CIO Influence
CIO Influence News Security

Among Land Mobile Radio System Users, Cybersecurity Must Be a Top Priority

Among Land Mobile Radio System Users, Cybersecurity Must Be a Top Priority

Cybersecurity poses a significant threat to land mobile radio systems, including Project 25 (P25) systems, according to findings released by public-safety consulting and managed services firm Mission Critical Partners (MCP).

The findings stem from numerous recent technology-independent cybersecurity assessments aimed at determining if and how a cyberattacker who gained unauthorized system access — by exploiting inherent cybersecurity vulnerabilities — could impact a P25 land mobile radio (LMR) environment, particularly by disabling or disrupting vital mission-critical communications to prevent a public-safety agency from fulfilling its mission.

“Our findings suggest that public-safety agencies should perform independent, third-party assessments of their land mobile radio environment to identify vulnerabilities as soon as possible,” said Darrin ReillyMCP‘s president and CEO.

CIO INFLUENCE: CIO Influence Interview with Pete Lilley, Vice President and GM at Instaclustr

In the past, LMR systems, whether analog or digital, have been isolated, standalone, self-contained, and not connected to the internet, which generally means that no pathway existed for cyberattackers to infiltrate them.Moreover, P25 systems have certain protections that are baked into the standard, such as encryption, use of multiple frequencies, and a feature called “radio inhibit,” which enables system managers to identify a rogue radio and render it useless.This resulted in a perception that LMR systems, especially P25 systems, are impervious to cyberattacks.

However, MCP‘s assessment results clearly demonstrated that this is untrue.The assessments leveraged a five-phase methodology for penetration testing — passive reconnaissance, active reconnaissance, analysis and vulnerability assessment, exploitation, and reporting. Also leveraged was the MITRE ATT&CK Framework, which was created in 2013 to document cyberattacker tactics based on real-world observations.The framework is the renowned knowledge base for understanding cyberattacker strategies and best practices for mitigating them.

CIO INFLUENCE: JFrog Software Supply Chain Platform Delivers 393% ROI According to Total Economic Impact Study

The assessments affirmed what MCP has learned anecdotally from numerous implementation, monitoring, and maintenance projects.Some of the observations revealed include:

  • Lack of strong physical security and access controls — e.g., strong passwords/passphrasesmultifactor authentication, biometric scanners, and smart tokens that change access codes every few seconds — designed to keep cyberattackers at bay.
  • Lack of cybersecurity training among LMR system users.
  • Lack of strong device policies, especially where an LMR system is interconnected with other public-safety systems in an emergency communications center environment.
  • Failure to track agency and vendor personnel who possess system access, especially access to system-management functions.
  • Reliance on the LMR system vendor for cybersecurity, which goes against the advice offered by the National Institute of Standards and Technology (NIST).[1] NIST instead suggests employing independent assessors or assessment teams, i.e., assessments should not be performed by the radio system vendor or the internal/external system administrator.
  • It also was observed that LMR agencies could not validate how much monitoring was taking place by their LMR system vendor.
  • Equipment shelters often are in remote areas and/or are used by multiple tenants, which makes it far easier to launch cyberattacks.
  • Today’s systems leverage the Internet Protocol, which is intrinsically vulnerable to cyberattacks, and those systems are often shared by other public-safety agencies, creating a dramatically diminished cybersecurity posture.

“Regarding cybersecurity, the most important tactic to follow is ‘don’t trust and instead verify,'” Reilly said. “Follow the advice offered by NIST and leverage an independent third party to become more aware of cybersecurity vulnerabilities and enhance protection of vital LMR systems.”

CIO INFLUENCE: World Password Day: Password advice for CIOs

[To share your insights with us, please write to sghosh@martechseries.com]

Related posts

Eguana Licenses E-GEAR EMS Cloud Platform

CIO Influence News Desk

RDK6 to Deliver Newest Software Enhancements for Video Service Providers and Global Technology Suppliers

PR Newswire

Advisor Group Appoints Clayton Chandler as Chief Security, Privacy and Data Officer

CIO Influence News Desk