As the ubiquity of technology infiltrates further into our cities’ infrastructure we are becoming more and more at risk of cyberattacks. Professor Rob Kitchin discusses where the biggest fault lines are, and how we might avoid any possible disaster.
Smart city solutions utilise complex, networked assemblages of digital technologies and ICT infrastructure to manage various city systems and services. Any device that relies on software to function is vulnerable to being hacked. If a device is networked, then the number of potential attack points multiples across the network, and the hack can be performed remotely. Once a single device is compromised, then the whole assemblage becomes vulnerable to cyberattacks that seek to alter, disrupt, deceive, degrade or destroy computer systems and networks or the information and/or programs resident in or transiting these systems or networks.
There are three forms of cyberattack: availability attacks that seek to close a system down or deny service use; confidentiality attacks that seek to extract information and monitor activity; and integrity attacks that seek to enter a system to alter information and settings (such as changing settings so that components exceed normal performance, erasing critical software, or planting malware and viruses). The vulnerability of smart city systems is exacerbated by a number of issues including weak security and encryption; the use of insecure legacy systems and poor maintenance; large and complex attack surfaces and interdependencies; cascade effects; and human error and disgruntled (ex)employees. The result is that the process of making city systems and infrastructures ‘smart’ has also made them vulnerable to a suite of cyber-threats.
Cyberattacks can target every type of smart city solution and particular system components. There are a number of weak points – including SCADA systems, the sensors and microcontrollers of the Internet of Things, and communication networks and telecommunication switches.
Various forms of urban infrastructure, including the electricity grid, water supply, and traffic control, rely on SCADA (supervisory control and data acquisition) systems that are used to control functions and flow. These systems measure how an infrastructure is performing in real-time and enable either automated or human operator interventions to change settings. SCADA systems can be traced back to the 1920s, but were extensively rolled out in the 1980s. As a consequence, many deployments are quite dated. Many have been found to operate with their original security codes.
In some cases, while the infrastructure is relatively secure, the communications network is vulnerable. A number of SCADA systems have been compromised, with hackers altering how the infrastructure performs, or causing a denial-of-service, or have stolen data. Probably the most infamous SCADA hack was the 2009 Stuxnet attack on Iran’s uranium enrichment plant in which the system was infected by malware that destroyed a number of centrifuges by running them beyond their design specifications. By 2010 over 90,000 Stuxnet infections were reported in 115 countries.
Electricity grids, controlled by SCADA systems, are at particular risk from hackers. Electricity grid utilities in the US report being under near constant cyberattack, with one utility recording that it was the target of approximately 10,000 cyberattacks each month. As smart grids and smart meters are installed, the number of potential access points to grid networks increases enormously.
Internet of Things
The Internet of Things refers to the connecting together of machine-readable, uniquely identifiable objects across the Internet. Some objects are passive and can simply be scanned or sensed (such as smart cards with embedded RFID chips used to access buildings and transport systems). Others are more active and include microcontrollers and actuators. All kinds of objects that used to be dumb, such as fridges, thermostats and lights, are now becoming networked and smart, generating information about their use and becoming controllable from a distance.
Moreover, sensors can be embedded into the urban fabric and throughout critical infrastructures to produce data concerning location, proximity, velocity, temperature, flow, acceleration, sound, vision, force, load, torque, pressure, and interactions’. Sensors and microcontrollers are hackable as they often have little effective security, encryption, or privacy protocols in place. RFID chips, for example, can be hacked, jammed and spoofed.
Communication networks and telecommunication switches
The Internet of Things are linked together via a number of communications technologies and protocols. Each of the modes of networking and transferring data are known to have security issues that enable data to be intercepted and provide access to devices. Likewise, telecommunication switches that link together the local and long distance internet infrastructure are known to have vulnerabilities including manufacturer and operator back-door security access and access codes that are infrequently updated.
