ALERT: Cyber Attack

ALERT: Multiple 911 centers, Public Safety agencies, telecom operators, local governments, and medical facilities currently under Cyber Attack

Today, there has been a sharp increase in cyber threat activity, and we are aware of at least 16 active cyber attacks happening at this moment to 911 Centers, Public Safety agencies, telecom operators, local governments, and medical facilities.

Just 2 days ago, on Thursday, January 27th, Bill Ott, our FirstWatch Cyber Security Strategist, presented a webinar to FirstWatch customers on the imminent cyber security threat to public safety and public health agencies due to tensions between Russia and the Ukraine. Bill provided an overview of the situation and practical advice on actions your agency can take to be better positioned for this increased cyber aggression.

This email is to give our partners and friends a heads-up to immediately monitor your IT systems even more closely than you normally would and to share some of the practical information presented on the webinar, in case it helps prevent or mitigate an issue in your agency.

(From the webinar)
Actions that you can take to be better positioned for increased cyber aggression:

As discussed in the briefing on Thursday afternoon, we are seeing Russian sponsored cyber aggression at sustained levels we have never seen before. These groups have been targeting the US federally-identified “critical infrastructures” to include public safety and healthcare operations in the United States and Canada. These attacks have been increasing over the past three years, but what we have seen in the past twelve months is unprecedented and our intelligence indicates this pace is going to continue to accelerate.


  • Document your network and systems in detail, clean up your networks
  • Develop business continuity plans for handling a breach
  • Step up seriousness of cyber-related threat training as an organizational priority

Enhance Security Posture

  • Backup your data – real-time, incremental, offsite, glacial
  • Develop best practices for keeping all hardware patched
  • Implement multifactor authentication, ideally with phone-based or stand-alone tokens
  • Ensure in policy and practice that there are no rogue devices on your network with IP and MAC scanning and 802.1 authentication
  • Don’t leave “hot” network ports open for connection
  • Encrypt data at rest and data in motion, PCs, tablets, phones should all be fully encrypted with auto-wipe after set number of failed logins
  • Geo-block the known bad actors in your firewalls
  • USB devices and ports are not your friend
  • Improve training for personnel regarding social engineering and phishing – take a look at
  • Think “Zero Trust” as an overall concept – operating as if you are already working with a breach

Organizational Vigilance

  • Cyber safety and security must be a concern of everyone in the organization
  • Understand any regulatory compliance items you are required to meet
  • Stay updated on daily and weekly cyber updates issued from official government sources
  • Must dedicate some education budget and time for cyber education and awareness
  • If the organization makes cyber security and hygiene a consistent priority, personnel will too
  • Encourage personnel to point out cyber concerns and weaknesses to help improve overall positioning, get stronger

Monitor – Detect

  • Develop logging systems to capture every action passing in and out of your firewalls and edge routers
  • Capture traffic bouncing off of your firewalls
  • Maintain at least a year of this logging data, it is vital for forensics in tracking down culprits in a breach
  • Establish alarms to notify the player and stakeholders when certain firewall events occur
  • Develop logging systems for user activity within your network for the same reasons as firewall logging
  • On larger networks, consider “honeypot” systems to help identify intruders that leverage access via third-party products
  • Study the logs regularly, know what normal looks like so that abnormal jumps out
  • Always follow up on the odd things


  • Have a planned response to a breach, practice the plan
  • Be certain that everyone knows how to sound the alarm as soon as an anomaly is discovered, most targeted breaches occur at night, on weekends and holidays when more junior staff is usually working, junior staff can be hesitant to sound the alarm
  • Know who you will be notifying such as local and federal law enforcement
  • Two to four times per year, confirm that your plan is workable in the ever-changing environment



By the way, FirstWatch does not provide cyber security software or services, but we always want to help our public safety and public health friends and partners however we can, and this email was sent in that spirit.Thank you! Be safe and secure.

From your friends at FirstWatch, including:

Bill Ott
William (Bill) Ott, PhD, MBA, Cyber Security Strategist
Bill is the Cyber Security Strategist for FirstWatch Solutions. Bill has a four decade background as a paramedic and EMS educator and two decades in the military special operations world, managing secure voice, data, and telemetry communications on terrestrial and satellite systems.

Mike Taigman
Mike Taigman, MA, Improvement Guide
Mike has worked in emergency services since 1974. He has a deep interest in stress management, resilience, and the science of how to make things better. He serves as the Improvement Guide for FirstWatch and teaches improvement science in the graduate programs at UCSF and UMBC. He’s the co-author of Super Charge Your Stress Management in the Age of COVID-19.

Todd Stout
Todd Stout, Founder & President
Todd is recognized nationally for his leadership and innovation, earning him a variety of awards. He has extensive experience in multiple aspects of EMS, including as a clinician, in dispatch, management and public safety communications software. For the last two decades he has focused on helping public safety and health agencies improve operational performance, clinical care and situational awareness.