In the 20-page ‘An emerging US (and World) Threat: Cities Wide Open to Cyber Attacks' whitepaper released earlier this week, IOActive CTO Cesar Cerrudo closely examined the vulnerabilities of smart cities, which he says are becoming a “global, accelerating and unstoppable phenomenon”.
For his research, he defined smart cities as using technology to automate and improve city services, thus enhancing citizen lives. For example, this might involve the use of Internet of Things (IoT) sensors for traffic lights that can adapt to traffic conditions, or street lights which adjust to the weather and the time of day. Other smart cities are utilising real-time water and energy management systems to reduce costs for citizen, or to improve quality and reliability.
Cerrudo, who demonstrated how you could hack traffic control systems at DEFCON last year, cited Saudi Arabia investing US$ 70 billion (£46.5 billion), South Africa establishing a US$ 7.4 billion (£4.91 billion) project and Barcelona, already believed to be the biggest smart city in the world, as examples that the trend is in full swing. These cities, in the market forecast to be worth a US$ 1 trillion by 2020, are backed up by IoT sensors, machine-t-machine learning technologies, open data, mobile apps and fibre optics networks.
“Every new technology and innovation brings new challenges and problems. In this report, I'm focusing on cyber security-related problems that currently affect or will affect cities in general around the world, whether considered smart or not. These problems would impact the city government, residents, and the businesses and other organisations that conduct business there,” wrote the IOActive exec.
“Keeping in mind the new technologies and life in a smarter city, let's consider what could happen if one or more technology-reliant services don't work. What would commuting look like with non-functioning traffic control systems, no street lights, and no public transportation? How would citizens respond to an inadequate supply of electricity or water, dark streets, and no cameras? What if garbage collection is interrupted in summertime and stinks up the streets?
“That scenario might not be as unlikely as you think. Any number of cyber-security problems could trigger it.”
As examples, he drilled down on a lack of security testing, poor or non-existent security, weak encryption, a lack of communication with CERTs, complex attacks, no or irregular patching, insecure legacy systems, the prevalence of simple bugs, and no emergency plans in the event of an attack. He also noted the potential use of DoS attacks and of technology vendors selling cities insecure products.
On testing, he said: “Sadly cities are implementing new technologies without first testing cyber-security. In fact, this is happening in most countries. I have proven this with my latest research. I learned that about 200,000 vulnerable traffic control sensors were installed in important cities around the world such as Washington DC, New York, Seattle, San Francisco, London, Lyon, and Melbourne.”
A number of these remain running legacy systems, with some main building systems still on the outdated Windows XP and he urged cities to “seriously consider how to best prepare about possible cyber-attacks.”
“Cities need to develop an emergency plan that provides steps to follow during a cyber-attack and educate people on how to react while under attack. Fast and effective reaction can be key to preventing bigger problems including city chaos.”
Cerrudo, who presented his findings on the paper at RSA in San Francisco yesterday, added that “cyber-war attacks will target city services and infrastructure”, while cyber-criminals and hactivists will also have reason to look to compromise cities' technical infrastructure.
“The current attack surface for cities is huge and wide open to attack. This is a real and immediate danger. The more technology a city uses, the more vulnerable to cyber-attacks it is, so the smartest cities have the highest risks,” he said.
“It's only a matter of time until attacks on city services and infrastructure happen. It could be at any moment. Actions must be taken now to make cities more secure and protect against cyber-attacks. It's extremely important: Technologies used by cities must be properly security audited to make certain that they are secure before they are implemented. To fail to do so is reckless.
“When we see that the data that feeds smart city systems is blindly trusted and can be easily manipulated, that the systems can be easily hacked, and there are security problems everywhere, that is when smart cities become Dumb Cities.
Karen Lomas, director of smart cities EMEA at Intel, however told SCMagazineUK.com that the cities she's worked with rate cyber as one of their top concerns, and are undergoing the relevant assessments (often through contractors, but involving systems integrators and telcos) prior to implementing new technology.
She said that smart cities are routinely examining different types of technologies, protocols and standards (like Zigbee for sensors), as well as insisting on the use of encryption and API management (for developer provisioning). ‘Intelligent' gateways are being introduced for maintenance and performance, as well as remote provisioning and automated patching.
“There's always an opportunity [for cyber-attacks] but I've seen very reasonable approaches being taken in regard to security,” said Lomas, adding that cities were “a lot more sophisticated than the article implies.”
“Cities are very aware of [the risk]; I haven't come across anywhere where security is not an issue.” She did note that cyber-enabled physical threats is a concern and data privacy too, as boundaries need enforcing to ensure this citizen trust “is not abused in anyway.”
“Cities should care about data privacy but also about data openness and if data can be tokenised or anonymised.” She added that cities were also busy securing data so that it “can't be used for, on in the assistance of, a lock-down of the city.”