Cybersecurity in control rooms

This blog post explores why cybersecurity is vital for emergency control rooms, the growing threats they face from attacks like DDoS and ransomware, and practical steps to strengthen their resilience. With control rooms at the core of public safety, protecting them means protecting lives.

Control rooms sit at the heart of critical public safety operations; with their role of taking emergency calls, collecting vital information and dispatching the right response, they are the nerve centres of the emergency services. Their call handling technology continues to evolve, leveraging interconnected communication systems, data-sharing platforms and advanced software solutions. While such innovations enable more efficient workflows and decision-making for both dispatchers and frontline officers by centralising sources of intelligence for easy access, it is precisely these integrations which also increase the attack surface and present new opportunities for bad actors to disrupt critical communications.

Why is cybersecurity important for control rooms?

For control rooms, the consequences of poor cybersecurity can be more disastrous than in almost any other element of the public safety ecosystem. Time is of the essence when handling, and attending, emergency calls – any interference with critical systems may force operators to revert to outdated pen and paper methods, which could slow down their emergency response and increase the potential for errors. In a worst-case scenario, emergency services may be left unable to answer emergency calls entirely – putting lives at risk. Additionally, if callers are unable to access key services when they are needed most urgently, it may permanently damage their trust in the emergency services as a whole.

Crucially, attacks which start in control rooms may not necessarily end there. Control room software – such as Computer-Aided Dispatch (CAD) systems and Integrated Communication Control Systems (ICCS) – is often connected to other systems, including radio networks. If a control room is attacked, bad actors can move laterally through the system to compromise broader public safety networks with devastating effect.

And these concerns are not hypothetical: research shows that in 2025 to date, cyberattacks on European control rooms occur every 3.3 days, on average. While global cyberattacks impacting public safety fell in 2024, disruptions to key mission-critical systems like land mobile radio, computer aided dispatch, and emergency call handling rose dramatically. Dispatch systems underwent an 89% spike in cyber disruptions alone, driven by opportunistic attacks on enterprise networks but also an assessed preference and capability from threat actors to disable mission-critical technology to receive extortion payments.

What are some common cyberattacks on control rooms?

Cybercriminals are growing ever more sophisticated in their attacks, and control rooms are particularly vulnerable due to their previously mentioned connections to other systems. In the US, 75% of cyber attacks against dispatch networks in 2024 actually started outside of the networks themselves.

The most common kind of cyber attack on European control rooms is the distributed denial-of-service (DDoS) disruption, in which criminals try to make a website or network resource unavailable by flooding it with malicious traffic; globally, 75% of these attacks are centered on European public safety. For control rooms specifically, a telephony denial-of-service (TDoS) attack is more common, in which malicious actors access large numbers of physical phones to generate fake calls and overwhelm the system. More sophisticated attackers will even randomise the phone numbers from which they call the emergency service, so call handlers cannot simply block all incoming spoof calls. Ultimately, a successful DDoS attack may prevent genuine callers from reaching the control room, resulting in a potential loss of life. It can also erode public trust in the response system, resulting in panic or confusion. As of June 2025, there have been 27 DDoS attacks on control rooms in Europe – that adds up to one a week – which accounts for 59% of all cyberattacks. Worryingly, while the exact number of cyberattacks fluctuates from year to year, DDoS attacks in Europe have continued to rise year on year since 2022.
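Because randomised caller numbers defeat per-number blocking, TDoS detection has to look at the aggregate shape of incoming calls instead. The sketch below is an added example, not code from this post or any vendor product: the call-record layout, thresholds and phone numbers are constructed assumptions, and it also shows a genuine major-incident surge that must not raise an alert.

```python
from collections import Counter, deque

WINDOW_S = 60        # sliding window length in seconds (assumed)
MAX_CALLS = 20       # assumed ceiling for calls per window in normal operation
SHORT_CALL_S = 5     # calls that end this quickly count as suspect (assumed)
SUSPECT_RATIO = 0.8  # share of suspect calls in a window that raises an alert

def per_number_blocklist(cdrs, limit=3):
    """Naive defence: block any number that calls more than `limit` times."""
    counts = Counter(caller for _, caller, _ in cdrs)
    return {number for number, n in counts.items() if n > limit}

def detect_tdos(cdrs, known_callers=frozenset()):
    """Return alert timestamps for windows whose aggregate shape looks like TDoS."""
    window, seen, alerts = deque(), set(known_callers), []
    for ts, caller, duration in sorted(cdrs):
        # Suspect = a number never seen before whose call ends almost at once.
        suspect = caller not in seen and duration < SHORT_CALL_S
        seen.add(caller)
        window.append((ts, suspect))
        while window[0][0] <= ts - WINDOW_S:   # drop calls older than the window
            window.popleft()
        flagged = sum(1 for _, s in window if s)
        busy = len(window) > MAX_CALLS
        if busy and flagged / len(window) >= SUSPECT_RATIO:
            if not alerts or ts - alerts[-1] >= WINDOW_S:  # one alert per window
                alerts.append(ts)
    return alerts

# Constructed call records: (seconds since start, caller number, duration in seconds)
NORMAL = [(i * 60, f"+000555{i:04d}", 120) for i in range(10)]
FLOOD = [(1000 + i, f"+000777{i:04d}", 2) for i in range(40)]   # randomised numbers
SURGE = [(2000 + i, f"+000888{i:04d}", 90) for i in range(40)]  # real major incident

if __name__ == "__main__":
    calls = NORMAL + FLOOD + SURGE
    print("blocked numbers:", per_number_blocklist(calls))
    print("TDoS alerts at:", detect_tdos(calls))
```

The blocklist stays empty because every flood call uses a different number, while the window-based check alerts on the flood and stays quiet during the genuine surge of long calls.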

Another particularly disruptive method currently on the rise in Europe is ransomware, where an attacker remotely locks systems or data and demands payment to unlock them. In March 2025 alone, Czech authorities registered six ransomware attacks on government systems. One of these – an attack against a fire brigade TETRA infrastructure in the Královéhradecký and Zlín regions – was classified as “very significant” due to its disruption to the emergency services.

A final kind of attack which may target control rooms is that of credential abuse, in which a bad actor obtains legitimate system credentials. They may acquire credentials directly from an employee through deceptive means such as phishing; they may also purchase stolen credentials on the dark web, or use a brute-force “password spraying” method to guess IDs and passwords. Once attackers have these credentials, they can then disrupt the software from the inside. This was the most common method employed by criminals attacking US public safety infrastructure in 2024, who used legitimate credentials to gain initial access through unsecured service accounts. Then, they used lateral movement techniques to travel to the CAD or PSAP network perimeter, bypass the firewalls and access the target dispatch systems. In an example from 2022, an unnamed British police force was the target of a sophisticated phishing attack in which the bad actors attempted to gain officers’ Microsoft usernames and passwords via a fraudulent link.
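Password spraying tries one or two passwords against many accounts, so per-account lockout counters never trip; the signal is many distinct accounts failing from one source, followed by a success. The following is an added example, not part of the original post: the log format, thresholds, account names and addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")  # assumed log format
WINDOW = timedelta(minutes=10)   # assumed look-back period
MIN_ACCOUNTS = 5                 # distinct accounts failing from one source

def parse(lines):
    """Yield (timestamp, result, user, source) for every well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spray(lines):
    """Return {src: {"accounts": n, "compromised": [users]}} for spraying sources."""
    fails = defaultdict(list)    # src -> [(ts, user)] failures inside the window
    findings = {}
    for ts, result, user, src in sorted(parse(lines)):
        recent = [(t, u) for t, u in fails[src] if ts - t <= WINDOW]
        fails[src] = recent
        if result == "FAIL":
            recent.append((ts, user))
        accounts = {u for _, u in recent}
        if len(accounts) >= MIN_ACCOUNTS:
            hit = findings.setdefault(src, {"accounts": 0, "compromised": []})
            hit["accounts"] = max(hit["accounts"], len(accounts))
            if result == "OK":   # a login that follows the spray needs a reset
                hit["compromised"].append(user)
    return findings

SAMPLE = [  # constructed log lines
    "2025-06-01T10:00:00Z FAIL user=alice src=203.0.113.7",
    "2025-06-01T10:00:10Z FAIL user=frank src=198.51.100.20",
    "2025-06-01T10:00:20Z FAIL user=frank src=198.51.100.20",
    "2025-06-01T10:00:30Z FAIL user=bob src=203.0.113.7",
    "2025-06-01T10:00:40Z OK user=frank src=198.51.100.20",
    "2025-06-01T10:01:00Z FAIL user=carol src=203.0.113.7",
    "2025-06-01T10:01:30Z FAIL user=dave src=203.0.113.7",
    "2025-06-01T10:02:00Z FAIL user=erin src=203.0.113.7",
    "2025-06-01T10:02:30Z OK user=svc-cad src=203.0.113.7",
]

if __name__ == "__main__":
    print(detect_spray(SAMPLE))
```

The user who mistypes a password twice is ignored, while the source that fails across five accounts is reported together with the service account it then logged in to.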

Where should control rooms start when it comes to cybersecurity?

Given the sheer number and sophistication of attacks, it can seem like a daunting task to build a comprehensive, robust cybersecurity program. Fortunately, there are some simple actions that control room supervisors can take immediately to strengthen their cyber resilience.

An easy way to mitigate the more common cyberattacks is by educating your staff, who are the first line of defence against ransomware and phishing, through an in-depth cybersecurity awareness and training program. Teach them to recognise the signs of suspicious communications, such as a needless sense of urgency or emotion. Encourage them to double-check email addresses and links before they click; you should also ensure it’s easy for them to report these communications as spam, so your organisation can learn from previous failed attacks.

If your organisation has the resources to do so, you may want to consider engaging a third party to carry out penetration testing; this is so-called “ethical hacking” in which a good actor tries to breach your systems in the same manner that a bad actor would. There are multiple kinds of penetration testing, including transparent testing (in which the testers are given information about your systems), and opaque testing (in which the testers have no extra context, similarly to an actual attacker). Some non-profits even offer free penetration testing toolkits and guidelines, enabling organizations with limited budget to test their systems themselves.

Another route for prevention is cyber exercises, which can help you and your team test your incident response plan in a no-stakes environment. This enables you to understand whether you have the appropriate cybersecurity procedures in place, and if your security measures are truly effective. There are two options – tabletop exercises (TTX), which are discussion-based, and functional, which are operations-based. Some organisations even provide cyber exercises free of charge, to help you prepare for real-world incidents. These exercises encourage you to consider key questions such as who you would need to notify in the case of a cyberattack, and how you could prevent it from occurring again. They may also inform your continuity of operations plan – that is, how you can keep core emergency services up and running even when certain elements of your network are compromised.

Turning to more technology-focused solutions, one basic requirement in a control room is firewalls, which serve as a vital security layer between the internal network and the internet. These firewalls meticulously monitor and filter all incoming and outgoing network traffic, ensuring adherence to predefined security protocols. Correct firewall implementation is crucial for preventing unauthorized access and mitigating DDoS attacks by identifying and blocking suspicious traffic patterns indicative of malicious activity. Many of the most common attacks on emergency call handling systems come via firewalls; security update services are crucial, in order to avoid exposing vulnerabilities.

Another simple – yet necessary – step when preventing cyberattacks is to ensure that your control room software is up to date: suppliers will often include bug fixes and patches against known vulnerabilities in these updates. While consumers are often encouraged to enable automatic upgrades for their software and personal devices – which minimises the risk of forgetting – this is less practical for control rooms, whose software is mission-critical and cannot be out of commission for any length of time. Instead, you should consider a staged update approach, where individual elements of the software are upgraded piece by piece. You should also work with vendors to schedule upgrades at certain points throughout the year, so your team has plenty of time to plan and accommodate any disruption.

When it comes to proactive threat detection, most legacy antivirus software simply can’t keep up with the increasing sophistication of cybersecurity attacks. That’s because legacy antivirus is too reactive, “[leaving organisations] only able to defend against known malware and viruses cataloged in the AV provider’s database.” Instead, control rooms should consider endpoint detection and response (EDR) in order to proactively identify and automatically remediate threats on endpoints within the radio system, dispatch and related enterprise network. When a threat is detected, EDR can automatically take steps to remediate it, such as isolating the affected endpoint or blocking malicious traffic. By continuously monitoring endpoints and then analyzing the data it receives, EDR can move to stop bad actors before they do damage to a system. It’s important to note, however, that some risks associated with EDR are specific to control rooms – such as a false positive that accidentally flags a genuine call for help.

The most resilient cyber support available for a control room is a managed detection and response service, which combines human expertise with technology for more robust security. This builds on EDR with monitoring and support from cyber security experts in a Security Operations Centre (SOC), and includes components such as log collection and analytics, Network Intrusion Detection Systems (NIDS), External Vulnerability Scanning, Incident Response Support and Advanced Threat Insights.

Finally, you can also improve your control room’s cybersecurity protocols by connecting with your peers and sharing best practices, or getting regular risk assessments from cybersecurity professionals.

Are you compliant?

In recognition of the escalating cybersecurity threats, in December 2023 the European Network and Information Security Directive (NIS2 – EU Directive 2022/2555) became effective, marking a significant legislative evolution in the EU’s approach to cybersecurity. It repeals and replaces the original 2016 NIS Directive (EU 2016/1148) (NIS1), aiming to establish a higher common level of cybersecurity across the Union and improve the functioning of the internal markets. NIS1 resulted in wide divergences in implementation among Member States, particularly concerning scope, security obligations, incident reporting, and enforcement measures, leading to disparities and fragmentation within the internal markets. NIS2 seeks to remove these divergences by requiring an expanded scope of entities that must comply, more stringent minimum cybersecurity risk management measures, expanded incident reporting requirements and enhanced enforcement mechanisms and penalties.

You may also have heard of DORA (Digital Operational Resilience Act – Regulation EU 2022/2554) and the CRA (Cyber Resilience Act – Regulation EU 2024/2847), additional EU legislation which addresses cybersecurity. However, NIS2 differs from DORA in that the latter only applies to financial institutions and certain vendors supporting those institutions; therefore, emergency call handling organisations are generally not bound by DORA. Additionally, NIS2 is a directive, meaning that it is the responsibility of individual member states to transpose the directive into member state law, while DORA is a regulation, meaning that it is applicable, enforceable law for all EU member states. NIS2 differs from the CRA in that NIS2 focuses on an entity’s security of the network and information systems used for their operations or for the provision of their services. The CRA focuses on the security of hardware and software products with digital elements placed on the market of the EU. Like DORA, the CRA is a regulation and, therefore, applicable and enforceable law for all member states.

As of 2025, the transposition of NIS2 varies from country to country. Individual countries also differ in the security standards and frameworks that they consider as minimum security requirements supporting NIS2 compliance; for example, Belgium has created a “cyber fundamentals” framework which puts forward key measures that organisations should follow in order to stay secure and protected against attacks. Therefore, it is important to check your local laws and standards before implementing a cybersecurity strategy.

The key takeaway

While cybersecurity can seem like an intimidating topic, the stakes are so high in an emergency call handling context that your organisation cannot afford to ignore the issue. Fortunately, there are multiple resources available to help you establish the core tenets of a successful cybersecurity program. When you proactively manage these risks, either through educating your staff or by turning to technology, everyone benefits: operators can do their jobs with confidence, and the public trusts your organisation to respond in a timely manner.
