
Alert: Potential Russian Cyberattacks Could Target Public Safety Networks

On March 21, 2022, President Biden issued a stark warning that Russia is in the planning phases of a significant barrage of cyberattacks against the United States.

"This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience," the presidential statement reads in part.

"Unlike past conflicts, our intelligence in the Russia-Ukraine situation is very good, and has been made public from the beginning," according to a statement from FirstWatch, a technology company that uses improvement science to support public safety and healthcare organizations. "We issued a FirstWatch Cyber Alert Warning on January 29, 2022. Just like with COVID, it's easy to let our guard down or ignore these warnings. But according to Anne Neuberger, the White House's Deputy National Security Adviser for Cyber and Emerging Technology, this warning is, 'Based on evolving threat intelligence, the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States.'"

Two of the 16 federally identified critical infrastructure sectors have immediate applicability to emergency services: communications and public safety, according to FirstWatch. Communications covers wired and wireless telephony, the internet, microwave systems, satellite communications, radio systems, and the peripheral networks and hardware that make it all work.

"We know that interference with 9-1-1 systems by disabling their phone trunk lines and their radio systems is a prime target of Russian state-sponsored actors," the FirstWatch statement reads. "Many of our colleagues will be in the direct crosshairs of impending attacks."

FirstWatch reports that network attacks against its primary firewalls have increased from 75 per second to over 1,500 per second and stayed at that level for the past three months. In the past ten days the firm has seen an increase from 1,000 per second to 1,500 per second. Other companies, government agencies, and universities are seeing the same numbers, and nearly all of this traffic is being generated by Russian actors and spread from Russia and from ISPs that they have taken over in other countries, FirstWatch states.

"By all accounts from our intelligence sources, we are in for a very turbulent spring."

What You Can Do

FirstWatch recommends the following actions to better position yourself against increased cyber aggression targeting public safety infrastructures.

Preparation

  • Document your network and systems in detail; clean up your networks
  • Develop business continuity plans for handling a breach
  • Step up the seriousness of cyber-related threat training as an organizational priority

Enhance Security Posture

  • Back up your data—real-time, incremental, off-site, glacial
  • Develop best practices for keeping all hardware patched
  • Implement multifactor authentication, ideally with phone-based or standalone tokens
  • Ensure in policy and practice that there are no rogue devices on your network, using IP and MAC scanning and 802.1X port-based authentication
  • Don’t leave “hot” network ports open for connection
  • Encrypt data at rest and data in motion; PCs, tablets, phones should all be fully encrypted with auto-wipe after a set number of failed logins
  • Geo-block the known bad actors in your firewalls
  • Treat USB devices and ports as untrusted; they are not your friend
  • Improve training for personnel regarding social engineering and phishing—reference www.knowbe4.com
  • Think “zero trust” as an overall concept—operating as if you are already working with a breach

Organizational Vigilance

  • Cyber safety and security must be a concern of everyone in the organization
  • Understand any regulatory compliance items you are required to meet
  • Stay updated on daily and weekly cyber updates issued from official government sources
  • Dedicate education budget and time for cyber education and awareness
  • Make cyber security and hygiene a consistent priority, so personnel will too
  • Encourage personnel to point out cyber concerns and weaknesses to help improve overall positioning; get stronger

Monitor and Detect

  • Develop logging systems to capture every action passing in and out of your firewalls and edge routers
  • Capture traffic bouncing off of your firewalls
  • Maintain at least a year of this logging data; it is vital for forensics in tracking down culprits in a breach
  • Establish alarms to notify responders and stakeholders when certain firewall events occur
  • Develop logging systems for user activity within your network for the same reasons as firewall logging
  • On larger networks, consider “honeypot” systems to help identify intruders that leverage access via third-party products
  • Study the logs regularly; know what normal looks like so that abnormal jumps out
  • Always follow up on the odd things
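As an added illustration of the "know what normal looks like" point (this is not code from the FirstWatch alert), the following Python script counts firewall DENY events per second from constructed, syslog-style log lines and raises an alarm for any second whose rate exceeds a multiple of an agreed baseline; the log format, host name and addresses are assumed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (syslog-style; not from any real device).
# One malformed line is included to show that parsing skips it rather than failing.
SAMPLE_LOG = """\
2022-03-22T02:00:00 fw1 DENY TCP 198.51.100.7:51234 -> 203.0.113.10:445
2022-03-22T02:00:00 fw1 DENY TCP 198.51.100.7:51235 -> 203.0.113.10:3389
2022-03-22T02:00:00 fw1 ALLOW TCP 192.0.2.20:40000 -> 203.0.113.10:443
2022-03-22T02:00:01 fw1 DENY TCP 198.51.100.8:51236 -> 203.0.113.10:445
2022-03-22T02:00:01 fw1 DENY TCP 198.51.100.7:51237 -> 203.0.113.10:22
2022-03-22T02:00:01 fw1 DENY TCP 198.51.100.7:51238 -> 203.0.113.10:22
this line is not a firewall record and is ignored
2022-03-22T02:00:02 fw1 ALLOW TCP 192.0.2.21:40001 -> 203.0.113.10:443
"""

# Assumed log format: "<timestamp> <host> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def denies_per_second(events):
    """Count DENY events in each one-second bucket (traffic bouncing off the firewall)."""
    per_sec = Counter()
    for ev in events:
        if ev["action"] == "DENY":
            per_sec[ev["ts"]] += 1
    return per_sec

def find_alarms(text, baseline_per_sec, multiplier=5.0):
    """Return [(ts, deny_count, top_sources)] for seconds above baseline * multiplier."""
    events = list(parse_lines(text))
    per_sec = denies_per_second(events)
    src_by_sec = defaultdict(Counter)
    for ev in events:
        if ev["action"] == "DENY":
            src_by_sec[ev["ts"]][ev["src"]] += 1
    threshold = baseline_per_sec * multiplier
    return [(ts, per_sec[ts], src_by_sec[ts].most_common(3))
            for ts in sorted(per_sec) if per_sec[ts] > threshold]

if __name__ == "__main__":
    # A tiny baseline fits the sample; a real deployment would learn it from weeks of logs.
    for ts, n, top in find_alarms(SAMPLE_LOG, baseline_per_sec=1.0, multiplier=2.0):
        print(f"ALARM {ts}: {n} denies/sec, top sources {top}")
```

The baseline and multiplier are deliberately parameters: the article's own figures (a normal rate of 75 per second rising to over 1,500) would be expressed as `baseline_per_sec=75` with whatever multiplier the organization agrees is abnormal.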

Response

  • Have a planned response to a breach; practice the plan
  • Be certain that everyone knows how to "sound the alarm" as soon as an anomaly is discovered; most targeted breaches occur at night and on weekends and holidays, when more junior staff are usually working, and junior staff can be hesitant to sound the alarm
  • Know who you will be notifying, such as local and federal law enforcement
  • Two to four times per year, confirm that your plan is workable in the ever-changing environment

Resources

https://www.cisa.gov/

https://www.cisa.gov/uscert/

https://www.cisa.gov/stopransomware

https://www.dhs.gov/

https://www.fbi.gov/investigate/cyber

https://www.ic3.gov/

https://threatpost.com/

https://attack.mitre.org/versions/v9/techniques/enterprise/

https://www.cisa.gov/uscert/ncas/alerts/aa22-011a

https://www.knowbe4.com/
