The smart city is coming. And it’s bringing with it unparalleled changes in the way public and private sector organizations use connected technologies to benefit mankind. Analysts predict the market for related solutions will be worth over $1.2bn by 2022. While there’s a certain degree of industry hype at play here, there’s no denying that the promise of improved safety and quality of life, seamlessly delivered government services and more is a tantalizing one. There’s just one major roadblock: cybersecurity.
IoT and Operational Technology systems are already proliferating in our cities. But they’re riddled with systemic vulnerabilities, offering hackers multiple attack paths and raising the prospect of gridlock, utilities outages and even loss of life. This needs urgent action or else the Internet of Things will become the Internet of Threats.
Smart city challenges
In reality, the first true “smart city” is still some way off. We haven’t even found a standardized definition for the term yet. Installing some internet-connected street lights or a smart traffic management system doesn’t make a city smart. But it’s a start, and one day the hope is these systems will be all-pervasive and inter-connected, improving business efficiency and the citizen experience.
Yet the challenges from a cybersecurity perspective are monumental. In fact, in a recent Wi-SUN Alliance study, security was cited as the number one concern among those embarking on smart city and other IoT projects. IoT endpoints and sensors are already everywhere. Gartner predicts a total installed base of 25 billion by 2021. They are highly heterogeneous, built on Ethernet and old bus protocols from multiple siloed vendors, and can have a relatively long lifespan. This makes security updates a major challenge – that’s if manufacturers even make patches available. Many devices and protocols have been designed with functionality rather than security in mind. Because they’re not part of normal operational patch management procedures, many may be running old or unsecured firmware versions. Mission-critical components could be left exposed because the operator cannot find a suitable maintenance window in which to patch them.
The implications are severe: not just for data loss but also public safety. Attacks on traffic control services could cause gridlock and life-threatening accidents on the roads; attacks on the communications systems used by the emergency services could impair their ability to respond to serious incidents; manipulation of IP surveillance could allow criminals to act with impunity. That’s not to mention attacks on utilities: we’ve seen the impact of this already in December 2015 and 2016 when Ukrainian providers were hit in sophisticated attacks which caused blackouts for hundreds of thousands.
With many IoT components left exposed and unmanaged, and data flows and protocols left unmapped, unauthorized access becomes far easier than it should be. It doesn’t even take a sophisticated Ukraine-style attack to cause havoc. The 2017 WannaCry ransomware campaign had a major impact on critical infrastructure providers and smart systems. In the UK, it led to an estimated 19,000 cancelled NHS operations and appointments.
Prepare to defend your ground
So how do we mitigate these risks so the Internet of Things doesn’t become the Internet of Threats? IoT/OT operators in the smart city space need to:
- Gain visibility of IoT/OT devices
- Conduct security risk assessments of smart city core components (smart grid, water supply, etc.) according to ISO/IEC 27005, ISA/IEC 62443, NIST 800-53v4, GDPR
- Consider secure architecture for smart cities
- Implement network segmentation for core components
- Develop and apply security policies for smart city environments
- Ensure secure and controlled maintenance access
- Secure communication between IoT/OT devices
- Develop IoT/OT traffic anomaly detection – in-house or as a managed service for smart cities
- Conduct regular penetration testing with a Purple Team approach
In that Wi-SUN Alliance research, half of respondents claimed that proven security with multi-layer protection and continuous monitoring is “absolutely crucial” for smart city solutions. Awareness of cyber risk is clearly growing, but there’s still some way to go.
Set to land in early May, the NIS Directive will mandate strict new rules designed to improve baseline security for operators of critical infrastructure – with maximum fines aligned with the GDPR. IoT/OT operators must therefore act with some urgency to manage an ever-expanding Internet of Threats.