A combination of job prospects, local amenities and other attractions is drawing more people to city living than ever before. Indeed, the UN estimates that by 2050 two-thirds of the global population will be living in cities, up from just over half currently. However, at the same time central government investment for urban areas continues to shrink, with UK cities being on “life support” due to lack of funding from Westminster for instance.
To cope with increasing populations and tightening budgets, civic managers are looking at better ways of doing more with less through automation technologies. While the creation of these “smart cities” has the potential to drive efficiencies and improve services, their implementation needs to be coupled with robust cybersecurity solutions and practices to mitigate the vulnerabilities that would make them attractive targets for threat actors.
What’s at risk?
Tempted by the possibilities of being able to remotely control and monitor assets and processes throughout their districts, city administrators are implementing smart technologies across a whole host of services. These include streetlighting, transportation, traffic control and utilities. Frost and Sullivan has predicted that there will be at least 26 fully fledged major smart cities around the world by 2025.
However, through greater connectivity comes greater risk and the results of a successful cyber attack on smart city infrastructure can be catastrophic. For instance, an attack against a city’s electricity grid could knock out power for an extended period resulting in businesses not being able to operate, and residents having to be without heating, lighting and cooking facilities. Another example could be that IoT sensors being used to notify refuse collectors when to pick up waste are taken down. The result would be that rubbish piles up for weeks at a time creating a public health risk.
In addition to the physical impact of a cyber attack, these systems run on a significant amount of data, including personal information, which presents another tempting target for thieves.
How severe is the threat?
Attacks against the IT systems of public sector authorities are happening almost continuously, with UK councils being hit by 800 every hour according to a freedom of information request from insurance brokers Gallagher. This should offer cause for concern to those in charge of smart cities as once a threat actor has infiltrated the IT environment, they could move laterally into an OT system if they are not properly segmented from each other.
While such an attack against an OT network has not yet affected the infrastructure of a smart city on a wider scale, businesses in the industrial sector have witnessed them to their cost. The likes of WannaCry and NotPetya infected production environments via the IT systems of companies including Merck and Renault, severely disrupting operations.
Unfortunately, risks are seemingly built into connected city systems. For instance, there are vulnerabilities inherent in the operating systems used in the OT and IoT devices common in smart cities. One such example is IPnet, which has not been supported since 2006 but is still being used in operating systems, leaving them open to attack. Further, those designing the architecture of smart devices look to make them as lightweight as possible, meaning that security is often an afterthought at best.
These risks are magnified by the fact that there are potentially hundreds of thousands, if not millions, of devices connecting to the OT network, all of which increase the attack surface for threat actors. The advent of 5G is adding to this, offering not only IoT devices new and better ways of connecting to the OT network, but cybercriminals too.
Mitigating the risks
To ensure they reap the benefits of creating smart cities without putting the safety of infrastructure, data and citizens at risk, city administrators must take a cybersecurity-first approach. They need to recruit and train security specialists who understand the different requirements for managing and protecting IT and OT networks.
City administrators should also look to implement robust processes and invest in the right technologies. Such technology should offer total visibility of what is running on a city’s network, as this is vital to keeping it safe. After all, you cannot protect something if you don’t know it’s there. As such, security teams need to know every detail about everything on their networks from make and model of a device through to IP address, patching schedule and risk level.
Armed with this information, security professionals will be able to see where the vulnerabilities are on their networks and take steps to remove them. In OT and IoT environments this can only be achieved through specialized solutions that are able to recognize the unique communication protocols used in production networks.
There is also the need to know how every asset on the network should behave when functioning normally. This will enable any unusual activity to be detected and acted upon. To be effective, automated monitoring should run continuously 24/7, providing security teams with contextualized alerts that are prioritized as to how urgently they need to be acted upon. In this way, security teams will have all the necessary information they need to deal with potential risks in order of severity, cutting down on the number of hours wasted in investigating low-level risks or even false positives.
Ultimately “smart” cities need to think of themselves as “cybersecurity” cities, building security into their OT networks, in the same way they build safety into their road networks.