Export Compliance Daily is a service of Warren Communications News.
‘Holistic’ Approach Needed

CAP EAS Alert Originators and Participants Should Take Cybersecurity Steps, FEMA Official Says

Cybersecurity measures are needed from government agencies originating emergency alert system (EAS) messages in a newer Web format, and from all participants in the EAS system, after last month’s unauthorized access sparked fake warnings, a Federal Emergency Management Agency official said. During the agency’s webinar on IPAWS and that new format, the Common Alerting Protocol (CAP), Manny Centeno from FEMA’s Integrated Public Alert and Warning System (IPAWS) office showed attendees the FCC’s Feb. 13 “urgent advisory” to EAS participants. That warning on CAP was issued privately by commission staffers to associations that distributed it to EAS participants -- which include all radio and TV stations and multichannel video programming distributors (CD Feb 14 p8). State and other officials involved in CAP recommended that counterparts in other states start testing that format, and said shorter wireless emergency alerts on mobile devices won’t supplant EAS but complement it.


The security best practices listed in the FCC document are “something you should have taken care of by now,” Centeno said on the webinar. A few TV stations that didn’t customize factory-set passwords on devices that receive CAP messages from FEMA’s IPAWS website were the subject of security breaches, which triggered the warnings of zombies. Centeno’s suggestions, some of which he said also apply to those originating alerts about bad weather and other events, went beyond the FCC’s requirements. Centeno sought what he called a “holistic” approach to security, by training employees on protection measures and also systematically reviewing all information technology systems linked to CAP EAS gear.

“You’ve got to look at IT security holistically, because any device on that network could become a problem -- it could become an entry point for hackers,” Centeno said. “Do your homework” to better secure devices, he said. A TV station needs to keep in mind that if other departments such as news share the network used by CAP equipment, the entire network needs to be protected against hackers, he said. “Make sure you understand what your network looks like,” he advised CAP alert originators and those that get the warnings and distribute them to viewers and listeners. “Understand its vulnerabilities, patch those vulnerabilities as soon as possible.”

“Make sure your facility is as ready as possible to resist, to prevent hacker attacks on your network. We urge you to please make sure you have folks on staff who understand cybersecurity, who are able to handle these types of threats, and are able to react to them appropriately,” Centeno said. For those without such in-house expertise, “get somebody in to regularly evaluate your network,” he continued. “Map your network to better understand how it is structured, physically and logically,” said a slide Centeno showed for EAS originators and information disseminators (http://bit.ly/XR8tUE). “Search for and identify weak links in your network, including EAS devices.”

A network vulnerability assessment “across your network” was sought in the security best practices for originators and disseminators, a slide said. Such “tools are available online and some are free or open source. These tools can help identify ‘open doors’ which hackers may use to compromise your network,” it said. Such “weak links” include servers, workstations and routers, it said. Understand what devices on an originator’s or disseminator’s network “‘break’” a “perimeter defense,” said another slide. Among the suggestions: “Search for applications that extend through” firewalls, identify all Internet Protocol devices in a network, search for wireless access points that are “unknowingly deployed” and ID “all direct Internet access to and from other devices.” “Refresh passwords frequently” and don’t use ones that are “‘dictionary’ words” or that aren’t “strong,” the slide said.

The wireless alert system being developed has limits and a role to play in steering people to local media to learn more information about adverse events, Centeno and state emergency managers and industry officials said. “We love and will continue to develop WEA,” Centeno said. “We think it’s an excellent tool of getting to the public and letting them know something is happening. But in terms of the details,” EAS “is still for us that backbone. We are still limited to 90 characters on cellular phones. That gives us about enough space to say there’s an emergency, tune to media for more information.” A “multifaceted approach to public warning” using different technologies is likely to develop, Centeno predicted. Others agreed.

With no single all-encompassing way to alert the public to emergencies, using more types of technology will reach more people, the state officials said. The more types of technology used, “the more credibility you have with the public, and the more types of” ways they learn about what action to take in an emergency, said Adrienne Abbott of Nevada’s State Emergency Communications Committee (SECC). The state is “just getting into the brave new world of CAP -- we’re starting with baby steps by acquiring a strictly software system” to connect with all Nevada counties, she said. CAP in her state could become akin to a backup emergency system, “because we do see Internet failures here, and we are very much aware of that,” Abbott said. She hopes other states “take those baby steps, come on in, the water’s just fine.”

The Nebraska Emergency Management Agency, testing a CAP system with FEMA, hopes to voluntarily enlist counties to join it, said NEMA official Alisia La May. “We will push it out to all the locals at their request, because this is not a mandatory program. We will wait for their programs to come in” and apply to NEMA to seek FEMA approval for the counties to join IPAWS, she said. “We are on a really good roll here in Nebraska.” That state’s system encountered “some issues to fix, but that’s why you test,” said Jim Skinner of Nebraska’s SECC. EAS runs 1,000 or more characters, versus 90 on cellphones, he said: That “allows you to have much more detail than you can get on a cellphone.”