The security challenge for smart cities

Smart city technologies are transforming the way municipalities manage their everyday operations and services all over the world.

The proliferation of IoT technology has resulted in hundreds of thousands of connected systems being embedded in many a city’s critical infrastructures, enabling city managers and urban planners to improve their operations and the daily lives of their citizens in real-time.

According to IDC’s Worldwide Semiannual Smart Cities Spending Guide, worldwide spending on technologies for smart cities projects is estimated to reach $80 billion in 2018 and will grow to $135 billion by 2021.

But at the same time that these emerging technologies are bringing increased efficiencies, smart city infrastructure is also opening up new avenues for attack.

>See also: Creating a smart city needs collaboration and open infrastructure

The Security Challenge

In early 2018, IBM X-Force Red and Threatcare discovered 17 zero-day vulnerabilities in smart city sensors and controls used in cities around the world.

According to a spokesperson from IBM: “Left unpatched, these vulnerabilities could allow hackers to gain access to sensors and manipulate data.”

“It’s important to keep in mind that even a simple false sensor alert, generated by malicious hacking or otherwise, can trigger mass panic.”

In August 2018, Ben-Gurion University of the Negev (BGU), Israel, cyber security researchers found vulnerabilities in a number of commercial smart irrigation systems, which enable attackers to remotely turn watering systems on and off at will.

>See also: Is the property sector holding back the development of smart cities?

Ben Nassis, a researcher for BGU, said: “By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty flood water reservoir overnight.”

“Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers.”

Smart City Hacking

For IBM’s report, The Dangers of Smart City Hacking, a team set out to learn more about real-world possibilities or the hacking of smart city technology, and see if “supervillain-level” attacks on smart cities were possible.

Here are some key examples of the vulnerabilities the team uncovered:

1.Manipulation of law-enforcement response

Hackers could accomplish “simulta­neous traffic tie-ups on key city roads by taking control of traffic control infrastructure – enough to create gridlock and delay law-enforcement teams from accessing the real scene of a crime.”

2. Disasters, real and fake

“By causing water level gauges, radiation detectors, wind speed sensors, and other disaster detection and alarm systems to report incorrect data, an attacker could potentially cause an evacuation as a distraction. Alternatively, a city could suffer far worse damage as a result of the delayed response to external threats, like radiation.”

3. Agricultural crop manipulation

“Smart farming has become commonplace as farmers use sensors to measure humidity, rainfall, and temperature to efficiently irrigate crops and determine optimal harvest times. Manipulation of this sensor data could result in irreversible crop damage, tar­geting a specific farm or an entire region – which from a global perspective, could cut off food to populations, dictate new market realities, or even spread disease.”

>See also: The Future Smart City and the impact on risk, availability, security and …

The solution for smart cities

According to IBM; “There’s no easy way to patch a city, and this maps back to the fact that when it comes to device security, the responsibility is twofold: while it’s the manufacturer’s job to make sure that their products are built securely, it’s the user’s responsibility to make sure they are practicing good security hygiene.”

“Further, there’s a shared responsibility between the manufacturer and the user: with the former issuing software updates for security issues, and the latter actually applying those updates.”

However, with this in mind, due to thousands of connected devices being deployed over so many square miles – from different vendors – IT leaders for smart cities can’t easily patch or automatically update their sensor networks. For IBM, because of this, vulnerabilities can go undiscovered for a long time, allowing hackers a foot in the door.

IBM argues that both vendors and smart city leaders need to prioritise security by re-examining the vendors’ security protocols, building proper frameworks for these systems, and developing standard best practices for patching security flaws.

IBM also issued the following guidelines:

  1. Implement IP address restrictions for who can connect to the smart city devices, especially if networks rely on the public internet.
  2. Leverage basic application scanning tools that can help identify vulnerabilities.
  3. Use strong network security rules to prevent access to sensitive systems, as well as safer password practices.
  4. Disable unnecessary remote administration features and ports.
  5. Take advantage of security incident and event management tools to scan network activity and identify suspicious internet traffic.
  6. Hire ethical hackers to test systems, such as IBM X-Force Red. These teams are trained to “think like a hacker” and find flaws in systems before the bad guys do.

>See also: The Internet of Things: The security crisis of 2018? 

Nominations are now open for the Women in IT Awards Ireland and Women in IT Awards Silicon Valley. Nominate yourself, a colleague or someone in your network now! The Women in IT Awards Series – organised by Information Age – aims to tackle this issue and redress the gender imbalance, by showcasing the achievements of women in the sector and identifying new role models

Avatar photo

Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders; helping them manage business critical issues both for today and in the future

Related Topics

Cyber Risk