Taking advantage of advances in information and communication technologies (ICT), Smart Cities or smart cities have been offering many potential benefits to their residents for years, such as improved energy efficiency, personal management and security, mobility within their streets and avenues, etc. However, this reliance on ICT also makes Smart Cities prone to cyber-attacks, as are all systems that, in one way or another, are nowadays connected to the network.
Rapid advances in ICT have been harnessed to streamline the design, operation and management of urban environments in a variety of ways. For example, it is possible to measure energy consumption in real time with smart meters and use this information to coordinate generation and distribution resources through the smart energy grid, or Smart Grids, continuously track traffic jams and road hazards and automatically communicate this to vehicles and travelers, or manage our street lighting with automatic brightness sensors.
Advances in these areas have helped to reduce costs, increase efficiency, improve safety and comfort, and reduce pollution and greenhouse gas emissions, and more and more cities around the world are implementing small or large-scale solutions based on smart metering and automation systems to improve the efficiency of their services and infrastructures.
Scope of Smart Cities
Among the many definitions that we find to explain what we mean by a smart city we could say that “a smart city uses digital technologies or information and communication technologies to improve the quality of life of its inhabitants and urban services, to reduce costs and resource consumption, as well as to interact more effectively and actively with its citizens. The sectors that have been most widely developed within smart cities are public services, transportation and city management, energy, sanitation, water and waste.”
For the topic of cybersecurity and to classify the areas on which we could make a study of the possible threats present on the infrastructure of a Smart City, we could divide it into six key components:
- City economic systems, financial services
- Environment and basic service infrastructures (water, gas, electricity, etc.)
- Governance, city management mechanisms
- Urban life, “smart” citizen services
- Mobility within the city, public and private transportation
- People and everything related to personal connectivity within the city.
It is clear that this classification is simply an aid to examine, in a more or less organized way, which areas within the Smart City could be susceptible to cyber-attacks and on which we should plan in greater detail protection and security mechanisms.
Thus, on the one hand, while many of the developments to transform a service or infrastructure management into “Smart” have been designed from the beginning, starting from the non-existence of previous systems that would have to be adapted on the fly, on the other hand, most of the transformations that have been carried out to transform a service or infrastructure management into “Smart” have been designed from the beginning, starting from the non-existence of previous systems that would have to be adapted on the fly, In fact, most of the transformations of systems into their “smart” counterparts in our cities have been made on the basis of the existence of previous systems that have simply been adapted and protected “on the fly”, as new developments in ICT technologies were progressively integrated into the operation of urban areas. As we have seen in recent years, cities can become “smart” by adopting modern technologies for transportation, traffic control, disaster response and security, resource management and other aspects of urban management, but these cities have not been born or built on the basis of a “Smart” system with its protection mechanisms against cyber-attacks, but rather by adding technological components to existing ones that may or may not be designed to resist attempts at remote manipulation.
Putting the focus on protecting the systems that make our cities smart
No one disputes that these improvements to our cities are very valuable, but they carry with them a number of inherent risks. This is often because a smart city often involves the installation of many new systems and devices under novel conditions and often without thorough security testing. Many of these technologies are wireless and therefore rely on custom protocols and encryption platforms. Even seemingly minor bugs can cause very serious problems, if those who attempt to exploit them do so with that intent.
Even more worrying is the fact that many smart cities have yet to develop action plans outlining responses to potential cyber-attacks targeting city services, infrastructure and ICT. Since all systems are interconnected, weaknesses in one element can have wide-ranging consequences. For example, encryption problems can result in gaining access to a wireless network, which in turn can be exploited by hackers to attack the electricity or water supply, as happened a few months ago in the city of Florida, where an attempt was made to manipulate (remotely, with a cyberattack) the amount of chemicals present in the city’s water to levels dangerous for human consumption. It is clear that cyber threats to smart cities must be taken very seriously if we are to continue to develop our cities towards increasingly interconnected systems that depend on remote control technologies.
And, as we can already imagine, this is an issue that continues to grow. According to industry estimates, by the end of 2020 there were 8740 million devices connected to the internet, in what is known as the Internet of Things (IoT), and, at the rate of growth we are going, we will reach 25 billion by 2030. On a demographic level, United Nations projections indicate that 70% of the world’s population is expected to live in urban environments by 2050. The rapid growth of the world’s urban population, as well as the increasing interconnectedness of this population, makes the cybersecurity of cities incredibly important, and the situation will become even more pressing with the introduction of increasingly smart and connected devices and infrastructure.
