Vital infrastructure: emergency services

Organizations in the emergency services sector exist to help the public when a situation gets out of hand or is too much to handle alone. Often this is because the problem requires special tools and the skills to use them, and these organizations are set up to provide that assistance at short notice. We are all familiar with the three main types of organization in this category:

  • Police departments
  • Fire departments
  • Emergency medical services

But there are other similar organizations that belong in the same category, for example bomb squads, SWAT teams, HAZMAT teams, and sea rescue teams. These and similar groups exist in both the public and the private sector.

One of the prerequisites for these types of first responders is that they react swiftly, accurately, and in a coordinated way. Besides regular drills, this requires a lot of automation and computerized equipment. That is what makes it all the worse when one of these organizations is hindered by malware.

Ransomware doesn’t care whether it’s locking up a system full of family pictures or one filled with police files. And some malware authors have shown that they exploit the urgency to get certain systems back online, and raise the ransom accordingly.

Police departments
Police departments and sheriff’s offices alike store a lot of confidential information about victims and suspects, information that could give threat actors a good angle for a phishing campaign or extortion. Another delicate matter in police records is evidence. Evidence can become inadmissible if there is even a suspicion of illegal access to the system it was stored on. So these systems should at all times be kept inaccessible from the Internet to ward off information stealers, ransomware, and remote access trojans (RATs).

A Texas police department learned this the hard way when it lost 1TB of critical CCTV data to a ransomware attack. The chief of police decided not to pay the ransom even though they did not have adequate backups, which led to a total loss of the data.

In 2017, ransomware infected 70 percent of storage devices that held recorded data from D.C. police surveillance cameras eight days before President Trump’s inauguration, forcing major citywide re-installation efforts.

Another law enforcement agency hit by a ransomware attack was the Lauderdale County Sheriff’s Department in Meridian, Mississippi, on May 28, 2018. They fell victim to a variant of Dharma/Crysis ransomware and most of their systems were taken down by the attack. In Lauderdale County’s case, an old, forgotten password was exploited by the attackers to deliver the ransomware.

Emergency medical services

When you are in urgent need of medical attention or need to be transported to a medical facility in a hurry, you count on emergency medical services to come to the rescue. What paramedics need most in such cases are trustworthy lines of communication to provide and receive updates about the medical emergency or the traffic conditions. The communications equipment in question is diverse and includes phones, radios, computers, and dispatch systems.

What you don’t want is some unnamed malware crippling your communications systems. This happened to the St John Ambulance service in New Zealand. Mobile data and paging services were worst affected, suggesting that some sort of bandwidth-hogging worm overloaded the system. Dispatch staff normally send job information to ambulance crews via on-board mobile data terminals. Because of the malware, they had to call ambulance stations or the mobile phones of crew members instead.

Fire departments

The same communications dependency certainly holds for fire departments, whether a public fire department or a company fire brigade trained to deal with specific dangers. They need all the relevant information about the situation, and they want it before they arrive so they can anticipate and plan their actions accordingly.

One small slip, however, and an entire fire department can fall victim to a malware attack, which can cripple internal communications and data storage or compromise sensitive information for both department members and everyday citizens.

In 2016, Honolulu Fire Department personnel inadvertently downloaded ransomware that infected about 20 of their computers, forcing the department to temporarily shut down all of its administrative computers. The department’s emergency response was thankfully not affected, because the computer-aided dispatch system and the computers in the firetrucks operate on a separate network.

Emergency services infrastructure

In some countries all the public emergency services share the same overarching infrastructure to communicate with each other and to receive calls. You really want these systems to be robust and redundant, but nevertheless they sometimes fail or get compromised.

Attributed not to malware but to a software bug, the Dutch emergency number 112 (the Dutch equivalent of 911) was unreachable for hours. As it turned out, the backup system ran the exact same software, including the bug, which rendered it quite useless in this scenario. The individual services responded quickly by providing the public with alternatives, but in retrospect the service interruption was held responsible for two deaths.

In 2017, hackers managed to set off emergency sirens throughout the city of Dallas very early on a Saturday morning. Not only does the public lose trust in the system when false alarms occur, the consequences of a false alarm coinciding with a real emergency could have been disastrous. The mayor used the hack as a reason to upgrade and better safeguard the city’s technology infrastructure.

What can we take away from the examples we mentioned?

  • Backup systems not only need to be easy to deploy, they also need to be truly independent of the primary system.
  • Even when the budget is tight, these systems need to be prioritized.
  • Separated networks can save your bacon, especially if you can keep them detached from the Internet.
  • Backup systems are not the only backups you need. Important files need to be backed up as well.

And when it concerns sensitive and important data like evidence or investigation records, extra care is needed.

  • Systems should always be up and running so they are available for queries, but only to those with the proper authority. Backup systems should be adequate and separate.
  • Apply the principle of least privilege, making sure that users, systems, and processes only have access to the resources necessary to perform their duties.
  • The systems need a form of guaranteed integrity, to ensure that data entered into a system has not been tampered with, and it should be possible to trace back any change when needed.
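As an added illustration of the integrity and traceability requirement in the last two bullets (example code, not from the original post): a hash-chained audit log for evidence records, where every entry commits to the previous one, so that any later edit or deletion is detected when the chain is verified. Record names, actors, and contents below are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical tamper-evident audit log (constructed example). Each entry's hash
# covers the previous entry's hash, so altering or removing an earlier entry
# breaks every link that follows it. It does not prevent edits; it makes them
# visible, which is what an admissibility review needs.
GENESIS = "0" * 64

@dataclass
class Entry:
    seq: int              # position in the chain
    actor: str            # who performed the action (chain of custody)
    record_id: str        # evidence or case record touched
    action: str           # e.g. "create", "update", "access"
    content_sha256: str   # hash of the record's content after the action
    prev_hash: str        # hash of the preceding entry (GENESIS for the first)
    entry_hash: str = ""  # hash over all fields above

def _digest(e: Entry) -> str:
    fields = [e.seq, e.actor, e.record_id, e.action, e.content_sha256, e.prev_hash]
    return hashlib.sha256(json.dumps(fields, separators=(",", ":")).encode()).hexdigest()

class AuditLog:
    def __init__(self):
        self.entries: list[Entry] = []

    def append(self, actor: str, record_id: str, action: str, content: bytes) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = Entry(len(self.entries), actor, record_id, action,
                  hashlib.sha256(content).hexdigest(), prev)
        e.entry_hash = _digest(e)
        self.entries.append(e)
        return e

    def verify(self):
        """Return the index of the first entry whose chain link is broken, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or _digest(e) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def history(self, record_id: str):
        """Who did what to a record, in order: the trace-back the bullet asks for."""
        return [(e.seq, e.actor, e.action) for e in self.entries if e.record_id == record_id]
```

Run `verify()` on a schedule and on every export of a record; a non-`None` result pinpoints the first entry after which the log can no longer be trusted.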

A problem that most emergency services have in common is a limited budget and, often, the lack of dedicated staff to handle IT security. The money is often spent on other necessary means, which is understandable in a sector where human lives are regularly at stake. But recent events in the US have demonstrated all too well that emergency services need to be well orchestrated. There is no lack of dedication from the people doing these jobs, so they should be allowed to work with the best, and safest, equipment: equipment we can trust to be secured.

Stay safe, everyone!

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.