Smart City network infrastructure demands a proactive approach to find vulnerabilities before hackers find them
Smart technology continues to change how people live and interact with the cities around them. While the full value of a connected city evolves – one that leverages innovations powered by artificial intelligence and machine learning – cybersecurity stands as one of its greatest challenges.
The Smart City Conundrum
While the promise of Smart Cities provides municipalities and inhabitants with the efficiency and value of “smart” services, it also creates a cybersecurity challenge. Each connected component – from devices to the network infrastructure – offers a potential entry point for hackers to steal data, damage systems, and gain access to information they shouldn’t have.
Smart City ecosystems could be filled with tens of thousands of Internet of Things (IoT) devices communicating over public network infrastructure. For the Smart City to succeed, each IoT device must be low power, exhibit excellent performance, be able to withstand interference, and be reliable. These devices will operate with the free flow of data between them and the network infrastructure that connects them. How do Smart Cities ensure that each part of the Smart City ecosystem – the devices and network infrastructure – remains secure?
Smart City device security begins at the component level
Smart City device manufacturers — from smart lighting and water systems to smart traffic management systems and transportation systems — serve as the first line of defense when it comes to security. Each device may feature many technologies working together such as chipsets, sensors, communications protocols, firmware and software. These technology components must be built or sourced with security in mind.
Security testing of components and devices should not be an afterthought, but a proactive part of the design and manufacturing process. Best practices may include:
• Communication protocol testing – For example, Bluetooth vulnerabilities like SweynTooth and BrakTooth in communication chipsets could open the door to hackers. BrakTooth vulnerabilities recently impacted billions of devices from the system-on-a-chip (SoC) in more than a thousand chipsets used in laptops, smartphones, IoT and industrial devices. Protocol-level vulnerabilities like these are difficult to detect. While the security community has established best practices for discovering application-level vulnerabilities, protocol-level vulnerabilities are much harder to pinpoint. The only way to test for these kinds of vulnerabilities is protocol fuzzing, which detects vulnerabilities during the communications handshake or hand-off process.
• Cybersecurity firmware, software and password update capabilities – Cybersecurity threats and vulnerabilities change over time. Many headline-making IoT security incidents have been caused by poor passwords and out-of-date firmware. Device manufacturers can take simple steps to enable Smart City device owners to strengthen authentication and provide methods to update firmware and software as the cybersecurity landscape evolves over the lifetime of their devices.
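To illustrate the protocol fuzzing practice listed above, the following added example (not from the original article or any vendor's code) fuzzes two parsers for a hypothetical handshake message. The message format, `parse_naive`, `parse_strict` and the seed message are constructed assumptions for illustration and do not represent Bluetooth or any real stack.

```python
import random

BUF_SIZE = 16                                  # models a fixed firmware receive buffer
SEED = bytes([0x01, 8]) + b"DEVICE01"          # constructed valid HELLO: type, length, payload

class ProtocolError(Exception):
    """Controlled rejection of a malformed handshake message."""

def parse_naive(msg):
    # Trusts the declared length field. Out-of-range access surfaces as IndexError
    # here, where C firmware would read or write past the buffer.
    msg_type, declared = msg[0], msg[1]
    buf = bytearray(BUF_SIZE)
    for i in range(declared):
        buf[i] = msg[2 + i]
    return msg_type, bytes(buf[:declared])

def parse_strict(msg):
    # Validates header presence and length consistency before touching the payload.
    if len(msg) < 2:
        raise ProtocolError("truncated header")
    msg_type, declared = msg[0], msg[1]
    if declared > BUF_SIZE or declared != len(msg) - 2:
        raise ProtocolError("length field does not match payload")
    return msg_type, msg[2:2 + declared]

def mutate(seed, rng):
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:      # corrupt one byte (sometimes the length field)
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:    # truncate mid-message
        del data[rng.randrange(len(data)):]
    else:                # append trailing bytes
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(parser, iterations=500, rng_seed=1):
    rng, findings = random.Random(rng_seed), []
    for _ in range(iterations):
        case = mutate(SEED, rng)
        try:
            parser(case)
        except ProtocolError:
            pass                               # clean rejection is the desired outcome
        except Exception as exc:               # anything else is a finding to triage
            findings.append((case.hex(), type(exc).__name__))
    return findings

if __name__ == "__main__":
    print("naive findings:", len(fuzz(parse_naive)))
    print("strict findings:", len(fuzz(parse_strict)))
```

Both parsers accept the valid seed message, so a test that only sends well-formed traffic would not tell them apart; only the malformed cases do.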
Unfortunately, once a device is purchased, there is little a Smart City can do to improve its security, so making the right purchase is the key to success. The purchasing process should consider cybersecurity in the “bill of materials” (BOM), requiring that the device manufacturer has considered component and device cybersecurity and can validate that its devices passed appropriate cybersecurity testing. Smart City owners should keep in mind that over time, smart device manufacturers may continue to develop new devices with short product cycles. This means that owners will need to understand that manufacturers may accelerate dropping support for older devices.
Taking the risk out of the Smart City network
The second line of defense in a Smart City is network infrastructure. In a Smart City, the back-end network is the nerve center that keeps everything running smoothly. That’s why it’s important for Smart Cities to rigorously test their back-end network’s security posture including policies and configurations on a continuous basis.
There is additional network infrastructure to consider. Smart Cities now connect operational technology (OT) systems such as water and energy utilities to Smart City network infrastructure. These OT connections increase the risk to the network since they are prime targets for bad actors. OT systems traditionally existed as stand-alone city infrastructure separated from the connected network. Now, newly connected to the shared network infrastructure, OT systems must be secured like traditional IT systems.
Smart City owners should follow cybersecurity best practices to improve their overall network security posture. Smart City network infrastructure demands a proactive approach to find vulnerabilities before hackers find them. A proactive approach includes utilizing breach and attack simulation tools to continuously probe for potential vulnerabilities. Adopting these tools can:
• Prevent attackers from moving laterally across the network
• Avoid “configuration drift” where system updates and tool patches cause unintended misconfiguration and leave the door open to attackers
• Reduce dwell time by training your security information and event management system to recognize indicators of compromise for emerging or common attacks.
Smart Cities promise to deliver value from big data and analytics. However, for every new connection, there’s an attacker looking to exploit it. For Smart Cities to truly live up to their promise, we shouldn’t forget that – like all infrastructure – safety and security are a top priority.