Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:15 PM
Connect Directly

Smart Cities' 4 Biggest Security Challenges

The messiness of politics and the vulnerability of the Internet of Things in one big, unwieldy package.

It's no secret that Internet of Things devices like Nest smart meters and Fitbits are behind the curve on information security -- lax encryption and access control standards for both wireless network and data security, for starters. So what about when IoT devices run a "smart city," and the public water system, power grid, waste management, traffic control, street lighting, public transportation, and physical security systems are all as vulnerable as that Fitbit on your wrist?  

"Most cities around the world are unprotected to cyber attacks," says Cesar Cerrudo, CTO of IOActive. At DEF CON last year, Cerrudo presented research about serious vulnerabilities in vehicle traffic control systems, which could be exploited to cause traffic jams or crashes. His studies inspired him to create Securing Smart Cities, a global non-profit initiative established in May by IOActive, Kaspersky Lab, Bastille, and the Cloud Security Alliance with the purpose of better definining the security challenges of smart cities and finding workable solutions.  

"Cities are really important, because they're the backbones of civilization. They're the backbones of economy," says Greg Conti, associate professor and director of the Army Cyber Institute at West Point. Conti, along with West Point associate professor David Raymond and Drawbridge Networks CTO Tom Cross, will be presenting a session on "Pen Testing a City" at the Black Hat Briefings in August.

"We're going to be looking at the security of cities, whether they're dumb, moderately intelligent or smart," says Conti.

What makes cities, particularly "smart" cities, uniquely challenging?

Insecure Products & Insufficient Testing

One of the biggest concerns about smart buildings and smart cities is that the sensors in the equipment can be hacked and fed fake data -- which could be used for all manner of mischief, like causing signal failures that shut down subways or allowing contaminants into the water supply.

"Most product vendors are releasing hardware, software without any security, and governments are releasing it without any testing," says Cerrudo. Although they may test rigorously for functionality, cybersecurity won't be part of the process. Cerrudo discovered there were 200,000 vulnerable traffic control sensors installed in cities across the world, including New York, Washington D.C., and London.

Cross says that people's attitudes toward new technology's vulnerabilities often slide through something like the five stages of grief. First it's "denial," when they remain too enamored of the technologies' fun functions to consider the risks. Then they'll move through "anger," "bargaining," "depression," and eventually "acceptance." "Smart cities technology are following the same pattern," he says, and there's still a long way to go before we reach acceptance.

As Cerrudo wrote in a report in April, "At IOActive Labs, we continue to see vendors that do not know anything about cyber security; they lack skilled security people and don’t seem interested in improving security. For instance, many vendors don’t object to giving full privileged access to a device or system to anyone who is on a local network, because they think of the internal network as safe."

Huge, Complex Attack Surface

The trouble is, the notion of "internal network" doesn't really translate to smart cities. The trend is, the smarter the city, the more computer systems, the more integration between the systems, and the more open the access to the data collected by all those systems. 

As futurologist Dr. Simon Moores said at the IFSEC conference last month, the task of integrating an entire city of buildings outfitted with smart electric meters, doors, HVAC systems, and lighting is an "almost intractable problem."

Cross explains that the challenge of integration is not just technological; it's about all the operational interdependencies that exist in a city. "If the subway shuts down, people can't get to their jobs, and then other things don't get done," he says.

Cerrudo explains that attackers know about this "cascade effect," and that they can use it to their advantage by launching an attack on a small, poorly secured system that doesn't seem very critical, and setting off a chain reaction.

The definition of "critical" may vary from city to city, too. Cross says to look at something like Las Vegas. "The economy is very dependent on casinos," he says, "but casinos are not considered critical infrastructure."

The degree of complexity also varies by the age and the size of the city -- an aspect Conti, Cross, and Raymond plan to discuss at Black Hat. "We're getting a sense there may be a sweet spot," says Conti. A city that's somewhere in the middle in terms of size and age, "small enough that it can get its arms around its technology," using "new but not necessarily bleeding-edge" technology" seems to have the best chance of success. "We thought that was an interesting dynamic," he says.

Lack of Oversight and Organization

At IFSEC, Moores posed the rhetorical question, "Who's responsible when a smart city crashes?"

Other experts agree that in many cities there is still no clear cybersecurity leadership, and that cities need to establish city-specific CERTs and/or security operations centers -- not just for information sharing, but also for cross-function vulnerability assessment and incident response planning.

"Each fiefdom can't develop infrastructure in a vacuum," says Cross.

IOActive's Cerrudo says cities need to start treating cybersecurity in the same way the private sector does.

Shifting Politics, Shifting Budgets

That's all easier said than done.

"Cities are ultimately political beasts, with responsibilities to the populace," and with that comes increased visibility, Conti says. That increased visibility can ultimately be either good or bad for security, but either way it will be subject to public scrutiny in a way that regular companies don't need to consider.

Plus, getting budget for security always requires a process of educating leaders and obtaining their buy-in. However, in the public sector, the leaders and the budgets may change severely every time there's an election.

"If [the elected official gets] tossed out, you have to start the process over again," Cross says. 
"You constantly have to reeducate and resell."

Conti adds that often there will be a failure or a breach that is the event that transforms a leader's attitude towards security. "The new leader," he says, "hasn't gone through the same transformative event."

And the security skills shortage tends to be worse in the public sector, according to Cross. "The most talented people work in the private sector," he says, "because they get better salary and compensation."

"Security problems in cities are real and are current," Cerrudo says. "The possibilities are out there ... So we need to start working on improving security right now."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
7/4/2015 | 9:13:42 AM
Re: Smarter Cities Securoty Challenges
@Peter: Indeed, malware even found its way onto the International Space Station via an infected flash drive!

It really makes me paranoid about accepting free flash drives from vendors at conferences; that's for sure.
Peter Williams
Peter Williams,
User Rank: Apprentice
7/2/2015 | 4:57:10 PM
Smarter Cities Securoty Challenges
Actually - far from Nest and such being the issue, I would guess that the the bigger threat to infrastructure is ancient PLCs being found on Shodan that still have the manufacturer's default password hard coded into them...That, and some idiot sticking an infected flash-drive in the machine running the SCADA system.

One angle that may offer some hope is the growing focus on resilience, where the need for multi -disciplinary working etc to plan for and manage disasters seems to be inceasingly accepted.  At least some cities include cyber events in their resilience planning - maybe we could make it more widespread?

Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
7/2/2015 | 6:06:34 AM
Las Vegas
The Las Vegas example got me thinking about what would happen if the Strip were shut down for a day.

And, having worked for the Nevada Attorney General in a role that dealt, in part, with utilities issues, the first thing that came into my mind was that -- despite the economic loss -- there'd be a HUGE savings in energy and natural resources.
Blog Voyage
Blog Voyage,
User Rank: Strategist
7/2/2015 | 2:55:40 AM
What a big work
Very nice ideas, but it will be a very hard work. As you know, security is a very difficult job. Wait and see.
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious u...
PUBLISHED: 2021-06-16
Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version.
PUBLISHED: 2021-06-16
TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certain situations.
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-o...
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must b...