By Blaize Levitan, FD Hacks
The City of Riverside, OH Fire Department was hit twice in Spring 2018 with cyberattacks that wiped out department data. Pawtucket, RI Fire Department computers were hacked in June 2019, interfering with dispatch and potentially compromising data. Smaller government entities, often less protected and just as valuable, are increasingly becoming targets of cyber attacks. That means fire departments must think about cyber security. We provide the critical government services of life safety and property protection. Fire departments are also treasure troves of information, including pre-plans, target hazard analysis, infrastructure maps, billing and health records, and detailed address information. The scum of the dark web are constantly trying to build detailed profiles on every one of us, and data from our fire department records may provide them with valuable missing pieces of information. Foreign adversaries and terrorist organizations have an interest in our response protocols and procedures.
While individuals spend a lifetime learning this field, here are the basic elements to know to better protect your fire department today.
Understanding Threat Types and Risk Assessment
We face many threats, but the two biggest cyber exposures for fire departments, based on recent incidents, appear to be phishing scams and ransomware attacks. Phishing scammers use email or text messages to trick you into giving them your personal information. They may try to steal passwords, account numbers, or Social Security numbers. According to the FTC, phishing emails and text messages may appear to be from a company or person you know or trust. Often, scammers create messages similar to those from a bank, a credit card company, a social networking site, or an online payment website or app. In addition, when targeting your fire department, they may send emails that appear to come from mutual aid companies, non-profit organizations, or the federal government. Always, “Stop. Think. Click.”
According to the antivirus company Norton, “the concept behind ransomware, a form of malicious software, is quite simple: Lock and encrypt a victim’s computer data, then demand a ransom to restore access.” Often, a victim must pay the cybercriminal within a set amount of time or risk losing access forever. Paying the ransom doesn’t ensure access will be restored. Email is one of the main methods ransomware is delivered.
There are many other threats out there, including targeted data breaches. To understand your exposure, you need to assess your risk. Look at all the types of information your fire department possesses and how that information is stored. Understanding what’s within your fire department confines enables you to make more effective decisions about protecting data. For example, in addition to information common to most fire departments, your response district may include a nuclear power plant. Suddenly, your fire department may be a potential entry point into accessing critical information about that unique hazard.
Basic Precautions for Your Fire Department
There are some basic cyber precautions and best practices that every firefighter should know that will offer protection from most vulnerabilities. These are often low effort/cost tactics with big impact. There are many detailed resources available to learn about cyber security, including the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the IAFC Protecting Against Cyber Attacks, A Guide for Public Safety Leaders. Here are some tips to get you started:
Use complex passwords and don’t use the same exact password for multiple accounts. Never use passwords like “123456,” “station46,” or “fire department.” Include a combination of symbols (!, @, ?, #), numbers, and letters (both upper and lowercase).
Always verify who actually sent the email. Check the actual email address, not the name signed in the email. If you’re not sure, contact the sender directly to verify they’re making a legitimate request. Don’t reply to a suspicious email because it will validate your email address.
Verify that website links embedded in emails are being directed to the correct website by placing the cursor over the link (do not click on the link). Hovering over the link will show you the real website in a pop-up window or, if using a web browser, it will be in the lower left-hand corner.
Don’t email critical information, including passwords, Social Security numbers, bank accounts, patient records, or highly confidential information.
Use separate email accounts for personal and fire department business. If your fire department doesn’t offer email accounts to firefighters, just create a free one with Gmail.
Back up computers on an external hard drive. Keep a few external hard drives and back up your computers on a regular basis. Consider using cloud services to store information or files.
Update your computer, phone, and mobile apps. Vulnerable applications and operating systems are the target of most ransomware attacks.
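The sender check and the hover check from the tips above can also be run automatically on a saved message. The following is an added example, not part of the original article: the sample message, its domains, and the function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email); every domain is a placeholder.
SAMPLE = """\
From: "County Mutual Aid Office" <alerts@mutual-aid.invalid>
Subject: Updated run cards
Content-Type: text/html; charset="utf-8"

<p>Review the new run cards:
<a href="http://login.files-share.invalid/doc">https://www.countymutualaid.example/runcards</a></p>
<p><a href="https://www.countymutualaid.example/contact">Contact us</a></p>
"""

def host(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    url = url if "//" in url else "//" + url
    return (urlparse(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html):
    """Links whose visible text names one host while the href goes to another."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if "." in text and " " not in text and host(text) != host(href)]

def check_message(raw, expected_domains):
    """Compare the real From address and link targets with what is displayed."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    return {"display_name": name, "address": addr,
            "sender_expected": domain in expected_domains,
            "deceptive_links": deceptive_links(msg.get_payload())}
```

A clean result here does not prove a message is safe; it only means the two checks described in the tips found nothing, so unexpected requests should still be confirmed with the sender directly.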
Establish A Policy or SOG on Cyber Security
Yes, it is another policy, but your fire department really should have a SOG on cyber security. The policy should cover the basic expectations for firefighters, as well as some best practices on cyber security. In addition, it should cover, at a high level, what your department will do if a data breach or cyber attack has been discovered. A SOG on this will only help firefighters by serving as a one-stop-shop to learn about cyber risks and safety precautions.
These will definitely need tailoring to your department, but here are some templates to get you started:
FD HACKS readers: if you have a sample policy/SOG relating to cybersecurity for your fire department and you’re willing to share, please email it to us at email@example.com.
Train Firefighters on Cyber Security
You could have the most advanced firewall in the world, but if firefighters set weak passwords (like “password” or “station46”) or click on a spam link in an email, then it is worthless. Our training calendars are tight, but it is worth it to take one session and cover cybersecurity basics. DHS actually recommends that organizations have mandatory annual cyber security training for all employees. If you have a policy/SOG, use that to formulate your drill plan. Be sure to target password security, email safety, and protecting critical information you know many firefighters have access to. There are many handouts and informational flyers you can take advantage of. Here are some good ones to get you started:
Target Solutions has a course on Computer Use and Security
Vendors and Contractors
A less obvious vulnerability to be aware of is among fire department vendors and third-party service providers. Most fire departments partner with software firms for a range of services, including record keeping, training, mapping, and tracking fire inspections. We’re also using mobile apps for tracking responding firefighters. There is a good chance that your fire department website is hosted by a third-party vendor. There’s nothing inherently wrong with this, but be aware that many digital vendors indemnify themselves or omit key information about cyber security in agreements or terms of service. They may even place most of that burden directly on your fire department. In 2017, the Department of Homeland Security analyzed and found flaws in 32 of 33 first responder apps. Know what contracts you’re signing and be sure to ask about cyber security during the procurement process. If you already have an agreement with a vendor, reach out and ask what they do to protect your information.
Contact your town or city IT department for assistance. Just as IT professionals aren’t experts in fire extinguishment (as shown in this hilarious scene from The IT Crowd), we’re not experts in cybersecurity and digital service contracting. Ask if they have any guidelines on cyber security when partnering with third parties or software service providers. We need many of these partners to help bring the fire service into the 21st century, but be clear about your expectations and have well established roles and responsibilities with digital partners.
Think Broader - Information Security
If you’re not already doing so, think of the bigger picture - information security. Digital information is just a piece of it. Whether it is print, verbal, or digital, all information should be secured and managed. Consider including information security as a responsibility for one of your officers. If your fire department has a tech savvy firefighter, ask if they will take the lead. Explore creating an official position for them. Does this function need to be performed by a firefighter? Great firefighters may not be great IT or information security professionals. If your fire department is volunteer, advertise for this volunteer position, like the Cos Cob Volunteer Fire Department. If your department is career, explore hiring a civilian to provide information security responsibilities. Whatever approach you take, think of the big picture and take actions to ensure that all information is accounted for and protected, whether it be on a computer in the Lieutenant’s Office or stored in cardboard boxes at a storage facility.
Final Thoughts on Fire Department Cyber Security
With everything we have going on at the firehouse, cyber security is one of the last things we want to dedicate valuable brain power to. But it’s 2019 and the risks facing our fire departments on this front are getting more severe. Taking basic precautions can reduce or eliminate many vulnerabilities. Pre-planning roles and responsibilities in advance of a cyber incident will be just as beneficial as it is for a fire response.
What do you think? Does your fire department do anything for cyber security? Let us know in the comments or contact us! Please - if you have a sample policy or recommended resource, share it with us if you are willing. The more we work together on this, the better.
Disclaimer: This is for general informational purposes only and should not be considered legal advice or as professional recommendations. Always consider your own department policies and procedures. Cyber threats are constantly changing.