Software Engineering Institute

The Wireless Emergency Alerts (WEA) service is a collaborative partnership that enables local, tribal, state, territorial, and federal public safety officials to disseminate geographically targeted emergency alerts to users of capable mobile devices in an affected geographic area. The end-to-end WEA alerting pipeline comprises the following four major elements: (1) alert originators, (2) Integrated Public Alert and Warning System Open Platform for Emergency Networks (IPAWS-OPEN), (3) commercial mobile service providers (CMSPs), and (4) alert recipients. This report presents the results of a study of the CMSP element of the WEA pipeline conducted by researchers at the Software Engineering Institute (SEI). The goal of the study is to provide members of the CMSP community with practical guidance that they can use to better manage their cybersecurity risk exposure. To conduct the study, the SEI research team used the Security Engineering Risk Analysis (SERA) Method to assess high-priority cybersecurity risks in the CMSP WEA infrastructure. The research team used the results of the risk analysis to develop a set of cybersecurity guidelines tailored to the needs of CMSPs.