Dangers of Smart Cities — How to Make Them Super Secure?
To serve the need of the ever-increasing population in urban areas is stressing the resources available and the management of these resources. Examples of these resources are water, electricity, west, traffic, transport, parking, health services. The urban planning teams are taking advantage of the technology advancements, availability affordability of high-speed connectivity, the proliferation of IoT devices, and other smart technologies to track and manage resources efficiently. This converts the cities into a digitally connected system, Smart cities.
Smart cities are becoming a reality as part of our everyday lives. We as a society have become dependent on digital technologies and IoT/connected devices, to run our cities. We are forgetting to take a pause and think, what will be the impact if the security that protects all these devices, data they capture, and applications that run the city fails or breached by malicious intention people?
In this article, we will explore the digital components of smart cities, what are the risk of this, and how we can limit the impact of these risks on our life.
We will neglect our cities to our peril, for in neglecting them we neglect the nation. — John F. Kennedy
What is a Smart City?
As per the Smart Cities Council, the definition of a Smart City is “A smart city uses information and communications technology (ICT) to enhance its liveability, workability, and sustainability. First, a smart city collects information about itself through sensors, other devices, and existing systems. Next, it communicates that data using wired or wireless networks. Third, it analyses that data to understand what’s happening now and what’s likely to happen next.”
Smart cities consist of various IoT devices, sensors, technologies, services, wired, wireless connections with high-speed internet to local low energy connectivity, data analytics, and storage. These interconnected devices and technologies provide convenience to the citizens as well as the city management team. At the same time, these devices and technologies leave behind challenges to handle the sensitive information that is captured and transmitted through the network.
For example, data generated by unprotected smart city infrastructures such as parking garages, EV charging stations, and surveillance feeds provide malicious intention people with an ample of information that can potentially be exploited for fraudulent transactions and identity theft.
Cybersecurity Concerns for Smart City
Many smart cities already include millions of internet of things (IoT), sensors, which have limited security or have problems with security. It is a topic of concern for the security experts about what could go wrong once more and more IoT devices, programs and high-speed connectivity like 5G network come online.
A single vulnerability in connected IoT devices in smart city infrastructure, when exploited can become more disrupting than the same vulnerability gets exploited in an enterprise network. All these interconnected smart city programs not only create a large attack surface. It is also about what if any of these programs gets compromised, how it will impact the entire city, and affect the lives of citizens. If a whole network is failed due to a cyberattack, the loss of data, damage, and property, and the potential risk to lives due to disaster can be shocking.
This is especially true in the current environment when we see the escalating amount of ransomware attacks that lock city data behind encryption. As per the CrowdStrike Global Threat Report 2020, ransomware like RobbinHood, Ryuk, REvil, DoppelPayme is targeting municipalities and local governments, several U.S. states, and cities. As per the CRN report till June 2020 attackers have targeted five municipality governments.
Following are the major concerns from the cybersecurity point of view:
- IoT devices vulnerability can lead to botnet attack like Distributed Denial of Service (DDoS) which can flood the target with superfluous requests, disrupting services. This prohibits legitimate users to gain access. The hacker can breach into interconnected devices and overwhelm a smart city operation
- Smart City applications will be capturing a lot of data which can be personally Identifiable Information or PII, this can attract hackers for Data and identity theft which will result in stealing PII from unprotected smart city infrastructure. Hackers can extract personal information from a smart metering application for electricity and use it for fraudulent transactions (Identity and Privacy breach)
- Attackers can hijack devices used for west management or water supply management and can create havoc in the system (Device hijacking)
- As we have seen in 2020, when people are working from home, social engineering attacks can lead to exposing the privilege of access to the attackers. And when this access is to the city critical infrastructure like health care or smart grids can have a terrible adverse impact on the life of citizens (Stolen Privilege credentials)
- Attackers can interrupt the insecure communication between sensors and the application to modify the data and disrupt normal life. For example, hackers can increase or decrease the pressure in domestic gas pipelines can lead to accidents or frustration among the citizens. (Man-in-the-Middle attack)
Securing Smart Cities
The security of smart cities should be following two principles, Secure by Design and Zero Trust architecture. As a part of the designing stage, performing threat modeling can help to identify the threats at the early stages will help incorporate mitigations as a part of the design. This is most important as it will save time and money than incorporating security as an afterthought. When designing security architecture use the Zero trust model, this will help to consider the security of all telemetry of the connected smart city programs. Apart from these two principles security of the IoT devices should be given as the highest preference as all the inputs that will be received for managing the smart city operations will be coming from these devices and security can be as strong as the accuracy of the uncompromised data.
Following are the mandatory security technology controls that must be incorporated as a part of smart city digital infrastructure:
- Cyber Security should be included as a part of smart city planning strategy and required stakeholder support should be provided from the governance and budgetary point of view. This will help to use the latest security technologies as part of smart city digital architecture as well as attract and retain the scarce cybersecurity talent
- Centralized Security Operation center that is facilitated with state-of-the-art tools and technologies to monitor and analyze the data across the smart city digital infrastructure by utilizing machine learning-based algorithms to automate analysis in real-time and identify abnormalities at early stages of attacks.
- Data Privacy — Data privacy should be considered as a separate topic and the latest techniques like differential privacy should be used when the data is captured, stored, and processed for statistical analysis.
- The data should be encrypted end to end, this means the encryption should be applied at all data touch points including endpoints where data is captured/generated, the network which will transport the data, and the storage where the data will be stored. For more on Data Touchpoints refer to my previous article “Holistic View of Cyber Security” here (Add link t the Blog)
- The cybersecurity architecture should be flexible enough to include multiple deployments that can be datacenter hosting, public, private or hybrid cloud, or SaaS. This will help look at cybersecurity as a single big picture and identify the impact of compromise in one area on the other parts of the entire smart city digital infrastructure.
Smart Cities — Future Impact on our lives
When I think about smart cities two things come to my mind,
First is the book by George Orwell’s Nineteen Eighty-Four (1984), which was published in 1949, and after more than five decades it still feels more relevant from the kind of personal data getting captured through the surveillance whether you are in your smart home or outside in the smart city. It is not only cameras capturing your moves but every aspect of your life is getting captured. I am not going to talk about surveillance that is a topic for another day, I am worried about the wealth of data which is going to be an obvious target for not only hackers, malicious intention people but for the nation-state as well.
The second thing that comes to mind is Person of Interest an American science fiction crime drama television series that aired on CBS from September 2011 to June 2016. This fiction gives us a glimpse of the power of data analysis using algorithms. The series raises an array of moral issues, from questions of privacy and “the greater good”, the concept of justifiable homicide, and problems caused by working with limited information program. As season one opens the main charter Harold Finch voice-overs “You’ll never find us, but victim or perpetrator if your number’s up… we’ll find you.” All this can become reality the only question is when? Smart cities are acting as a platform to collect the required data.
The kind of data smart homes, smart buildings, and smart cities will be capturing, if analyzed using the power of algorithms, it will be possible not only to predict our behavior online, offline, or entice us to buy some product ……. but it can be used to take control of the very aspect of being a human or it can threaten our existence, the way we thinking. As René Descarte quotes it…
“I think, therefore I am“.
and there we may not exist any more ….
And that is why we need to keep finding ways to stay ahead of cybercriminals.
On the heels of defeat, we have to start over again, failure is part of the process. You don’t know where you are vulnerable until you fail.