top of page

A Small Attack With Big Consequences: A Vignette

The potential for a cyber attack on a 9-1-1 dispatch system poses significant risks, not only to the immediate function of emergency response but also to the broader state-level infrastructure. The following scenario illustrates how a seemingly isolated cyber attack on a city's 9-1-1 dispatcher's system can cascade into a state-wide data compromise, emphasizing the need for robust cybersecurity measures at all levels of government. This scenario is intentionally generalized but represents a realistic way in which such events could unfold.


Phase 1: Initial Compromise

  1. Phishing Attack: A 9-1-1 dispatcher receives an email that appears to be from a trusted source, such as a city IT department, instructing them to click on a link to update their software. The dispatcher clicks on the link, which downloads malware onto their system.

  2. Malware Installation: The malware installs itself on the dispatcher’s computer, giving the hacker remote access. The hacker begins to explore the network, identifying other connected systems and gathering information about the network's architecture.

Phase 2: Lateral Movement and Escalation

  1. Privilege Escalation: The hacker exploits a vulnerability in the dispatcher's system to gain administrative privileges. This allows them to access more sensitive areas of the network.

  2. Network Mapping: With administrative access, the hacker maps out the emergency services network, identifying connections to other critical systems and data repositories, including servers that store sensitive 9-1-1 call data.

  3. Lateral Movement: Using the compromised dispatcher's credentials, the hacker moves laterally through the network, accessing other dispatch systems and potentially reaching the network backbone that connects to state-level systems.

Phase 3: Compromise of State-Level Data

  1. Data Exfiltration Preparation: The hacker identifies a weak link in the connection between the city’s 9-1-1 dispatch system and the state-level 9-1-1 data repositories. They deploy additional malware to create a backdoor into the state-level system.

  2. Accessing State-Level Systems: Using the backdoor, the hacker gains access to state-level servers that store aggregated 9-1-1 data, including sensitive information such as caller identities, locations, and incident details.

  3. Data Exfiltration: The hacker begins to exfiltrate sensitive 9-1-1 data from the state-level servers. This data could be used for malicious purposes, such as identity theft, blackmail, or selling on the dark web.

Phase 4: Detection and Response

  1. Detection: Security teams at the state level notice unusual network activity and begin an investigation. They trace the activity back to the compromised city 9-1-1 dispatch system.

  2. Incident Response: Both city and state IT departments initiate a coordinated response. The compromised systems are isolated, and the malware is removed. An investigation is launched to assess the full extent of the breach and to enhance security measures to prevent future incidents.


The above illustrates just one way in which things could unfold. There is potential for an event like this to be better or worse depending on architecture and security practices. The interconnected nature of modern infrastructure means that a breach in one area can have far-reaching consequences. By implementing robust security protocols, conducting regular security audits, and fostering a culture of cybersecurity awareness, we can better protect our vital systems from such attacks.

16 views0 comments


bottom of page