Last month, the City of Atlanta faced one of the most significant cyber-attacks mounted against a major city anywhere in the world to date. The threats to cities are only going to get worse as infrastructure becomes more connected. Vince Warrington, Director, Protective Intelligence, looks at the steps cities can take to better protect themselves.
Whilst chairing the World Cyber Security Congress in London last month, which hosted several presenters and delegates from the likes of the European Commission, NATO, the National Security Agency and Europol, it became very clear that global warfare has now moved quite emphatically on to a cyber stage.
It’s not just about nation states trying to manipulate the electoral processes in other countries, although that is a valid concern, but also that critical national infrastructure is under serious threat from sophisticated cyber-attacks.
I hope that this fact will greatly accelerate much-needed new safeguards to ensure that the smart cities of the near future will have cyber resilience built in from the very start, rather than as a reactive afterthought following a crisis.
Cities all around the world are starting to become much more reliant on these smart technologies to improve the lives of residents and streamline services. Smart metering is already helping to reduce electricity consumption and personal water waste in many homes, and new data-driven traffic systems will undoubtedly help reduce CO2 emissions by utilising artificial intelligence to decrease traffic congestion.
This is all good stuff. However, in the race to make all things smart and interconnected, have a raft of potential security vulnerabilities been overlooked?
Although computer systems have been connected to public infrastructure networks for decades now, the new trend towards the creation of smart cities has meant that a host of technological advances have been rapidly deployed to interact with a variety of old legacy systems through the internet.
This is designed to solve age-old problems such as traffic congestion, energy efficiency and urban planning – but without much thought about securing these developments from cyber-attack.
Marrying bleeding-edge technologies with decades-old control systems might be a recipe for cyber-exploitation. Add in poor security standards on the devices used to connect these systems and the increasing availability of sophisticated hacking tools and we may be facing an uncertain future.
Hacking is already happening
There are numerous examples of these systems being hacked. In March 2018, computers in the City of Atlanta were infected by a ransomware variant called ‘SamSam’, which crippled local services, left 8,000 civic employees unable to use their computers for five days, and resulted in over six million residents being unable to access key services. It’s one of the most significant cyber-attacks mounted against a major city anywhere in the world to date.
The fact remains, however, that we’ve known about the inherent vulnerabilities in metropolitan-wide networks for years.
In 2014 security researchers at the University of Michigan successfully hacked nearly 100 traffic lights connected to a wireless network. Many of the devices used in the network were poorly secured – such as having default usernames and passwords that were available for anyone to see on the manufacturer’s website – but perhaps the more worrying conclusion was that the vulnerabilities of the system were ‘not a fault of any one device or design choice, but rather…a systemic lack of security consciousness’.
New phone apps which talk to sensors in traffic lights have many potential benefits, such as enabling pedestrians with restricted mobility to request extra road crossing time or prioritising cyclists. But what happens if the application, or the backend system it interacts with, is hacked and manipulated?
Could traffic be brought to city-wide gridlock? Could vulnerable road users be put at risk?
It’s not just traffic lights that are vulnerable. In March 2018 it was reported that the Russian anti-virus company Dr. Web had detected 50,000 CCTV video cameras in Japan that were being used by hackers to carry our significant Distributed Denial of Service (DDoS) attacks worldwide, where vast numbers of infected devices work together to take down web services.
IoT devices of all kinds, when coupled with malware such as Mirai, are now the most popular means for malicious actors to wreak havoc via DDoS attacks that ultimately make online services unavailable by overwhelming them with traffic from multiple sources.
In Finland in 2016, hackers attacked a building automation system, leaving residents without hot water or heating.
Damage, at scale
We are already well and truly on our way to living smarter. Keyless cars with Wi-Fi hotspots, driverless cars, intelligent parking meters, heating and air-conditioning controlled through your smartphone, smart lightbulbs, kettles, energy meters, and even hairbrushes. The list goes on.
It is understandable that there is growing concern within the cyber security industry as the global IoT footprint is predicted to grow to over 50 billion connected devices by 2020. All this interaction needs to integrate with so many different connected platforms, meaning that serious security challenges lay ahead.
When it comes to security the track record of many device manufacturers is notoriously poor. In a highly competitive industry companies are in a hurry to get their products to market fast, frequently reducing testing times and leaving security as an afterthought as these add costs and delay product launch. This is why there are so many devices with factory-set default credentials that cannot be changed, can be looked up on the internet, and offer little in the way of proper protection.
But more serious damage could be done. The trend for connecting traditionally offline critical infrastructure systems, such as those used in power plants and water treatment facilities, to the internet opens vulnerabilities in those systems to attack – and we know that hostile states are already eyeing up the energy sector as a target. According to a leaked memo from Britain’s National Cyber Security Centre (NCSC), picked up by Motherboard recently, the energy sector is not only likely to have been targeted by nation-state hackers – but probably has already been compromised.
What can cities do?
Governments are already starting to take steps to combat cyber-attacks. The NCSC is doing what it can – but there is much more work needing to be done. Increased information sharing on attacks will help, but we now desperately need legislation to ensure manufacturers take appropriate steps to secure their devices.
The US National Institute of Standards and Technology recently published a paper called ‘Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things’, which it is hoped will lead to a global standard for IoT manufacturers to adhere to.
Both public and private sector entities should also start putting security and safety before efficiency and profit, ensuring that they are building cyber resilience into their organisations and demanding that their suppliers do the same. With its huge buying power, the public sector, especially those who are shaping our future smart cities, are in a unique position to influence the market and drive secure behaviours from manufacturers.
Cities that stay informed and share information on both a national and international level, and prepare appropriately will ultimately be able to respond to the inevitable cyber security issues quickly to mitigate potential chaos and widespread panic.
If we can start getting smarter about cyber security, then we can all truly enjoy the benefits of living in technologically advanced cities that have the potential.