Main cybersecurity vulnerabilities in Smart Cities

Throughout the length and breadth of our geography, and at an increasing rate, many cities have been betting on and incorporating new technologies into their infrastructures for several years. In the last five years, the speed of adoption has increased, and many cities are becoming more and more “intelligent”. Technologies related to data management, data storage and capture, along with faster connectivity, allow metropolises to optimize their resources, save money and, at the same time, offer better services to their citizens.

In fact, most of us, when we wake up to start a normal work day, we usually take a look at our mobile and start searching in different apps to choose the best alternative to go to the office or school. We check train, bus and subway schedules and delays. We also check in passing the temperature, pollution level and weather conditions of the day.

As we can imagine, in order for us to receive all this information, sensors are needed everywhere to feed the city’s systems, and they need to send the data to the mobile applications via the city’s ICT infrastructure servers.

Suppose then that we choose to go by car, as there is a delay in public transport and/or it is a rainy day. On the way to work, and in real time, we check again the best route to avoid the collapse of the main streets and consult another application to select parking based on availability and price. Traffic flow along the indicated route is good thanks to intelligent control systems that adjust traffic lights according to current congestion conditions. In the event of rain, intelligent street lighting leaves the street lights on until more natural light is available, and, if the rain causes flooding, detection sensors immediately alert the city administration, as well as citizens, so that the necessary measures can be taken, traffic redirected, or the fire department called. Since the municipal management teams closely monitor the entire city with the help of surveillance cameras, this monitoring does not pose major problems, and, although rain causes delays in public transport, information about these inconveniences is disseminated so that citizens can choose other transport alternatives.

Basically, and to conclude with the example, it is thanks to all the “smart” technology implemented in Smart Cities that is significantly changing the lives of people living in metropolitan areas.

What services turn a city into a Smart City?

Actually, the technologies behind the above examples are basically the same in all areas (latest generation mobile communications, short and long range wireless networks, Internet of Things, blockchain, artificial intelligence algorithms, etc.), but, applied to the main city services, and getting them to operate more efficiently and in coordination with each other, most Smart Cities have implemented services such as:

• Intelligent traffic control: traffic lights and signals that adapt based on current traffic conditions. The current volume of vehicles on the road is detected and that real-time information is used to coordinate and improve the flow of traffic on streets, roads, avenues, etc.
• Intelligent parking: Urban residents can use an app to find available spaces, check prices, availability, location, etc. All managed via smartphone and centralized in a municipal management service for private and public parking areas.
• Smart street lighting: Centrally managed, street lighting can adapt to weather conditions, report problems or be automated according to the time of day. Street lights can even be turned off and on based on the detection of moving cars and people, promoting energy consumption savings, more efficient energy use and regulation based on the actual needs of the city.
• Intelligent public transport: Possibly one of the most widely implemented services thanks to which real-time data is provided on schedules (bus, train, subway, etc.), arrivals and delays, breakdowns or service disruptions. The efficiency of public transport is, in some ways, the main measure by which many city dwellers evaluate the quality of city services and the one that is most complained about if it is not working properly.
• Smart energy management: A smart grid can supply energy according to the needs of consumers, because smart meters can talk to the distribution network to schedule the supply of energy at a specific time and at a lower cost. The smart grid can even turn off the home water heater during peak hours when electricity is most expensive. Using these same principles, smart buildings use the same type of techniques to conserve energy and purchase electricity when rates are lower.
• Smart water management: Smart pipes measure water quality thanks to multiple sensors present in them, detect leaks, distribute the water resource, detect problems or possible failures in the plumbing system, etc. Similar techniques are used for gas and oil pipelines, but, in cities, it is critical that this water management is done as efficiently as possible to guarantee supply to the entire population without wasting the available flow.
• Intelligent waste management: This is another service that already exists in many cities and improves waste management. Its use involves installing sensors in the garbage containers that detect volume, odor, etc. With this, waste collection can be better planned, skipping empty containers or making an early stop at a smelly container.
• Security systems: Traffic and surveillance cameras have become “intelligent”, thanks to programs that analyze the data they collect, as well as intrusion detection sensors in homes, factories, warehouses, etc. Security devices scattered around the city provide real-time information on what is happening and where. People counting technology, such as cell phone tracking or communication (such as Wi-Fi or Bluetooth), is used to determine the number of people in a given area, such as a street, park or building. It goes without saying that many governments use this same technology and function for facial recognition and population monitoring on a mass scale.

On the other hand, for all the above services to work, it is necessary that different technological components are developed and implemented with sufficient guarantees of operation and security measures, because, behind the intelligent management of everything we have discussed, there are a number of elements that form the basic technological substrate to serve the entire city:

• M2M (Machine to Machine) processes and programs: For a city to be smarter, devices (machines) are needed that talk to each other, system to system, making decisions automatically, and it is very necessary that all the security protocols that regulate the operation of these are robust and can ensure that the processes they regulate or execute do so correctly..
• Mobile applications: In the Smart Cities ecosystem, mobile applications encourage people to interact with the city. Thanks to multiple apps we can obtain information about events, services, infrastructures, etc., of the city, so they are generally the interface that allows citizen use of the data collected by Smart City sensors.
• Sensors: These are the devices that are at the base of most of the “Smart” services and are used for everything. These sensors (often wireless) continuously feed Smart City systems with huge amounts of data, so they serve to determine, among other things:

Cybersecurity issues in Smart Cities

However, every new innovation brings with it new challenges and problems. Considering the services we have seen above, what could happen if one or more of these services dependent on one of these technologies will not work? What would commuting be like with traffic control systems not regulating properly, no lighting and no public transport? How would citizens respond to inadequate electricity or water supply, dark streets and no cameras? What if garbage collection is interrupted in summer and stinks in the streets?