Transport management systems and vehicles
There have been a number of cyberattacks on transport management systems in recent years, as well as proof-of-concept demonstrations of possible attacks. For example, a cyberattack on a key toll road in Haifa, Israel, closed it for eight hours causing major traffic disruption. A research team from the University of Michigan managed to hack and manipulate more than a thousand traffic lights in one city using a laptop and wireless radio. Likewise, IOActive Labs have hacked traffic control sensors widely used around the world and altered traffic light sequencing and interactive speed and road signs.
A teenager in Lodz, Poland, managed to hack the city tram switches, causing four trams to derail and injuring a number of passengers. In the US, air traffic control systems have been hacked, FAA servers seized, the personal information of 58,000 workers stolen, and malicious code installed on air traffic networks. Vehicles themselves are also open to being hacked given that a new car contains up to 200 sensors connected to around 40 electronic control units and can connect to wireless networks.
A recent Wired article details how two hackers were able to remotely hack a car through its internet computer that controls entertainment and navigation systems, facilitates phone calls and can provide a wifi hotspot, using it as a route to replace firmware that enabled them to take control of the car’s internal computer network. The hackers could then take over the driving of the car from over 10 miles away, turning the driver into a passenger.
Building management systems
Building management systems are often considered an aspect of property services rather than IT services and cybersecurity is not a key issue in purchase or operation. The consequence is weakly protected systems, often still configured with manufacturer codes. Moreover manufacturers often do not have processes in place for responding to vulnerabilities or a notification process to inform customers about security threats. The vulnerabilities of building management systems pose two main threats. The first is that if they are hacked building operations could be disrupted and safety risks created. The second is that they provide a potential route for breaking into enterprise business systems and critical company data if they share the same network.
Cities are full of a plethora of CCTV cameras; some owned and controlled privately, others by public authorities and police services. The security of these cameras is highly variable, with some lacking encryption or usernames and passwords, and others open to infection by malware and firmware modification. Accessing a camera provides a means to spy on individuals, such as viewing home presence or using a bank ATM camera to monitor the digits being pressed. Demonstrating the scale of the issue, one website provides access to the feeds of thousands of unsecured or poorly secured cameras (uses admin passwords) from 152 countries. Cameras can also be turned off, with some lacking the function to be restarted remotely.
Many cyberattacks are relatively inconsequential, such as probes and address scans, and are unsuccessful, while a small number are much more significant and involve a security breach. In a 2014 study of 599 utility, oil and gas, energy and manufacturing companies nearly 70% reported at least one security breach that led to the loss of confidential information or disruption of operations in the previous 12 months; 78% expected a successful attack on their ICS (industrial control systems) or SCADA systems in the next two years.
Cyber-attacks can be performed by hostile nations, terrorist groups, cyber-criminals, hacker collectives, and individual hackers. Former FBI director, Robert Mueller, details that 108 nations have cyber-attack units, targeting critical infrastructure and industrial secrets. The majority of attacks are presently being repulsed using cyber-security tools, or their effects have been disruptive or damaging but not critical for the long term delivery of services. Indeed, it needs to be recognised that to date, successful cyber-attacks on cities are still relatively rare and when they have occurred their effects generally last no more than a few hours or involve the theft of data rather than creating life threatening situations.
That said, it is clear that there is a cyber-security arms race underway between attackers and defenders, and that more severe disruption of critical infrastructure has been avoided through the threat of mutually assured destruction between nations. This is not to suggest that smart city initiatives should be avoided, but rather that the cyber-security challenges of creating secure smart cities should be taken seriously. It is likely that cyber-attacks will increase over time, they will become more sophisticated, and that they have the potential to cause significant disruption to city services and the wider economy and society.
Deconstructing the Smart City: Q&A with Professor Rob Kitchin
Does the benefit of developing smart cities outweigh the potential risk of cyberattack? Can you outline some of the key benefits?
