The First Responder Network Authority – known as FirstNet – was initially funded in 2012 with $7 billion from the National Telecommunications and Information Administration (NTIA), and will be the first nationwide high-speed broadband wireless network “providing a single interoperable platform for law enforcement, firefighters, paramedics and other public safety officials offered in every state, county, locality and tribal area.”
Currently, more than 21 states have signed up for the FirstNet nationwide broadband network, which would enable all first responders to communicate over an emergency-response system established with specially reserved bandwidth across every inch of the 50 states. If a state chooses to opt out of using FirstNet, they must prove to be interoperable with FirstNet in times of emergency.
Outside of the boom in wearable camera technology, generally, first responder tech is not a traditional market for security systems integrators. That said, FirstNet should be vitally important to traditional systems integrators, because – like HSPD-12 and FIPS201 and other government standards that have preceded FirstNet – the first responder platform will likely set the standard for wireless cybersecurity network best practices.
From a wireless network and cybersecurity perspective, FirstNet will set the pace on how systems integrators will continue to evolve well past the realm of servers, workstations and network infrastructure to a ubiquitous anytime, anyplace and any environment culture.
But before we can make that leap, let’s first take a look at the evolution of FirstNet, and how it will shape wireless security standards.
Birth of a Network
In the wake of 9/11, FirstNet was envisioned as the as a way for police and firefighters to communicate wirelessly with other jurisdictions and task force operations, with a focus on providing real-time situational awareness and information sharing.
Currently, there are nearly 10,000 different and incompatible “land mobile radio networks” in the U.S. that first responders use for their jobs. This patchwork of different systems impairs first responders’ ability to effectively communicate with each other during emergencies.
The early justification for FirstNet may have begun with issues related to bandwidth, which is essential for availability and performance of voice, video and sensor data.
First responders claimed they needed their own network because in true calamities – evidenced during Hurricanes Katrina and Sandy – consumer bandwidth was overwhelmed, causing calls to be blocked or dropped.
Thus, FirstNet – an independent authority within the U.S. Department of Commerce – created an initial set of goals to be accomplished for the network, including:
- Provide a more reliable and interoperable network based on global standards;
- Connect and help protect responders in rural America;
- Enhance situational awareness in emergencies;
- Offer priority and pre-emption capabilities;
- Deliver readily available capacity during large events; and
- Create an innovative ecosystem of apps and devices.
Fast forward five years, and now cybersecurity, hacking and denial of service have become top priorities for FirstNet – including mandated privacy and security controls of personally identifiable information – to provide coordinated medical and public safety responses in the event of an emergency.
The standards and best practices that will be implemented by AT&T, Motorola and other subcontractors are well positioned to set the pace for standards implementation within the systems integrator community, especially in the realm of mobile devices, Internet of things (IoT), and wireless privacy and security.
Focus on Wireless Security Standards
Currently, the risks to IoT devices are just now coming to light. New threat models and attack vectors occur every day – not only do we have supply chain issues related to manufacturing (especially in China), but also the fact that mobile devices contain much greater technology than ever.
A common criticism of FirstNet is that first responders cannot use commercial off the shelf devices and tools at a lower cost – due to the fact that those devices are inherently insecure by nature. Mobile devices used by first responders must focus on enforcing the following:
- Who is able to have access to the specific hardware and software used in FirstNet, (including voice, video, and web);
- Management of the core network interfaces (tower and backhaul); and
- Monitoring and detecting security violations on the network.
These policies address the requirements for storing data on the device – often containing personally identifiable information (PII) – the period that the data can be maintained before it is deleted, and addressing the risk if a hacker or unauthorized individual gains access to the device.
FirstNet requires app developers and device manufacturers to follow best practices geared toward the first responders; and most importantly, to be compliant with “Guidelines for Managing the Security of Mobile Devices in the Enterprise” from National Institute of Technology Special Publication NIST 800-124.
A challenge for first responders is that it is often difficult to manage the security of IoT and network devices when they are outside the general location of cell towers and IT infrastructure. FirstNet-approved devices will have the same security protocols as centralized devices that can support strong authentication and storage encryption.
