How Hackers Map 911 Networks Before Launching an Attack

Sean Scott
SecuLore’s Chief Technology Officer

Before a single system is touched, an attacker already knows your network. Here’s exactly how.

A cyberattack on a 911 center doesn't start with ransomware. In most cases, it won't even start within your center.  

It starts weeks, even months, earlier in an adjacent network, with a quiet, methodical process of mapping your environment, often without detection.

By the time the attack executes, the attacker already knows where to go, what to hit, and what will cause the most disruption. Before a single system is touched, an attacker answers one question: 

"How does this PSAP actually work?" 

They can answer that question far more easily than you would like to believe, and this is how.

Step 1: Passive Reconnaissance — No Network Contact Required

Attackers don’t start inside your PSAP.

They start from the outside—looking for signals, using open-source intelligence (OSINT) tools that require no contact with your network whatsoever. In modern NG911 environments, the transition to IP-based infrastructure creates far more externally visible signals than legacy systems ever did.

This is what they’re looking for first:

  • Internet-facing systems: VPN gateways, remote access portals, public-facing IP ranges tied to your county or agency

  • Vendor fingerprints: CAD system banners, logging recorder interfaces, radio management platforms—often identifiable through tools

What does this mean for your network’s risk?

If it’s connected—even indirectly—it can be discovered.

Step 2: Vendor Ecosystem Mapping — The Real Attack Surface

Before targeting your 911 center, attackers map your ecosystem. This is because they know something most PSAPs overlook. They don’t need to break into 911—they just need to break into something CONNECTED to it.

In a modern PSAP, that ecosystem typically includes:

  • CAD (Computer-Aided Dispatch) provider — the operational nerve center, often connected to county Active Directory

  • LMR (Land Mobile Radio) infrastructure — traditionally isolated, increasingly bridged to IP networks

  • Logging recorders — often accessible across multiple network segments

  • GIS/mapping systems — integrated with CAD for location-based routing; NG911 replaces legacy MSAG databases with live geospatial data

  • County IT / Managed Service Providers — often share credentials and network paths with the PSAP

Each vendor represents a potential lateral pivot point. And because each vendor’s remote access tools, support credentials, and trusted connections are known quantities in the public safety ecosystem, attackers can research them without ever touching your network.

Step 3: Find the Initial Entry Point — Usually Not Where You Expect

Initial access rarely comes directly through call handling systems. Attackers know these are hardened targets. But that does NOT mean you are NOT a target.

Instead, the documented entry vectors for public safety network compromises are consistently:

  • County workstations with lateral network access to PSAP systems

  • Phishing emails targeting dispatchers or county IT staff

  • Compromised or reused credentials

  • Unpatched third-party software (the 2023 MOVEit vulnerability used in attacks against government agencies is a documented example of this pattern)

  • Vendor remote access tools left active after maintenance windows
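
One check for the last entry vector in the list above, vendor remote access left active after a maintenance window, is to compare remote-session records against the approved windows. This is an added example, not code from SecuLore; the log layout, vendor names, hosts and ticket ids are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: vendor names, hosts, ticket ids and the log layout
# (start, end, vendor, host; "-" means the session is still open) are hypothetical.
APPROVED_WINDOWS = [
    ("cad_vendor", "2025-03-04T01:00", "2025-03-04T03:00", "CHG-EXAMPLE-1"),
    ("recorder_vendor", "2025-03-06T22:00", "2025-03-07T00:30", "CHG-EXAMPLE-2"),
]
SESSION_LOG = """\
2025-03-04T01:12 2025-03-04T02:40 cad_vendor 10.0.5.20
2025-03-04T02:50 2025-03-04T04:15 cad_vendor 10.0.5.20
2025-03-06T23:10 2025-03-07T00:05 recorder_vendor 10.0.7.11
2025-03-09T14:30 2025-03-09T14:55 recorder_vendor 10.0.7.11
2025-03-10T09:00 - gis_vendor 10.0.9.4
"""

def parse_sessions(log_text):
    """Yield (start, end_or_None, vendor, host) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        start, end, vendor, host = line.split()
        yield (datetime.fromisoformat(start),
               None if end == "-" else datetime.fromisoformat(end), vendor, host)

def classify(session, windows, now):
    """Return 'ok', 'overrun' (ran past the window) or 'outside_window'."""
    start, end, vendor, _host = session
    end = end or now                      # an open session is still running now
    for name, w_start, w_end, _ticket in windows:
        w_start, w_end = datetime.fromisoformat(w_start), datetime.fromisoformat(w_end)
        if name == vendor and w_start <= start <= w_end:
            return "ok" if end <= w_end else "overrun"
    return "outside_window"

def audit(log_text, windows, now):
    """List (vendor, host, start, verdict) for every session that is not 'ok'."""
    findings = []
    for session in parse_sessions(log_text):
        verdict = classify(session, windows, now)
        if verdict != "ok":
            findings.append((session[2], session[3], session[0].isoformat(), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SESSION_LOG, APPROVED_WINDOWS, datetime(2025, 3, 10, 12, 0)):
        print(*finding)
```
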

DOCUMENTED INCIDENT — Suffolk County, NY (2022):

A ransomware attack on Suffolk County required the county to disable computer systems including 911 dispatch and the Department of Motor Vehicles, pushing 911 dispatch operations back to paper-based procedures. Entry came through county IT infrastructure—not the PSAP itself. (Source: New York State Comptroller, “Cyberattacks on New York’s Critical Infrastructure,” 2023)

Step 4: Internal Network Mapping — The Critical Phase

Once inside the network perimeter—often through county IT—the attacker’s goal shifts completely. This is where attackers start thinking like a network engineer. They’re no longer asking “Can I get in?” They’re asking “How does everything connect?” Using standard network scanning tools, they build a map of:

  • Identity systems — Active Directory structure, user roles (dispatch, admin, IT), service accounts

  • Network segments — Is there separation between CAD, radio, logging, and county IT? Or is it a flat network?

  • System dependencies — What talks to CAD? What depends on GIS? What shares credentials with county systems?

Simplified View of What Hackers See In Your Network

Step 5: Identify Weak Points — Where Movement Is Easy

Attackers aren’t looking for one big vulnerability. They don’t need to. They’re looking for easy paths between systems. Public safety agencies are well-documented targets precisely because legacy infrastructure, budget constraints, and flat network architecture create exactly the kind of environment attackers prefer.

Ransomware attacks on PSAPs doubled in 2024 according to the Public Safety Threat Alliance, with attacks on public safety radio, CAD, and PSAPs increasing 60% year-over-year. This is not coincidence—it reflects methodical targeting of known architectural patterns.

Step 6: Test Lateral Movement — Quietly, Before Executing

Before executing an attack, sophisticated threat actors test lateral movement paths to confirm access. “Can I move from IT to CAD?” “Can I access dispatch systems?” “Can I reach anything tied to 911 operations?”

If the answer is yes, they don’t rush. Extended dwell time is deliberate. It maps more of the network, identifies backup systems, and maximizes the eventual blast radius. Industry research consistently shows that

Step 7: Execute When It Hurts Most

Only after mapping everything do they act. That’s why attacks on 911 centers feel sudden, spread quickly, and impact multiple systems at once.

The Baltimore CAD attack in 2019, the Suffolk County ransomware incident in 2022, and the pattern of disruptions documented in SecuLore’s tracking of 184 attacks on public safety agencies over 24 months in this time period all follow this same model: quiet reconnaissance, lateral access through adjacent systems, then simultaneous disruption of interconnected critical functions.

What Attackers See That Most PSAPs Don’t

When an attacker looks at your 911 network, they’re not looking at CAD, radio, or call handling as isolated systems. They’re looking at a map of relationships—and the paths between them.

Most generic cybersecurity strategies, and PSAPs in turn, are designed to protect individual endpoints. Attacks are designed to exploit the connections between them. The disconnect between those two perspectives is where most attacks succeed.
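
A defender can build the same relationship map from their own firewall rule review and ask which adjacent networks have an allowed path to critical 911 systems. This is an added example, not SecuLore's tooling; the zone names and the allowed-flow list are constructed assumptions.

```python
from collections import Counter, deque

# Constructed sample: zone-to-zone flows a firewall review found to be allowed.
# Zone names are hypothetical labels for the systems named in this article.
ALLOWED_FLOWS = [
    ("county_it", "county_ad"), ("county_it", "gis"),
    ("county_ad", "cad"),                    # CAD joined to county Active Directory
    ("gis", "cad"),                          # GIS feeds CAD location routing
    ("vendor_remote", "logging_recorder"),   # vendor support access
    ("logging_recorder", "cad"),             # recorder spans several segments
    ("logging_recorder", "lmr_gateway"),
    ("cad", "call_handling"),
]
ADJACENT = {"county_it", "vendor_remote"}    # networks next to the PSAP
CRITICAL = {"cad", "call_handling", "lmr_gateway"}

def build_graph(flows):
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    return graph

def shortest_path(graph, start, goal):
    """Breadth-first search; returns the zone list or None if unreachable."""
    seen, queue = {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def exposure_report(flows, sources=ADJACENT, targets=CRITICAL):
    """Map (source, target) -> shortest allowed path, for reachable pairs only."""
    graph = build_graph(flows)
    pairs = ((s, t) for s in sorted(sources) for t in sorted(targets))
    found = ((pair, shortest_path(graph, *pair)) for pair in pairs)
    return {pair: path for pair, path in found if path}

def pivot_zones(report):
    """Count how many exposure paths pass through each intermediate zone."""
    return Counter(zone for path in report.values() for zone in path[1:-1])

if __name__ == "__main__":
    report = exposure_report(ALLOWED_FLOWS)
    for (src, dst), path in report.items():
        print(f"{src} reaches {dst}: {' -> '.join(path)}")
    print("pivot zones:", pivot_zones(report).most_common())
```

Removing a single flow from the list and re-running the report shows whether a proposed segmentation change actually closes the path.
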

Understanding how attackers map your network is the first step in building defenses that see what they see—before they do.

SecuLore’s 24/7 monitoring and attack surface management solutions are purpose-built for PSAP environments—not adapted from enterprise tools. If you want to see what your network looks like from an attacker’s perspective, that’s exactly what we show you.
