When the question “Who’s responsible when a smart city crashes?” was posed by Futurologist Dr. Simon Moores during his keynote session at IFSEC last month, it sparked an intriguing and still un-concluded debate. It not only challenged topics of ownership and responsibility, but also highlighted smart city vulnerabilities and our growing dependency on connected technology.
The Internet of Things (IoT) still faces "two really, really big challenges – security and a lack of standards. Integrating an entire city full of these networks presents an almost intractable problem", Moores said.
It's no secret that IoT devices like Nest and Fitbits are behind the curve on information security; lack solid encryption and access control standards for both wireless network and data security, among other things. So what about when IoT devices run a "smart city," including the public water system, power grid, waste management, traffic control, street lighting, public transportation, and physical security systems?
Attacks could disrupt the very heart of urban society; knocking out power, contaminating water, grid-locking road systems or backing up waste. While physical security systems, discussed in depth in our recent report The Physical Security Business, are very counter productive to safety if accessible by potential antagonists.
"Most cities around the world are unprotected to cyber attacks", says Cesar Cerrudo, CTO of IOActive. At DEF CON last year, Cerrudo presented research about serious vulnerabilities in vehicle traffic control systems, which could be exploited to cause traffic jams or crashes. His studies inspired him to create Securing Smart Cities, a global non-profit initiative established in May by IOActive, Kaspersky Lab, Bastille, and the Cloud Security Alliance with the purpose of better defining the security challenges of smart cities and finding workable solutions.
Cerrudo and his team found ways to make red or green traffic lights stay red or green, tweak electronic speed limit signs, or mess with ramp meters to send many cars onto the freeway at the same time. In San Francisco, among other cities, they discovered information coming from these sensors could be intercepted from 1,500 feet away, even by drone, simply because one company had failed to encrypt its traffic. After alerting the authorities Cerrudo tested the same traffic sensors in San Francisco one year later, and found that they were still not encrypted.
"Cities are really important, because they're the backbones of civilization. They're the backbones of economy", says Greg Conti, associate professor and director of the US Army Cyber Institute at West Point. Conti, along with West Point associate professor David Raymond and Drawbridge Networks CTO Tom Cross, will be presenting a session on "Pen Testing a City" at the Black Hat Briefings in August. "We're going to be looking at the security of cities, whether they're dumb, moderately intelligent or smart", says Conti.
[contact-form-7 id="3204" title="memoori-newsletter"]
Would it now be fair to say that a dumb city is safer than a smart city? After all both are vulnerable to physical attacks, be it a gunman at a power station or a chemical deposited in the water supply. Smart cities, however, also open themselves up to cyber attack through potentially millions of connection points linking to numerous targets.
However, the bigger trouble may come from the big data generated by all these smart devices. "The value isn’t in the IoT at all", said Moores, “the real value is in the ability to apply the data from the sensors at the endpoints".
As the amount and value of this data increases, its value as an attack target could increase, both attacks that steal private information or manipulate it and damage its integrity. As Moores explains, “the persistent collection of data about people's movements also raises privacy concerns something that some city’s citizens are beginning to push back against”.
Until now, Moores said, smart city development has focused on technology, not people; cost-savings, not security; and top-down, not bottom-up approaches. A “long, messy, and incremental process is ahead”, he suggested, and the winners and losers will depend upon how well they can adapt.
Vulnerability to cyber attacks on physical systems and private information is not a new debate for the IoT and smart technology sector. It is simultaneously the major obstacle in developing the purist’s smart cities and an essential foundation on which the system should be built. The further we develop our integrated smart cities, buildings and infrastructure without adequate security, the more vulnerable they are and the greater the potential scale of an attack.