The rapid growth of embedded computing and the “Internet of Things” (IoT) have been felt in many industries and areas, but few organizations and jurisdictions have been affected as quickly and as deeply as cities. The emergence of “smart cities” – those cities that “…integrate cyber-physical technologies and infrastructure to create environmental and economic efficiency while improving the overall quality of life” – have created important increases in the understanding of infrastructure usage, improved efficiency, and better service provision to citizens. That said, the emergence of smart cities – and the installation and utilization of vast networks of sensors and data collection platforms – have also vastly increased the potential “attack surface” that these urban areas must protect and defend.
(For a good snapshot of the growing areas included in the IoT and this growing attack surface, see the chart on page 6 of the December 2015 Internet Protocol Journal, and for a snapshot of the security and privacy concerns around the IoT see this January 2015 Federal Trade Commission staff report)
Recently the Chief Information Security Officer (CISO) of San Diego, Gary Hayslip, published two interesting essays on what he has learned from his role as a smart city CISO – in San Diego, California. Hayslip acknowledges some of the problems that make working as a CISO charged with protecting city networks challenging:
“City networks grow over time, they tend to have a collection of technologies and applications that range from being brand new to being decades old.”
“I come from working in a military environment where I had always owned the data that traversed my networks…I started to look at our data through a lens that it belongs to my neighbors and it is entrusted to me. In essence our data belongs to our citizens and we are shepherds of that data.”
“Forty departments with different business requirements… My departments have business reasons why they want to purchase that new technology or develop that new application. It’s my job to give them alternatives, to show them the risks involved with these alternatives and provide recommendations for security controls to reduce any associated risk.”
Hayslip is right to point out these challenges, and there are myriad others. The first of these, the agglomeration of numerous technologies over time and the management problems that creates, are not unique to cities – in fact the New York State Chief Information Officer (CIO) recently gave testimony describing the same challenge at the state level in the Empire State.
Other challenges, like the proliferation of sensors from transportation and energy infrastructure and the privacy challenges of data around that expansion, are more pronounced in cities than they are in larger jurisdictions like states, provinces, and at the national level. Some of the many cyber security challenges facing cities in general, and smart cities in particular, have been outlined in thoughtful analysis at various recent information security conferences.
The Information Security Community Addresses Smart City Cyber Security
Greg Conti (West Point), Tom Cross (Drawbridge Networks), and David Raymond (Virginia Tech), delivered a fascinating paper and presentation at Black Hat last summer called “Pen-Testing a City.” The authors correctly point out that...
“The information technology infrastructure of cities is different from other entities. Cities feature complex interdependencies between agencies and infrastructure that are a combination of federal, state and local government organizations and private industry, all working closely together to keep the city as a whole functioning properly. Preparedness varies widely. Some cities have their act together, but others are a snarl of individual fiefdoms built upon homegrown technological houses of cards.”
This draws on a broader insight that while, in general, the information security community is good at security risk assessment at the asset and system level, when aggregating up to the level of a political jurisdiction (city or state), many of these processes break down. They argue: “The information security community does a great job of identifying security vulnerabilities in individual technologies and penetration testing teams help secure companies. At the next level of scale, however, things tend to fall apart.” By the way, this is not only a problem in information security, but is true more broadly as it relates to infrastructure risk. Risk assessment methods and security measures often don't scale well from the asset or system to the level of political jurisdictions – see for example “The Levels of Analysis Problem with Critical Infrastructure Risk.”
Cesar Cerrudo also gave a paper and presentation last year, both of which address the threats of hacking against smart cities. Cerrudo enumerates both a long series of cyber vulnerabilities that are common to many large smart cities (from lack of patch deployment capabilities, to limited cyber incident planning, to weak or no cyber incident response teams), as well as analyzing a host of potential attack targets and vectors that could be of particular concern to cities. Cerrudo describes potential attacks on traffic control systems, street lighting systems, water and waste water systems, and potential manipulation of smart electrical grids among many other concerns.
These concerns about service interuption and physical damage are on top of and beyond the obvious vulnerabilities that result from the massive collection and storage of sensor and other data. Data that will often include varieties of personally identifiable information (PII) and information on the behavior of citizens. In fact, another California CISO, Jon Walton – of San Francisco - acknowledged several years ago that concerns around cyber security in a smart city will result in important decisions being required on the “Balancing act between collecting data and keeping personally identifiable information (PII) secure.”
Smart City Cyber Security is a National Security Concern
Authorities at the national level – in numerous countries – have also begun to take the threats to smart cities seriously.
The Department of Homeland Security’s Office of Cyber and Infrastructure Analysis (OCIA) recently released a document entitled The Future of Smart Cities: Cyber-Physical Infrastructure Risk. The paper is designed to summarize “…the insights from a technology-informed futures analysis” meaning that OCIA worked with subject matter experts on cyber risk to analyze – as Cesar Cerrudo did – the possible attack types and consequences that could result from them. The purpose is “…to help Federal, State and local analysts and planners incorporate anticipatory thinking into Smart City design and continued critical infrastructure protection efforts relating to this new technology.”
In Ireland, the Data Protection Unit of the Department of the Taoiseach (the office of the Prime Minister) recently published a paper called Getting Smarter About Smart Cities: Improving Data Privacy and Data Security. This paper frames the tradeoffs between speed of adoption and risk minimization thusly “The challenge is to rollout smart city solutions and gain the benefits of their deployment while maintaining infrastructure and system security and systematically minimising any pernicious effects and harms.”
This paper focuses more on the data protection and data privacy concerns around smart cities as opposed to the potential for attacks on cyber-physical systems. It also benefits from a “case study” and examples from a real city (Dublin), and offers “a number of suggestions for addressing trepidations about and ills arising from data privacy, protection and security issues.” The suggestions vary pretty widely… “…it advocates a multipronged approach that uses a suite of solutions, some of which are market driven, some more technical in nature…others more policy, regulatory and legally focused… and some more governance and management orientated…”
Taken together, the DHS OCIA paper (focused on the vulnerability of cyber-physical systems) and the Taoiseach Data Protection Unit paper (focused on the privacy and data protection) provide a holistic look at the broad series of concerns and risks that come along with the many valuable advantages that arise from the emergence of ever smarter cities. In conjunction with the analysis by researchers like Conti, Cross, Raymond and Cerrudo, it is possible to begin to get a sense of the increasingly complex landscape of smart city cyber security.
The national security concerns around the broader IoT – as opposed to the narrower world of smart cities – are potentially even more profound. In his recent testimony on the “Worldwide Threat Assessment of the Intelligence Community,” Director of National Intelligence James Clapper listed Cyber and Technology as the first major area of concern – before terrorism, proliferation or counterintelligence among others – and specifically called out concerns around the rapidly expanding “internet of things.” He said “…security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services.”
This is true, but the potential national security implications are even broader and deeper. He goes on to suggest that “In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.” This important insight was neatly played upon in computer scientist Nicholas Weaver’s tweet that “The NSA thanks all foreign intelligence targets who decide to install a Nest Camera.”
Ultimately, the security questions around smart cities are like most security questions - a series of tradeoffs about risk and reward. Luckily, the information security community, the community focused on urban affairs, the national security community, and numerous others are beginning to have a much more lively dialogue about these risks – it cannot come quickly enough.
As Gary Hayslip notes, “In the end, technology will eventually change cities for the better. From improvements in productivity and operations, to innovation in services that enhance the lives of citizens, the promise of smart cities is filled with benefits and rewards. The responsibility of laying the digital groundwork for smart cities falls squarely on the shoulders of cybersecurity professionals.” Indeed.