This November we will once again witness the unstoppable digital transformation that cities were undergone at Smart City Expo - Empower Cities, Empower People, the 7th edition of the world’s leading smart cities congress that this year has seen the participation of over 18.700 visitors and over 700 cities from around the world who came to Barcelona to share their challenges and strategies for the future, placing citizens more and more at the centre of their smart initiatives.
But, let's talk a little about the digital risk of a Smart City. Are smart cities cybersecure?
By definition, any hardware, software and the communications between them are susceptible to having security vulnerabilities, just as they are susceptible to the threat of cyberattacks. This fact is of even greater importance when it comes to Smart City applications or systems, since a security incident would have a much greater impact, putting at risk the city’s physical systems (energy and water supply, transportation, public health, safety, traffic, lighting, waste, pollution, ...) which are connected to the Internet of Things (IOT), also, curiously enough, known as the Internet of Threats.
On the other hand, the development of the Smart City is usually based on the new technologies of web services, mobile apps, big data and sensorization overlaid on the traditional infrastructure of the city and legacy computer systems, whose design did not take into account the fact that they were going to be connected to the Internet.
Today more than 2 billion connected things, which will number an estimated 50 billion by 2020, together with distributed systems linked to the combinatorial diversity of manufacturers and communications between sensors, services, applications, all represent a huge number of vulnerabilities that cybercriminals can exploit, making cities relatively easy to hack.
4th of July – the United States is the victim of a brutal massive attack on its computer systems as hackers bring the country to its knees, taking control of the Internet, mobile phones and traffic systems and causing a large-scale blackout on the east coast. That is the plot of the film Live Free or Die Hard starring Bruce Willis. But is that scenario only plausible on the silver screen? Unfortunately, there are numerous examples of cyberattacks on connected systems in the real world. Here are some examples:
- Friday April 17 2017: In a cyberattack in Dallas, criminals take control of 156 alarm sirens in the city which are set off 15 times for 90 seconds until the authorities manage to deactivate the system in the early hours of Saturday morning.
- December 2015: The BlackEnergy cyberattack in Ukraine gave cybercriminals access to the Prykarpattyaoblenergo power plant, causing a power outage that left a whole city and some 230.000 citizens without electricity for light or heating (in December, in Ukraine).
- November 2011: In the town of Springfield (Illinois), which is the setting of The Simpsons, cybercriminals gained remote access to the local water company’s control system and caused a water pump to fail by exploiting vulnerabilities in its SCADA system.
Another Bruce, Bruce Schneier (who appears with a beard and a cap in the photo) is a computer engineer, cryptographer, CTO at Resilient Systems IBM and one of the world’s leading experts in cybersecurity. He believes that, with the Internet of Things, we are creating an Internet that is capable of feeling (sensors), thinking (data analytics/AI) and acting (actuators), and that since software is “eating up the world” and permeating every aspect of our daily lives, cybersecurity is becoming the security of everything, which means that the regulations that pertain to the physical world must be transferred to the digital world.
In Europe, ENISA (European Union Agency for Network and Information Security) is developing and promoting cybersecurity studies and guides for Smart x, in which x stands for Cities, Airports, Cars, Hospitals, Home. While there are many interesting security guides and recommendations for the IOT, they are insufficient to tackle the full extent of the problem. We will only succeed in ensuring that these guidelines and recommendations are adopted if there is an associated regulatory framework, which makes it essential for governments to address the threats to the IOT regardless of what the private sector does.
Most software is of low quality and is insecure since we have been unwilling to pay for high quality software (fast and cheap before good), which means that there exist endless lines of code riddled with errors and security vulnerabilities. We can improve the security of the Smart City in the same way as we would other environments, by providing better prevention through security audits, by incorporating security into the software development cycle (S-SDLC), by encoding sensitive data and communications, by automating patching and isolating legacy systems, by providing specialized SOC/CERT services that monitor and manage security incident alerts, and even by devising city-level emergency plans.
Will that be enough?