The Network and IT Security Needed to Defend Smart Cities

Network segmentation, SIEM tools and other protections can mitigate the threats to municipal networks, connected devices and residents.

Smart cities are popping up all over the country, with cities both big and small deploying Internet of Things devices to improve services for residents and enhance public safety. This is all for the good, especially in cases where cities are focused on concrete and near-term benefits.

However, there is a dark side to this proliferation of connectivity. As Gary Hayslip, the former CISO of San Diego, recently wrote in StateTech, when cities become smarter they also become more vulnerable to cyberattacks.

“Smart city networks pose a unique challenge for security professionals and engineers alike, as large integrated networks of systems within systems and a mix of legacy and new technologies connect together,” Hayslip notes. “These complex arrangements ultimately open the network to risk.”

Importantly, as Hayslip adds, smart city IoT systems often connect to larger networks, “so if they are compromised, not only can they be a target, but they can also be a doorway to larger security incidents citywide.”

That is why it is critically important to understand the vulnerabilities smart city systems face, as well as how city governments can defend against such threats. Network segmentation, security information and event management tools and penetration testing can help cities bolster their defenses.

The Vulnerabilities Smart City Systems Face

While security may sometimes be an afterthought as cities deploy smart traffic lights, transportation systems and water monitoring systems, it shouldn’t be. 

According to research released in August by IBM Security's X-Force Red group and the cyber research firm Threatcare, it is remarkably easy to hack into smart city technology. 

The researchers examined smart city products from three companies — Libelium, Echelon and Battelle — and discovered 17 vulnerabilities that could allow hackers to commandeer sensors and data for nefarious purposes. In some instances, the hacks were as obvious as entering a factory-default password like “admin” or bypassing authentication requests by adding slashes to a URL, according to the researchers. When the researchers found vulnerabilities in the products these vendors produce, the team disclosed them to the vendors, all of which were responsive and issued patches and software updates to address the flaws, according to IBM.


“According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” the researchers say. 

These effects include manipulating water level sensor responses to report flooding in an area where there is none, or preventing such sensors from alerting authorities in the event of an actual flood. Attackers could also set off radiation alarms when there is no radiation threat, causing mass panic. And they could cause vehicle traffic to come to a standstill by manipulating traffic signals.

How to Defend Against Smart City Cyberattacks

The first step city governments can take to ward off such devastating impacts is to use network segmentation, creating physically separate networks for IoT devices. 

“With this approach, if a hacker is able to compromise the IoT devices, they are unable to conduct a ‘pivot attack’ to other enterprise assets, since the physically separate IoT network is ‘air-gapped’ from their secure enterprise network,” Ken Hosac, vice president of IoT strategy at Cradlepoint, writes in StateTech.

Instead of directing this network through a city’s data center, for example, city governments can direct the parallel networks to public or private clouds, limiting access to valuable information and reducing bandwidth bottlenecks, Hosac notes. “If hackers gained access to one of the parallel networks, they could not pivot to another network,” he adds. IBM also advises cities to implement IP address restrictions to connect to the smart city systems.

Additionally, IBM advises cities to take advantage of security information and event management (SIEM) tools to identify suspicious traffic. SIEM solutions — available from vendors such as Hewlett Packard Enterprise, IBM and Splunk — receive logs from a controlling network server and IoT endpoints, then use correlation rules to help IT security analysts monitor traffic entering the network, the launching of unsolicited services, software integrity, anti-virus feeds and other activities. 
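To make the idea of correlation rules concrete, the following Python example is added here as an illustration; it is not code from IBM, the vendors named above or the original article. It applies three rules to constructed gateway logs: a source outside an allowed management subnet (the IP address restriction mentioned above), a request path with repeated slashes, and a burst of failed logins. The log format, subnet, threshold and rule names are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions: the management subnet and the failed-login threshold.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample logs in a hypothetical format:
# timestamp source device method path status user
SAMPLE_LOGS = """\
2018-12-01T10:00:01 10.20.0.15 sensor-gw-01 GET /status 200 operator
2018-12-01T10:00:07 203.0.113.9 sensor-gw-01 POST /login 401 admin
2018-12-01T10:00:08 203.0.113.9 sensor-gw-01 POST /login 401 admin
2018-12-01T10:00:09 203.0.113.9 sensor-gw-01 POST /login 401 admin
2018-12-01T10:00:12 203.0.113.9 sensor-gw-01 GET //admin//config 200 -
2018-12-01T10:01:30 10.20.0.15 sensor-gw-02 GET /readings 200 operator
"""
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<src>\S+) (?P<device>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<user>\S+)")

def parse(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    lines = (line.strip() for line in text.splitlines())
    return [m.groupdict() for line in lines if (m := LINE_RE.fullmatch(line))]

def correlate(events):
    """Return one (rule, source, device) alert per rule and source/device pair."""
    alerts, seen, failed = [], set(), defaultdict(int)

    def flag(rule, e):
        key = (rule, e["src"], e["device"])
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for e in events:
        try:
            src = ipaddress.ip_address(e["src"])
        except ValueError:
            continue  # source field is not an IP address; ignore the event
        if not any(src in net for net in ALLOWED_NETS):
            flag("SRC_NOT_ALLOWED", e)
        if "//" in e["path"]:
            flag("REPEATED_SLASH_PATH", e)
        if e["status"] == "401":
            failed[(e["src"], e["device"])] += 1
            if failed[(e["src"], e["device"])] >= FAILED_LOGIN_THRESHOLD:
                flag("FAILED_LOGIN_BURST", e)
    return alerts
```

Calling `correlate(parse(SAMPLE_LOGS))` on the constructed sample returns three alerts, all for the same outside source and gateway, which is the kind of grouping an analyst would triage as one incident.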

IBM also suggests cities leverage basic application scanning tools that can help identify simple flaws and use safer password and application programming interface key practices.

Finally, IBM advises cities to hire hackers to test systems for software and hardware vulnerabilities and find them before malicious actors do. Many vendors and value-added service providers offer such solutions. For example, CDW’s Comprehensive Security Assessment service employs white hat hackers who use the same tools and techniques deployed by cybercriminals.

It is clear that smart cities are vulnerable to security flaws and attacks. Equally clear, however, is that they have the tools to fight back.

This article is part of StateTech's CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.

Dec 12 2018
