HxGN RADIO Podcast

Under Attack: Approaches to Cyber Security for Public Safety

Denial of Service attacks, backdoors, black hats, and Bitcoin ransom. In this podcast, we talk to Dan Retzer, senior vice president of Global Product Development for Hexagon’s Safety & Infrastructure division, about cyber threats facing public safety agencies today.

JW: Hi, and thanks for tuning in to Public Safety Now on HxGN Radio. I’m your host, John Whitehead, vice president of sales for U.S. Public Safety here at Hexagon Safety and Infrastructure Division. So today, we’ve got a really cool topic, and I almost feel kind of bad saying “cool topic,” because it’s kind of a scary topic. But cybersecurity attacks, they’re just not exclusive for guys like Sony or Marriott or the Equifaxs of the world, right? I mean, these things can happen to all of us. And especially in public-safety agencies and emergency call centers around the globe, we really need to focus on that. So today, we’ve got Dan Retzer, senior vice president of Global Product Development for Hexagon Safety and Infrastructure Division, and we’re going to just have a conversation here about cybersecurity and some of these cyber threats facing public safety today. So thanks, Dan, for joining us.

DR: Yeah, John. Thanks for having me here. It’s definitely a topic I’m very passionate about and one that I hope that we can give some people some education, some insight on.

JW: Yeah, it’s interesting because in the past, when I think cybersecurity, it’s always been kind of out there, right, on the horizon. It’s not something—who’s going to attack 911? Who’s going to attack public safety? We’re the good guys, right? Unfortunately, the statistics aren’t backing that up. People are actually coming out, and they’re coming after some of our agencies. And it’s today, it’s happening right now. I’ve got statistics that 184 cyber attacks have occurred in the last 24 months to public safety, 42 of those were attacks on 911 centers. I mean, that statistic alone is just a little unsettling, right? And I think that—I mean, we just got to be conscious of the fact that this is here and this is now. So, I’ve got a few questions. Like I said, we’re just going to talk a little bit about that. Some of this is how Hexagon can assist, but I think some of this is also just kind of our thoughts on how this plays within the emergency-services world. I mean, because of those attacks, do you think that’s the reason why cybersecurity now is such a critical piece for public safety? I mean, is it because it’s happening today, or has it always been the case?

DR: Well, let’s kind of take a step back and look at it even broader, right, because it seems like our public agencies in general are just under constant threat. And when you take a look at elections being under attack, and not just what’s happening in the U.S., but all over the world, right? You’ve got bad actors that are trying to compromise the very foundations of our democratic process, right? And what that does is, that starts eroding public trust, in general. So, you take a look at our customers in public safety and public agencies, and you take a look at some recent things and attacks that have happened that have been widely publicized—Atlanta and Baltimore and some of these other things—and what you’re really seeing is, you’re seeing a trend. It’s not just attacking the—we have this image of the hacker or the cyber terrorist who’s trying to secure a lot of money from, like you said, the Sonys or the Equifaxs, and compromised people, but now they’re definitely attacking sort of the very foundations of the public trust. And that’s why this is a huge concern.

JW: Right. Well, I mean, if you think about it, a lot of the terrorist attacks that’s going on around the globe are international. And listen, we’re not going to get into the fake-news thing here, right? Is it coming from Russia? Is it coming from China? I don’t know.

DR: Doesn’t matter.

JW: It doesn’t matter, right? But the fact of the matter is it’s an international problem. So, think about how much easier could it be for someone to attack us at the core by manipulating the 911 system, right? I need help, and when I call, I can’t get through. It’s not available. And I think that that’s kind of the terrorist activity there, that kind of plays to our fears, right? It’s being able to bring that stuff down. These denial-of-service attacks that they’re doing, and the things that are hitting corporations but now being focused on the 911 centers I think is a scary area.

DR: Oh, it’s frightening. And then, sometimes it’s not even the threats that you see, right? It’s not the denial-of-service attacks or ransomware attacks. Sometimes, it’s just the stuff that’s happening behind the scenes. When you think about how easy it is to get critical information from just your everyday person, right? You’ve got social engineering, where I can call you and say, “Hey, John. Hey, help me out here. I need to figure out what this code is,” or whatever. But it’s even, I think, scarier in some ways when you’re taking a public-safety risk to it. So, I could call in, pretending to be a high-ranking officer or whatever else. I can call into the dispatch center or whatever, and say, “Hey, I can’t get into my system,” or, “I’m locked out of my mobile device, and I need my password right now.” And people are kind of trained to react to people in authority, right? And so I don’t want to be that guy who’s not giving the commander or whatever else the access that they’re asking for. And again—

JW: And not to interrupt you there, but the example is, you’ve got a dispatcher sitting there in a radio room. Someone says, “Hey, I’m talking to the sheriff. He needs him to reset that password.” I mean, you’d do that, right? I mean, it’s the emotional hit that we worry about, right? It’s one thing—I’ve seen where they say the biggest threat to public safety when it comes to cybersecurity is the legacy equipment that we have in place, right? All of this old networking and old servers. And I’ve heard the stories of people doing network checks, and they’re finding all of these things that are attached out there, or they’re allowing a hole in a firewall, if you will. These are all points of access. That’s one area. But the personal attack on it is an interesting dilemma, for sure.

