Securing the Smart City of the Future

The concept of a “smart city” can hardly be considered the city of the future anymore. Instead, it’s the new normal. With rapid advances in the Internet of Things (IoT), local governments are investing in and implementing the means to improve efficiency and convenience for its citizens. But all of this spending on smart cities comes with its fair share of challenges. As cities become more advanced, so do the cyber attacks that threaten them.

Everything in a city—from street lights, traffic signals and cameras, electric and gas meters and sewers can all feed into the digital infrastructure, so it’s important to understand that these endpoints require network-related security services in the middle.

What does a smart city look like?

The city of the future comprises a complex ecosystem of services that span public and private entities, people, processes, devices and infrastructure—all of which are constantly interacting with each other. It encompasses elements like:

Smart grids, or the use of technology to improve the communication, automation and connectivity of an electric power network.

Autonomous vehicles and self-driving transport.

5G and IoT-enabled technologies to bring innovations to the management of waste, energy, water and intelligent transport systems.

Traffic Data Services, using wireless data to help traffic planners improve how people move through the city.

Using smart lighting in streets to make cities feel safer and make lights more efficient.

Using AI and AR to make a city more people-focused, bringing immersive technologies to improve residents’ self-reliance, self-service and decision-making.

Interconnectivity is a Double-Edged Sword

Smart cities run on the backbone of sensors and IoT devices that are connected – to each other, to control systems and external systems – over the internet and cloud computing architectures. They transmit personal and confidential data through unsecure channels, with devices that are not patched and don’t support data encryption. The very interconnectivity that makes a smart city work also creates substantial cybersecurity risks. Every access point expands sensitive data exposure vulnerabilities and digital attacks have already begun.

What are the cyber security challenges faced in a smart city?

The more connected we get, the more risk we take on by increasing the attack surface. A smart city must remain vigilant against the threat actors that are increasingly targeting municipalities, using a vector that is getting bigger and less visible. Three key factors influence cyber risk in cities: the blurring lines between the physical and digital worlds; the interoperability between old and new platforms; and the integration of services leading to weak points in the network. Smart cities and cyber security must be considered hand-in-hand.

The smart city is at risk of threats on multiple vectors, and there are plenty of real-world examples to learn from.

DDoS Attacks – We’ve seen a rise in the number of hackers actively searching the internet to hijack smart systems. Hackers use these smart devices to download and install malware, and then launch DDoS attacks on other targets. These devices, though, can also provide an entry point to internal systems. The US Department of Energy reported in April 2019 that grid operators in Los Angeles County, California, and Salt Lake County, Utah, suffered a DDoS attack that disrupted operations but did not cause any outages.

Ransomware – The 2020 Verizon Data Breach Investigations Report found that ransomware is a large problem for the public administration sector, with persistent misdelivery and misconfiguration errors—75% of actor motives were financial, with 19% for espionage and 3% for “fun.” The report details a few city attacks in 2019, including the City of Baltimore being paralyzed by the RobbinHood ransomware in May. In addition, 22 Texas towns were infected with Trickbot, followed by Sodinokibi ransomware in August, after attackers breached their managed service provider and used its remote management tool to distribute the malware.

Lack of cryptographic measures – The weakest point in any system is often human error—phishing is still one of the top threat action varieties, according to the 2020 Verizon Data Breach Investigations Report. Smart cities should not just focus on the big issues; they need to also pay close attention to identity governance and encrypting data and access.

Easy Targets or Preventable Crime?

Cities make easy targets for cyber-criminals because they lag behind in technology usage and familiarity. The underlying technology running their critical infrastructure is, at best, outdated. The technological acceleration that transforms existing cities to smarter ones adds complexity. Smart cities aren’t built in one go, but rather evolve over time. Given that they use technologies that are initially experimental in nature, they remain perpetual beta versions – increasing the probability of mishaps.

Cities currently generate 70% of the world’s gross domestic product. This translates to an easy path for financial gains for cyber-criminals who can breach a smart city’s defenses. Smart cities must, therefore, be secure by design, not bolted on after systems are in place. They should base their systems on rock-solid, intuitive and automated security protocols and policies right from the start, consulting with and involving citizens at every stage. This will help build confidence and ownership about upholding citizens’ privacy requirements.

Atlanta was held hostage to a massive ransomware cyber-attack in 2018. The breach shuttered many devices for five days, interrupted law enforcement, business licenses and even America’s busiest airport, among several other disruptions. Ransomware attacks also took out most of Baltimore’s servers and paralyzed its 911 emergency call center in the same year, costing $18m in damages.

Attacks aren’t limited to American cities. Dublin’s tram system was disrupted in a ransomware attack, as was Stockholm’s air traffic control and railway ticketing systems. Power supplies to Johannesburg and Hyderabad were also crippled through ransomware attacks. Apart from ransomware, cyber-criminals deploy numerous other techniques including remote execution, signal jamming, as well as traditional means, such as malware, data manipulation and distributed denial of service attacks. Their digital arsenals are sourced from the deep web and their weapons are fully automated, powering attacks that can run 24/7.

How can we protect the city of the future?

In an increasingly connected landscape, a smart city is only as secure as its weakest link. Infrastructure needs to be future-proofed, but it needs to be done so in a “smart” way. First and foremost, smart cities must invest in cyber security. ABI Research found the energy, health care, public security, transport, and water and waste sectors are “woefully underfunded and incredibly vulnerable to cyberattacks.”

More than that, though, is the necessary education to shift culture and behavior for both workers and residents. Municipal governments should implement a security awareness and training program, install perimeter defenses and ensure secure configurations. Additionally, city planners should consult with experts in smart cities and cyber security who can help to ensure the right measures are taken, the right training is in place and the right recovery plans are ready for action. Because it’s not a matter of if the city is attacked—but when.