Cybersecurity And The Rise Of Smart City Vulnerability

October 05, 2015

Smarter Cities
 
Cities have been incorporating new technologies for several years, but lately the rate of adoption has increased, and cities around the world are becoming smarter. Newer technologies, along with faster and easier connectivity, allow cities to optimize resources, save money, and, at the same time, provide better services to their citizens.
 
U.S. cities, like New York, San Francisco, Los Angeles, Washington D.C., Seattle, and Miami, are becoming smarter by the day. The trend is worldwide. In Europe: London, Barcelona, Amsterdam, Paris, Stockholm, and Berlin; in Asia-Pacific: Singapore, Seoul, Tokyo, Sydney, Melbourne, and Hong Kong; in the Middle East: Abu Dhabi, Dubai, Saudi Arabia, and Qatar; and in the South American cities of Rio de Janeiro and Santiago.
 
According to some estimates, by 2020 the potential market for smart cities could be more than $1 trillion.
 
City services become smarter by deploying new technologies in traffic control, parking, street lighting, public transportation, energy management, water management, and waste management, to name a few.
 
Cyber Security Problems
 
Every new technology and innovation brings new challenges and problems. Currently, cities (whether considered smart or not) around the world face huge cyber security problems. These problems could have a direct impact on government, residents, and the businesses and organizations that conduct business there. Cyber security in cities is extremely important, but we have yet to fully realize the risk.
 
Let’s imagine what could happen if one or more technology-reliant services stopped working. What would commuting look like with non-functional traffic control systems, no street lights, and no public transportation? How would citizens respond to an inadequate supply of electricity or water, dark streets, and no cameras? What if waste collection was interrupted during summertime, and garbage piled up and began to stink in the streets?  It would be unpleasant and probably cause a lot of chaos in any city.
 
These scenarios might not be as unlikely as you think. Sadly, there are many cyber security problems that could trigger them.
 
One such problem is the lack of proper security testing of the technology used by cities. Cities in numerous countries are implementing new, untested technologies. In my latest research, I learned that about 200,000 vulnerable and insecure traffic control sensors were installed in important cities around the world such as Washington D.C., New York, Seattle, San Francisco, London, Lyon, and Melbourne.
 
In our research at IOActive Labs, we constantly find vulnerable technology in use across industries. This same technology also is used for critical infrastructure, without undergoing any security testing. Although cities may rigorously test devices and systems for functionality, resistance to weather conditions, and so on, there is often little or no cyber security testing at all, which is concerning to say the least.
 
Another huge problem is technologies with poor or nonexistent cyber security features. Many vendors claim to implement security features, which turn out to be obscure, nonexistent, undocumented, and only described in a sales pitch. At IOActive Labs, we continue to encounter vendors with little or no experience in implementing security features; they lack skilled security people and don’t properly invest in security. Poor security practices are common in industrial systems and devices on the Internet of Things (IoT). These bad practices are being propagated into smart cities.
 
Most new technologies are wireless (traffic and surveillance cameras, smart meters, street lights, traffic lights, smart pipes, sensors, and so on), which makes them easy to implement and even easier to hack, if communication is not properly encrypted. City deployments frequently lack good encryption, do not have encryption turned on, or have improperly implemented encryption.
 
Patch deployment and system updates cause many problems as well. Because of their complexity, patches are often difficult and costly to install. It is increasingly common for cities to use vulnerable devices and systems because vendors are either slow to release patches or patches are not available.
 
Another important issue is the lack of specific Computer Emergency Response Teams (CERTs) in cities and states.
 
Existing CERTs can suffer from problems with coordination and communication. For instance, as part of the latest important research at IOActive Labs, we provided detailed information to CERTs, but we still received calls and emails from the military, federal agencies, and others. We don’t know why the military and federal agencies do not receive such important information on time. This miscommunication and lack of coordination is common.
 
While many cities have plans for how to react on natural disasters, they don’t have any plans for how to response to cyber attacks. Cities should be required to seriously prepare for possible cyber attacks given how they are becoming more and more dependent on technology. Cities need to develop emergency plans that provides step-by-step procedures to follow during a cyber attack and educate people on how to react while under attack. Fast and effective reaction can be key to preventing bigger problems, including city-wide chaos.
 
Another problem affecting city cyber security is government bureaucracy. When dealing with security issues, there is no time to lose. On top of time pressures, cities have a shortage of workers with security skills as well as inadequate budgets, training, and resources to help workers develop these skills.
 
Large and complex systems also make problems worse. When you have a city that is running hundreds of systems and devices for critical services, a simple software bug can have huge impact. With so much complexity and interdependency, it is difficult to identify what is exposed and how the system will react. Simple problems could have a large impact due to interdependency and chain reactions.
 
Let’s consider a real example to better illustrate this:
 
August 14, 2003, a blackout affected an estimated 10 million people in Ontario and 45 million people in eight US states. The blackout's primary cause was a software bug in the alarm system at a control room of the FirstEnergy Corporation, located remotely in Ohio. The impact was huge, 508 generating units at 265 power plants were shut down, hundreds of flights were cancelled, and New York State was responsible for billions of dollars in costs.
 
This was all from a simple software bug, and there are many more examples. Imagine what could happen if a cyber attacker could trigger a problem like this at will.
 
We Need To Take Action Now
 
Cyber security problems are all around, and cities are currently wide open to cyber attacks. This is a real and immediate danger. The more technology a city uses, the more vulnerable to cyber attacks it is, so the smartest cities face the highest risks.
 
It’s only a matter of time before cyber attacks on city services and infrastructure happen. It could be at any moment.
 
It’s extremely important that the technologies used by cities are properly audited to make certain that they are secure before they are implemented. Failing to do so is reckless. Technology vendors also must start taking cyber security very seriously and produce more secure products.
 
Action must be taken now to make cities more secure and protect against cyber attacks. Being prepared is key to preventing bigger problems and chaos.
 
When we combine the fact that the technology used by smart cities can be easily hacked with the knowledge that there are cyber security problems everywhere, smart cities become Dumb Cities.
 

Overlay Init

Curated By Logo