Another point to consider is that cybersecurity is a specialized expertise that falls under the realm of IT. Some PSAPs don't employ an IT security expert with the experience to build a secure Emergency Service IP Network (ESInet); for these 9-1-1 centers, engaging with a third-party consultant would be a wise move.
The National Emergency Number Association (NENA) has been leading the charge toward a national, interoperable NG9-1-1 network for more than a decade. NENA drives the development and standardization of NG9-1-1, and it takes security very seriously. In fact the organization created NG-SEC (Security for Next Generation 9-1-1) to specifically address NG9-1-1 security. To get an idea of just how extensive its recommended security measures are, take a look at the NENA Security Audit Checklist. The 396-item list is nearly 100 pages long and is regularly updated to address new and future security issues. It's also probably the best and most thorough document to review if an organization is considering moving emergency response systems to NG9-1-1.
NG-SEC breaks the checklist down into 14 sections that address every possible security concern. Significant focus is given to authentication and password processes, which address the problem of human security compromise. The 59 steps ensure that password protection policies are established, enforced, logged, and regularly reviewed and updated. Other mandates include:
An essential component of data protection in the NG9-1-1 environment is keeping its networks totally separate from other IP networks. "NG9-1-1 IP-enabled networks should not completely mirror the peer-to-peer connectivity that the Internet provides," writes NENA, but "operate over IP with clearly defined redundancy and resiliency." This extends to wireless networks within a building: NG-SEC requires that Wi-Fi LANs be dedicated to the NG9-1-1 system and separate from other networks.
As any telecom engineer will attest, the lab and the wild are two very different environments. Following a checklist is important, but testing a system after it's built is even more important. Following an established framework for a security-readiness assessment is essential and includes vulnerability testing, VoIP-initiated denial-of-service attack modeling and system testing for penetrability and compromise by various other hacks. Again, if a PSAP doesn't have IT security expertise in-house, the services of a third-party NG9-1-1 security consultant are highly recommended.
Preparing operators for the future of emergency response is a level of security in and of itself, as the reliability of the system doesn't end in the ESInet but in the operator's chair. Operators at PSAPs will have much more information at their fingertips, and contact might be in the form of a text message rather than a phone call. Beyond NG9-1-1 platforms from companies like Motorola and Synergem, the NG9-1-1 evolution will require training. Most solution providers can supply it, but NENA's Education Program is probably the best bet: it provides more than two dozen industry-best offerings that span the width and breadth of 9-1-1 technology and PSAP operations topics.
Whenever public interest, private business and global connectivity intersect, solutions that seem simple at first glance become complex. Next-generation emergency services are especially complex because the security and reliability of the system are the definition of "mission critical." Creating an interoperable network that functions the same way in Andover, Massachusetts, as it does in Chico, California, is not an easy task, but it's under way. No matter who the providers, partners and PSAPs are in each unique situation, security must be a foundational pillar of the NG9-1-1 solution.