Picture this: Transportation delays are a thing of the past. Fully autonomous systems ensure timely arrival and departure, free from accidents through human error. Advanced artificial intelligence predicts weather patterns with unprecedented accuracy. Sensor-enabled parts alert humans to potential hazards and servicing needs before there is an incident. And we’ve solved the electric scooter situation.
This dream vision of future smart cities is now within reach, but not without serious focus on building cyberattack-resilient networks. The more connected we become, the more opportunities arise for cybercriminals to wreak havoc, and with a greater impact, as more services, systems and citizens rely on those networks to function.
We’ve already seen ransomware attacks take down Colorado’s Department of Transportation and San Francisco’s BART, not to mention Petya from last year, which affected transportation and telecommunications systems globally. Most recently, a ransomware attack in early October forced a North Carolina water utility offline; the water supply services were not interrupted, but the damage could have been much more severe had the utility been connected to a broader smart city network that the attacker could then access.
How Smart City Networks Can Come Under Attack
Smart city networks pose a unique challenge for security professionals and engineers alike, because they are large, integrated networks of systems within systems in which legacy and new technologies are connected together. These complex arrangements ultimately open the network to risk.
It’s critical to keep in mind that these systems are connected to larger networks, so if they are compromised, not only can they be a target, but they can also be a doorway to larger security incidents citywide. For example, a single successful phishing or social engineering attack on a network administrator could cause full public transportation paralysis if adequate security controls are not in place to prevent ransomware from infecting the entire network.
It should also be noted that these are different technologies than what one would find on normal business networks. Many of the sensors, switches and traffic computer systems require specialized maintenance services to be managed correctly, causing potential delays or other challenges in detecting and responding to cyberthreats.
For example, city network security teams often need assistance from several different experts to mitigate a single threat that has infected multiple different systems to ensure it doesn’t continue to spread. Slower incident response means more time for the attack to do damage.
Smart Cities Need Smart Cybersecurity
Fortunately, it is very rare that cybercriminals use the latest zero-day vulnerability or tool to force their way into a secured network. Instead, time and again, we see breaches are the result of basic security controls, frameworks and policies not being implemented correctly or not being followed in the first place.
To best defend against smart city attacks, cities and government agencies need to follow basic cyber hygiene best practices and continually monitor for changes. This includes network segmentation, patch management, backups, data encryption and employee education programs — all of which need to be done on a regular basis. Needless to say, any employee or contractor with access to city networks should go through extensive and regular security awareness training in several key areas:
- Cybersecurity basics: Encryption, ransomware and cybercrime; examples of major recent cyberattacks; how to keep information safe and help prevent future attacks
- Password security: Best practices; the importance of strong and unique passwords (remember that length, not complexity or variety of characters, is the most important factor in password security)
- Phishing awareness: Risks stemming from phishing and social engineering attacks; common and new phishing techniques; how to spot and respond to email, phone and website phishing attempts
- Social media awareness: The risks associated with sharing different types of personal information and using social media at work; how personal and corporate accounts should be used differently; the corporate social media policy
- Understanding malware: The various types of malware; the prevalence of polymorphic malware; what to do in the case of an infection
- The dangers of installing unauthorized software: Risks involving malicious websites and malicious software; best practices for software management; how to detect and avoid malicious websites
- Physical access security: How to properly secure work areas and computers in-office and while traveling; security best practices for visitors
These security best practices need to be supported and funded by the leadership team and have employee buy-in. Good cyber hygiene can only exist if it is fully integrated into an organization’s culture as normal operation, not something that is done occasionally to keep compliance auditors happy.
Cybercriminals are always searching for new vulnerabilities within smart city networks and working to develop new methods for exploiting them, meaning networks are never immune to cyberattacks.
The best thing that cities and government agencies can do to protect their networks is eliminate the low-hanging fruit and raise the breach difficulty bar by following all the cyber hygiene basics, all of the time, and continuously monitoring them to make sure they are effective.