Five steps to NG-911 protection

Because next-generation 911 (NG-911) requires moving from a closed analog environment to an interconnected Internet Protocol (IP) network environment, security must increase to a level that protects networks, equipment and data. The steps along the path to secure NG-911 environments are addressed in the National Emergency Number Association (NENA) Next Generation Security (NG-SEC) standard. Although other standards could be used — such as the National Institute of Standards and Technology (NIST) Special Publication 800-53, or the Criminal Justice Information Services (CJIS) Security Policy version 5.0 — NENA’s NG-SEC is stated in terms written specifically for the NG-911 environment.

It is important to note that the CJIS Security Policy is a mandate for systems processing criminal justice information. It also is an excellent resource to secure the remainder of the network.

Whether ultimately choosing to use NENA, NIST, CJIS or another security standard, typically they call for:

• Planning
• Policies
• Training
• Monitoring
• Auditing

Moving from a traditional telephony Centralized Automatic Message Accounting (CAMA) environment to an Emergency Services Internet Network (ESInet) with full IP connectivity is a major change. For example, phone “phreaks” (analog hackers) are replaced with distributed denial-of-service attacks and techno-savvy hackers seeking to gain much more than free long-distance service. Also, there was a time when the exact location of a caller was known because it was the same as their telephone billing address. Today, GPS coordinates are used to locate a growing majority of callers.

What do we need to do today to keep pace with these changes requiring IP connections? Buy new equipment and software, and hope for the best? The first is true but we can do more than hope; we can plan.

The essential elements of the planning stage are described in five steps:

Step 1: Security

Decide the best means to address security in the environment. What are the requirements and mandates? Who is responsible for the overall security? Articulate a security plan that establishes the vision and tone for securing the network. This is a formal document announcing the security framework, and further instructions exist (or will exist) in the form of policies and procedures.

Assess — Know the environment, including all call-taker workstations, servers, printers (check the environment because it might have an IP address), wireless access, radios, service providers, ANI/ALI databases and GIS databases. Inventory everything and everybody who touches the network, whether directly or through another system. List current policies and procedures. Determine what already is in place.

Compliance Roadmap — Now that you know what the environment has, compare it to the requirements of the chosen security standard. Note the requirements that are not in place. The differences represent the gaps. Each of the missing requirements on the gap analysis needs a remediation plan. This may take the form of a compliance roadmap, which is a list of activities that will bring the network into compliance with the chosen standard.

A compliance plan should include a rough order-of-magnitude estimate of the costs associated with activities, as well as a timeline for completion. The timeline demonstrates the opportunity to distribute costs and the workload over five years (more or less as time and funds permit). If the IP network connectivity will be established soon, consider compressing the timeline and choosing the activities that can be accomplished quickly, or those that offer the most security. Mitigation strategies should be put in place to provide a viable plan to correct the remaining gaps and achieve complete security compliance.

Now let’s examine the remaining steps for implementing an NG-911 security standard.

Step 2: Policies

Much thought, planning and enormous amounts of coordination are needed prior to arriving at the point where policies can be written. Policies are used to communicate the expectations and appropriate behavior on the network.

During the planning stage, regulatory, legislative and administrative documents that impact the environment are identified. When authoring policies, it is important to involve entities that have a stake in the network and, specifically, the security of the network. From governing authorities to other agencies on the network, each may provide rules for network connectivity and information sharing. Your agency’s security standards may differ. Always choose the most secure requirements. Do not permit access to the network unless the requestor honors your agency’s security standards while connected to the network.

Procedures are instructions to use when performing a task — e.g., configuring a workstation. Documenting procedures allows tasks to be conducted consistently, avoiding security issues caused by conflicting methodologies. It also is helpful to provide a change-management procedure to coordinate changes to installations, upgrades and other activities that potentially could impact network security.

Step 3: Train

There is a lot of new information for employees to assimilate so provide training to help them understand the security plan, policies and procedures. Training also provides a platform to discuss processes and resolve misunderstandings. Technology is dynamic and creates ever-changing security needs. Annual and periodic training is necessary to keep employees informed of changes to security requirements.

Step 4: Monitor

All of this hard work, planning, coordinating and documenting will be for naught if the network isn’t monitored. Systems that are capable of logging information should do so. A systematic approach for reviewing logs and providing reports should be established. High-impact events, such as a virus on the network, should trigger an alarm that immediately notifies personnel to take action. If services are provided by another entity, require reports and establish notification procedures via contracts and service-level agreements.

Step 5: Audit

Audit the network annually. Compare the environment to the chosen security standard. Remember the gap analysis from Step 1? Again, identify security gaps and execute strategies to remain compliant. Use the information gained from audits to update the plan, policies and procedures, if needed. Continue to monitor the environment to assure that security measures are providing the expected outcome. Security requires persistent commitment.

This article merely touches on the basics. Firewalls, intrusion detection and prevention systems, authorized access (physical and cyber), passwords and encryption are a few of the many other security considerations.

Security compliance is complex. It requires perpetual planning and coordination, but it is a necessity. From agencies that find their personnel information posted on a hacker’s website to networks that are unable to provide service due to a denial-of-service attack, these are real world events that can be prevented — in five steps.

Lori J. Kleckner is a cybersecurity consultant for L.R. Kimball with extensive experience in collaborating with local, state and national governments. The feature originally appeared in Urgent Communications, an American City & County sister publication.