Among land mobile radio system users, cybersecurity must be a top priority
Recent Mission Critical Partners' assessments reveal that inherent vulnerabilities exist in Project 25 systems that easily could be exploited by cyberattackers
STATE COLLEGE, Pa. — Cybersecurity poses a significant threat to land mobile radio systems, including Project 25 (P25) systems, according to findings released by public-safety consulting and managed services firm Mission Critical Partners (MCP).
The findings stem from numerous recent technology-independent cybersecurity assessments aimed at determining if and how a cyberattacker who gained unauthorized system access — by exploiting inherent cybersecurity vulnerabilities — could impact a P25 land mobile radio (LMR) environment, particularly by disabling or disrupting vital mission-critical communications to prevent a public-safety agency from fulfilling its mission.
"Our findings suggest that public-safety agencies should perform independent, third-party assessments of their land mobile radio environment to identify vulnerabilities as soon as possible," said Darrin Reilly, MCP's president and CEO.
In the past, LMR systems, whether analog or digital, have been isolated, standalone, self-contained, and not connected to the internet, which generally means that no pathway existed for cyberattackers to infiltrate them. Moreover, P25 systems have certain protections that are baked into the standard, such as encryption, use of multiple frequencies, and a feature called "radio inhibit," which enables system managers to identify a rogue radio and render it useless. This resulted in a perception that LMR systems, especially P25 systems, are impervious to cyberattacks.
However, MCP's assessment results clearly demonstrated that this is untrue. The assessments leveraged a five-phase methodology for penetration testing — passive reconnaissance, active reconnaissance, analysis and vulnerability assessment, exploitation, and reporting. Also leveraged was the MITRE ATT&CK Framework, which was created in 2013 to document cyberattacker tactics based on real-world observations. The framework is the renowned knowledge base for understanding cyberattacker strategies and best practices for mitigating them.
The assessments affirmed what MCP has learned anecdotally from numerous implementation, monitoring, and maintenance projects. Some of the observations include:
- Lack of strong physical security and access controls — e.g., strong passwords/passphrases, multifactor authentication, biometric scanners, and smart tokens that change access codes every few seconds — designed to keep cyberattackers at bay.
- Lack of cybersecurity training among LMR system users.
- Lack of strong device policies, especially where an LMR system is interconnected with other public-safety systems in an emergency communications center environment.
- Failure to track agency and vendor personnel who possess system access, especially access to system-management functions.
- Reliance on the LMR system vendor for cybersecurity, which goes against the advice offered by the National Institute of Standards and Technology (NIST). NIST instead suggests employing independent assessors or assessment teams, i.e., assessments should not be performed by the radio system vendor or the internal/external system administrator.
- Inability of LMR agencies to validate how much monitoring their LMR system vendor was performing.
- Equipment shelters often are in remote areas and/or are used by multiple tenants, which makes it far easier to launch cyberattacks.
- Today's systems leverage the Internet Protocol, which is intrinsically vulnerable to cyberattacks, and those systems are often shared by other public-safety agencies, creating a dramatically diminished cybersecurity posture.
"Regarding cybersecurity, the most important tactic to follow is 'don't trust and instead verify,'" Reilly said. "Follow the advice offered by NIST and leverage an independent third party to become more aware of cybersecurity vulnerabilities and enhance protection of vital LMR systems."
About Mission Critical Partners (MCP)
Mission Critical Partners (MCP) is a leading provider of data-integration, consulting, network, and cybersecurity solutions specializing in transforming mission-critical communications networks into integrated ecosystems that improve outcomes in the public safety, justice, healthcare, transportation, and utility markets. Our comprehensive experience and vendor-agnostic approach help us develop modernized solutions for our clients to maximize value and create optimal efficiency while mitigating risk. Additional information and career opportunities are available at www.MissionCriticalPartners.com