In 2024 alone, disruptions targeting mission-critical public safety infrastructure, such as computer-aided dispatch (CAD) and 911 call handling systems, rose by more than 60 percent, despite a modest overall decline in cyberattacks on public safety agencies. In such an ecosystem, even a few minutes of downtime or misrouting cost lives and erode public trust. For organizations protecting communities, a public safety–focused incident response plan is essential. This article explores how agencies build and mature IR programs to ensure continuity, resilience, and rapid recovery when every second counts.
Escalation of Attacks on Mission-Critical Public Safety Systems
Public safety IT systems are increasingly under threat. In 2024, there was a marked rise in attacks specifically targeting mission-critical public safety technologies, such as public safety radio, CAD, and Public Safety Answering Points (PSAPs). These attacks are not simply nuisances. They directly affect the ability of first responders to do their jobs, with real-world consequences. As agencies consider or refine their incident response plan (and more specifically, a cyber incident response plan), understanding how these risks have escalated is crucial.
Key Trends & Data
Surge in Mission-Critical Disruptions
- According to a report by the Public Safety Threat Analysis (PSTA), attacks on critical public safety systems rose 60% from 2024 to 2025, while overall attacks fell 12%.
- Also in 2024, 24 emergency communication systems were fully offline due to cyberattacks, some for weeks, as per Motorola Solutions.
Vulnerable Systems & Attack Vectors
- CAD systems saw a 100% increase in disruptions year-over-year between 2023 and 2024. Average downtime for dispatch services after such attacks was about 15 days, with some disruptions lasting up to six weeks.
- Disruptions also hit 9-1-1 emergency call handling systems and public safety radio systems, both essential for rapid response.
A case in point: Central Texas’ 911 call system was hit by a denial-of-service (DoS) style cyberattack in August 2024, in which robocalls overwhelmed the system, disabling emergency call processing across several counties for many hours.
Implications for Incident Response Planning
Because of the growing frequency and severity of these attacks, a robust incident response plan becomes non-negotiable. Specifically:
- Agencies must ensure their cyber incident response plan quickly detects and contains threats to CAD, PSAPs, and radio systems.
- Incident response plans must cover worst-case scenarios, recovery procedures, backups, redundancy, and cross-system dependencies.
- Incident response plans should define roles and communication protocols across IT, dispatch centers, leadership, and external stakeholders.
In summary, the escalation of attacks on mission-critical public safety systems in 2024 demonstrates that simply having an incident response plan is no longer sufficient. What matters is having one that’s tailored for public safety’s unique risks, interdependencies, and high stakes. Next, we look at how agencies develop cyber incident response plans tailored to this threat landscape.
Core Principles of an Incident Response Plan in the Public Safety Context
An effective incident response plan starts with structure and accountability. In public safety, clear roles for containment, communication, and recovery ensure continuity. NIST recommends embedding these roles into governance for coordinated IT, operations, and leadership response. This integration helps agencies maintain a chain of command that remains functional even under crisis pressure.
Detection and Prioritization
Strong detection and prioritization protocols are central to any cyber incident response plan. Public safety IT environments rely on rapid visibility into network behavior and asset status to act before threats escalate. As CISA’s 2024 report on PSAP cybersecurity highlights, understanding system dependencies and maintaining accurate inventories allow faster containment and triage when anomalies occur. This means that incident response planning treats threat detection not as a technical function alone but as an operational safeguard.
Communication and Coordination
No cyber incident response plan is complete without a tested communication strategy. When dispatch or emergency communications are disrupted, agencies have to be able to share verified information internally and externally in real time. Regular tabletop exercises remain the most effective way to ensure teams understand their roles and escalation paths. Equally, collaboration with technology vendors and local partners needs to be codified within the incident response plan to prevent confusion about responsibilities during an event.
Alignment with National Standards
Finally, aligning incident response planning with national frameworks such as CISA’s National Cyber Incident Response Plan and NIST’s updated recommendations ensures consistency and compliance across jurisdictions. This alignment allows local agencies to coordinate seamlessly with state and federal partners, promoting faster recovery and minimizing legal exposure.
