ARCHITECTURE ENGINEERING COMMUNICATIONS TECHNOLOGY AVIATION | CIVIL | CONSTRUCTION SERVICES | DATA SYSTEMS | ENVIRONMENTAL FACILITIES ENGINEERING | GEOSPATIAL | NETWORKS | PUBLIC SAFETY | TRANSPORTATION Cyber Security: NG-SEC 101 What you need to know and how to achieve compliance Jeremy L. Smith, CISSP


Page 1

Cyber Security: NG-SEC 101
What you need to know and how to achieve compliance

Jeremy L. Smith, CISSP

Page 2

Webinar Frequently Asked Questions
• Q&A at the end, please use your chat pod in the left corner
• Today's webinar is being recorded and will be sent
• PowerPoint slides to also be redistributed
• If you didn't register, email [email protected] to ensure you receive the slides

Page 3

The NG9-1-1 Educational Series
• 9 key initiatives
• Overview white paper and webinar
• Individual webinars for each of these topics (some might be grouped)
• White papers for each initiative
• Series lasts until National NENA

Page 4

Today’s Presenter

Jeremy Smith, Senior Cyber Security Consultant, L.R. Kimball

Page 5

Overview
• Part 1: NG-SEC Overview
  – NENA & Cyber Security
  – Why do we need Cyber Security in NG9-1-1?
  – What is NG-SEC & why do we need a security standard?
  – What does NG-SEC cover?
• Part 2: Achieving Compliance
  – How does NG-SEC affect me?
    • PSAP
      – PSAP CPEs that are currently not interconnected
      – PSAP CPEs that are interconnected (e.g. in a host/remote, WAN)
    • Vendor
    • State Agency
  – Where/How do I start the compliance process?

Page 6

Bio
• Co-chair of the NENA NG9-1-1 Security (NG-SEC) Working Group
• Sr. Cyber Security Consultant for L.R. Kimball
  – Leads the L.R. Kimball Cyber Security Consulting team
• Certified Information Systems Security Professional (CISSP)
• Master of Science in Information Systems Management with emphasis in IT Security; and M.B.A.
• Adjunct university faculty teaching cyber security to graduate/undergraduate students
• Past:
  – 7 years with PlantCML
    • Cyber Security Professional Services for 911 call centers
    • Helped build Managed Services offering
    • Lead Solutions Architect for NYPD/FDNY project
  – Former Network Administrator, Microsoft Certified Trainer, and Marine

Page 7

NG9-1-1: Your Target

Cyber Security

Page 8

Part 1

NG-SEC Overview

Page 9

Cyber Security - Defined
• Protection of information/property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and useful to its users.
• Collective processes and mechanisms by which valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events respectively.
• Translation:
  – Keeping your mission-critical infrastructure or systems and the information stored on them safe and available!

Page 10

Why do we need Cyber Security in NG9-1-1?
• Legacy 9-1-1 was typically not connected to other networks
• Barriers to attack were high
  – Logistics
  – Easier targets elsewhere
• In NG9-1-1, we are all connected
• Barriers to attack dramatically decrease
• 9-1-1 is an attractive target
• The need for cyber security has never been greater

Page 11

NENA & Cyber Security
• NENA is actively involved in ensuring that 9-1-1 stays secure during & after the transition to NG9-1-1
• Established a Joint Working Group: "Security for NG9-1-1"
  – Responsible for all things security in NG9-1-1
  – Co-chaired by Jeremy Smith & Gordon Vanauken
  – Broad industry representation (e.g. State, PSAP, Vendor, telco, consultant, etc.)
  – Officially released standards on 2/6/10
    • NENA Document 75-001
  – Standards are known as NG9-1-1 Security (NG-SEC)

Page 12

What is NG-SEC?
• NG9-1-1 Security, or NG-SEC, is the first comprehensive Cyber Security standard for the Public Safety industry
• Applies to ALL NG9-1-1 entities:
  – PSAPs
  – Telcos
  – Vendors
  – Content Providers
  – Everyone!
• Covers a broad range of security areas
  – (more on this later…)

Page 13

Why do we need a Cyber Security standard?
• With everyone connected, the need for a consistent baseline becomes critical:
  – How does one agency and/or ESINet ensure that another cannot take it down?
  – How will each agency know what to do?
  – Each agency could have a different interpretation of what it means to be secure
  – How would many in the industry go from "no security" to "enough security"?
  – What is enough security?
  – How will vendors be able to comply without a baseline?
  – Chasing a moving target

Standards provide a consistent baseline to start improving security during and after the transition to NG9-1-1

Page 14

But NG9-1-1 isn't here yet… can I wait??
• True, but many entities are currently planning NG9-1-1 deployments, migrations, etc.
  – And some of you are even deploying networks and other NG9-1-1 foundational elements
• The systems that are being bought today will likely be migrated to NG9-1-1 as opposed to forklifted
• Entities need to start the planning process now
  – New costs, new operations, new processes, new technology
  – Security must be built into NG9-1-1 from the outset, not bolted on later

Page 15

What does NG-SEC Address?*
4. Security Policies
5. Information Classification & Protection
6. General Security (network connectivity, multi-homed devices, wireless, and more)
7. Safeguarding Information Assets (user ID and authentication, passwords, system access, certificates, access control, rights and permissions, encryption, viruses, patching, auditing, and more)
8. Physical Security
9. Network and Remote Access (includes firewalls, VPNs, etc.)
10. Change Control and Documentation
11. Compliance Audits and Reviews
12. Exception Approval and Risk Acceptance Process
13. Incident Response Plan

*Section titles map to actual NG-SEC sections

Page 16

Some important things to note about NG-SEC
• Designed to provide a baseline
  – Consistent foundation for security standardization
• Will continue to evolve and change as threats change
  – Isn't perfect
  – Workgroup is permanent
• Allows for flexibility to exceed the standards to the nth degree.

Page 17

Part 2: Complying with NG-SEC

Where do I begin if I am a:
• PSAP / Dispatch Center
• State Agency
• Vendor / Maintenance Provider
• Content Provider

Page 18

Compliance – defined
• At a high level, achieving NG-SEC compliance means purposefully creating, procuring, installing and maintaining NG9-1-1 solutions in a fashion that meets or exceeds the detailed security requirements outlined in the NG-SEC specification, through independent and recurring verification.
• More plainly, it means increasing the level of security in your NG9-1-1 solution and having it independently verified against the NG-SEC spec.

Page 19

The most important thing you can do now…

Begin the planning process!

Page 20

I am a PSAP…

How does NG-SEC affect me?

Page 21

Perspective
• Connectivity:
  – PSAPs that are currently not interconnected
    • E.g. standalone, or part of a COG/RPC or some other regional-type WAN, etc.
  – PSAPs that are interconnected
    • E.g. host/remote configuration, or just a WAN for sharing map data, etc.
• NG9-1-1 Planning
  – Actively planning your NG9-1-1
  – Have not started actively planning for NG9-1-1

Page 22

The Basics (applies to all)
1. Get educated
2. Take responsibility for securing your system
3. Conduct a gap analysis / readiness assessment
  – How far away are you from compliance?
  – People, processes, and technology
4. Start planning / budgeting now
  – Integrate into NG9-1-1 plans
5. Execute
  – Buy systems that are capable of being compliant
  – Make existing systems compliant
  – Weave security into everything you do

Page 23

Not connected today…
• If you are not yet interconnected…
  – You have a little more time
  – Take advantage of the time you have to prepare
  – But you need to focus more on PSAP security and less on the network
  – Plan ahead by increasing PSAP security to reduce risk when the network does come

Page 24

Connected today (e.g. WAN, host/remote)
• If you are part of a WAN (e.g. sharing map data today, or as part of some host/remote config)
  – You have already introduced risk, which will increase as NG9-1-1 evolves
  – You need to focus on PSAP security
  – But you also need to ensure your WAN is compliant
  – Not too late to start actively planning for NG-SEC compliance, but start immediately

Page 25

NG9-1-1 Plans
• Every aspect of your NG9-1-1 transition should have a security element
  – If you are building an ESINet, make NG-SEC compliance a requirement to connect to it
  – Procurements should include it as an element: put it in the RFPs
• Seek out new funding
  – Inform your government entities / leaders
  – Grants
• Don't wait until NG9-1-1 gets here or is deployed
  – Take advantage of the time you have now to develop your security program

Page 26

NG-SEC Compliance LifeCycle

Source: Byrnes, C., & Scholtz, T. (2005). Use Information Security Program Maturity Timeline as an Analysis Tool. Gartner.

Page 27

Some helpful tips
• Focus on the journey
  – Security is a journey, not a destination
    • Compliance is a key element, but not the only one (e.g. monitoring, governance, etc.)
  – Define the vision
    • Know where you are (gap analysis / readiness assessment)
    • Know where you want to go (security plan / roadmap)
• Some security is better than no security
  – Do what you can handle/afford
  – Better than doing nothing
  – Break it into manageable chunks

Page 28

I am a State Agency…

How does NG-SEC affect me?

Page 29

State Agencies
• Some things to consider:
  – Establish state-level governance and policies
  – Ensure any state-run equipment is compliant
  – Include it in pilot programs to see how agencies will handle it?
  – NG-SEC compliance as a requirement for inclusion on state contract?
  – Statewide audit program?
  – Only fund centers that are NG-SEC compliant?
  – State-funded penetration/vulnerability assessments?

Page 30

Vendor, Maintenance Provider or Content Provider
How does NG-SEC affect them?

Page 31

How does NG-SEC affect Vendors and Maintenance Providers?
• Build systems that are NG-SEC compliant
• Prove NG-SEC compliance by undergoing independent auditing
• Help customers
• Includes Telcos / Maintenance Providers!
  – Sell NG-SEC solutions
  – Provide NG-SEC compliant maintenance

Page 32

How does NG-SEC affect Content Providers?
• The applications and networks used to provide the content must be NG-SEC compliant
• Content delivered must be NG-SEC compliant (as applicable)
• Must be willing to prove their compliance status

Page 33

Other groups this may affect
• Federal?
  – FEMA
  – DHS
  – DoD
  – Other?
• State-level DHSEM?
• Healthcare?
• International information sharing?
  – Cross border?
• Any entity involved in NG9-1-1 in any capacity…

Page 34

Summary

Page 35

Takeaways
1. NG-SEC is here!
2. Start with a Readiness Assessment
  – "Gap analysis"
3. Then build the roadmap…
  – Start the planning process now
4. Hold vendors accountable while taking responsibility to ensure you are compliant

Page 36

NG9-1-1: Your Target

Page 37

Questions?

Contact me: [email protected]

Page 38

NG-SEC Coverage Areas

Optional / Time Permitting

Page 39

What does NG-SEC Address?*
4. Security Policies
5. Information Classification & Protection
6. General Security (network connectivity, multi-homed devices, wireless, and more)
7. Safeguarding Information Assets (user ID and authentication, passwords, system access, certificates, access control, rights and permissions, encryption, viruses, patching, auditing, and more)
8. Physical Security
9. Network and Remote Access (includes firewalls, VPNs, etc.)
10. Change Control and Documentation
11. Compliance Audits and Reviews
12. Exception Approval and Risk Acceptance Process
13. Incident Response Plan

*Section titles map to actual NG-SEC sections

Page 40

Security Personnel & Policies
• Entities are required to have security policies:
  – Sr. Management Statement of Policy
    • Identifies who is formally responsible for security within the agency (Sr. Manager – e.g. 911 Director, Police/Fire Chief, Executive, etc.)
    • Identifies supporting security personnel like: Security Administrators, Contractors/Consultants, Managed Services Providers, etc.
  – Applicable Functional Policies
    • Acceptable Use / Computer Usage Policy
    • Authentication / Password Policies
    • Physical Security Policy
    • Hiring Policy
    • Remote Access Policies
    • Technology Selection Policies
    • System Hardening/Configuration Policies
    • Data Classification Policy

Page 41

Information Classification & Protection
• Information classification is the framework for evaluating and protecting information and the assets that contain information
• Information is categorized based on its sensitivity, applicable policies and/or legal and statutory requirements.
• Classifying Data:
  – Public [Examples: RFP, phone number]
  – Sensitive (Internal Use Only) [Examples: internal policies, internal communications]
  – Sensitive (Restricted) [Examples: salary information, internal audit info, incident reports, firewall rules]
  – Sensitive (Most Sensitive) [Examples: SSN, DL#, passwords, biometric data]

Page 42

General Security
• Network security forms a cornerstone of the overall security posture for any NG9-1-1 Entity.
• An improperly secured network can present many problems to an NG9-1-1 Entity, such as providing an avenue for intrusion, loss of service including an inability to accept 911 calls, or a conduit for propagation of malicious code.
• Entities need to implement or conduct:
  – Network inventory
  – Control network ingress/egress points with a firewall
  – Avoid use of dual-homed devices
  – Secure wireless connections
  – Security training for employees and security personnel
  – Incorporate security into all activities (e.g. project plan charters, new projects, purchases, etc. Build it into the DNA of the organization!)

Page 43

Safeguarding Information Assets
• Identification & Authentication
  – All devices require ID/Auth
  – New users should be created under a policy (e.g. written request, traceability, minimum access granted, etc.)
  – Lock users out after failed logon attempts
  – No autologon
  – Passwords:
    • Password is required
    • Must be complex
    • 8 characters
    • Min age: 3 / Max age: 60
    • Password history: 10
• Rights/Permissions
  – Least privilege
  – Rename default accounts
• Encryption – when applicable
• Antivirus software is mandatory
• Systems must be patched with security updates
• Systems must be hardened
• Redundancy whenever possible and for critical systems
• Audit logs
• DR/BC plans created
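A gap check built from the password and lockout figures on this slide, added here as an example; it is not from the deck or from the NG-SEC standard. It assumes the host's account policy has been captured in the layout of the Windows `net accounts` command (the sample below is constructed and deliberately weak), that complexity enforcement and autologon status are gathered separately and passed in as flags, and that the slide's "8 characters" and age values mean a minimum length and days.

```python
"""Added example, not from the NG-SEC deck or NENA 75-001: compare a host's
effective account policy with the password/lockout baseline the slide lists."""

# Baseline taken from the slide: 8 characters (read here as a minimum length),
# min age 3 / max age 60 (read as days), password history 10, and lockout after
# failed logon attempts. The slide gives no lockout count, so any enabled
# threshold is accepted.
BASELINE = {"min_length": 8, "min_age_days": 3, "max_age_days": 60, "history": 10}

# Constructed sample in the layout of Windows `net accounts` output (a real run
# would be saved to a file and read in); the values are deliberately weak.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""


def parse_net_accounts(text):
    """Map each label to an int, or to None where Windows prints Never/None/Unlimited."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.rsplit(":", 1)  # the first label itself contains '?'
        value = value.strip()
        if value.isdigit():
            settings[label.strip()] = int(value)
        elif value in ("Never", "None", "Unlimited"):
            settings[label.strip()] = None
        else:
            settings[label.strip()] = value
    return settings


def evaluate(settings, complexity_enabled, autologon_enabled):
    """Return one finding per gap against BASELINE; an empty list means compliant.

    complexity_enabled and autologon_enabled are not in `net accounts` output; in
    this example they are assumed to be collected from the host separately.
    """
    def number(label):
        value = settings.get(label)
        return value if isinstance(value, int) else None

    findings = []
    min_len = number("Minimum password length")
    if min_len is None or min_len < BASELINE["min_length"]:
        findings.append(f"minimum password length is {min_len}, baseline {BASELINE['min_length']}")
    min_age = number("Minimum password age (days)")
    if min_age is None or min_age < BASELINE["min_age_days"]:
        findings.append(f"minimum password age is {min_age} days, baseline {BASELINE['min_age_days']}")
    max_age = number("Maximum password age (days)")  # None means Unlimited: never expires
    if max_age is None or max_age > BASELINE["max_age_days"]:
        findings.append(f"maximum password age is {max_age} days, baseline {BASELINE['max_age_days']}")
    history = number("Length of password history maintained")
    if history is None or history < BASELINE["history"]:
        findings.append(f"password history is {history}, baseline {BASELINE['history']}")
    if number("Lockout threshold") is None:  # 'Never': accounts never lock out
        findings.append("no lockout after failed logon attempts")
    if not complexity_enabled:
        findings.append("password complexity is not enforced")
    if autologon_enabled:
        findings.append("autologon is enabled")
    return findings


def report(text, complexity_enabled, autologon_enabled):
    """Print a gap-analysis style summary and return the findings."""
    findings = evaluate(parse_net_accounts(text), complexity_enabled, autologon_enabled)
    status = "compliant" if not findings else f"{len(findings)} gap(s)"
    print("NG-SEC password/lockout check:", status)
    for item in findings:
        print("  -", item)
    return findings


if __name__ == "__main__":
    # Constructed flags for the sample host: complexity off, autologon on.
    report(SAMPLE_NET_ACCOUNTS, complexity_enabled=False, autologon_enabled=True)
```

Run it against a saved `net accounts` capture from each workstation and server during the readiness assessment; each finding is one line item for the roadmap.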

Page 44

Physical Security
• All NG9-1-1 Entity information resources shall be kept physically secured and protected from theft, misappropriation, misuse, unauthorized access and damage
• Locked doors
• Challenge folks who don't belong
• ID badges shall be used on entrance to the building
• Mobile devices shall be protected (e.g. laptop in hotel)
• Fire plans, fire suppression systems, UPS, generator, HVAC
• Equipment locked in server rooms/wire closets


Network and Remote Access

• Firewalls established at boundary points
• Stateful firewalls are minimum (application layer recommended)
• VPNs used for remote access
• Intrusion Detection / Prevention Systems (IDS/IPS) should be considered
• Network diversity should be strongly considered with NG9-1-1


Change Control and Documentation

• Changes to the architecture, design or engineering of the NG9-1-1 networks shall include a formalized pre-cutover and post-cutover security review

• Formal change control process shall be followed and appropriate documentation shall be produced and retained


Compliance Audits and Reviews

• Agencies that deploy NG9-1-1 networks and develop security policies for them are required to conduct periodic audits or reviews to ensure that both the NG9-1-1 networks and the systems that are connecting to it comply with NG-SEC
– Audits can be conducted internally or externally.
– Internal audits are used to "self-check" an organization's compliance with security standards and/or policies.
– Entities performing internal audits or “self-checks” may use external, 3rd party resources if necessary
– External audit leverages a non-biased 3rd Party to independently perform the audit
• Internal Audits shall be conducted at a minimum of annually.
• External audits shall be conducted at a minimum of once every 3 years.
• Security audits shall utilize various methods to assess the security of networks and processes, applications, services and platforms including automated tools, checklists, documentation review, penetration testing and interviews


Exception Approval and Risk Acceptance Process

• There may be occasions when it is not possible to comply due to technical constraints, cost restrictions, or other reasons

• When such occasions arise, the resultant security risk shall be identified, documented and managed
– Risk justification: Provides a business case for waiver or exception of the security requirement
– Risk identification: Aims to thoroughly and unambiguously define the risk, the scope of what is at risk, and how the risk was identified.
– Risk assessment: Uses three risk factors to assess: the potential severity of the risk, the impact of the risk, and the likelihood of the risk actually happening. These factors assist in deciding the mitigation of the risk, and in determining the frequency of review for the risk.
– Risk analysis: Evaluates the feasibility and costs of different mitigation strategies relative to the potential cost impact.
– Risk acceptance and approval: Only when a risk cannot be totally removed or reduced to an acceptable level is it accepted as is; acceptance requires approval from the NG9-1-1 Risk Acceptance Approver and an Exception Approval/Risk Acceptance Form (EA/RAF).


Incident Response Plan

• An Incident Response Plan shall be implemented

• An Incident Response Plan is:
– a formal, written plan detailing how an organization will respond to a computer security incident. Examples of security incidents include virus outbreaks, hacking attempts, critical service outages, denials of service, and more