In 2018, cybersecurity researchers at the Ben-Gurion University of the Negev in Israel prevented an attack on commercial smart irrigation systems. The security researchers discovered vulnerabilities that could allow attackers to turn watering systems off and on. This is just one example of how smart city technologies can turn into an easy target for cyber attacks.
According to IDC's worldwide semiannual smart cities spending guide, investments in smart city projects will reach $135 billion by 2021. A large portion of these funds is allocated for addressing security challenges. In this article, we’ll cover the main cyber security challenges smart cities face, and how to tackle them.
Why Information Security Is a Problem For Smart Cities
The inherent interconnectivity and transparency of smart cities make them highly vulnerable to security attacks. The city uses systems to collect data from users and sensors. A dedicated platform analyzes and processes this data. The city then uses this data to improve the services for its residents. At every step, at any connected point, there’s an opportunity for attackers.
The technology infrastructure of a smart ecosystem consists of three layers:
Edge—The front end of the smart city. Consists of connected devices such as sensors, actuators, smartphones, smart lights and smart trash collection. This layer gathers the data from IoT devices, then sends it through the communication layer to the core.
Communication—connects the core and the edge by a network system, such as WiFi, Bluetooth, or LAN. The components of the ecosystem connect through this layer.
Core—a cloud or IoT data platform that processes data and generates outputs that make sense of the data streaming from the edge.
Most smart cities add IoT solutions into their existing infrastructure. For example, water companies might deploy smart water meters while keeping the existing pipes. These meters usually have minimal security protocols, which makes them highly vulnerable to attacks.
Smart cities can’t function without IoT devices, which rely on information security. Unfortunately, IoTs are notoriously vulnerable. Today’s threat actors can launch sophisticated attacks, such as advanced persistent threats (APTs), to breach smart cities and cause critical damage.
Top Security Challenges in Smart Cities
Integration of the digital and the physical environment
Smart city technologies permeate all aspects of city life, blurring the lines between physical and digital. Residents, choice locales, and devices are connected via information technology (IT) systems and operational technology (OT) systems. These systems monitor events, devices and processes, and then compute the data to adjust city operations. This level of interconnectedness presents a heightened level of risk.
Every endpoint presents a potential gate for attackers. The more connected endpoints your network collects, the more vulnerabilities attackers can exploit. Such attacks can disrupt operations and compromise a city’s critical systems.
Convergence of legacy and new technologies
Cities taking the smart city route often need to integrate new technologies with legacy systems. This kind of integration creates significant challenges. Most legacy systems don’t allow for live updates or data encryption.
Merging disparate technology platforms can create “holes” in the security perimeter. That’s how actors attacks a wastewater treatment plants in Australia. The attackers discovered a vulnerability, and used it to disrupt the Supervisory Control and Data Acquisition system (SCADA).
Security Risks That Threaten Smart Cities
Smart city networks are especially vulnerable to advanced persistent threats (APTs), which are complex attacks involving a combination of techniques. For example, an APT campaign can combine involve zero-day exploits and malware with multiple access points.
Attacks on IoT devices sometimes cause damage to the point of non-recovery. For example, an attack on street lights can be used to mask a criminal operation, leaving the area unserviceable. The city then needs to replace or reinstall the hardware.
Some common attacks smart cities face are:
Data and identity theft—involves stealing personally identifiable information (PII) from unprotected smart city infrastructure. For example, an attacker can extract personal information from EV charging stations and use it for fraudulent transactions.
Device hijacking—the attacker assumes control of a device. In a smart city, an attacker can hijack smart meters to siphon energy from a municipality.
Man-in-the-middle (MitM)—when an attacker interrupts or redirects communications between two systems. For example, attacking a smart wastewater system valve to disrupt operations.
Distributed Denial of Service (DDoS)—floods the target with superfluous requests, disrupting services. As a result, users cannot gain access. An attacker can breach into the net of interconnected devices and overwhelm a city system.
Credential theft -an attacker can get credentials to critical systems, and use them to conduct a ransomware attack.
Making a Smart City Secure
There are a number of measures cities can take to minimize cybersecurity risks. A common method to test for vulnerabilities is penetration testing. This involves hiring a third-party security firm to simulate a break-in attack. The process involves assessing the situation, and then presenting findings and recommended attack prevention measures.
Another security measure involves protecting connected devices. Implementing an IoT security solution (endpoint solution) can prevent attackers from using them to disrupt operations. A smart city should implement a comprehensive security solution which includes the following features:
Data encryption—data should be encrypted both at rest and in transit. Encryption scrambles the data until it’s unrecognizable. To decode it, you need to use an encryption password or key. This is critical because city-systems usually handle sensitive data such as PII. Encrypting prevents attackers from misusing the data in case of a breach. Any systems that enable access must use two-factor authentication to prevent unauthorized access.
Security monitoring and analysis—a security platform that captures data across the system it protects, including endpoint devices and connectivity traffic. The platform analyzes the data, searching for potential indicators of compromise (IOC), which signal potential threats. If detected, the platform then can implement security measures such as isolating affected devices.
Multi-environment support—a security platform should be deployable across the many disparate systems that compose the smart city environment. It should support on-premises, IaaS, SaaS and hybrid cloud environments, to ensure that no device or server remains unconnected.
Smart cities are investing in more projects every year. As the number of smart city projects increases, so does the number of security risks they face. You can secure smart cities by implementing a comprehensive security solution.
Here are some implementation best practices to help you get started:
Integrating city and cybersecurity strategy—cities should align their cybersecurity strategy with the overall smart city strategy. This includes assessing their data and systems to identify and mitigate risks. A cybersecurity strategy should be a part of the broader city plan. For example, Singapore launched a cybersecurity bill as part of its smart nation strategy.
Capture tech talent—attracting innovators can provide fresh solutions for security challenges. Cities can use alternative efforts such as city challenges or prizes. An example of that is the London City Challenge.
Engage stakeholders and city governance—to create a culture of cybersecurity across the city. The city can implement an ecosystem involving private and public sector organizations. For example, the city of Hague implemented the Hague Security Delta, with more than 200 organizations working together for the city’s security.
You can use these best practices to secure smart cities from potential threats, and add more as your project changes and adapts. Treat your smart city as you would a bank- with care and as much security measures as possible. The consequences of not making cybersecurity a central point of a smart city strategy can be too dire to overlook.