These scenarios are part of the worst nightmares of urban management technicians. And, to prevent them, a series of protection systems against cyber-attacks and security breaches are necessary. So, what could trigger cyber-attacks on Smart City infrastructure to succeed in disrupting its services? Let’s look at some of the most important points.

• Poor or non-existent security and lack of evidence on the resilience of systems against cyber-attacks. Most Smart Cities technology solution providers run a series of tests on the correct functioning of their systems before implementing them. Sensors are tested to ensure that they are collecting the right measurements, that network communications are working properly, that data is received without distortion, etc. However, simulations and tests of resistance to cyber-attacks, which are mainly directed against elements of IoT networks, are not usually carried out because the cost, sometimes, of installing a few sensors is very cheap, but providing them with resilience capabilities against possible remote manipulations increases their price. Within the parameters and decisions that are taken in the implementation of this type of systems, cost-benefit sometimes predominates over security, simply covering minimum requirements but that may not be enough for groups of experienced hackers who know how to exploit weaknesses in the control software of many of these devices.
• Encryption issues. Most new devices are wireless (such as traffic and surveillance cameras, smart meters, streetlights, traffic lights, smart pipes, weather sensors, etc.), making them easy to deploy, but also easy to hack if the communication is not properly encrypted. Wired communication requires physical access, which generally makes it more difficult to hack, although also some systems that rely on wired communication are exposed and easier to access, such as power line communication (PLC) technologies. An attacker could connect to the power line to access the network and, from the power line, have access to manipulate smart grid and street lighting systems that use this technology. For the same reason as in the previous point, some vendors implement custom wired and wireless communication protocols with very poor or no security. Even when encryption is implemented in wireless and wired communications, it may consist of obsolete and weak encryption algorithms. In other cases, known standard encryption is implemented, but with weak encryption key management. The most common encryption problems are related to this poor key generation, with fixed passwords being kept as they come from the factory, keys shared between users, leaked passwords and encryption keys, etc. As we already imagine, once an encryption key is compromised, attackers gain full access to communications, and when both wireless and wired communications security is poor, an attacker can easily intercept and hijack systems and take control of devices and networks.
• Problems deploying patches against vulnerabilities and flaws. The deployment of patches and system updates faces many security issues. Due to the complexity of these, and the high upgradability of many IoT device drivers, it is difficult and expensive to test all patches on non-production systems, as test environments identical to the real environment are expensive to replicate. It is increasingly common to find that “Smart” solutions are deployed with devices and systems that are easy to be cyber-attacked, because it takes time to release and update patches against emerging flaws or vulnerabilities or they are not available
• Insecure legacy systems. New technologies are being integrated with existing legacy technology that may be vulnerable. Some technology solutions that have been standard in recent years for the implementation and management of municipal services lack standards against cyber-attacks, because in the past it was not such an important issue. Now, however, it may be necessary to install elements that allow communication between old and new systems and that are necessary to translate the operating protocols of both. Some systems installed in cities do not (yet) work with newer, more secure operating systems, and since it is very costly to upgrade an entire computer network and thousands of servers and computers in the city, older, vulnerable operating systems continue to be used. This adds complexity, increases vulnerability to attacks and slows the adoption of new technologies
• Susceptibility to denial of service. With so many technology-dependent services in a city, potential attackers have many methods to abuse them, causing, as the most common strategy, a denial of service (DoS) that can completely block the operation of any of the city’s services. A DoS attack could disrupt a server that feeds data to traffic control systems, for example, or water quality monitoring services, or the city’s Smart Grid management systems. It is a matter of the city’s management technicians always having contingency plans ready to be able to defend against this type of cyber-attack, knowing the weak points through which they could occur, and the city having resilience mechanisms that can be used in the event that any of its critical systems are threatened or malfunction.

In summary

If cybersecurity is an issue that concerns companies and individuals, because it jeopardizes the normal functioning of our businesses, jobs or personal computer systems, when it comes to extrapolating protection mechanisms to a city, the situation becomes much more complex. Just as each of us ensures that our laptops and smartphones are secure and protected, the management technicians of a Smart City must ensure that all the IT systems in the city are secure and protected, because the impact of an attack is much greater and more dangerous than a simple breach of a personal computer of a single person or business. All services of a city that are based on the technological management of its operating systems require analysis against cyber-attacks before being implemented, and must be tested and evaluated regularly, updating the software and control programs of these as vulnerabilities or breaches that compromise the system are detected.

The security of these services is the security of all the city’s inhabitants, and their proper functioning and protection is what makes the difference, in many cases, between a technologically “patched” city or a fully functional “Smart” city.