STATE COLLEGE, Pa. — Cyberattacks pose a significant threat to land mobile radio (LMR) systems, including Project 25 (P25) systems, according to findings released by Mission Critical Partners (MCP).

The findings stem from numerous recent technology-independent cybersecurity assessments aimed at determining if and how a cyberattacker who gained unauthorized system access — by exploiting inherent cybersecurity vulnerabilities — could impact a P25 LMR environment, particularly by disabling or disrupting vital mission critical communications to prevent a public safety agency from fulfilling its mission. 

“Our findings suggest that public safety agencies should perform independent, third-party assessments of their land mobile radio environment to identify vulnerabilities as soon as possible,” said Darrin Reilly, MCP’s president and CEO. 

In the past, LMR systems, whether analog or digital, have been isolated, standalone, self-contained, and not connected to the internet, which generally means that no pathway existed for cyberattackers to infiltrate them. Moreover, P25 systems have certain protections that are baked into the standard, such as encryption, use of multiple frequencies, and a feature called “radio inhibit,” which enables system managers to identify a rogue radio and render it useless. This resulted in a perception that LMR systems, especially P25 systems, are impervious to cyberattacks. 

However, MCP’s assessment results clearly demonstrated this is untrue. The assessments leveraged a five-phase methodology for penetration testing: passive reconnaissance, active reconnaissance, analysis and vulnerability assessment, exploitation, and reporting. They also leveraged the MITRE ATT&CK Framework, which was created in 2013 to document cyberattack tactics based on real-world observations. The framework is the renowned knowledge base for understanding cyberattack strategies and best practices for mitigating them.

The assessments affirmed what MCP has learned anecdotally from numerous implementation, monitoring, and maintenance projects. The observations include:

  • Lack of strong physical security and access controls — e.g., strong passwords/passphrases, multifactor authentication, biometric scanners, and smart tokens that change access codes every few seconds — designed to keep attackers at bay.
  • Lack of cybersecurity training among LMR system users.
  • Lack of strong device policies, especially where an LMR system is interconnected with other public safety systems in an emergency communications center environment.
  • Failure to track agency and vendor personnel who possess system access, especially access to system management functions.
  • Reliance on the LMR system vendor for cybersecurity, which goes against the advice offered by the National Institute of Standards and Technology (NIST). NIST instead suggests employing independent assessors or assessment teams, i.e., assessments should not be performed by the radio system vendor or the internal/external system administrator.
  • Inability of LMR agencies to validate how much monitoring was taking place by their LMR system vendor.
  • Equipment shelters often are in remote areas and/or are used by multiple tenants, which makes it far easier to launch cyberattacks.
  • Today’s systems leverage the Internet Protocol, which is intrinsically vulnerable to cyberattacks, and those systems are often shared by other public safety agencies, creating a dramatically diminished cybersecurity posture.

“Regarding cybersecurity, the most important tactic to follow is ‘don’t trust and, instead, verify,’” Reilly said. “Follow the advice offered by NIST and leverage an independent third party to become more aware of cybersecurity vulnerabilities and enhance protection of vital LMR systems.”