After 156 emergency sirens were hacked late Friday night, sounding the alarms for several hours, the city would be best to do a “top-to-bottom” detailed review of all its emergency systems and infrastructure controls, says a Richardson cybersecurity expert.
“Threat actors are never happy with a single outcome,” said Jeff Schilling, the chief security officer for Armor, which is not tied to the investigation of the Dallas hack. “They want to move across systems.”
On Tuesday, Schilling wrote a blog post in which he states that the “concern is that this could lead to ‘ransomware’ scenarios where a city could be frozen out of its critical systems unless extortion is paid.” To be safe, Schilling said, it would be in the city’s best interest to check any system that is tied to a data center or has connected capabilities. This includes everything from the 911 calling system to police and fire communication management systems to water towers.
Schilling has spent seven years in cybersecurity, serving as the director of the U.S. Army’s Global Network Operations and Security Center under the Army’s Cyber Command. While in the military he was charged with cybersecurity operations for more than 1 million computer systems that supported military units in more than 2,500 locations around the world. So when he saw the city of Dallas get hacked last week, he had his own theories about how it all happened and what should be next.
“The way things work is similar to a pager,” he said, adding that the sirens are connected by a radio frequency from one or multiple towers. “Each of the individual towers have a code and they’re activated when they receive an individual radio prompt. I have a theory that whoever pulled this off has to have pretty intimate knowledge of how it works and the vulnerabilities.”
The hack in Dallas, which is still under investigation, should be a glaring reminder to the importance of encrypting signals. And that’s not just for the city of Dallas but any municipality or company that sends out signals to large groups of people Schilling said. Cities and businesses also should consider annual penetration testing, in which they can expose both cyber and physical vulnerabilities.
From a broader perspective, these risks further create the need for statewide or even national cybersecurity standards and guidelines. These standards would help provide the safety measures for the design of infrastructure systems in the future.
Whatever Dallas, other cities, and businesses do, they all should consider cybersecurity a part of their budget so that they understand the risk and address it every year, Schilling said.
“They don’t know what they don’t know in cybersecurity,” Schilling said. “Having some type of methodical risk assessment would be the way to make informed budget decisions.”