Emergency Alerting – A Case Study

Two days ago, much of the northeast was subject to a powerful storm front, which brought high winds, torrential rains, lightning, and several yet to be confirmed tornadoes.  Corresponding with these threats, areas saw a variety of National Weather Service warnings and watches.  Needless to say, when this emergency alert came up on my phone in the midst of these storms, I assumed the shelter in place order was weather related.  Well, you know what they say about assuming things… and of course I should have known better.

While the area of the alert didn’t impact me, Whitestown is just a couple of towns over, so after a few minutes I figured I should do a bit of research to see if whatever prompted the alert might eventually impact my area.  Unfortunately, ‘pressing for more’, as the alert message indicates, gave no further information.  News media in my area is notoriously slow and uninformative for a period of time, something that held true with this event as well.  Approximately 20 minutes later, a local news outlet Tweeted a message about law enforcement activity in that area related to an armed suspect.

Public information and warning is a big deal.  When we don’t communicate clearly and concisely with the public, we can suffer unintended consequences. While I’m not aware of any severe unintended consequences from the lack of any additional information from this emergency alert, officials must understand that the public (and other public safety professionals) want additional information.  They may also need it so they can make better decisions.

This particular example certainly should have included some brief context as to why the alert was issued.  Given the standing tornado watch which was in place at the time, I’m sure there were plenty of others who assumed this was for a tornado or other storm activity.  Such an occurrence would give me cause to gather my family in the basement for safety, rather than locking my doors, closing my blinds, and ensure that no family members left the house.  Shelter in place can mean a lot of things to different people and adding context could have assisted with ensuring better public safety.  There was also no follow up to this alert lifting the shelter in place message.  (Note: the ‘No longer in effect’ tag is my own, as an effort to be responsible with the image)

While I applaud the use of public alerting tools, issues such as this are seen far too often.  Jurisdictions should have public information and warning components to their emergency operations plans, with specific procedures outlined for not only how to activate an alert, but the proper messaging which should be included to maximize message effectiveness.  Sure, you do it, but do you do it well?

What do you do to ensure effectiveness of your messaging?

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Hackers Endanger Public Safety With Pranks

VMS Vulnerabilities Can Have Serious Consequences (Image from Slate.com)

VMS Vulnerabilities Can Have Serious Consequences (Image from Slate.com)

Over the past few years we’ve seen some prominent occurrences of hackers gaining access to public safety systems where they make changes which, while a bit humorous at first blush, are serious examples of the vulnerability of our systems.

This article describes a vulnerability in variable message signs (VMS), which can be programmed remotely to notify drivers of hazards or give other pertinent information.  In another occurrence, in February of 2013, hackers gained access to the Emergency Alert System, broadcasting messages about a zombie attack.

The favor these pranks do for us is to identify vulnerabilities in our systems.  Both articles mention that some vulnerabilities were exploited simply because the default passwords on these systems were never changed.  Agencies that maintain any kind of public messaging system (and yes, this should also include websites and social media accounts), should adhere to the guidance we all normally hear about passwords – create strong passwords including combinations of numbers, letters, and symbols (when possible), avoid patterns or predictable passwords, and change passwords regularly.  As a matter of information security, these passwords should only be known by a select few.

Why are these occurrences serious?  Obviously (to most of us) they are taken in jest, but these are public safety systems which should only be accessed by public safety professionals.  The information and instructions provided over these systems need to come from reliable sources to ensure that the public takes the messages seriously and follows the instructions given.  We should be thankful these instances were pranks, as someone with malicious intent could have provided information which could have endangered the public.

All levels of government and any other organizations which maintain public alerting systems, including colleges and universities and even highway construction firms need to make a thorough examination of their systems, identify potential vulnerabilities, and take steps to ensure they are protected.

What other systems offer vulnerabilities to hacking?


© 2014 Timothy Riecker