The Cybersecurity Risks Operational Technology Faces in Smart Cities
Security experts traditionally use the “CIA” pyramid — confidentiality, integrity and availability — to help break down and describe information security risks. The immediate focus is most often on confidentiality, because data breaches and loss of privacy are generally the biggest issues that enterprise IT has to worry about. By contrast, operational technology in smart cities faces all three risks in a balanced way; in fact, confidentiality is often the least important security risk (unless security cameras are involved).
When traditional IT managers working in this area begin to focus on security, the shift in emphasis from confidentiality toward data integrity and overall system availability can be jarring. The relative lack of traditional tools and techniques presents a second challenge.
For example, one of the first security rules every IT manager learns is “keep your systems patched and up to date.” In the world of OT, patching is not so simple.
Some of the components in an operational technology system may not be easy to patch. The vendors tend to be smaller and often don’t have the resources to generate new software for older devices, so there may not be patches. The devices may require physical disassembly to update firmware or software, costing real dollars and system downtime. Testing patches and updates is hard when virtualization and test labs are not available. And sometimes compatibility issues between vendors and products will completely block patches.
This change in perspective means that securing OT systems is not the same as simply repurposing IT security tools into the OT environment. Instead, it is critically important to start from scratch and consider each of the “CIA” risks when building a threat mitigation plan.
Potential threats to data integrity and data availability are especially significant when smart city systems may be making real-time decisions on everything from traffic control and lighting to building security. Maliciously or accidentally corrupted sensor data, for example, has very real consequences if it affects the city’s water or sewage systems. Operational technology security practitioners sometimes emphasize the need for special focus by renaming “CIA” to “AIC” and by adding their own security terms, including resiliency, reliability and safety.
An additional risk to keep in mind is that many smart city systems are the grandchildren of devices that were never meant to be connected to an outside network. Although they may use networking internally, they were designed to be run in isolation: the oft-mentioned air gap security. When IT and OT teams try to leverage existing city networks, close the air gap and bridge these types of devices to less secure city or internet networks, the security issues can be immense.
Operational Technology Security Standards
OT security standards come from two points of view: SCADA and the Internet of Things.
The SCADA side is represented by groups such as the International Society of Automation, with its ISA 62443 standards, and the ISACA SCADA framework. SCADA’s process control and industrial automation orientation means these standards are very specific about threats and even more specific with required remediations.
IT and OT teams can review these documents to see excellent examples of what might be needed when deploying OT in smart cities — but they also need to keep in mind that these are much more restricted in scope than modern OT requires.
The other point of view for OT security comes from a growing group of organizations active in the area of IoT standardization, sometimes subdividing themselves into Industrial IoT, or IIoT. In the U.S., the National Institute of Standards and Technology has a Cybersecurity for IoT program that ranges from consumer and household applications up to industrial IoT with several standards in process, and the private sector Industrial Internet Consortium focuses more tightly on areas of interest to smart city OT managers.
The intrusion of IoT into OT security comes from the realization that the days of single-vendor systems are coming to an end. Smart cities bring a huge mix of devices and products (and vendors) to the table to meet requirements. The term IoT has come to represent all those devices attached to common wires and wireless networks, everything that doesn’t look like a smartphone, PC or server. The sensors and control devices built into smart city technology projects fit the definition of IoT pretty well.
Although the traditional, strictly controlled viewpoint that comes from the world of SCADA has its uses, the real challenges for OT teams come when a smart city project includes poorly controlled components, such as internet-sourced data feeds, consumer-grade devices and sensors, and graphical user interfaces designed for untrained end users. These add up to a lot of potential security problems, and this makes the more encompassing viewpoint of IoT standards a better way for teams to start thinking about OT security.
Building an Operational Technology Security Framework in Smart Cities
The differing emphasis in OT security on reliability, trust and safety over traditional IT concerns such as privacy and confidentiality requires IT professionals to take a deep breath and begin with a clear risk assessment. The earlier that security is considered in any smart city project, the better for everyone.
As the risks and threats become clearer, it is important to keep cycling through the layers of an OT project to ask whether risks are being mitigated at each layer. As with traditional IT programs, it’s helpful to start with broad layers: physical, network and application, and then dive deeper from there. For example, many smart city projects may include some public cloud components — weather information, maps, cloud-based authentication services — creating additional risks of availability, integrity and confidentiality as third parties and their infrastructures become part of the project.
The broad and uncontrolled user base in many smart city projects also calls for a special emphasis on endpoint protection of every device within the network. When a project involves traditional end-user computing devices such as tablets, smartphones and laptops built into kiosks, then equally traditional endpoint protection technology such as anti-malware tools, mobile device management systems, encrypted hard drives, certificate-based authentication and locked-down configurations can be brought into play.
However, if custom devices are part of the project, some of these risks may need to be dealt with by assuming the devices are compromised (even if they are not) and protecting every other part of the system based on that assumption.
To the greatest extent possible, teams working on OT projects should try to recycle existing IT technology where it can provide protection. For example, microsegmentation and fine-grained access controls on firewalls, routers and switches should be used to break up the OT network into a different security zone for every device type, and possibly for every device. All traffic should be end-to-end encrypted at the application layer, but encrypted/authenticated network-layer VPNs also should run under the application, giving an extra level of security. Network access control should be used for any wired or wireless connection, both to authenticate devices and to provide individual access controls.
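The zone-per-device-type segmentation described above, together with the earlier advice to treat custom devices as already compromised, can be expressed as a default-deny allowlist and checked against observed traffic. The following is an added example, not part of the original article; the zone names, address ranges, ports and flow records are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed zones: one per device type (sample address ranges).
ZONES = {
    "traffic-signal": ip_network("10.20.1.0/24"),
    "street-light": ip_network("10.20.2.0/24"),
    "kiosk": ip_network("10.20.3.0/24"),
    "control-server": ip_network("10.20.250.0/28"),
}

# Allowlist of (source zone, destination zone, protocol, destination port).
# Anything not listed is denied, including traffic between two devices of
# the same type, so one compromised device cannot reach its peers.
ALLOW = {
    ("traffic-signal", "control-server", "tcp", 8883),
    ("control-server", "traffic-signal", "tcp", 8883),
    ("street-light", "control-server", "tcp", 8883),
    ("kiosk", "control-server", "tcp", 443),
}

def zone_of(addr):
    """Map an address to its zone; unknown addresses get no trust at all."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unzoned"

def evaluate(flow):
    """Return ('allow' | 'deny', policy key) for one flow record."""
    src, dst, proto, port = flow
    key = (zone_of(src), zone_of(dst), proto, port)
    return ("allow" if key in ALLOW else "deny"), key

def audit(flows):
    """Return every flow the policy denies, with its source and destination zone."""
    findings = []
    for flow in flows:
        verdict, key = evaluate(flow)
        if verdict == "deny":
            findings.append((flow, key[0], key[1]))
    return findings

# Constructed flow records: (source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.250.2", "tcp", 8883),  # signal to controller
    ("10.20.3.40", "10.20.1.15", "tcp", 502),    # kiosk reaching a signal
    ("10.20.2.7", "10.20.2.9", "tcp", 22),       # light to light, same zone
    ("192.0.2.50", "10.20.250.2", "tcp", 443),   # source outside every zone
]

if __name__ == "__main__":
    for flow, src_zone, dst_zone in audit(SAMPLE_FLOWS):
        print(f"DENY {src_zone} -> {dst_zone}: {flow}")
```

The same allowlist can drive both the firewall or switch rules and a periodic audit of flow logs, so that drift between intended and actual segmentation shows up as denied flows.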
Some IT technology may not help in the world of OT. For example, intrusion prevention systems, web application firewalls and vulnerability scanners are of limited use within any smart city project — although all are helpful in adding security when OT meets the internet.