The principal argument for deploying smart city technologies are that they potentially help solve pressing urban problems, or at least ameliorate them. The promise is that employing digital technologies in urban settings will improve efficiency, productivity, safety, security, quality of life, transparency, and accountability, and lead to a better governance, a stronger economy, a more vibrant civic sphere. It is relatively straightforward to argue that these benefits outweigh the risks of cyber-attack – as long as cyber-attacks do not become so frequent and damaging that cities begin to fail systemically. Without strong cyber-security that is a possibility.
What kind of cyber-attacks are Ireland’s current smart city initiatives vulnerable to?
All cities globally are open to the same kinds of cyber-attacks, such as simple phishing scams to gain usernames and passwords, denial of service attacks, remote hacks that take control of a system, or steal critical data, or seek to do damage by altering settings or shutting a system down.
Can you identify a vulnerability you think needs particular attention?
The two I think need particular attention at present are legacy systems and the Internet of Things (IoT). Many smart city technologies are layered onto much older infrastructure that relies on software and technology created 20 or 30 years ago which has not been upgraded for some time, nor can these systems be easily migrated to newer, more secure systems. These technologies can create inherent vulnerabilities to newer systems by providing so-called ‘forever-day exploits’ (holes in legacy software that vendors no longer support and thus will never be patched).
IoT is widely acknowledged as being particularly vulnerable, at present. IoT consists of any object that is linked to the internet and can be accessed/controlled from a distance. It can be difficult to ensure end-to-end security of IoT because most sensors and low-powered devices on the market do not have sufficient computing power to support an encrypted network link. Also, IoT systems are large and diverse, with many interconnected systems meaning they have extensive attack surfaces and it is difficult to know how all the components are exposed and to mitigate risks. IoT systems can also be used to perform other kinds of hacks, as with the Dyn denial of service attacks in autumn of 2016 in which many significant websites were disrupted by the Mirai botnet that took over unsecured IoT devices and used them to bombard Dyn servers.
What precautions need to be taken to prevent a cyber-attack?
The main solutions at present are traditional cyber-security approaches such as the use of access controls (username/password, two-stage authentication, biometric identifiers), properly maintained firewalls, virus and malware checkers, end-to-end strong encryption, routine software patching, audit trails of usage logs, and effective offsite backups and emergency recovery plans. These techniques aim to reduce attack surfaces as much as possible, to make the surface that is visible as robust and resilient as possible, and to make the system easily recoverable after failure. Ideally, we technologies should be developed using a security-by-design approach. That is, security should be part of the design process, rather than designing and building the system and then trying to work out how to secure it (which most commonly happens). If a cyber-attack does occur than there should be a Computer Emergency Response Team (CERT) that flies into action to try and mitigate its effects and restore order.
Is there a point at which you think we should avoid connecting fundamental infrastructure to a system that can be accessed remotely?
I think the strategy of prevention through ‘air-gapping’ (physically isolating digital technology) is something to be considered. The most obvious example is nuclear power plants or nuclear weapons. The risks of these being accessed and sabotaged in some way has to out-weigh any benefit gained from them being networked. I think we also might want to consider whether the supposed benefits of smart city technologies are actually being gained and to assess the return on investment against the costs and potential risks. If little is being gained then rather than exposing the city to potential risks alternative solutions should be pursued.
Is the movement towards data sharing putting citizens’ private information at risk?
Undoubtedly. Data security is a live issue and there is hardly a month goes by without a news story detailing that millions of customer records have been compromised. Some smart city technologies generate personally identifiable information such as names, addresses, faces, vehicle license plates, smart card details, and also track location, movement and actions. It is critical to try and protect these data from theft and pernicious use.
Rob Kitchin is a professor and ERC Advanced Investigator in the National Institute of Regional and Spatial Analysis at Maynooth University, for which he was director between 2002 and 2013. He is currently a principal investigator on the Programmable City project, the Digital Repository of Ireland, the All-Island Research Observatory and the Dublin Dashboard.