While the concern over smart city security is broadly distributed, a survey of government IT professionals reveals that actions to address these concerns are few and far between.
The term “smart city” is as broad as the successes that are frequently published in industry journals and advocacy websites. It’s clear that the opportunities for the industrial Internet of Things to automate city infrastructure are expansive. From helping to manage waste removal in Seoul to more effective flood mitigation in Calgary, the world is now applying connected technologies to make our cities more efficient, greener and more livable.
There is a cloud behind that smart city silver lining, however. The security research community has been clearly calling out the risks involved in smart city technology, but cybersecurity remains a secondary consideration in planning these initiatives. In part, the failure to adequately address cybersecurity is a consequence of the breadth of these initiatives. There is no silver bullet for securing smart cities because the term really refers to a wide collection of technologies that could be deployed. There are, however, widely accepted best practices for building cybersecurity into initiatives that can and should apply to smart cities, starting with design and ending with operations.
In order to more fully understand the reality and challenges of securing our smart cities, Tripwire conducted a survey of more than 200 IT professionals working for state and local government. Government IT workers are frequently on the front lines of smart city technology in real-world deployments, providing the survey with a valuable perspective on the topic. The results confirm that while the concern over smart city security is broadly distributed, actions to address these concerns are few and far between. To set the stage, the respondents overwhelmingly agreed (74 percent) that smart city initiatives are “very important.” At the same time, a majority (55 percent) said that cities do not devote adequate resources to cybersecurity for smart city initiatives. Clearly, while these initiatives are vital to the future of our cities, cybersecurity is a missing piece of the smart city puzzle today.
In order to understand more about where these concerns come from, we asked respondents about which smart city initiatives their jurisdictions had actually adopted. The top four responses were public Wi-Fi, surveillance cameras, public lighting and apps for city services. These top four initiatives only partially map to where respondents thought there was the most risk from cyberattacks.
Public Wi-Fi is both the most common and most risky of the identified smart city technologies. That conclusion isn’t surprising. Public Wi-Fi systems are a service explicitly open to connection from the community, including attackers. That No. 1 spot is where the similarities between prevalence and risk end, however.
The smart grid ranks second in terms of perceived risk from our respondents, but eighth in prevalence. Disruptions in the energy supply, whatever the source, are always high visibility and they directly affect the average citizen. It’s telling, however, that the respondents who ranked the smart grid second in terms of risk from cyberattacks aren’t average citizens, but IT professionals working in government. Their perspective on risk is ideally more informed for this topic.
Of course, there have been highly public incidents to drive concerns around smart grid security as well. In late December 2015, about 230,000 residents in the Ukraine were left in the dark after a cyberattack. The attack wasn’t simply opportunistic, or the result of a misconfiguration, but a planned and executed multistep operation. It included a coordinated cyberattack that resulted in disabled UPS systems, disabled substations and a telephone denial of service to prevent Ukrainian customers from reporting outages. While this incident occurred outside the U.S., experts have said that the U.S. might not fare as well in such an attack. The Ukrainian power grid was successfully attacked again, nearly a year later. In this case, the result was smaller, about 20 percent of the capacity for the city of Kiev . The tactic was different as well, starting with malware delivered via email phishing that stole valid user credentials.
If these incidents weren’t enough to raise awareness and concern, don’t forget that Ted Koppel published a book in late 2015 called Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, perhaps foreshadowing these kinds of attacks.
How other countries would fare under the same types of attacks is an open question, and while not explicitly answered by the Tripwire survey, the level of concern is certainly clear.
The third place for risk from a cyberattack goes to transportation systems, which ranked fifth for prevalence of initiatives. Transportation includes anything from driverless buses to the much more common connected traffic lights. In 2015 a pair of security researchers demonstrated that they could remotely infiltrate an unaltered passenger vehicle. Not only did they undertake simple operations, like changing the radio station or turning on the windshield wipers, they also remotely killed the vehicle. Researchers have also gained access to traffic data and the ability to alter traffic signals in recent years. While we haven’t seen a serious, criminally motivated incident involving cyberattacks on smart city transportation systems, it’s only a matter of time before these individual risks are assembled into a coordinated attack. The evolution of smart cities means that these attacks aren’t simply about stealing data, they now endanger human life.
Dramatic, foreboding conclusions never solved any problem alone. The survey respondents were also asked about why cities don’t devote enough resources to cybersecurity for these initiatives. The responses were uncharacteristically evenly split.
Budget, politics and a lack of understanding were all fairly close in terms of response percentages. That’s a telling triad. The allocation of budget, the ultimate fuel for any action within government, is directly affected by the politics and the understanding of the risks involved. Phrased a little differently, government officials don’t understand the risks well enough and aren’t being pressured enough, to allocate sufficient budget to addressing cybersecurity within smart city initiatives. That’s why the security research outlined above is so important.
If you’re not familiar with the security research community, it may be tempting to see these researchers who are discovering and publicizing risks as causing problems by making this type of information public. While an understandable initial viewpoint, it’s ultimately incorrect, unproductive and increases real risk. In most cases, the research that gets publicly shared was conducted with the explicit objective of increasing the security of these systems. History has demonstrated that without this type of research from the security community, these risks remain hidden and are ultimately exploited by criminals. In the best cases, the security research community partners with affected technology vendors to jointly disclose risks after a fix has been created. This type of cooperation benefits the researcher, the vendor and the community of users. It’s this type of cooperation and partnership that should be fostered around cybersecurity for smart cities.
Addressing cybersecurity for the industrial Internet of Things that drive the smart city isn’t all about finding and fixing risks that are already out there. In fact, addressing risks in deployed technologies is the most expensive method available. In order to make more meaningful progress in securing our smart cities, these initiatives need to build cybersecurity in at the design phase. That means addressing basic security best practices around authentication, encryption and secure configuration of systems. It means monitoring the systems to ensure that they’re not being changed or tampered with, either maliciously or simply through human error. Securing complex, connected systems isn’t easy, but it’s not rocket science either. Incorporating the basic, foundational security principles at the planning stage, following through with adequate monitoring of deployed systems, and partnering with security researchers can deliver substantially more secure systems. There may be no silver bullet for securing our smart cities, but there are some solid roadmaps.
Tim Erlin is a senior director of security and IT risk strategist at Tripwire, a provider of security and compliance solutions for enterprises and industrial organizations. Erlin is responsible for the solutions and strategy. He previously managed Tripwire’s Vulnerability Management product line, including IP360 and PureCloud.