Could a criminal mastermind one day hold a smart city to ransom?
On December 22, 2014, hackers stole “non-critical” data from computer systems owned by Korea Hydro and Nuclear Power. There was no danger to Korea’s 23 nuclear reactors, authorities said.
Are people going to try to hack smart cities? Absolutely yes. - Nick Pollard
However, the incident raises concern over the growing number of information systems being connected to the Internet, particularly within smart cities.
Smart Cities Subject to Threats?
Jason Hart, vice president of cloud solutions at the digital security firm Gemalto, doesn’t doubt it. When it comes to securing the systems being used to create smart cities, he says: “We’re already too late. Even the basics have not been implemented.”
As a veteran of the information security industry, with 22 years of experience including a decades’ worth of ethical hacking, Hart should know. And he is not alone.
“Are people going to try to hack smart cities? Absolutely yes,” chimes Nick Pollard, senior director of professional services at Guidance Software, a digital investigations company. “Also, of course, they are subject to insider threats as much as external threats.”
It is uncomfortable to think that a script kiddie or disgruntled employee, let alone a James Bond-style master criminal, might be able to tinker with electronic road signs and bring a city to a standstill.
However, says Reuven Harrison, chief technology officer and co-founder of the network security company Tufin: “As more systems are connected, the task of preserving their security posture becomes exponentially more complex.”
Additionally, different parts of smart city infrastructure usually fall under the purview of different bodies, from utilities to public works bodies, with nobody in the center controlling cybersecurity standards across these organizations.
Hacking City Devices
The easiest way to do this is through thorough use of firewall technology, although in some cases systems may be so critical that it is best to not allow any connection to the Internet at all.
“IoT solutions in a smart city environment should take advantage of proper network isolation wherever possible to ensure that breaches in one system do not directly lead to a breach in another system.”
For networked systems, says Camejo: “Those responsible for smart city infrastructure need to realize that no system will ever be 100 percent secure. Monitoring systems to detect and stop intrusions is just as important as securing the systems in the first place.”
Get Smarter About Who Has Access to Your Data
Other experts echo these views. Hart, for example, agrees data and application owners need to get smarter about knowing who has access to critical data and systems.
“As a data owner I would want data encrypted with key management,” he says. “As an application owner, in the event the application is compromised I want to give the data owner the ability to manage things properly.”
Pollard, meanwhile, advocates the introduction of new monitoring processes that keep track of the behavior of infrastructures and the insiders that have access to them.
“Hackers do their best to avoid detection,” he says, “but they are materially changing critical files. If you have a baseline already set up of that piece of infrastructure, you can automatically detect that something has changed.”
Live monitoring is not an option at smart city scale because there is too much data, he says. But some smart cities in Europe are already rolling out technology that takes regular snapshots and looks to see where changes have occurred.
At Tufin, Harrison also warns of the need to take into account massive data volumes. “With so many interconnected devices, the process of manually monitoring and approving network access will have to go from human hands as smart cities evolve,” he says.
The good news is that smart city planners are now waking up to the need for protection.
Rob Miller, security consultant at MWR InfoSecurity, says: “Intrusion detection is a common component in IT systems, and we are starting to see products released that can perform this function on smart city networks.
“Smart city architects we have worked with are taking some very important steps to ensure they can both prevent and detect attacks. The simplest protection involves using mature technology rather than trying to re-invent the wheel, and then testing it does not create new vulnerabilities.”
The contents or opinions in this feature are independent and may not necessarily represent the views of Cisco. They are offered in an effort to encourage continuing conversations on a broad range of innovative technology subjects. We welcome your comments and engagement.
We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.