
14 types of cyber-attacks a smart city can face

As urban centers continue to grow in population, many are becoming “smart cities” through a digital transformation that instruments almost everything in the city, with the aim of improving residents’ lives, making governance more effective and consuming resources more efficiently. Streetlights, traffic lights, security cameras, electricity and gas meters, and sewers in any metropolis can be fitted with sensors to feed data into this digital infrastructure. For years now, citizens in a large part of the world have also been connecting to the infrastructure of their smart cities to obtain municipal services or pay bills; this is no longer a novelty.

Overall, the market for smart city solutions is expected to exceed €1.7 trillion over the next 20 years. But the interconnectivity between the physical and virtual infrastructure that makes a smart city work also creates significant new cybersecurity risks. Each additional access point widens the exposure of sensitive data. Smart cities can be susceptible to numerous cyberattack techniques, such as remote execution and signal jamming, as well as traditional means, such as malware, data manipulation and DDoS.

To counter the risks, comprehensive smart city protection plans designed to safeguard what is clearly “critical infrastructure” are needed on behalf of all parties involved, from the individual citizen to large public and private institutions.

Many technologies converge to transform the city

When we think of smart cities, it is very common to think of streets full of screens and Wi-Fi even in the bathroom. However, the term smart city means much more than that. The basis of the smart city is the combination of IoT and big data, which must be used properly together with analytics to achieve the main goal of a smart city: to be able to manage resources on its own to improve operability, optimize energy resources, and be sustainable and environmentally friendly.

Essentially, a smart city is the redevelopment of an area or city that uses information and communication technologies to improve the performance and quality of urban services, such as energy, connectivity, transportation, utilities and many others. A smart city is developed when “smart” technologies are implemented to change the nature and economics of the surrounding infrastructure. It is about implementing a network of connected objects and machines that transmit data via wireless technology and the cloud, where it is stored and processed to make sense of what is happening in the city.

Essentially, the goal is for IoT applications to send and manage data in real time to help businesses and residents make the best possible decisions to improve the quality of life of city residents, whether it is to improve traffic congestion, solve power outages, optimize Internet connectivity and other services, etc., while reducing the costs of operating all of this.

Therefore, safety and security are two of the main concerns in any city, and with the incorporation of digital technologies, the concern is greater. In addition, with the increasing risk of cybercrime and data theft, smart cities must be prepared to deal with any potential threats. As mentioned, technologies are expected to help citizens and city decision-makers make better-informed decisions. Indeed, the inclusion of smart technologies has the potential to reduce incidents in connected cities and improve emergency response times.

Vulnerabilities of smart cities

In general, the adoption of various connected technologies carries risks. Cities need to integrate solutions that provide strong authentication and identity management to ensure a secure urban environment. Because a threat can be introduced into a smart city’s infrastructure at any compromised location, the risk can escalate quickly: the systems are all connected, so one compromised system can compromise the next.

When a seemingly harmless connected device is hacked and injected with malware, that attack could affect other devices it is linked to, causing cascading damage throughout the infrastructure. For example, a breach in a street lighting system could give control of the lights, which could lead to the servers, which in turn would generate data on individual customer behavior, and ultimately end in access to financial and other personal information of citizens, possibly even their medical records.

It’s not unlike a recent major distributed denial of service (DDoS) attack, in which everyday IoT devices, such as baby monitors, were hacked and turned into a botnet to take control of some of the world’s largest websites. Cities could be equally susceptible to this type of hacking by deploying tens of thousands of connected devices in municipal domains.

In addition, customer-centric information intended for citizen convenience may also be quite vulnerable. Unfortunately, the development of cybersecurity credentials and security and prevention systems for smart cities has not kept pace with the growing adoption of digital capabilities. Even in the most security-conscious cities, the technology that allows ambulances to turn red lights green has already been hacked, for example. Meanwhile, penetration into power grid infrastructure is not uncommon. And, of course, examples of personal information breaches in the private sector abound.

Once a city becomes “smart” through interconnectivity, the potential for havoc is limitless. Imagine all the traffic lights in a city turning green in a worst-case scenario. Recognizing the need to start and budget for cybersecurity measures as part of projects to transform our cities into smart cities can help avoid additional expenses once the system is already in place. As with IoT in consumer products, connected systems throughout the city also need security protocols.

Potential vulnerabilities and methodologies that could be used against a smart city

In general, all attack mechanisms related to cybersecurity can be extrapolated to a Smart City, so its managers and technicians may have to face situations such as:

  • Man-in-the-middle. An attacker breaches, disrupts or spoofs communications between two systems. For example, a man-in-the-middle attack against a smart valve in a wastewater system could be used to cause a biohazard spill.
  • Data and identity theft. Unprotected data generated by smart city infrastructure, such as parking garages, electric vehicle charging stations and surveillance feeds, provides a wealth of personal information to cyber attackers that can be exploited for fraudulent transactions and identity theft.
  • Device hijacking. Occurs when an attacker hijacks and effectively takes control of a network-connected device. These attacks can be difficult to detect because, in many cases, the attacker does not alter the basic functionality of the device. In a smart city context, a cybercriminal could exploit hijacked smart meters to launch ransomware attacks against energy management systems (EMS) or stealthily divert power from a municipality to other points on the grid.
  • Distributed denial of service (DDoS). A denial-of-service attack (DoS attack) attempts to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. This is usually achieved by flooding the target with superfluous requests to prevent legitimate requests from being fulfilled. In the case of a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding a target originates from multiple sources, making it difficult to stop the cyber offensive by simply blocking a single source. In smart cities, it is possible to attack a large number of devices, such as parking meters, and have them join a botnet programmed to crash a system by simultaneously requesting a service.
  • Permanent denial of service (PDoS). PDoS attacks, also called phlashing, damage a device so severely that its hardware must be replaced or reinstalled. In a smart city environment, a hijacked parking meter could also fall victim to sabotage and would need to be replaced.

Security measures

Issues related to cybersecurity, integration, and data sharing need to be addressed. But, until agreement is reached on specific standards, here are some fundamental best practices for the security of connected cities:

    • Smart policies. Too often with IoT, the focus is on the benefits and little attention is paid to the risks. Creating a policy on privacy and use of IoT data from the outset can help ensure against unintended misuse. A strong policy can help guide employees and users toward greater cybersecurity and responsiveness to potential attacks.
    • Protect individual identities. Identity management is critical in connected systems. Each piece of connected infrastructure may have different rules or standards for providing access, some weaker than others. By synchronizing access credentials, thus eliminating weak points, cities can help protect residents’ identity information.
    • Protect information at its source. Each connected device begins generating data the moment it connects and continues to do so every second thereafter. Before the system goes live, smart city managers need to be clear about how much data will be collected and how it will be used. In this way, the data can be better protected and properly encrypted from the outset, and costly forensic and mitigation efforts will be avoided in the future.
    • Standardize on a need-to-know basis. Very few people in any organization need to know everything on a given system. Protocols and access options create boundaries while providing the desired openness and functionality for the connected infrastructure to be effective. These protocols provide complete accountability, identifying who is using the information, ensuring they are authorized and controlling that access. They also promote a culture of cybersecurity by establishing automatic rules and limitations.
    • Firmware integrity and secure boot. Secure boot uses cryptographic code signing techniques, ensuring that a device only executes code generated by the device’s OEM or other trusted party. The use of secure boot technology prevents hackers from replacing firmware with malicious versions, thus preventing attacks. Unfortunately, not all IoT chipsets are equipped with secure boot capabilities. In this case, it is important to ensure that the IoT device can only communicate with authorized services to avoid the risk of replacing firmware with malicious instruction sets.
    • Mutual authentication. Each time a smart city device connects to the network, it must authenticate itself before receiving or transmitting data. This ensures that the data comes from a legitimate device and not a fraudulent source. Secure mutual authentication, where two entities (device and service) must prove their identity to each other, helps protect against malicious attacks.
    • Security monitoring and analysis. Data must be collected on the overall state of the system, including end devices and connectivity traffic. This data is then analyzed to detect possible security breaches or potential threats to the system. Once detected, a wide range of actions formulated in the context of an overall system security policy must be executed, such as quarantining devices based on anomalous behavior.
    • Security lifecycle management. The lifecycle management feature enables service providers and OEMs to control the security aspects of IoT devices when they are in operation. Rapid modification of the device key during cyber disaster recovery ensures minimal service disruption. In addition, secure device decommissioning ensures that discarded devices will not be reused and exploited to connect to an unauthorized service.
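
The monitoring-and-quarantine practice above, sketched as an added example (not code from the original post): it scans per-device telemetry and flags devices that contact a service outside an allow-list or whose message rate jumps far above their own baseline. The log format, host names, device IDs and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample telemetry: time, device id, destination host,
# messages sent in that one-minute window.
SAMPLE = """\
10:00 meter-017 telemetry.city.example 12
10:00 meter-042 telemetry.city.example 11
10:01 meter-017 telemetry.city.example 13
10:01 meter-042 telemetry.city.example 10
10:02 meter-017 telemetry.city.example 12
10:02 meter-042 telemetry.city.example 950
10:03 lamp-003 telemetry.city.example 4
10:03 lamp-003 updates.unknown.example 4
"""

AUTHORIZED = {"telemetry.city.example"}  # assumed allow-list of services
SPIKE_FACTOR = 5   # assumed threshold: 5x the device's own median rate
MIN_HISTORY = 2    # normal windows required before the rate check applies


def find_quarantine_candidates(log_text):
    """Return {device_id: [reasons]} for devices that should be quarantined."""
    history = defaultdict(list)   # device -> message counts of normal windows
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, dest, count = line.split()
        count = int(count)
        if dest not in AUTHORIZED:
            findings.setdefault(device, []).append(
                f"{ts} unauthorized destination {dest}")
            continue
        past = history[device]
        if len(past) >= MIN_HISTORY and count > SPIKE_FACTOR * median(past):
            findings.setdefault(device, []).append(
                f"{ts} rate spike {count} msgs/min")
        else:
            past.append(count)    # only normal windows feed the baseline
    return findings


if __name__ == "__main__":
    for device, reasons in find_quarantine_candidates(SAMPLE).items():
        print(device, "->", "; ".join(reasons))
```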

An interconnected smart city sounds great: drivers avoid traffic jams; city services predict citizens’ needs in advance; utilities provide real-time information, allowing residents to adjust usage, etc. However, a cybersecure interconnected utopia includes the right controls with proper implementation to ensure that connected infrastructure is accessible only to the right people at the right time for the right reasons.
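
Mutual authentication from the list of best practices above, as an added example that is not from the original post: a simplified challenge-response in which device and service each prove knowledge of a per-device shared key before any data flows. The message layout, class names and key provisioning are assumptions; deployments commonly use mutual TLS with device certificates instead.

```python
import hashlib
import hmac
import secrets


def proof(key, role, device_id, nonce_d, nonce_s):
    # The role label stops one side's proof being replayed as the other's.
    msg = b"|".join([role, device_id, nonce_d, nonce_s])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Service:
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> key (assumed provisioning)
        self.pending = {}               # device_id -> (nonce_d, nonce_s)

    def challenge(self, device_id, nonce_d):
        key = self.device_keys.get(device_id)
        if key is None:
            return None                 # unknown device
        nonce_s = secrets.token_hex(16).encode()
        self.pending[device_id] = (nonce_d, nonce_s)
        return nonce_s, proof(key, b"service", device_id, nonce_d, nonce_s)

    def accept(self, device_id, device_proof):
        nonces = self.pending.pop(device_id, None)  # each challenge is single-use
        if nonces is None:
            return False
        want = proof(self.device_keys[device_id], b"device", device_id, *nonces)
        return hmac.compare_digest(want, device_proof)

class Device:
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key

    def hello(self):
        self.nonce_d = secrets.token_hex(16).encode()
        return self.device_id, self.nonce_d

    def respond(self, nonce_s, service_proof):
        want = proof(self.key, b"service", self.device_id, self.nonce_d, nonce_s)
        if not hmac.compare_digest(want, service_proof):
            return None                 # service did not prove itself: send nothing
        return proof(self.key, b"device", self.device_id, self.nonce_d, nonce_s)

def handshake(device, service):
    reply = service.challenge(*device.hello())
    device_proof = device.respond(*reply) if reply else None
    return device_proof is not None and service.accept(device.device_id, device_proof)
```

`handshake` returns `True` only when both proofs verify, so a device holding the wrong key, a service holding the wrong key and an unregistered device ID all fail.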