Grounding a cyber incident response plan in structure, detection, communication, and alignment forms the foundation of resilience. Yet many agencies still struggle to put these principles into practice. Next, we examine common gaps in training, coordination, and resources, and how targeted improvements boost public safety response readiness.
Maturity and Gaps: What Public Safety Agencies Often Miss
Despite the growing awareness of cybersecurity threats, many public safety organizations remain in the early stages of incident response planning maturity. Too often, their incident response plan exists only as a static document, rarely updated, untested, or disconnected from daily operations. Training gaps are a recurring issue. Frontline staff do not know the first steps to take during a cyber disruption, and leadership teams underestimate the time and coordination required for full recovery.
Another common weakness lies in how agencies measure and sustain progress. A mature cyber incident response plan requires continual improvement: periodic assessments, lessons learned from past incidents, and integration of new technologies such as automated monitoring or orchestration tools. However, many agencies lack the resources or governance mechanisms to support that evolution. Without dedicated ownership, even well-designed plans lose relevance as systems, threats, and staff change. The result is an uneven security posture, one that looks strong on paper but falters in practice. To close that gap, incident response planning needs to be seen as a living process rather than a compliance exercise, one that evolves alongside the technology and mission it protects.
Best Practices for Strengthening Public Safety Incident Response Planning
Developing a resilient incident response plan for public safety systems requires more than compliance; it demands a proactive, tested approach. Below are key practices that elevate readiness and resilience:
- Integrate response planning into daily operations: Treat the cyber incident response plan as part of normal workflow, not an isolated document. This ensures teams stay familiar with procedures and act instinctively under pressure.
- Conduct regular tabletop and live exercises: Testing the plan under realistic conditions reveals operational gaps before a real emergency does. Agencies need to update their incident response plan after each exercise to reflect lessons learned.
- Establish multi-agency communication protocols: Public safety incidents often cross organizational boundaries. Define in advance how IT, communications, and leadership coordinate during a cyber event to avoid confusion or overlap.
- Maintain system visibility and redundancy: Real-time monitoring and segmented architectures reduce the blast radius of cyber incidents. Redundant CAD and PSAP systems ensure that emergency operations continue even if one environment is compromised.
- Align with NIST and CISA frameworks: Incorporating guidance from NIST SP 800-61r3 and CISA’s National Cyber Incident Response Plan promotes consistency, compliance, and interoperability with federal partners.
- Document and iterate: Incident response planning is iterative: each event, exercise, or audit provides data to refine processes. Version control and after-action reviews are essential to sustain maturity.
- Invest in continuous training: Every employee, from IT specialists to dispatch operators, has to understand their role in a cyber incident. Regular training reinforces confidence and accelerates coordinated response.
As public safety agencies face an increasingly complex cyber threat landscape, the ability to detect, contain, and recover from incidents swiftly defines operational resilience. A robust incident response plan serves as a safeguard for maintaining public trust and ensuring service continuity. Effective incident response planning blends structure, coordination, and adaptation, ensuring agencies protect mission-critical systems even under pressure.
At Centurion, we help public sector organizations strengthen their cyber incident response plan frameworks through tailored assessments, strategy design, and implementation support. Our goal is to ensure every response plan not only meets regulatory standards but also sustains the essential services that keep communities safe. Contact us today!
About Centurion Group
Centurion Group, LLC, a Woman-Owned Small Business headquartered in Herndon, VA, conveniently located near Washington, D.C., is a national IT services consulting firm serving the public and private sectors by delivering relevant solutions for our clients’ complex business and technology challenges. Our leadership team has over 40 years of combined experience, including almost 10 years of a direct business partnership, in the IT staffing, federal contracting, and professional services industries. Centurion’s leaders have demonstrated experience over the past three decades in partnering with over 10,000 consultants and hundreds of clients, from Fortune 100 to Inc. 5000 firms, in multiple industries including banking, education, federal, financial, healthcare, hospitality, insurance, non-profit, state and local, technology, and telecommunications. www.centurioncg.com.

