Smart cities — a cybersecurity wildfire waiting to happen?

“We should expect that this technology will be used as an entry point for ransomware, as a vector for hacktivism, and as a means of causing general chaos.”
26 August 2020

The smart city is an exciting concept where technology is used to enhance citizens’ lives, make governance more effective and resource consumption more efficient and sustainable.

Across the world, there are a handful of full-blown smart cities being architected from scratch.

For the most part, though — from Barcelona to Milton Keynes and Miami — these initiatives are emerging piecemeal around us, comprising a broad expanse of technologies from solar-powered smart bins to ‘smart utilities’ automatically optimized by reams of operational data fed from IoT sensors.

As with all things becoming more connected and reliant on technology, however, cities getting ‘smarter’ means they are becoming necessarily laden with more technological infrastructure and data — and that means they will become increasingly vulnerable to new threats.

Last year, we witnessed a spate of ransomware attacks against cities, towns, and government organizations. Augusta, Maine saw a cyberattack freeze its network and force its city center to close; hackers stole roughly US$498,000 from the city of Tallahassee, Florida; and a ransomware attack shut down Louisiana state websites and other online government services.

Those are just a few examples of hundreds, but they demonstrate how the digitization of civic infrastructure can, if inadequately protected, put entire municipalities at the mercy of hackers.

In the cases above, the damage is largely financial and reputational. As is the case in most cyberattacks in both the private and public sectors, they are motivated by money.

But smart cities are also at risk of attacks motivated by politics and activism. Attackers targeting critical infrastructure could bring industrial control systems providing utilities to citizens to a halt, manipulate sensor data — such as that feeding disaster alert systems — to cause public panic, or siphon citizen data. Most recently, in the wake of civil unrest over police violence across the US, hacktivist collective Anonymous released a massive trove of police files from departments across the US.

‘A city-sized IoT device’

“The backbone of the smart cities movement is the Internet-of-Things — wirelessly connected sensors that can manage traffic, operate transit systems and monitor air pollution to name just a small subset of potential applications,” noted Michael O’Malley, global vice president of strategy at Radware.

“We should expect that this technology will be used as an entry point for ransomware, as a vector for hacktivism, and as a means of causing general chaos.”

Indeed, PwC has said the fusion of connected technologies — be they innovations in mobile, big data, artificial intelligence, among others — essentially makes smart cities “one gigantic, city-sized Internet of Things device communicating with each other and with residents’ smartphones or wearables, opening and closing virtual doors that would otherwise require locks and keys […] The reality, however, is that many of those smart-city doors are never completely locked.”

Given the connected nature of smart city infrastructure, a threat can enter at any point and quickly pass from one system to the next, with one weak link in the chain opening up an array of other devices and systems to devastating malware.

Breaching a traffic light system, for example, could not only enable an attacker to control the lights (frightening enough though that scenario is), but also give them access to servers, and from there to data about individual customer behavior and citizens’ personal information.

At present, the development of cybersecurity is not keeping pace with the eager adoption of smart city technologies around the world. When it comes to spending on cybersecurity for critical infrastructure, sectors like energy, healthcare, public security, transport, and water and waste are largely overlooked in favor of finance, ICT, and defense industries, where the need is perceived to be higher.

Smart city projects carry huge benefits, especially in managing the continuing rise in city populations. The market for these initiatives is expected to exceed US$1.7 trillion in the next two decades, according to PwC. At the same time, these projects will face a battle for citizen trust if they fail to address cybersecurity issues early on.

“Perhaps most important to a smart city project is the value of the city’s relationship with its citizens,” said O’Malley. “Recent polls show that the public is trusting of local officials. This trust is something to build on, but security lapses can quickly erode trust and support from citizens.

“From a security perspective, smart city planners need to take a hard look at IoT devices themselves. Many have significant vulnerabilities and there’s plenty of research documenting how IoT devices used in smart cities projects are susceptible to a determined attacker.

“Next, cities need to consider the APIs that they will use. APIs transfer data between sensors, applications, and larger systems. This is a growing attack vector that could be exploited by data theft or network intrusion.”

Network segmentation is also a key aspect of security, O’Malley added. “For example, developers need to make sure that an intrusion into the system that monitors air pollution doesn’t leave another system also vulnerable. This is a case of isolating systems and making sure that any single intrusion doesn’t spread like wildfire across a city’s network.”
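
The segmentation requirement described above can be checked mechanically against a network policy. The following is an added example, not code from the article or from Radware: it models allowed flows between zones as a graph and reports every chain of flows that lets a compromised field system reach a protected one. The zone names and both flow lists are constructed for illustration.

```python
from collections import deque

# Constructed sample policies: each tuple is an allowed flow (source zone, destination zone).
FLAT_FLOWS = [
    ("air-quality-sensors", "telemetry-gateway"),
    ("smart-bins", "telemetry-gateway"),
    ("traffic-signals", "traffic-control-server"),
    ("telemetry-gateway", "city-data-platform"),
    ("traffic-control-server", "city-data-platform"),
    ("city-data-platform", "citizen-records-db"),
]
SEGMENTED_FLOWS = [
    ("air-quality-sensors", "telemetry-gateway"),
    ("smart-bins", "telemetry-gateway"),
    ("traffic-signals", "traffic-control-server"),
    ("records-app", "citizen-records-db"),
]
FIELD_ZONES = {"air-quality-sensors", "smart-bins", "traffic-signals"}
PROTECTED_ZONES = {"citizen-records-db"}


def reach_paths(flows, start):
    """Map each zone reachable from `start` to the shortest chain of allowed flows."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:  # breadth-first search, so the first path found is the shortest
        zone = queue.popleft()
        for nxt in graph.get(zone, []):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths


def segmentation_violations(flows, field_zones, protected):
    """Return (field_zone, protected_zone, path) for every indirect or direct reach."""
    findings = []
    for zone in sorted(field_zones):
        paths = reach_paths(flows, zone)
        for target in sorted(protected):
            if target in paths:
                findings.append((zone, target, paths[target]))
    return findings


if __name__ == "__main__":
    for zone, target, path in segmentation_violations(FLAT_FLOWS, FIELD_ZONES, PROTECTED_ZONES):
        print(f"{zone} can reach {target}: {' -> '.join(path)}")
```

No single rule in the flat policy connects a sensor to the records database; the exposure only appears when flows are chained, which is why the audit walks the whole graph rather than inspecting rules one at a time.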