the same time, emergency response agencies are not adequately incorporating security designs into their systems because of funding limits and a lack of resource allocations.

    Multiple Burglaries in Virginia

    July 2003

    Four Stafford County teenagers operated a highly organized commercial burglary ring, committing more than 7 break-ins within the year. The teenagers pre-planned each burglary and evaded capture by using police scanners to listen in on the police communications and positions. They were finally caught after the police received information naming the suspects.

    What Has Been Done?

    In the past, the Federal law enforcement community has relied primarily on encryption for the security of its voice communications. Some state agencies have also relied on encryption for voice communications security. Encryption technology is mature, and the vendor community generally provides encryption features in its product offerings. In November 2001, the National Institute of Standards and Technology (NIST) accepted and authorized the Federal Information Processing Standard (FIPS) 197 for the Advanced Encryption Standard (AES). This provides a more robust encryption algorithm. However, encryption addresses only one aspect of communications systems security and does not necessarily mitigate new, computer-based threats.

    In 1996, the security of certain networked systems became a more prominent national issue. The systems of concern included those typically identified as the core infrastructure for the Nation. In particular, President Clinton identified certain national infrastructures as so important to the United States that an interruption in their service would severely affect the security of the country. Through Presidential Decision Directive (PDD) 63, Clinton created a policy stressing the need to protect these infrastructures from physical, electronic, radio frequency, and computer attacks. Emergency services, including police, fire response, and EMS, were identified as critical infrastructures.

    The Bush Administration's Policy on Critical Infrastructure: Homeland Security Presidential Directive (HSPD-7)

    December 2003

    This directive establishes a national policy for Federal departments and agencies to identify and develop processes and technologies to protect all critical infrastructure and key resources of government and economic sectors . . . While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

    Following the terrorist attacks of September 11, 2001, President George W. Bush revisited the importance of the Nation's critical infrastructure by issuing Homeland Security Presidential Directive 7. This directive, which supersedes PDD 63, strengthens the national policy for securing the country's critical infrastructure.

    In addition, the Department of Homeland Security continues to raise the community's awareness on many security issues and threats facing emergency response communications systems.

    What Needs To Be Done?

    Although there has been renewed focus on security issues in recent years, the majority of emergency response communications systems in the United States do not have any form of security assurance process. Leaders from all levels of government, as well as emergency response officials, need to elevate security awareness and allocate resources within procedures and guidelines. Equipment providers and systems integrators must in turn incorporate these stipulations into their product and service offerings. Emergency response agencies must include security specifications as a part of their requests for proposals when pursuing a new system implementation.

    As technology evolves, greater integration is needed between the communication and information technology functions. With technologies such as Voice over Internet Protocol (VoIP), a better understanding of the information technology used can shed light on the various security issues that need to be addressed.

    Why Does It Matter?

    The security of our Nation's emergency response communications infrastructure is an issue that affects us all. Emergency responders must have secure communications to enable them to protect themselves and the lives of citizens. Additionally, the Nation's communications systems must be protected from destructive attacks and intrusions that may lead to wide-ranging disasters. Measures must be taken to ensure the security of these systems so emergency response agencies can swiftly and efficiently carry out their critical activities.


    For Additional Information

    Digital Land Mobile Radio Security Problem Statement

    This problem statement highlights emerging security issues with changes in public safety radio communications systems. This narrative addresses the vital need for security from an infrastructure protection perspective, explains the cause of new security threats and vulnerabilities, and highlights the security challenges that face the emergency response community.

    Digital Land Mobile Radio System Security Guidelines Recommendations

    This document describes recommended radio system security guidelines, including industry best security practices. These guidelines can be applied to the design, implementation, and operation of digital land mobile radio systems.

    Security Issues Report: Impediments and Issues on Using Encryption on Public Safety Radio Systems

    This report identifies and explains issues and challenges with the development, deployment, and decisions on the use of encryption technologies within the local and state emergency response community. This examination presents factual information and dispels common misinformation about the use of encryption technologies, potential legal ramifications, and operational considerations.

    Homeland Security Presidential Directive (HSPD) 7

    This directive establishes a national policy for Federal departments and agencies to protect United States critical infrastructure and key resources. For more detailed information on HSPD 7, visit: http://www.whitehouse.gov/news/releases/00//007-.html.

    To view these and other publications, and for more information on emergency response communications, please visit: http://www.safecomprogram.gov.

    The SAFECOM program absorbed the Public Safety Wireless Network and its initiatives in 2004. The Office for Interoperability and Compatibility's communications portfolio is currently comprised of the research, development, testing, evaluation, and standards aspects of the SAFECOM and Disaster Management programs.


    OFFICE FOR INTEROPERABILITY AND COMPATIBILITY

    Defining the Problem

    Emergency responders (police officers, fire personnel, emergency medical services) need to share vital voice and data information across disciplines and jurisdictions to successfully respond to day-to-day incidents and large-scale emergencies. Unfortunately, for decades, inadequate and unreliable communications have compromised their ability to perform mission-critical duties. Responders often have difficulty communicating when adjacent agencies are assigned to different radio bands, use incompatible proprietary systems and infrastructure, and lack adequate standard operating procedures and effective multi-jurisdictional, multi-disciplinary governance structures.

    OIC Background

    The Department of Homeland Security (DHS) established the Office for Interoperability and Compatibility (OIC) in 2004 to strengthen and integrate interoperability and compatibility efforts in order to improve local, tribal, state, and Federal emergency response and preparedness. Managed by the Science and Technology Directorate, OIC is assisting in the coordination of interoperability efforts across DHS. OIC programs and initiatives address critical interoperability and compatibility issues. Priority areas include communications, equipment, and training.

    OIC Programs

    OIC programs address both voice and data interoperability. OIC is creating the capacity for increased levels of interoperability by developing tools, best practices, and methodologies that emergency response agencies can put into effect immediately. OIC is also improving incident response and recovery by developing tools and messaging standards that help emergency responders manage incidents and exchange information in real time.

    Practitioner-Driven Approach

    OIC is committed to working in partnership with local, tribal, state, and Federal officials in order to serve critical emergency response needs. OIC's programs are unique in that they advocate a bottom-up approach. The programs' practitioner-driven governance structures gain from the valuable input of the emergency response community and from local, tribal, state, and Federal policy makers and leaders.

    Long-Term Goals

    Strengthen and integrate homeland security activities related to research and development, testing and evaluation, standards, technical assistance, training, and grant funding that pertain to interoperability.

    Provide a single resource for information about and assistance with interoperability and compatibility issues.

    Reduce unnecessary duplication in emergency response programs and unneeded spending on interoperability issues.

    Identify and promote interoperability and compatibility best practices in the emergency response arena.