When everything can be accessed through everything
A wide variety of systems, ranging from home appliances to medical devices in hospitals to air defense systems, could be affected by a single cyberattack targeting the energy grid. As the weapons of choice in this modern age are often no longer bombs, but malware designed to destroy, disrupt or take control of the complex systems that control the operation of smart grids, security managers no longer only have to plan defenses against potential “physical” attacks, but the balance is increasingly shifting to working on and developing defenses against cyber attacks. Furthermore, the immense complexity and scale of a smart city means that these issues need to be addressed as early as possible, and that, in existing cities, this needs to be addressed before it is too late to incorporate adequate cybersecurity measures, either because attacks have already occurred or because different cybercriminal groups have already “vetted” the weaknesses of some of the critical infrastructure in our Smart Cities.
In general, security analysts share the view that the cyber threat landscape is extremely fluid. In recent years there has been an exponential growth in the number of potential threats and the specific nature of the threats is also evolving and increasing in sophistication. Advanced persistent threats (APTs), where an unauthorized entity gains and maintains access to a network, is a good example of this trend. In many cases, the attackers are no longer “kids” playing from a garage to see if they can break into a server to test their skills, but highly skilled and organized professionals who are able to deploy a variety of sophisticated techniques to launch complex and coordinated attacks.
Thus, examples of known cyber threats that every Smart City must take into account when protecting its systems go through keeping in mind a:
- Hackers, individually or in highly organized groups.
- Malware, sometimes reaching levels of sophistication not seen in previous attacks.
- Zero Day vulnerabilities in new systems that are developed and have not been sufficiently tested.
- Botnets, which automatically generate attempts to enter and attack a weak point of a service or installation.
- Denial of Service (DOS), which cause overloading of systems
- Distributed denial of service (DDOS), the same as above, increasing the destructive potential of the attack.
With the above in mind, and with the different areas of action in which we can divide a Smart City when planning its protection mechanisms against cyber-attacks, some of the possible weak points that most of our cities present today, and that may be susceptible to greater attempts of cyber-attacks are:
- Traffic control systems
- Intelligent street lighting
- City management systems
- IoT sensors deployed throughout the city
- Public data, located in databases and servers with inadequate security measures
- Mobile applications
- Cloud and software-as-a-service (SaaS) solutions
- The smart grid
- Public transportation
- Surveillance cameras
An example of access to these systems can occur through an attack on the thousands of sensors that form the backbone of the smart city. With the right manipulation of data from these, attackers could fake an earthquake, tunnel problems or a broken bridge, make people believe there is a flood, malfunction fire sensors, etc., setting off alarms and causing general panic. An attacker could launch an attack by falsifying data from sensors for odor, contamination or the level of garbage in empty containers, to cause garbage collectors to waste time and resources. Keep in mind that many city systems and services rely on sensors, including smart waste and water management, smart parking, traffic control and public transportation. Hacking into wireless sensors is an easy way to launch remote cyberattacks on a city’s critical infrastructure.
Planning for cybersecurity from the start
Therefore, the importance of a structured and well-thought-out technology selection process for attack security should not be underestimated. In particular, it should be emphasized that cybersecurity issues should be taken into account from the very first phase of transforming a city into a Smart City. In the context of a smart city, all systems are interdependent and weak systems can cause large-scale damage and even affect the stability and security of an entire region, or a country.
A smart city requires new levels of confidentiality, integrity, availability and defense. All wired and wireless communications (data in transit) must be properly protected with strong encryption. The solution must support a strong authentication mechanism (one-time passwords, certificate or biometric based authentication, etc.).
All functionality must require and apply appropriate permissions (authorization) before any action is taken. Updates to software, firmware, etc. should be automatic and secure. Logs should also be securely stored against tampering. Devices must have a mechanism to prevent tampering by unauthorized sources. In the event that the system malfunctions or crashes, it must remain secure and protections must continue to run. Solutions must come with a secure configuration by default.
On the other hand, for the implementation of new solutions and technological improvements, the technology must pass a robust security test in the selection phase, as well as be delivered in a secure form and allow strong encryption. A system administration, which allows setting secure passwords, deleting unnecessary user accounts, disabling unused functions and services, enabling auditing of security events, etc., is essential. For operation and maintenance, the technology must pass the monitoring of its patches and updates, periodic assessments and audits, protection of the logging environment, access control, cyber threat intelligence, reaction and recovery of compromised elements, etc.
Finally, some recommendations for the disposal of technology that is no longer in use or has become obsolete should be taken into account. The reuse of systems from previous installations should be avoided, and all data should be securely deleted.
In conclusion
The field of smart city cybersecurity is still in its infancy, and many more policy, architectural and design solutions for security techniques are anticipated in this important area. With this in mind, and as security expert Eugene Kaspersky comments:
“”Smart technologies and interconnectivity should improve life around the world. But with all the opportunities they create, it is a challenge to prevent unauthorized people from taking advantage of them. We are convinced that it is possible to overcome this challenge, but it requires a lot of effort on the part of governments, software developers and IT security companies. We are just starting down this path, but we must follow it to ultimately build a secure digital world for all.”
