As cities continue to roll out new applications for connected devices, hackers could be preparing to unleash the next generation of ransomware — one that targets municipal systems.
“The burgeoning Internet of Things (IoT) offers a host of connective possibilities and is short on security standards,” advises a Kaspersky Labs guide to ransomware.
Recent breaches highlight IoT’s security vulnerabilities: In Suffolk County, N.Y., for example, hackers gained control of two state Department of Transportation electronic roadway signs, altering them to display political messages rather than safety notices.
While those hackers didn’t go so far as to install ransomware, the incident demonstrates that IoT breaches not only put data at risk but also can give malicious actors control over physical systems.
For smart cities, which rely on connected devices to manage everything from traffic control systems to energy grids, the prospect is daunting. But for hackers seeking a big payoff, the potential is great and growing: A recent CompTIA survey found that 61 percent of cities will have IoT pilots or more advanced initiatives under way within the year.
Although ransomware’s threat to internet-connected devices is relatively new, many of the defense tactics remain the same.
For instance, Kevin Williams, chief information security officer of Austin, Texas, says user education is still a top priority. “We have 14,000 employees, and I think of that as having 14,000 sensors in the field who can report to us,” he says. “Employees should know what’s normal and what’s not and know how to report what’s not to IT.”
Williams also recommends that city leaders make sure their staff understands the most common ransomware delivery methods — phishing emails and social media links — to better avoid them.
Education aside, Williams says compliance represents a critical safeguard against ransomware. He suggests going through a security review of vendors and devices to check that everything your city is using is up to par.
“Make sure devices are meeting NIST standards and are ISO/IEC 27001–compliant,” Williams explains. “Are your cloud-based tools following Cloud Security Alliance suggestions?”
Systems-level security guidance outlined by the CSA’s IoT Work Group states that connected-device users should design and implement a secure firmware and software update process and protect product interfaces with authentication, integrity protection and encryption.
Once IT leaders are confident that hardware and sensors are protected, they should turn their attention to the network, redoubling security efforts so hackers can’t get anywhere near the city’s connected devices or data.
Keep antivirus and anti-malware protection and firewalls current with patches and updates, and make sure network scanning includes intrusion and anomaly detection for things like mass encryptions and remote connections. “When you’ve got this kind of protection, it can detect the malware phoning home to the mother ship and block the connection at the egress point,” explains Doug Cahill, a senior analyst at research firm Enterprise Strategy Group.
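One way to sketch the mass-encryption anomaly detection mentioned above is to flag any host that rewrites many files with near-random content in a short window. This is an added example, not code from the article or from any vendor or analyst it quotes; the thresholds, host names and file events are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

# All thresholds below are assumptions for illustration; tune them per environment.
ENTROPY_THRESHOLD = 7.5      # bits per byte; encrypted data sits close to 8.0
WINDOW_SECONDS = 60          # sliding window length
MAX_HIGH_ENTROPY_WRITES = 3  # more than this per host per window raises an alert

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events):
    """events: (timestamp_s, host, path, sample_bytes) tuples for file writes.
    Returns {host: timestamp of first alert}. A single high-entropy file is
    normal (archives, images), so the alert keys on the rate per host."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, _path, sample in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(sample) < ENTROPY_THRESHOLD:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_HIGH_ENTROPY_WRITES:
            alerts.setdefault(host, ts)
    return alerts

def _noise(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted content (constructed test data)."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))
    return b"".join(blocks)

def constructed_events():
    """Constructed sample: one host rewriting files in bulk, two benign hosts."""
    text = b"Phase 2 green 35s; phase 4 green 20s; all-red 2s. " * 80
    events = [(100 + 2 * i, "signal-ctrl-07", f"/data/plan{i}.cfg", _noise(f"a{i}")) for i in range(5)]
    events += [(100 + 300 * i, "backup-01", f"/backup/{i}.gz", _noise(f"b{i}")) for i in range(4)]
    events += [(100 + i, "kiosk-03", f"/docs/{i}.txt", text) for i in range(6)]
    return events

if __name__ == "__main__":
    for host, ts in detect_mass_encryption(constructed_events()).items():
        print(f"ALERT host={host} first_seen_ts={ts}: burst of high-entropy file writes")
```

The backup host writes equally random-looking files but five minutes apart, so only the burst on the constructed controller host trips the alert.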