For technologists, building smart cities is not an ambitious goal, but a necessity. The World Bank estimates that by 2050, 70% of the world’s population will live in urban areas, up from 56% today. This massive population shift will place increasing pressure on city infrastructure and the technology used to manage urban areas. Increased automation will also bring new threats.
Although the concept of a smart city may seem monolithic, in reality it is a set of independent technologies and systems that communicate with each other and a central management hub, creating a diverse ecosystem of technologies, which needs to be well protected, says Piyush Pandey, U.S. IT data market leader at business consultancy Deloitte. In many cases, these technologies have not been adequately protected individually, let alone as an interdependent ecosystem exposed to the public, he says.
“This is obviously not just a system that needs to be secure, … with this intelligent ecosystem and the huge number of interconnections, we are knowingly allowing our network to be exposed,” Pandey says. “Security isn’t really limited to applying some sort of firewall or physical security at the device level. We need to look at this holistically.”
Numerous countries are pursuing the concept of smart cities, from governments in the Middle East and Africa to Singapore, which claims to be the smartest city in the world. According to a recent Deloitte report on protecting smart ecosystems, a city can collect more than 500 million events per day from its vast array of systems: smart electricity meters, streetlights, transportation monitoring and emergency management systems. While the convergence of information technology (IT), operational technology (OT), Internet of Things (IoT) and automation will lead to greater efficiency, the intelligence of a smart city will also result in greater vulnerability to threats.
Ransomware has become an important issue for local governments, and the increasing automation of cities adds to operational challenges and to concerns that ransomware could disrupt civic operations.
A trio of risk factors
From intelligent transportation systems to intelligent power grids to just-in-time critical infrastructure, smart city systems connect a vast array of devices, many of which lack built-in security features, to untrusted systems, such as smartphones, legacy systems, and desktops running outdated software. The three most vulnerable and most impactful systems are those used for emergency alerts, road video surveillance and smart traffic lights, according to the report on a 2020 survey of smart city security experts conducted by UC Berkeley’s Center for Long-Term Cybersecurity (CLTC).
Many of these systems have been put in place without much consideration for cybersecurity, says Rowland Herbert-Faulkner, a graduate researcher in urban and regional planning affiliated with CLTC.
“We haven’t built in product security for many things, and if we don’t have it in place, we will continue to broaden the threat landscape – the risks will increase exponentially,” he says. “This is something that’s been coming up in research for a long time: How do we manage product security, especially when we’re dealing with these interconnected systems? Especially when someone’s device can be used as an attack vector or as an entry point into the system.”
According to the Deloitte report, three main factors – convergence, interoperability and integration – drive risks in smart city ecosystems. The marriage of cyber and physical systems – convergence – allows one domain to influence the other, significantly increasing the attack surface. Interoperability means that devices from different systems, some old and some new, interact with each other, putting at risk old systems that should never have been connected. Finally, the tight integration of devices between systems means that an attack can quickly affect other systems, creating a cascade of impacts.
“Not only are the lines blurred because there are no organizational boundaries in a smart ecosystem, but there are no system boundaries, because now we’re talking about cyber and physical convergence,” says Deloitte’s Pandey, adding: “We have multiple vendors coming into the game with several disparate devices and systems that have varying degrees of security controls, so now that they are interconnected, the weakest system [becomes] the problem.”
Smart device security: a 20-year problem
Different systems vary by purpose (smart license plate readers have a different architecture than the smart power grid) and also by protocol. While they likely communicate via wireless technologies, they also likely communicate with each other through centralized hubs. Most devices can’t even run security agents, because that additional security would cause excessive performance degradation for many programmable logic controllers, Internet of Things devices, and other low-power hardware, says Tom Pace, CEO of XIoT security company NetRise.
“We’ll probably get there, but it’s a twenty-year problem,” he says. “What you really need to do is for most of these device manufacturers to standardize some operating systems and processor architectures. Otherwise, you’re asking companies to create like 1,000 different agents that need to be installed, they’re just never going to work.”
Beyond the technological aspects of the problem, a great deal of cybersecurity expertise still needs to be developed to address smart cities. Improving the cybersecurity posture for smart cities is critical, says UC Berkeley’s Herbert-Faulkner. Due to the impact of ransomware on local government agencies, cyber insurers, for example, have retreated from issuing policies and become much more stringent.
“Cyber insurers aren’t too interested in covering cities, because a lot of local government staff don’t know the basics – they don’t have a structure in place to help them mitigate this risk,” he says. “Upgrading municipal and local government staff in terms of basic cyber hygiene will be critical, and we see this particularly when it comes to risk mitigation.”