Smart City Hacking Threats Focus Of IBM Report

August 13, 2018
ibm smart city hacking

In issuing a chilling cybersecurity white paper on August 9, two things seem clear: IBM has gotten the attention of smart city leaders across the country, and hackers pose a clear, present and costly danger worldwide. Here, then, a summary.

The paper, “The Dangers of Smart City Hacking” makes clear its warning, in writing that if smart city device manufacturers and the agencies deploying them do not learn from these recent examples and work harder to secure them today, they will be faced with episodes of mass confusion and potentially chaos when they’re compromised in the future. The discoveries by the IBM Security and Threatcare team paint a frightening picture of the possibilities.

While acknowledging the transformational value of adopting the wide range of smart city technologies to improve resident’s lives within municipalities, the paper’s authors warn that the same innovations that make smart city technology attractive to cities – such as their connectivity and ease of management – also make them attractive targets to attackers. It adds the reality that city leaders and citizens alike are trained to trust these systems and their alerts. Yet, if control is placed in the wrong hands, attackers can abuse that trust, to devastating consequences.

With its assessment of smart city growth, IBM’s paper addresses the ubiquity of technology. Notably, a rapidly growing array of internet-connected sensors are now employed to monitor and control factors, such as traffic, environmental variables, the electrical grid and more to help manage infrastructure and improve public safety. It adds that these Internet of Things (IoT) enabled devices have become cost-effective and easy to deploy and manage, while saving cities time and money. How? In alleviating the response process, smart devices remove the need to deploy personnel to check a widespread network of devices that may or may not need immediate attention.

The cost of smart city cybersecurity is staggering. Worldwide spending on technologies that enable smart cities is projected to reach $80 billion in 2018 and will grow to $135 billion by 2021, according to the Worldwide Semiannual Smart Cities Spending Guide released by Framingham, MA-based International Data Corporation (IDC). The report further noted that the United States is expected to be the largest market, with China close behind. Further, IDC’s Guide predicted that Latin America and Canada is expected to see the fastest growth in spending.

To better address these intensifying vulnerabilities, IBM established X-Force Red. This autonomous group within IBM Security is an elite squad of consultants who specialize in security testing almost anything in the world — from networks and applications to planes, trains and automobiles, and everything in between, according to the company. It promotes the X-Force Red team members as colleagues in the vulnerability research community, available to help in all aspects of offensive security.

In early 2018, as part of an ethical hacking project, IBM X-Force Red and Threat- care discovered 17 zero-day vulnerabilities in smart city sensor and control devices currently deployed across the globe by various municipalities. As the combined X-Force Red and Threatcare team uncovered vulnerabilities, they followed standard disclosure practices by reaching out to device manufacturers and appropriate city agencies.

Smart city security challenges are increasingly daunting and complex. In addressing the key challenges, IBM’s white paper notes key issues that smart cities face moving forward. At a high level, smart city technologies present, and sometimes further complicate, many of the security challenges that local government and ICS networks have been facing in the last decade. The white paper discusses how this is often the result of devices/assets being attached to legacy equipment on legacy operating systems, or having been connected to the internet without a full security audit.

The IBM white paper attempts to addresses solutions to smart city hacking threats. While there are no easy answers, IBM writes, “When it comes to device security, the responsibility is twofold: while it’s the manufacturer’s job to make sure that their products are built securely, it’s the user’s
responsibility to make sure they are practicing good security hygiene. Further, there’s a shared responsibility between the manufacturer and the user: with the former issuing software updates for security issues, and the latter actually applying those updates.” Still, says the paper’s authors, with so many connected devices deployed over so many miles, and from many vendors, city IT leaders can’t easily patch or automatically update their sensor networks. Because of these factors, vulnerabilities can go undiscovered for a long time, allowing hackers a foot in the door.

As smart cities grow, city leaders and smart city vendors need to prioritize security by re-examining the vendors’ security protocols, building proper frameworks for these systems, and developing standard best practices for patching security flaws. Devices’ default configurations are often weak enough to allow attackers to access the sensors by finding the default credentials or hard-coded API keys. On the provider side, vendors should add network port restrictions and stronger password controls to ensure that the devices are accessible only by authorized users. In addition, vendors and city leaders should run frequent security tests and IP scans on devices and networks to provide additional protection against unauthorized access and manipulation.

The IBM white paper, in its entirety, includes assessments and causes for threats, a history of cyber attacks worldwide, specific programs that wreak havoc on city systems, as well as recommendations to smart city leaders and their IT staff. The fast and widespread coverage of the report comes amidst growing warnings on the federal level about threats to the country’s electric grids and election systems identified, and currently being addressed, by agencies, cities and cybersecurity experts worldwide.

Overlay Init

Curated By Logo