DR: Well, and I’m kind of glad you brought up sort of the infrastructure side and the legacy side, as well, because I think one of the other really hidden areas of vulnerability that people may not always be aware of, too, is even vulnerability in the products and the platforms that our systems are built on, right? I think this is a huge vulnerability in the system that some people overlook because they’re thinking about direct attacks into the network, through the firewall, whatever else. But there’s plenty of software out there that’s just kind of laden with vulnerabilities that people may not always know about.

JW: Yep, yep. And then, on top of that, you’ve got all of these things like malware and things that could accidentally be put on, right? Someone brings in a thumb drive from their house, very innocently. “I want to show pictures,” I want to see that type of thing, and I’m sharing that around. You never know what could be brought into your network. I think that that’s an important thing.

DR: Poor hygiene.

JW: Yep, exactly right. Exactly right. So, let’s talk a little bit about our products here, if we will, right? How would you describe our security program here at Hexagon?

DR: Well, so, I always have to kind of be a little bit cautious when I describe it because you never want to sort of hang out bait for anybody, if you will. It’s just kind of a bad practice. But we apply a layered approach, right? We actually kind of start foundationally, believe it or not, with education. We train and certify our development teams around security best practices. Actually, when I’m evaluating candidates from a hiring perspective, I’m always talking to them about what they’ve learned, either if they’re college graduates or if they’re into their profession, what they’ve done, what they’ve learned, how they’ve applied security, just in—not only in the development of software, but kind of in their daily lives, because that shows that you’ve got a security mentality. Things like, “Don’t use the same password on two different sites,” and all this other stuff. Just basic stuff, right? But it’s layered in that regard. We have a heavy focus on automation, where we’re using tools from the industry to basically kind of eliminate the human element, if you will, from overlooking or saying things like, “Oh, well, that’s just a false positive. I’m going to move on,” because there’s no false positives in security, I’m sorry. I mean, that’s just fundamental.

JW: You have to take everything serious.

DR: You have to take everything serious.

JW: Yep. No, I’d agree.

DR: And we kind of—and I hate using this because it is a little bit like a house metaphor, which tends to be overused—but I talk about the foundation being training. We’ve kind of got four walls that we put up around this as well, around governance. So we have a strong policy based around ISO standards to help, really, kind of guide the way that we do things, right, kind of our rules for how we build software. We have a construction wall, so really kind of a very interactive process by which the developers take ownership in the security process, right? So it’s very, very informative to them, and it’s kind of part of what they do. I had mentioned the automation, but verification. So it’s not—here’s what we say we’re going to do, and we do it. And now we’re verifying that we did what we did, and again, leveraging automation to really kind of ensure that what we’re doing and what we’re releasing at the software level is very secure. And then the operations piece, which is kind of tying it all together and ensuring that stakeholders, quite honestly, like your team, you guys kind of know what’s going on in the sales side and the client-relationship side. Our customers are advised and aware. And we’re advising people globally within Hexagon as to, here’s what’s going on, here’s what we’re finding. And it’s a collaborative process, but the operations piece kind of brings it all together.

JW: Nice, nice. So, it’s really a holistic approach here, internally. It’s something that all of your team are really working towards and kind of marching in unison with, it sounds like. That’s nice.

DR: And the thing that you have to understand is that our goal is to make each successive release of our product more secure than the last, right? And so it has to be organic and it has to be evolving because the bad guys are getting smarter, and they’re attacking us in more—in more interesting ways and attacking our customers and, as I mentioned, kind of the public trust. So we always have to be on guard and constantly be incorporating this into our process.

JW: Yeah. And I think that it’s a—yeah, that’s exactly right. We’ve got to be on guard because I think that, as I started off with, I think for the longest time, we kind of felt that it wasn’t our issue.

DR: Yeah. It’s somebody else’s problem.

JW: It’s someone else’s problem, right? “Oh, I really feel bad that Target,” for example, “got nailed. Hope they didn’t get my email in that attack,” right? But this is really our issue, and as an agency or as a vendor, we’re responsible. But also for our customers, those agencies need to also be taking that into consideration.

DR: Absolutely.

JW: So, let me switch gears here a little bit. Tell me how you’d respond when someone comes to you and says, “I don’t have time to upgrade or stay current with my releases. You know what? I got enough going on. I’m in a 911 center. We’re busy.” How do we deal with that?

DR: So, can you afford to not be operational? I mean, again, that’s what it boils down for me. And I think that the evidence points that that is a very real and very tangible danger here, right? So, look, I’m not trying to plant the seeds of fear and kind of drive—it’s really kind of, be realistic about what the risks are. So, what we try to do as a software vendor and a provider of our solutions is we try to advise people kind of what the risks are based upon the age of our solution and everything else. So really, again, the answer is that if you can afford to take risks, right, if you can afford to lose control of your environment and have somebody hijack you, if you can risk having somebody take control of your data, taking control of your operations, then that sounds great. But I don’t believe that we can do that, and I don’t think our customers can, either.

