As Smart Cities Expand, So Do the Threats

For technologists, building smart cities is not an aspirational goal but a matter of necessity. The World Bank estimates that 70% of the world's population will be living in urban areas by 2050, up from 56% today. This massive population shift will place increasing pressure on city infrastructure and technology used to manage urban areas. Increased automation will also bring new threats.

While the concept of a smart city may seem monolithic, in reality it is a collection of independent technologies and systems communicating with each other and a central management hub, creating a diverse ecosystem of technologies — one that needs to be well secured, says Piyush Pandey, the US cyber data market leader at business consultancy Deloitte. In many cases, those technologies have not been adequately secured individually, let alone as an interdependent ecosystem exposed to the public, he says.

"This is obviously not just one system that needs to be secure. ... With this smart ecosystem and the massive number of interconnections, we are consciously allowing our network to be exposed," Pandey says. "The security is not really limited to applying some sort of a firewall or physical security at the device level. We have to look at this in a holistic fashion."

A number of countries are pursuing the concept of smart cities, from governments in the Middle East and Africa to Singapore's claim as the smartest city in the world. A city can collect more than 500 million events per day from its diverse array of systems — smart electric meters, street lights, transportation monitors, and emergency management systems — according to a recent Deloitte report on securing smart ecosystems. While the convergence of information technology (IT), operational technology (OT), the Internet of Things (IoT), and automation will lead to increased efficiency, the smarts of a smart city will also result in a greater vulnerability to threats.

Ransomware has become a major issue for local governments, and the increasing automation of cities adds to the operational challenges, with concerns that ransomware could shut down civic operations.

A Trio of Risk Drivers

From intelligent transportation systems, to smart electrical grids, to just-in-time critical infrastructure, smart city systems link a vast pool of devices — many with no built-in security features of their own — to untrusted systems, such as smartphones, legacy technologies, and desktops running out-of-date software. The three most vulnerable and impactful systems are those used for emergency alerts, street video surveillance, and smart traffic lights, according to a 2020 survey of smart-city security experts conducted by UC Berkeley's Center for Long Term Cybersecurity (CLTC).

Many of those systems were put in place without much consideration for cybersecurity, says Rowland Herbert-Faulkner, graduate researcher in city and regional planning affiliated with CLTC.

"We don't have built-in product security for a lot of things, and if we don't put that in place, then we are still broadening the threat landscape. The risks go up exponentially," he says. "That's something that's come up in research for quite a while: How do we deal with product security, especially when we're dealing with these interconnected systems? Especially when someone's device can be used as an attack vector or as an entry point into the system."

Three main factors — convergence, interoperability, and integration — drive risks in smart city ecosystems, according to Deloitte's report. The marriage of cyber and physical systems — convergence — allows one domain to affect the other, dramatically increasing the attack surface. Devices from different systems — some old, and some new — interoperate with one another, putting old systems that were never intended to be connected at risk. Finally, the tight integration of devices across systems means that an attack can quickly impact other systems, creating a cascading of impacts.

"Not only are the boundaries blurred because there are no organizational boundaries in a smart ecosystem, there are no system boundaries because now we are talking about the cyber and physical convergence," says Deloitte's Pandey. "We have multiple different vendors coming into play with different devices and disparate systems that have varying degrees of security controls, so now when they are interconnected, the weakest system [becomes] the problem."

Smart Device Security: A 20-Year Problem

The different systems vary by purpose — smart license-plate readers have a different architecture than the smart electrical grid — and also by protocols. While they are likely to communicate over wireless technologies, they also are likely to talk to each other through centralized hubs. Most devices cannot run security agents because such add-on security would cause too great of a performance hit for many programmable logic controllers, IoT devices, and other low-power hardware, says Tom Pace, CEO of XIoT security firm NetRise.

"It'll probably get there, but that's like a 20-year problem," he says. "What you really need to do is have most of these device manufacturers standardize on some operating system and processor architecture. Otherwise, you're asking companies to create like 1,000 different agents that need to be installed. It's just never going to work."

In addition to the technology aspects of the problem, a great deal of cybersecurity expertise still needs to be developed to tackle smart cities. Improving the cybersecurity posture for smart cities is critical, says UC Berkeley's Herbert-Faulkner. Because of the impact of ransomware on local government agencies, cyber insurers have pulled back from issuing policies, for example, and have become much more stringent.

"Cyber insurers are not too interested in covering cities because a lot of local government personnel don't have the basics down — they don't have a framework in place that's going to help them mitigate this risk," he says. "Bringing city and local government personnel up to speed in terms of basic cyber hygiene is going to be critical, and we see this particularly when you're talking about risk mitigation."