• Posted Feb. 24, 2020

Study: Responding to Cybersecurity Challenges: Securing Vulnerable U.S. Emergency Alert Systems

• U.S. emergency alert systems (EASs) comprise an important portion of the nation’s critical infrastructure.
• EASs are built on aging technology platforms and suffer from a fragmented interconnected network of public-private-government partnerships.
• Some EASs are vulnerable through a management interface that is available via an Internet-accessible website.
• EASs typically have no vulnerability disclosure policies, which makes reporting problems a difficult endeavor.

Using Shodan, this article evaluates the availability of EAS management websites in six southeastern states. We found 18 EAS management websites that were accessible via the Internet. We searched for published policies that clearly describe how people outside of the organization can report potential vulnerabilities. We found no vulnerability disclosure policies for the 18 systems identified. We offer multiple technical controls to protect EAS management websites.

EASs need clearly written policies and procedures to manage cybersecurity risks. EASs need to update critical infrastructure to ensure the distribution of valid and reliable information to the populations at risk. System resilience provides a line of defense against cybersecurity threats for EASs in the U.S. The process of notifying relevant groups of emergencies is a complex problem that needs to be investigated further.