The prospect of smart cities is exciting; urban developments with integrated ICT and IoT solutions delivered in a secure fashion to manage a city's assets. These assets include local departments' information systems, schools, libraries, transportation systems, hospitals, power plants, water supply networks, waste management, law enforcement, and so on. In short, smart cities are envisioned to improve quality of life by using technology to improve efficiency and services to meet residents' needs. But where there's connectivity, there will be hackers, and according to cybersecurity experts, it's only a matter of time before vulnerabilities are exposed in smart city infrastructure.
In early August, a hacker exposed the vulnerability of digital infrastructure in Atlantic City, New Jersey. Lori Nichols, a photojournalist, was driving down a highway when she saw something so strange she had to stop to take a photo. It was a road sign, typically setup to warn people of road works or an accident ahead. Instead, the road sign she saw displayed digital letters which read "POOP". Somewhere in Atlantic City, a hacker was having the last laugh.
What's worrying about the situation is that the prankster was able to gain seemingly easy access to an unlocked panel at the back of the sign and produce whatever message they saw fit. The hacker could have typed "mass shooting ahead" or "terrorist threat in area" which could have produced a very different outcome. Moreover, this type of incident could potentially be unleashed on a much larger scale. Imagine if hundreds of signs around the United States were externally controlled by a hacker. It could unleash nationwide chaos.
According to cybersecurity experts, it's only a matter of time before hackers begin to exploit smart city infrastructure, such as transportation clouds. Hackers could potentially control traffic lights, street lighting, automated bus stops, and many other digitally controlled city systems. That power in the hands of a crazed activist could result in mass casualties. In Russia for example, a researcher from Kaspersky Lab, Denis Lagezo, was able to manipulate traffic sensors and capture data by simply looking up what kind of software was used, and then finding a user manual online from the sensor manufacturer.
Vulnerabilities have been highlighted in major countries such as the U.S., U.K., France, Australia and China, according to a blog post by Cesar Cerrudo, CTO at security firm IOActive Labs. Referring to a scene in the film Die Hard 4 where hackers cause chaos by manipulating traffic signals, he says it's not really that simple, but he does believe that it's entirely plausible to wreck havoc on a smart city using cheap computer software.
"I don't think now we are seeing many attacks, maybe some isolated attacks on lower maintained systems. But everything indicates that in the future they will become common because cyber threats are continually evolving," says Cerrudo. "As technology gets widely adopted, cybercriminals get more familiar with it and get more resources. Maybe they attack transportation systems and say, ‘If you want to keep running the system you have to pay up'."
Taking a stand against smart city cybercrime
There will be vulnerabilities with any leap forward in technology, and these loopholes in the security of smart city systems have not gone unnoticed. In 2015, a non-profit initiative called Securing Smart Cities was launched, aiming to raise awareness and solve the existing and future cybersecurity problems of smart cities. Since its inception, the initiatives supporting community has increased three-fold, according to a Kaspersky Lab report, from ten cybersecurity experts from around the world, to more than thirty. In addition, the number of supporting organizations has grown from four to fifteen.
Contributors and supporters of the initiative have been successful over the past year in increasing awareness of the potential cybersecurity problems in smart cities, says the report. The initiative has published several documents aiming to assist city authorities considering how to adopt smart city technologies properly, and how to organize a Smart City Security Department. The initiative has also produced several practical research assessments and published their findings, covering major security issues, surveillance system problems, and city communication networks and their availability to hackers.
"In its first year the Securing Smart Cities collaborative initiative has made substantial progress - before we started the topic was rarely discussed, but now many people are aware of the cybersecurity implications of smart city technologies, and have started trying to address the issues we have raised," says Cerrudo. "While we're really just getting started and there is a lot of work to do, the results from the first year have been amazing and are a big incentive for us to continue working hard to help cities around the world be more secure and better protect their citizens."
A Kaspersky survey revealed that expensive cyber attacks are now almost routine with 90 percent of the 5,500 companies surveyed reporting at least one security incident, and nearly half, 46 percent of businesses, lost sensitive data due to an internal or external security threat. It shines a light upon the urgency for more awareness on the issue of cybersecurity in cities, which continue to get smarter and constantly incorporate new technologies into their infrastructure, but too often ignore the importance of security.
A city like Dubai, which is rapidly advancing its digital parameters, needs to be especially careful with regards to cybersecurity. The UAE is currently the target of five percent of the world's cyber attacks, and the attacks have gone up by 500 percent in the country over the past five years. A survey conducted by International Data Corporation (IDC) found that firms in the UAE are found to be lacking in efficient security infrastructure. The survey suggests that 8 percent of businesses in the country lack the ability to analyze threats, while 52 percent are unable to adapt and integrate risk management solutions, and 42 percent say the cybersecurity support systems are not enough to manage cyber-risks.
"Currently the 5.6 percent year-on-year increase in IT security spending in the UAE is not sufficient," says RSA general manager and senior director Peter Tran, who leads the firm's worldwide cyber defense practice division. But Tran is optimistic that security spending in the UAE will increase - particularly in Dubai - as the country moves towards adopting smart city initiatives. "Because of the large investments being made to transform Dubai into a smart city, the IT security industry stands to gain as it forms a key part of this digital transformation," he said."
In Kansas City, Missouri, a new smart city project is being hailed as an excellent example of storing public information safely. The new RideKC Streetcar, a free service that runs for 2.2 miles, is part of the new smart city project, as well as in-street parking sensors allowing cars to find spaces near the streetcar route, and cameras placed on lamp posts that monitor traffic conditions and trigger brightness controls on nearby streetlights if there's a pedestrian in the area.
The city made a conscious decision to make its data public, and in order to keep it safe, the data isn't stored in one location in cyberspace. Instead, "The cloud is used to store data from the smart city installation [camera data, streetlights, and so on] but not for streetcar vehicle specific systems," explains Tom Gerend, executive director at Kansas City Streetcar Authority and chairman of the Smart City Advisory Board. "Generally, we have separate services for the individual sub-systems and then aggregate and pool data that we want to make publicly accessible."
But even as communities adopt clever measures like this to counter cyber-attacks, cities will have to be extra careful as transportation hardware manufacturers start incorporating security measures into their products for the first time. Cerrudo believes that communities need to be smarter when implementing new ‘smart' technology to improve infrastructure, because if they're not careful, it could leave the door wide open for any hacker who fancies a snoop around.