Smart City security needs a change in mindset
Prevention may be all but impossible, so cure becomes key to smart city resilience
Recent hacks of Internet of Things devices have highlighted how vulnerable the components of a smart city could be to cyberattack, and also indicate that smart city security requires a lot more planning.
Dozens of IoT devices and systems have been successfully compromised. Smart home controllers, autonomous cars, traffic sensors, medical equipment, digital billboards - all have made headlines for being hacked over the past 12 months.
There are plenty of reasons to hack a smart city - hacktivism, cyberwarfare, curiosity - even collateral damage - DDoS attacks have been detected using IoT devices. Ransomware is being targeted against new sectors every day and with digital currencies providing a secure means of payment, ransomware is booming as hackers look to extort a quick buck from any system they can compromise.
IoT devices are unlike traditional ICT systems. They are missing the human element, which removes one major threat, but also means that many IoT devices are designed and configured to simpler standards. And often, the companies that make them just don't seem to have ever thought about security.
This problem was highlighted by vulnerabilities in traffic sensors, made public by a security researcher in 2014. The sensors lacked basic protection and were easily hacked, but the company responsible denied it had a problem and said that its users didn't want security or encryption - its customers didn't have the resources to manage thousands of complex devices.
To add to the mess, the compromised devices, which should only have been sold to government customers, were found on eBay, and it took the company over a year to patch the vulnerabilities. They just didn't seem to have considered security, in the device's design, in its configuration, support, supply chain etc.
The network may be able to take some of the burden of detecting compromised devices, but it's no guarantee. A compromised device may only show a small misalignment, or minimal loss of data over time, so that alarms are not tripped. Or aberrant behaviour might simply be concealed - Stuxnet intentionally hid the physical malfunctions it was causing, and that was six years ago. Network monitoring will also have to scale to unprecedented levels to watch a whole smart system.
Realistically, the level of risk facing IoT devices require a change in mindset - smart cities should be planning for the ‘when', not the ‘if'. The relatively short history of cybersecurity shows that even the biggest organisation can be hacked, and while IT security is the first line of defence, the burden cannot rest solely with the IT guys. Planning to minimise the damage of a successful attack should be an equal part of the equation, and disaster recovery and resilience are as important as perimeter controls and firewalls. Smart cities present too big and complex a target to avoid every single attack, but the systems involved are too sensitive to go down, in this case, the cure is more important than prevention.