Following the rollout of a dedicated first responder network in the U.S., municipalities are choosing providers and building out their arsenal of network gateways and connected devices. As you weigh your options and choose devices that fit your needs, be aware of the potential pitfalls—especially security risks—that face you on the market.
To avoid unneeded exposure to risk, ask your solutions provider or device manufacturer these questions to evaluate their readiness to support first responder usage:
1. What are the device’s key components?
Key components are the elements that define the device and ensure its proper function. Most devices have at least one primary component that’s easy to recognize—for example, the sensor, lens, and image processor on a body cam. In a piece of connected clothing, it might be the sensor that records the wearer’s vital signs.
Another element that’s essential to every connected device is the data card or embedded cellular module. Some Internet of Things (IoT) devices use removable data cards, which work the same way a USB drive does—just plug it in and go.
These modules can easily connect to existing hardware and deliver high data speeds, ranking them as higher category LTE devices and making them ideal for public safety routers and gateways.
Most mobile and wearable devices use embedded modules because their connections are solid and immovable, resilient to vibration, heat, corrosion, and dust. Embedded modules are also smaller than standard data cards, making them a better fit for end-devices.
2. Where and how are those components sourced?
Once you’ve identified the device’s main components, ask your service provider about their sourcing practices and requirements.
The exploding IoT market contains a huge range of products, widely varying in quality and security. Generally, products from new, untried companies should be viewed with caution.
Some established companies are also viewed with suspicion, such as Chinese telecom giant Huawei, which has come under scrutiny from U.S. and Australian authorities for suspected security risks associated with its products. New Zealand recently joined the other nations in blocking Huawei’s products from its new 5G mobile data network, which will handle IoT devices. U.S. officials also caution against ZTE’s mobile devices, saying they pose a security risk.
Because IoT technology is developing more quickly than private and government security measures can keep up with, cyber threats remain a serious problem that first responders must acknowledge and guard against.
The risks of using key components from questionable sources are tremendous.
Unsecured IoT devices are vulnerable to ransomware attacks and data breaches, and the results could be “catastrophic,” according to 97 percent of risk professionals surveyed in SFG’s Second Annual Study on the Internet of Things (IoT): A New Era of Third Party Risk.
3. Is data handled securely?
Even if a device’s key components are sourced from reputable companies, there is still a risk of data breaches if security is not a priority. Talk with your provider about the systems they have in place for data security.
Here are a few specific questions to ask:
- How do you ensure there is an auditable trail of data?
First responders must keep precise records of their decisions, patient symptoms, medication dosages, and much more. Make sure your solutions provider can walk you through the process of how (and where) that data is stored.
- Will data be encrypted prior to transmission?
Encryption uses complex ciphers to turn readable information into code, which must be deciphered using a specific key. A few of the most common types of encryption are RSA, TripleDES, Data Encryption Standard (DES), and Advanced Encryption Standard (AES), the last of which is used by the U.S. government. Ask your solutions provider to explain the device’s encryption capabilities and make sure you understand how to manage encryption and other security settings.
- How frequently—and where—is the data backed up?
Many first responder devices maintain an ongoing cellular connection to the cloud, ensuring that collected data is backed up constantly. But what happens when you’re in a remote area and service is interrupted? Ask your provider to explain how data storage and recovery works in your particular device. If the device is a low-power sensor without a continuous cellular connection, make sure data backups are happening regularly.
- Are the device’s (and gateway’s) settings secure?
When you purchase a wireless gateway or IoT end-device, it often comes pre-loaded with a default password and an open interface for ease of setup. Manufacturers expect users to change passwords and settings to suit their needs, and first responders must learn to make the needed changes to avoid endangering their mission-critical data.
- How do I change the password, and how often should I do so?
Password protection, like encryption, is a vital element of any data security plan. While changing your password might be a bothersome task, it’s a needed one: according to the 2017 Verizon Data Breach Investigations Report, hacked passwords account for 81 percent of data breaches. Talk to your solutions provider about password configuration, and be sure to ask for guidelines on password strength and how often to change it.
4. Are there firmware bugs that could allow unauthorized users to access data?
Firmware bugs are notoriously prevalent in IoT end-devices, making users vulnerable to security breaches and system failures. Denial of service (DoS) bugs represent 42 percent of firmware problems, according to a study by Bitdefender. DoS can render your device temporarily or permanently inoperable—not an option in emergency situations, when every second counts.
Security researchers are working to create new tools that can test for IoT device vulnerabilities, with the goal of identifying and securing problematic devices before a data breach happens.
Until a reliable detector emerges, it’s best to talk with your provider about the dangers of firmware bugs in IoT devices and research the track records of each key component.
5. How long have the component manufacturers (and the provider) been in the market?
The IoT market is crowded with competitors, large and small. While longtime technology giants are deeply involved in the field, so are startups and small businesses around the world. Device developers often create their own protocols for IoT operations, making it difficult for those trying to create clear, across-the-board security standards that could protect gateways and end-devices from cyber attacks.
While you wait for clear standards to emerge, you can protect your first responder devices by looking closely at the companies that manufacture their inner components.
Ask your solutions provider how long they and their component manufacturers have been in the market. Have they encountered any security or other problems with those manufacturers? Could there be sourcing problems if a trade war between your country and the manufacturer’s country emerges and shipments are restricted?
Solutions providers should have a plan in place to cope with loss of key components from a primary manufacturing facility.
First responders are in the business of saving lives. Data transmitted by these responders is often a matter of life and death.
To mitigate potential risks, gain a working knowledge of each device’s security features and ask your solutions provider to demonstrate a commitment to quality, security, and responsiveness.