JW: Yeah, I agree. And I don’t think anybody wants to be on the front page of any paper.

DR: That’s a very true point. But, look, here’s the deal. I understand that these are large-scale, complicated software systems, okay? And again, if you can’t upgrade, if you will, or stay current on the product releases, at the very least you need to make sure that your network infrastructure, that your firewalls, and everything else, that you’re taking the right approaches there. And look at the platforms, as well. Microsoft is constantly releasing patches on their operating systems, and Cisco’s constantly issuing patches to their firmware. We constantly issue patches to our software, as well. So, I would advise people to just weigh the risks, weigh the overall effort of creating that upgrade or approaching that upgrade, and see is that something that you can truly afford.

JW: Yeah, I would agree. If you do some searching around out on the Internet, right, there’s a chief cybersecurity engineer. His name is Vern Mosley, and he’s got a great quote. He said that the public safety should take a lesson from the airline industry. So, if a pilot’s up in the air, and the airplane’s up flying, well, when an issue happens, that pilot can’t say, “Well, let’s just go land it and fix the problem.” They have to deal with it live. They have to deal with it while flying. And public safety and agencies like that need to do a similar thing. They need to have their live environment. I can’t bring 911. I can’t close 911 while I prepare or do security drills, right? I have to be able to take that forward. And I think to your point, even if it’s baby steps, even if it’s just making sure that your network, do they have all the right firmware, do they have all of the information, is all of your OP systems up to date, those are the things that they can do just, while in flight, keeping that airplane going. Do you have any advice or ideas if they’re looking to harden that system, if they’re looking to update those systems? Do we have any other advice that they might be able to do?

DR: Well, I mean, the first thing I always do is just ask questions, right? It kind of goes back to an earlier point in my career when I had thought I had a great software product. And then we hired a white-hat hacker to come in, and my team and everybody else that was on my team, we thought we were bulletproof. This person came in and found 18 different ways to get into the system. It was like, wow. And again, it was, well, let’s ask questions. So, what can we do to be better? What can we do to our product? And I think I would advise people, always ask your vendors, always ask your partners, always ask your providers in this whole ecosystem around your public-safety operations what they’re doing to help you. You can take a defense-in-depth approach to it, so kind of what’s your exposure, what’s your risk, what’s your layers of security in between all the different pieces? And then, the people that you rely on—again, your vendors, your providers, your partners—what are they doing to help you in this journey? What are they doing to help keep you safe? I mean, that’s the biggest thing, is always ask questions. And don’t be—I hate to say it this way, too—but don’t be afraid to look like you’re lost, right, because, this is a big, scary, complicated type of conversation, and it’s constantly evolving. And even those of us that are in the industry and have been dealing with this for a very long time, we’re still having to ask questions and really kind of rely on people with various levels of expertise because at the end of the day, it’s such a big problem that one person or one department or one agency, you’re not going to be able to deal with it all yourself. The threats to our infrastructure and to our public-trust systems is so wide and so varied, and really shifting and changing so frequently, that it really does take all of us working in partnership—vendors, practitioners, CIOs, CTOs—all of us working together to make sure that we’re manning the wall.

JW: Yeah, and I’d add to that that I think that agencies sometimes, they’re in their own ecosystem, and they’re in their own environment. And I think they feel like, “Wow, I’m out here all by myself. I have to figure all this stuff out.” And I think to your point right there, don’t be afraid—

DR: You’re not alone.

JW: You’re not alone. You’re not inventing this wheel, if you will. Someone else has gone down that road. And we can lean towards, whether it’s the vendor community, but also some of the industries, right? The APCOs, the NENAs, there’s a lot of information out there, and there’s a lot of assistance. And to your point, don’t be afraid to ask the question. I think that that’s a key part. All right, so I know we’re coming up here to the end of our time here. So, if there was one word that you could describe our approach to application security here at Hexagon, what would that be?

DR: One word.

JW: Just one word, right? It’s easy.

DR: You know, I’m going to have to go back and emphasize the automation aspect. And I have to say—I’ve said layered, I’ve said all these other things, but I think the key differentiator for us is really, automation, right, because at the end of the day, people are people, and you’ve got to trust in the technology and the intelligence that goes in. Again, it’s all these groups that are contributing to defining the different types of attacks. And you just got to—we’re talking about very, very complicated code; very, very complicated systems. You have to rely on the automation to be able to kind of point it out so that you can deal with it and make a valued decision.

JW: Very cool. Well, with that, I’m going to say that’s the final word on it. As I said at the beginning, this is a cool topic, and when I say cool, I mean a scary topic, right? So, it’s very interesting. So, big thank you to our guest, Dan Retzer, today. For more information about today’s topic, please visit www.hexagonsafetyinfrastructure.com. And to listen to some of our upcoming episodes or learn more, visit hxgnspotlight.com. And thanks for tuning in.