[ Editor's Note:This is a cross post from Authors Blog. The question of passive defense and active defense is very relevant for SmartCity and needs some FreshThinking]
Smart cities integrate cyber-physical technologies and infrastructure to create environmental and economic efficiency while improving the overall quality of life. There is going to be a paradigm shift of what we experience and what we come to expect from the cities around us.
In times to come, smart cities will provide businesses with unprecedented economic opportunities. In effect, these transformations of today’s cities into smart cities will be an amalgamation of two major technologies –Internet of Things (IoT) and Network that connects all of these nodes together and enables real-time communication. By 2020, there will be more than 50 Billion Internet-connected devices that will transform the way we live and work. As per Tripwire Survey: Cyber Attacks Against Smart City Services May Pose Public Safety Threat:
- 81 percent of the respondents believe a cyber-attack targeting critical city infrastructure could cause physical damage.
- 83 percent of the respondents are worried about cyber-attacks that target smart city transportation initiatives.
- Only three percent of the respondents believed there would not be a cyber-attack against smart city services this year.
Vulnerabilities of Smart Cities
Internet of Things (IoT) based Smart devices as the enabler for effectively converting the city to be a smart city. These are extensively utilized in traffic and surveillance cameras, meters, street lights, traffic lights, smart pipes and sensors are easy to implement.
Every new technology and innovation brings in new Risks and Vulnerabilities. These vulnerabilities would impact the city administration, residents, businesses and other organizations alike that conduct business there.
As the cities become smarter with implementation of IoT technologies, consider as to what could happen if one or more technology-reliant services fails to function.
- What would commuting look like with non-functioning traffic control systems, no streetlights, and no public transportation?
- How would citizens respond to an inadequate supply of electricity or water, or to dark streets, and no cameras?
- What if garbage collection is interrupted in the summertime and the smell of refuse stinks up the streets?
To anybody’s guess that it would probably cause a lot of chaos in any city and inconvenience, it does not take long before these issues create major concerns.
Though, Internet of Things (IoT) are easy to implement, however. at the same time are even easier to hack as they lack of stringent security protocols and insecure encryption mechanisms. This is a major point of concern as smart cities are implementing IoT technologies at a very fast pace without testing them for cyber threats and its vulnerabilities.
Few of the very dreaded Cyber Threats will be presented with an unprecedented attack surface in smart cities as there would be significant increase in the number of interconnected IoT devices.
Smart IoT devices create huge potential for cyber-attacks due numerous vulnerabilities, making the future of smart cities more vulnerable than today’s computers and smartphones. People residing in such a city might face a panic attack when they are made slaves of their “cyber masters/criminals for Ransom.” This scenario might not be as unlikely as you think.
Voids in implementing foolproof cyber security could trigger anytime causing devastating effects. Few of the vulnerabilities that could trigger cyber-attacks in smart cities are as under:
- IoT and Sensor technologies (system, devices, etc.) are being deployed without any security testing.
- Ease-of-use and quick deployment vs security plagued by vulnerabilities (vendors are clueless about security).
- Almost every component in the network is wireless which could be easily hacked.
- Custom protocol and encryption-related issues (even in RF transceiver chips).
- Lack of CERTs due to weak coordination and communication on security incidents.
- IoT Device in Smart Cities give a huge and unknown attack surface for hackers.
- Complexity, inter-dependency, chain reaction, patch deployment and systems updates. How to test on non-production system?
- How to keep up patching up to date? If patch isn’t available for a vulnerability, stop the service? Patch delays by vendors and patches difficult to apply Legacy systems (vulnerable) communicate with new systems.
- Lack of protocol standardization amongst different devices deployed as part of the Smart City Network.
- Insecure legacy system. Integration and inter-operability between newer and older technology may cause vulnerabilities. Some of the old technologies lack standards would require a piece of technology in the middle to communicate between old and new systems and to translate protocols.
Cyber Attacks on Smart Cities
Simple vulnerabilities if not addressed can cause big problems and have big impact, whether it’s a water barrage or power grids, financial institutions, water systems or online networks, all these infrastructures are going to be at risk and would be under threat like never before, and we need to do more to safeguard these critical infrastructures. Technologies used by smart cities would pose a major cyber security threat and open the door for several possible cyber-attacks. Each new city technology or system creates a new opportunity for cyber attackers. Some of the key technologies and systems that together make up the smart city’s complex attack surface are:
- Traffic Control Systems.Traffic control systems could be easily hacked as some of the IoT and sensor devices used are without any encrypted communication between traffic control systems and traffic lights, traffic controllers, and so on, allowing an attacker to intrude and change traffic lights.
- Surveillance Cameras. Traffic and surveillance cameras are the eyes of the city and by attacking them with DoS attacks, attackers can make cities blind.
- Smart Street Lighting Systems. Wireless street lighting systems are being deployed in many cities around the world. Most systems use wireless communications and have hardly any strong encryption. Attacks on smart street lighting systems are not complex and can have big impact by causing street blackouts in large areas.
- City Management Systems.Every city has hundreds of systems to manage different services and tasks. Hacking these systems would give an attacker a lot of options to cause harm. Just as simple software bugs can create significant harm, manipulating simple information could also have a seemingly over sized security effect.
- City Cloud Infrastructure. City servers and cloud infrastructure are exposed to common Distributed Denial of Services (DDoS) attacks. Servers and cloud infrastructure are cheaper targets for cyber criminals or cyber terrorists.
- Smart Power and Water Grid. Attacks on a smart grid and water could be devastating, causing millions of dollars in losses and even loss of life.
- Public Transportation. By just by displaying incorrect information by manipulating public transportation information systems, it’s possible to influence people’s behavior to cause delays, overcrowding, and so on.
- Location-based Services. With many services going location-based, which means GPS spoofing and other attacks are possible. People get real-time location information, and if the location is wrong, then people will make decisions based on incorrect information. The nature of the impact depends on the extent to which a city relies on the services affected.
Securing Smart Cities
Some of the vulnerabilities of smart cities should be plugged incorporating security from the design stage itself, while working out policies and procedures, risk framework and architecture to make stakeholders accountable. It should follow a holistic approach, with key indicators to secure smart cities:
- Taking cognizance of legal , regulatory and compliance frameworks
- Should not implement any networks /systems and IoT devices without Vulnerability assessment and penetration testing.
- Fix security issues in the network as soon as they are discovered. A city can continuously be under attack if issues are not fixed as soon as possible.
- Capacity building - developing standards, manpower; developing professional certification and agency certification.
- Cooperation between intra-state, intra-agency, public-private partnerships and international players.
- Create City CERT that can handle incidents, vulnerability reporting and patching, coordination, information sharing, etc.
Special thanx to paper written by Cesar Cerrudohttp://www.ioactive.com/pdfs/IOActive_HackingCitiesPaper_cyber-security_CesarCerrudo.pdf
Food For Thought- One major point to ponder is that whether Smart Cities should adopt Defensive cyber security architecture or should have deterrent based security architecture to thwart the cyber-attacks – Think and decide.