Is Candy Bar Security Giving our Nation’s PSAPs a False Sense of Protection?

By Paresh Patel, CISO, Carbyne

candy bar security

Seventy one percent of hackers say they can breach the perimeter of a target within 10 hours[1] according to experts attending Black Hat, Bsides, and DEFCON – some of the world’s foremost authorities on cybersecurity. This challenge is especially troubling for traditional organizations who still espouse legacy on-premise systems over modern cloud-native systems. These legacy on-premise systems suffer from Candy Bar Security, relying on a crunchy hard exterior to protect a chewy soft interior. Our heroes under the headset – 911 dispatchers – deserve better.


There are numerous challenges Public Safety Answering Points (PSAPs) face on a regular basis, including:

  • Disruption – Cyber Attacks may shut down public access to 9-1-1, leading to public confusion and disrupting the dispatch of First Responders.
  • Ransom – As the networks, data and services are vital to public safety, PSAPs are more likely to pay a Bitcoin ransom in order to restore service.
  • Lack of Defenses – PSAPs and municipalities, may not have a strong cyber defense system – especially when compared to other targets.
  • Collateral Damage – PSAPs can fall victim to Lateral Movement Attacks, where cyberattackers move deeper into a compromised network after gaining initial access.


According to the US Department of Homeland Security[2], Vulnerabilities in 9-1-1 include the following:

  • Old systems that are out of date or past their lifecycle that are lacking in modern security measures, which is another reason why we have roughly 2,200 cybersecurity incidents per day[3].
  • Shared systems and databases alongside other entities that have not employed security measures. For instance the majority of organizations have over 1,000 files that are accessible by all employees.
  • Lack of diverse routing for communications or redundancy for electric power decreases resilience. Redundancy is crucial, since the hourly cost of server downtime can amount to over $300K[4].
  • Lack of security policies resulting in ad-hoc or non-existent security practices enable insiders to accidentally or intentionally disrupt operations. As a result of these lax security policies, 98% of cybercriminals rely on social engineering to accomplish their exploits[5].

Candy Bar Security tends to exaggerate the above vulnerabilities, and is especially concerning for our nation’s heroes for whom our worst day is their every day. Some of the ways Candy Bar Security pervades PSAPs include:

  • Single Factor Authentication – When just a login and password are sufficient to gain access to sensitive systems, without the requirement for more secure Multi-Factor Authentication – where additional factors such as a one-time passcode are required to properly authenticate.
  • Unpatched Servers and Applications – The acute staffing shortages across PSAPs resulting in a vacancy rate in excess of 30%[6]. As a result, technology maintenance and patches often need to be delayed, sometimes indefinitely.
  • Weak or Default Passwords – Less than 2.1% of PSAPs customize shifts to their employee’s needs[7], and as a result in order to expedite shift changes, PSAPs are forced to employ weak or default passwords across their systems.
  • Outdated and Antiquated Operating Systems – Thousands of organizations are three times as likely to fall victim to a publicly disclosed breach because they run more than 50% of of their computers on outdated operating system versions[8].
  • Lack of Network Segmentation – Network Segmentation, an aspect of Zero Trust Architecture, reduces an attacker’s ability to execute a Lateral Movement Attack by 44%[9]. Unfortunately the majority of PSAPs suffering with staffing challenges lack the resources to properly implement Network Segmentation.


As a result of the aforementioned Candy Bar Security shortcomings afflicting our nation’s PSAPs, they are also exposed to a unique threat surface by virtue of their call-handling mandate. This threat is codified by the term Telephony Denial of Service (TDoS) attack, and manifests itself via the following attack methodologies:

  • Dialing – An attacker coordinates large volumes of emergency calls to the PSAP only to hang up as soon as the PSAP answers each call. By law, PSAPs are required to answer incoming emergency calls, follow up with hangup calls, and file detailed reports following each call. This results in a tremendous additional workload on already limited PSAP staff, and in turn denies legitimate calls for service.
  • Conferencing – Here an attacker places nuisance calls to one PSAP and conferences them together with another PSAP. This results in valuable time wasted, again denying legitimate calls for service.
  • Verbal Threats – This approach involves an attacker repeatedly calling a PSAP and launching into a verbal altercation with call-takers, disrupting their already disrupted mental state, making the call-takers less focused and effective for legitimate calls for service.


PSAPs who have fallen victim to ransomware and other cyber attacks or who know of neighboring centers who have been attacked, are keen to avoid falling prey to these challenges in future. One of the key approaches security experts recommend is to leverage modern frameworks like Zero Trust or Perimeter-less Security. This framework is akin to installing metal detectors at your home, but not just at the front door – you install them at every door to every room of your house – to every bedroom, bathroom, kitchen, and more – hence the name Perimeter-less Security. This approach makes it exponentially harder for adversaries to compromise your systems, since they have to prove their identity every step of the way. No more magic kingdom once they breach your perimeter.


Although the above cyber-threats facing our nation’s PSAPs are grave, we can recommend the following specific cybersecurity best practices to minimize their attack surface, mitigating the risk of a severe cyber-incident.

  • Setup a modern cloud-native call handling system with advanced features like automatic abandoned call text-back, call deflection, and more to mitigate TDoS attacks.
  • Enroll in a DDoS protection service that detects abnormal internet and intranet traffic flows and redirects traffic away from sensitive PSAP network components.
  • Create a disaster recovery plan to ensure successful and efficient communication, mitigation, and recovery in the event of an attack.
  • Install and maintain antivirus software.
  • Install a firewall and configure it to restrict traffic coming into and leaving PSAP computers.
  • Evaluate security settings and follow good security practices in order to minimize the access other people have to sensitive PSAP information.

To learn more about how to resolve Candy Bar Security challenges within your PSAP, schedule your free consultation with a Carbyne expert today!

[1] SC Network Security Article HERE.

[2] US Dept of Homeland Security Report, Page 5 HERE

[3] Source: CompTIA Article HERE

[4] Source: Garland Technology Article HERE

[5] Source: CompTIA Article HERE

[6] Source: Article HERE

[7] Source: APCO Report, Page 22, Paragraph 1 HERE

[8] Source: BitSight News Release HERE

[9] Source: PurpleSec Article HERE

Scroll to Top