The town of Cary, N.C., currently is testing a system that could automatically generate an alert when a traffic signal is down, eliminating the need for citizens to make a 311 call or for city maintenance workers to happen on the downed light.
The system would generate both a traffic management alert to the town to send maintenance crews and to citizens via the mobile application Waze, informing those on the roads of the outage, says Terry Yates, the manager for Cary’s Project Management Office.
The innovative approach is part of Cary’s adoption of smart city concepts, alongside vendor partner Cisco, which it began two years ago. The smart city build-out uses several Internet of Things connected devices, such as smart water meters and smart streetlights. The expansion of IoT has brought not just benefits around city maintenance and services, but also a new slew of IoT security threats for Cary and other cities and states seeking to make the most of the technology.
City IoT Devices: Challenges and Concerns
New IoT security threats, such as the Mirai botnet, are poised to take advantage of IoT devices specifically. Meanwhile, many of these endpoints don’t have security built in, leaving unpatched devices vulnerable.
Citizens aren’t blind to these concerns either. A recent report found that 87 percent of surveyed consumers are worried about how entities collecting data through IoT are keeping it secure.
Jesse Berst, chairman of the Smart Cities Council, says that, while IoT security is a new field for CISOs to navigate, the concept is actually similar to those tactics used to safeguard a house.
“Every time you add a new door or window to the bottom floor, you’re adding another potential access point for a burglar,” he says. “It’s the same with the Internet of Things. Every time you add new sensors you’re adding a potential new entry or access point.”
Mohamad Amin Hasbini, a security researcher at Kaspersky Lab, says the IoT security risks include not only privacy issues related to citizens’ data and tracking, but the possibility of real physical, financial or even emotional and psychological damage to people if, for example, an IoT failure affects power, water or nuclear equipment.
“The risks are very serious,” Hasbini says. “Small examples of things going wrong could be a sensor sending wrong data or a service inaccurately stating a bill was not paid. These issues could stop a house, for example, from receiving water or electricity. It also could even report a false fire or incident, or not report one when there is a real, dangerous fire.”
Berst says that hackers and nation-state “bad actors,” such as those from Russia, China and North Korea, pose targeted threats to cities and states relying on IoT technology as well.
IoT Cyberthreats: Security Solutions Let Cities Outpace Challenges
On the edges of North Carolina’s Research Triangle Park, Cary is successfully staying ahead of those potential threats.
To help identify and prevent potential problems, officials thoroughly test IoT technology before it is introduced townwide. Cary has turned its own 150,000-square-foot town campus into a “simulated smart city.” The campus represents a mini-city that includes community centers, parks, office buildings, parking decks and more.
“Through our simulated smart city, we’re able to test different IoT applications before we ever would release them townwide,” says Cary CIO Nicole Raimundo. “We believe that is probably the best way for other municipalities to test different applications without as much risk.”
Those risks include managing endpoints, providing security updates and the ability to push out automatic updates, particularly when vulnerabilities are discovered, Yates says. He also points out the need for encryption protocols that could prevent hackers from accessing data.
The town recently tested parking sensors in an on-campus parking garage, he says.
“We can do that at almost no cost,” he says.
Planning, Best Practices Help Cities Mitigate IoT Disasters
Microsoft recently published a report focused on securing devices in the IoT. In the report, researchers predict that the “coming decade will likely see the deployment of billions upon billions of network-connected devices” and point out the need to secure those devices.
“Although we applaud those in the industry who have begun to recognize the critical importance of security in these coming devices, we believe that many fail to appreciate the need to give each of these devices the highest levels of security available,” researchers write in the report.
The report identifies seven properties researchers found to be critical in all highly secure, network-connected devices:
- hardware-based root of trust
- a small trusted computing base
- defense in depth
- certificate-based authentication
- security renewal
- failure reporting
Planning can help to prevent risks from becoming reality, according to Hasbini.
“Impeccable planning needs to be conducted to identify the best solutions required that best fit city needs, enhancing the life quality without endangering it or negatively impacting the city’s financial performance,” he says.
Berst says that security isn’t just a matter of buying additional technology, but rather an “ongoing process.”
“Typically, it’s an audit followed by corrective measures followed by training and another audit and around and around you go,” he says.