Analysis
Attacks and Vulnerabilities
Critical infrastructure
News
Vulnerabilities

FCC, FEMA warns communications providers of emergency alert system vulnerability

August 10, 2022
FCC, FEMA warns communications providers of emergency alert system vulnerability

The U.S. Federal Communications Commission (FCC) has urged communications providers participating in the emergency alert system to take appropriate measures to safeguard and protect their equipment. In addition, the communications agency warned against risks impacting devices publicly accessible from the Internet. 

The FCC warning comes days after the Federal Emergency Management Agency (FEMA) issued a similar warning after it became aware of specific vulnerabilities in emergency alert system encoder/decoder devices. At the time, FEMA said that the security gaps, if not updated to the most recent software versions, could allow an actor to issue emergency alert system warnings over the host infrastructure.

“EAS Participants must ensure that their EAS equipment’s monitoring and transmitting functions are available whenever the stations and systems are operating,” the FCC said in its public notice. “PSHSB has previously warned EAS Participants about this vulnerability and encouraged them to secure their EAS equipment by installing current security patches and using firewalls. The Bureau again urges all EAS Participants, regardless of the make and model of their EAS equipment, to upgrade their equipment software and firmware to the most recent versions recommended by the manufacturer and secure their equipment behind a properly configured firewall as soon as possible,” it added. 

As the FCC’s primary expert on public safety and homeland security matters, the Public Safety and Homeland Security Bureau (PSHSB) promotes the public’s access to reliable 911, emergency alerting, and first responder communications. It does this by developing and implementing policies consistent with the FCC’s statutory authority to ensure that first responders and the American public have access to communications. It also collaborates with federal government partners responsible for protecting communications infrastructure.

The Bureau urges emergency alert system participants to improve their cyber hygiene by installing software security patches issued by the manufacturer as soon as they become available, changing default passwords, and continually monitoring emergency alert system equipment and software. It also suggested reviewing audit logs to detect and report incidents of unauthorized access and also assessing the list of recommended best practices to address potential data security vulnerabilities issued by the Communications Security, Reliability, and Interoperability Council in 2014.

The FCC reminded emergency alert system participants that by law, they are “responsible for ensuring that EAS Encoders, EAS Decoders, Attention Signal generating and receiving equipment, and Intermediate Devices used as part of the EAS . . . are installed so that the monitoring and transmitting functions are available during the times the stations and systems are in operation.” The agency’s rules establish that failure to receive or transmit emergency alert system messages during national tests or actual emergencies because of an equipment failure may subject the emergency alert system participant to enforcement.

FEMA said in its advisory that the exploit was ‘successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.’

In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks, according to FEMA.

The FEMA calls upon emergency alert system participants to ensure that the devices and supporting systems are updated with the most recent software versions and security patches and protected by a firewall. Additionally, participants must monitor these devices and supporting equipment while regularly reviewing audit logs and looking for unauthorized access.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights