Crisis Management Centers and Cyber Security

I was asked to contribute to an article about 911 communications centers recently based on my experience with large crisis management centers (think the 2014 Boston Marathon bombing). Below are my responses to the questions:

What are the common vulnerabilities communication centers face?

24-hour crisis managements centers often have shared computers. I would expect that they conduct hand-offs of information systems with each shift change. Additionally, with these shared information systems the users do not have unique accounts and share passwords between operators.  This condition would create attribution issues as well as allow disgruntled employees to create great harm in a critical environment without attribution.

What should 911 communication centers be on the lookout for when it comes to cyber security?

Social Engineering is an industry wide problem. Two of the key methods to employ when using social engineering is to use command (compelling the target to comply through explicit authority or the aura of authority) and empathy (making the target comply by making them feel bad for you).  Typically 911 communications centers are uniquely vulnerable to these methods as they deal with police (command) and victims (empathy).

What are unique vulnerabilities to the emergency communications field?

Information systems support personnel are forced to “over-privilege” users out of fear that someone may need access to information or systems at a critical time. Support personnel may not be willing to accept the risk of reducing privileges to appropriate levels because of the perception of failed support during an intense event.

How can communications centers improve their cyber security?

Communications centers can enforce two-factor authentication with people (verify badge number to the police officer) and with technology (require users to authenticate to information systems with a token).