SECURITY SOLUTIONS TODAY30 May 2017
Smart Cities? Not Until Those Cyber Weaknesses Get Sorted
Views: 166

What does Benny Hill have to do with the Smart Cities of the future? You may think very little, but there is a connection. Back in 1969 Hill played Professor Simon Peach in the classic caper movie The Italian Job, where his character is recruited into Michael Caine’s criminal gang. Computer expert Peach’s role in the heist was to replace the programming of the Turin traffic control system, causing a paralysing traffic jam which enables three Mini Coopers to escape with rather a lot of gold…

We have had computer systems connected to public networks for decades now, but the new trend towards the creation of ‘smart cities’ has meant that a host of technological developments have been rapidly deployed to solve age-old problems such as traffic congestion, energy efficiency and urban planning, but without much thought about the security this entails.

In 2014 security researchers at the University of Michigan successfully hacked nearly 100 traffic lights connected to a wireless network. Many of the devices used in the network were poorly secured – such as having default usernames and passwords that were available for anyone to see on the manufacturer’s website – but perhaps the more worrying conclusion was that the vulnerabilities of the system were ‘not a fault of any one device or design choice, but rather…a systemic lack of security consciousness’.

It’s not just traffic lights, either. Around midnight on April 7th 2017 all 156 sirens of the Dallas Storm Warning System started blaring across the city, once again demonstrating that public infrastructure systems are vulnerable to attack. What might have started as a prank ended with the city’s 911 call centre grinding to a halt as worried locals jammed the phone lines. That’s a city of over a million people not able to get access to the emergency services, all because someone worked out that a radio signal could be used to mimic the siren’s system and trip the emergency alert mechanism.

Cities all around the world are starting to become much more reliant on ‘smart’ technologies to improve the lives of residents and streamline services. Smart metering is already helping to reduce electricity consumption and personal water waste in homes across the UK, and new data-driven traffic systems will undoubtedly help reduce CO2 emissions by utilising artificial intelligence to decrease traffic congestion.

This is all good stuff. However, in the race to make all things smart and interconnected have a raft of potential security vulnerabilities been introduced and simply overlooked? Marrying a variety of old legacy systems that have been in operation for a long time with new, bleeding edge technologies might be a recipe for cyber exploitation. Add in poor security standards on the devices used to connect these systems and the increasing availability of sophisticated hacking tools and we may be facing an uncertain future.

We are already well and truly on our way to living ‘smarter.’ Keyless cars with WiFi hotspots, driverless cars, intelligent parking meters, smart energy meters, heating and air-conditioning controlled through your smartphone. The possibilities seem endless – there’s even such things as ‘smart’ lightbulbs and hairbrushes. It’s not surprising that the global IoT footprint is predicted to grow to over 50 billion connected devices by 2020. But fundamentally all this interaction needs to integrate with so many different connected platforms that serious security challenges certainly lay ahead.

Questions also need to be raised regarding the huge amounts of data that is being stored about us, for what purposes and by whom. It’s estimated that if you drive through just one town in the UK today, you will be pictured by 300 cameras on 30 different systems. Add in automatic number plate recognition systems and the ability to discover your location through tracking your mobile phone, and we are all very much under surveillance every day. Not just by the state, but also by thousands of private companies whom we voluntarily give up our data to all the time. Your personal data is mobile. It doesn’t live in one, secure place but is moving all the time, between different organisations and companies. Consequently, the security and privacy of a modern city’s citizens is also under threat.

It’s a similar story at home, too. Smart TVs and devices such as Amazon’s Alexa are constantly listening in on your conversations. Your smart meter could leave you without heating or electricity if it fails, and is it really telling the truth about your energy consumption? Recently a customer of SSE was surprised when their smart meter showed they had used over £33,000 of power in a single day. This is a rather obvious error, but those of a smaller scale will be much less noticeable to the end consumer.

When it comes to security the track record of many device manufacturers is notoriously poor. In a highly competitive industry companies are in a hurry to get their products to market fast, frequently reducing testing times and leaving security as an afterthought as these add costs and delay product launch. This is why there are so many devices with factory-set credentials that cannot be changed, and little in the way of proper protection.

No surprise, then, that in Finland recently hackers could attack a building automation system and leave residents without hot water or heating. But more serious damage could be done. The trend for connecting traditionally offline critical infrastructure systems, such as those used in power plants and water treatment facilities, to the internet opens up vulnerabilities in those systems to attack. Iran has attributed a spate of recent fires to cyber attacks, and the 2012 Saudi Aramco incident almost forced the world’s largest oil company to stop production – which would have had a massive impact on a global economy still recovering from the 2008 crash.

Governments are already starting to take steps to combat cyber attacks. The recent opening of the National Cyber Security Centre in London is a welcome start but there is much work to be done. Increased information-sharing on attacks will help, but we now need legislation to ensure manufacturers take appropriate steps to secure their devices.

Both public and private sector entities should also start putting security and safety before efficiency and profit, ensuring that they are building cyber resilience into their organisations and demanding that their suppliers do the same. Cities that stay informed and prepare appropriately will ultimately be able to respond to security issues quickly to mitigate potential chaos and widespread panic. If we can start getting smarter about cyber security, then we can all truly enjoy the benefits of living in technologically advanced cities that have the potential to significantly improve our quality of life in a myriad of ways.

Even if that does mean we won’t be seeing Minis driving through sewer pipes in future…