“Internet of Things” (IoT) devices like Nest smart meters and Fitbit activity monitors are way behind the curve on security, leaving all the data they collect wide open to snoops and attackers.
So what about when IoT devices run a “smart city,” and the public water system, power grid, waste management, traffic control, street lighting, public transportation, and physical security systems are all as vulnerable as that Fitbit on your wrist?
“Most cities around the world are unprotected to cyber attacks,” says Cesar Cerrudo, CTO of IOActive. At the DEF CON convention last year, Cerrudo presented research about serious vulnerabilities in vehicle traffic control systems, which could be exploited to cause traffic jams or crashes. His studies inspired him to create Securing Smart Cities, a global non-profit initiative established in May by IOActive, Kaspersky Lab, Bastille, and the Cloud Security Alliance.
“Cities are really important, because they’re the backbones of civilization. They’re the backbones of economy,” says Greg Conti, associate professor and director of the U.S. Army Cyber Institute at West Point. Conti, along with West Point associate professor David Raymond and Drawbridge Networks CTO Tom Cross, will be presenting a session on hacking a city at the Black Hat conference in August.
“We’re going to be looking at the security of cities, whether they’re dumb, moderately intelligent or smart,” says Conti.
What makes cities, particularly “smart” cities, uniquely challenging?
1. Insecure Products & Insufficient Testing
One of the biggest concerns about smart buildings and smart cities is that the sensors in the equipment can be hacked and fed fake data — which could be used for all manner of mischief, like causing signal failures that shut down subways or allowing contaminants into the water supply.
“Most product vendors are releasing hardware, software without any security, and governments are releasing it without any testing,” says Cerrudo. Although they may test rigorously for functionality, cybersecurity won’t be part of the process. Cerrudo discovered there were 200,000 vulnerable traffic control sensors installed in cities across the world, including New York, Washington D.C., and London.
2. Huge, Complex Attack Surface
As futurologist Dr. Simon Moores said at the IFSEC last month, the task of integrating an entire city of buildings outfitted with smart electric meters, doors, HVAC systems, and lighting is an “almost intractable problem.”
Cross explains that the challenge of integration is not just technological; it’s about all the operational interdependencies that exist in a city. “If the subway shuts down, people can’t get to their jobs, and then other things don’t get done,” he says.
Cerrudo explains that attackers know about this “cascade effect,” and that they can use it to their advantage by launching an attack on a small, poorly secured system that doesn’t seem very critical, and setting off a chain reaction.
3. Lack of Oversight and Organization
At IFSEC, Moores posed the rhetorical question, “Who’s responsible when a smart city crashes?”
Other experts agree that in many cities there is still no clear cybersecurity leadership, and that cities need to establish city-specific security operations centers for information sharing, vulnerability assessment and incident response planning.
4. Shifting Politics, Shifting Budgets
That’s all easier said than done. Getting budget for security always requires a process of educating leaders and obtaining their buy-in. However, in the public sector, the leaders and the budgets may change severely every time there’s an election. Also, there is a shortage of cybersecurity professionals, and the private sector pays more.
“Security problems in cities are real and are current,” Cerrudo says. “The possibilities are out there … So we need to start working on improving security right now.”
Read the full article on DarkReading.com
Listen to the IFSEC Insider podcast!
Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.
Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.
