CSRIC Approves Recommendations on 911 Routing, Security of WEA, EAS

The FCC’s Communications Security, Reliability, and Interoperability Council (CSRIC) today approved recommendations on best practices for 911 call routing and re-routing, wireless emergency alert (WEA) and Emergency Alert System (EAS) security, and “security by design” of core networks and supply chains, as well as an interim report on addressing needs in the cybersecurity workforce.  At its meeting this afternoon at the FCC’s Washington headquarters, CSRIC approved a report from working group 1 on evolving 911 services, which reviewed “51 existing standards and best practices from prior CSRICs, reports to Congress, PSAPs, NENA, and the FCC that either directly or indirectly impacted call routing and re-routing,” said co-chair Susan Sherwood of Verizon Wireless.  Six of the best practices were “valid and of continued relevance,” she said.  Six others required modifications to make them relevant.

“Then we created 11 new best practices developed to optimize call routing and re-routing,” Ms. Sherwood said.  Several of those address jurisdictional cooperation for such situations as when cell towers cross public safety answering point (PSAP) boundaries or cover more than one PSAP, she said.  Another recommended area of cooperation involves geographic information system (GIS) boundaries in PSAP systems so that they don’t stop immediately at their jurisdictional boundary and instead “cover a little bit of the neighboring jurisdictions where the cell tower coverage would be, so they’d have a better idea when a call came in on whether to route it or reroute it,” she added.

The working group also plans to “study and make recommendations on architectural, technical, operational standards, and security requirements including cybersecurity of location-based routing that uses latitude and longitude information or other location identification methods to determine routing to the appropriate PSAP for 911 calls.”  That report is slated to be ready at CSRIC’s Sept. 14 meeting.

CSRIC also approved a report on WEA security from its working group 2 on emergency alerting platforms.  Farrokh Khatibi of Qualcomm, Inc., co-chair of the working group, said the group had identified several potential risks to WEA, including an insider sending false alerts or blocking real alerts; an outsider sending false alerts or blocking real alerts; malicious code in the supply chain; denial of service attacks; and CMSP infrastructure testing system access.

The group’s recommendation was that the FCC “collaborate with industry, FEMA, DHS, and the alert originators to continue the study of the security aspects of WEA, with a goal of encouraging ATIS to develop a best practices document,” Mr. Khatibi said.  Such an effort will “require extensive work of more than a year, which would extend beyond CSRIC’s current charter,” which expires in March 2017.  The group also recommended that the FCC ask the subsequent CSRIC to continue the work.

CSRIC also approved recommendations on security from its working group 3 on the EAS.  Working group co-chair Kelly Williams of the National Association of Broadcasters said the first recommendation was that the “information about how EAS participants have implemented security best practices should not be a matter of public record and should be held confidential.  The Commission should work with other federal agencies to establish processes for sharing information that is considered by EAS to be sensitive and non-public.”

“That was based on what we found was the biggest barrier to sharing information with the Commission,” Mr. Williams said.  “Fundamentally, companies don’t want their cybersecurity information on a public record.” The second recommendation is that EAS security best practices should be readily available to EAS participants on the Commission’s website and that the FCC should do better outreach, Mr. Williams said. The third recommendation is that the FCC should “give maximum flexibility with respect to the best practices and methods used to implement EAS security, especially where the methods used exceed the techniques established in the best practices,” Mr. Williams said. 

The best practices would be a “baseline,” he added.  “If I do something that’s part of a larger cybersecurity or corporate cybersecurity or corporate resilience program, if it’s not exactly the same and doesn’t match point-by-point the best practices, a [party] shouldn’t be penalized for that.”

Working group 6 on security by design presented recommendations and best practices to enhance the security of hardware and software in the core public communications network and to develop voluntary mechanisms to demonstrate the success of such practices, explained group co-chair Brian Scarpelli of ACT.

“The report is intended to provide best practices associated with technology obtained from third-party vendors, buyers, and/or integrators for use in their core network or supply chain,” Mr. Scarpelli said.  He stressed that the group “leveraged the NIST Cybersecurity Framework in our effort to provide recommendations.”

 The group said it is important for service providers to “establish up front which party will be responsible for managing risks associated with the operation of technology,” Mr. Scarpelli said.  “That answer can vary depending on whether technology is delivered as a physical product or as an encryption-based service.”

The report details “important measures such as encryption authentication” and includes recommendations addressing public/private partnerships and coordination and collaboration among all stakeholders, Mr. Scarpelli said.

Working group 7 has been asked to develop recommendations on steps the FCC can take to improve the security of critical infrastructure through actions to enhance the skills and education of the cybersecurity workforce, explained William Boni of T-Mobile US, Inc.

The group completed an evaluation of the national cybersecurity workforce framework and found that it’s “very relevant to our challenges and very helpful in providing a structured mechanism for communicating and identifying gaps,” Mr. Boni said.  The group submitted an interim report that “both demonstrates the applicability of the National Cybersecurity Workforce Framework to the [communications] sector and identifies specific skills and competencies that are unique to the [communications] sector that should be included in that workforce,” he said.

The working group plans to submit a draft report on best practices and implementation recommendations in December, Mr. Boni said. – Brian Hammond, brian.hammond@wolterskluwer.com

Courtesy TRDaily