Security and Smart Cities

Cameron Camp, the security researcher at ESET explains that for various reasons, most of the cities in the world are yet ill-prepared to handle the cyber security risks associated with Smart Cities despite big huge focus on Smart Cities at this year’s CES. 

This year at CES there was an entire section devoted to smart city initiatives municipalities are rolling out in many cities around the world, or planning to. As we noted in our look at automotive security and IoT security previously, the technologies surrounding transportation are converging; so too are the technologies that make cities work. From automated street lights that change color to alert you of a hazard, to centrally-planned dynamic traffic flows and car-to-car communication, cities will change rapidly. But how they will manage these changes is another story.

Stage one is the deployment of sensors that passively assess traffic flows, pedestrian traffic and potential hazards. Shortly thereafter, cities will deploy more active measures, such as controlling traffic lights and entire systems based on holistic input from the swarms of sensors.

One of the hotspots (literally) will be city lamp posts, especially if they are connected electrically. This will be the focus of considerable attention, as they are a perfect platform for Wi-Fi, temperature and other ambient condition sensors, and hence, potential hosts for super-high-speed, ubiquitous, wireless connectivity. Want to get a feel for what’s happening across the whole landscape? Fire up a mesh of a bazillion sensors on the lamp posts and start getting a better picture. All this without significant development and acquisition of land.

Next will be law enforcement, or more specifically, rolling out these new rafts of collected data (after being sifted and enriched) to provide real-time data as they drive, walk, or ride around the city.

So the swarms of sensors will feed the central offices, which will then feed data back out to the swarms of consumers . . . after being digested and enriched.

The problem is that cities are extremely ill-prepared to staff and manage all the complexity, let alone secure it all. If, for example, attackers are able to gain access to one part of the sensor network, it becomes potentially easier to use as a potential onramp to escalate to more privileged access and hop back to the critical data stores and exploit them as well.

This dynamic would be much easier to manage if cities had vast budgets to hire the best cybersavvy technicians and specialists, but it is important as it is paradoxically rare. Here, “fire and forget” just doesn’t work well. We’ve seen breach after breach where organizations had the right technology deployed, but failed on implementation or triage and escalation of potential breach incidents.

For cities that try to outsource their needs, concerns such as data leakage and misuse come to the fore. In light of the raft of legislation for protecting personally identifying data, the potential blowback from leaking security information for example, would make for some rough public relations for the mayor of a city, who’s staff might not be digital experts at all.

Most cities are primarily concerned with keeping the lights on, the water flowing, the streets open, the trains running and so on. The politicians and critical infrastructure managers are far more concerned with high availability than high security – or indeed, any security at all. Year after year at the Black Hat conferences we see examples of city systems trivially exploited. Yet, with the increasing interconnectivity of their systems, smart cities will soon be saddled with understanding and implementing cybersecurity well.

Oh, and without significant budget increases!

No pressure, then.