In the end, this will set new standards and requirements for systems integrators to prepare for an always-on and always-ready technology products such as backup and hot-swappable power supplies, and solar-powered IoT devices.
FirstNet has done its part to establish technical specifications surrounding the recommended security and privacy controls for mobile devices and IoT devices. The major question and concern is how to protect the data that these devices generate.
The Wireless Cybersecurity Angle
One of the most important and difficult challenges faced by FirstNet is user and device authentication. Currently, the use of biometrics and fingerprint scanners for authentication of users works well in commercial applications; however, emergency services require ease of use under some of the most demanding environmental conditions for user authentication – using something you know (PIN), and something you have (the First Responder Access Credential, or FRAC).
Another challenge is restricting permissions assigned to each user to include installation, synchronization, and verifying the communications groups and resources where users send and receive information.
For authentication of devices, let’s start with the supply chain. Hundreds of IP cameras are vulnerable to even the simplest types of exploits that are leveraged by hackers to launch things like distributed denial of service attacks. Most of these issues are the result of weak and default passwords, which are the nemesis of most data breaches. Thus, wireless access points, land mobile radios, and fixed-point data exchanges between these systems must be encrypted to protect against sniffing, service denial, spoofing, masquerading and brute force attacks – keeping unauthorized users off the network.
Advanced wireless security required by FirstNet means technologies would require Extensible Authentication Protocol (EAP) as the means to secure a wireless LAN, coupled with Transport Layer Security (TLS), which extends the use of secure sockets layer (SSL). This certificate-based authentication method is resilient to device and IoT attacks.
Although not specific to wireless security standards, one of the best implementations of certificate-based TLS authentication is the use of Credentialed High Assurance Video Encryption (CHAVE) – a technology developed by SecureXperts, Bosch and Genetec that requires the use of smart cards and digital certificates to authenticate IP-based cameras over secure encrypted network connections. This authentication method is beneficial because it relies on federally trusted certificates over IP networks, which have a high degree of vetting and proofing of the people and devices that are connected to the network. Additionally, the data remains secure during transmission and while archived in local, cloud-hosted or wireless networks.
Another benefit of this technology is that it asserts its own evidence that it has not been manipulated or altered. A digital hash of the image can be easily compared to an image or live video to prove its authenticity. The hardware and digital certificates stored on the device meet NIST Federal Information Processing Standards for Encryption at FIPS 140-2 level 3 – which is the strongest security available today for an IP camera.
The Impact on Systems Integrators
Systems integrators must learn and adopt new strategies for delivering and cyber-protecting real-time information over integrated fixed and wireless networks in the field – whether this information is transmitted directly to first responders and emergency operations centers or if it is being sent to a private command center for a client.
Embracing FirstNet wireless security standards will help systems integrators to adopt the new tools required for administration of these devices, as well as performing updates and other management and maintenance tasks in an efficient and cost-effective manner. These standards include the use of advanced network health monitoring tools and wireless diagnostic equipment, as well as mobile device security training, and the use and management of federated identities and groups using smart cards to replace legacy username/password systems.
Systems integrators would be well served to also hire and train skilled professionals within their organization on logical IT and cybersecurity. This will enable them to offer services such as:
- User rights management;
- VPN establishment and management;
- Remote monitoring;
- Connectivity back to centralized authorization services; and
- Cyber threat intelligence services that constantly check for malicious software and ensure that a customer’s devices are not used for unauthorized purposes.
FirstNet may be the first of its kind in dedicated networks, but there is finally an adoption trend of technology reaching this proportion that will serve as a leading model and set the pace for the future of national security, first responders and the security systems integrator community at large.
Darnell Washington is the President and CEO of SecureXperts (www.securexperts.com), an IT and physical security systems integrator based in Port Canaveral, Fla. To learn more about Credentialed High Assurance Video Encryption (CHAVE)-enabled products, visit www.securityinfowatch.com/12190027.
