We live in a connected world with traffic controllers, vehicles, and buildings—to the point that cities are smart enough to adapt to human needs and are designed to function efficiently and effectively at the highest levels. With this connectivity comes dangerous vulnerabilities.
Despite the fact that we are still in the early stages of the smart city revolution, it is estimated that more than 2.3 billion connected devices have been deployed in smart cities worldwide. Traffic controls, vehicles, and buildings are all connected to the point where cities are smart enough to adapt to human needs and designed to work at the highest possible levels of effectiveness, power efficiency, and safety.
The common threads in all of this are infrastructure, communications, and intelligence. They are all vulnerable to hacking and cyber-attacks. Atlanta, Baltimore, Greenville, NC, and other cities have experienced high-profile attacks in recent years. If manufacturers of internet-connected devices and municipal internet infrastructure do not adopt more suitable security policies, procedures, and protocols, such incidents will become more frequent.
Atlanta was crippled by the SAMSAM ransomware last year, which impacted about 30% of the city's "mission critical" applications for about two weeks. City officials refused to pay a $50,000 ransom demand by hackers. Officials in Atlanta reported that a 'decade's worth' of legal documents and 'years' of police dashboard camera evidence have been erased from their computers, creating far-reaching consequences for law and order. According to the Atlanta Journal Constitution, the city lost about $17 million in the hack.
A year later, Baltimore was hit by the RobbinHood ransomware in an attack that cost the city more than $18 million. The attack shut down the city's servers and left it without email or telecommunications, disrupting real estate transactions and bill payments, as well as emergency services.
Why are cities so vulnerable to dangerous attacks?
Let's look at the infrastructure first. The reprogramming of traffic lights and controls by cyber criminals has resulted in major traffic jams. Various digital traffic signs have been accessed and misused by others.
Most of these attacks did not cause any harm. With the advent of autonomous vehicles, that situation will change. In the near future, delivery trucks, buses, taxis, and personal vehicles will all be autonomous. A promise of autonomous vehicles is that, by communicating with each other and with a city's traffic system, they will be much safer and more efficient. This communication, however, requires close coordination between vehicles- possibly traveling at high speeds, just inches apart.
If one of these vehicles is hacked and loses its communication and can no longer coordinate with other vehicles, what will happen? Traffic will likely become tangled as a result. The hack could cause serious accidents, possibly resulting in injuries or even death for the passengers and/or pedestrians nearby.
Smart cities are also at risk from environmental controls within buildings. In retail stores, offices, and residences, ensuring the right temperature and humidity levels is a complex dance, balancing energy use with occupant comfort. Similarly, a hacker who gains access to the building's environmental control system can wreak havoc, rendering the building uninhabitable or even dangerous. The hacker could operate elevators, escalators, and internal doors if he gained access to the building's controls. A malicious hacker could trigger fire alarms and fire extinguishers and sprinkler systems, causing a great deal of disruption as emergency personnel rush to respond to incidents that may or may not actually occur.
Physical security should also not be overlooked. Hackers who gain access to a building's management system could remotely open and close external doors, allowing criminals to enter and trapping workers and residents inside.
Another example is the ability to remotely control utilities from afar. A hacker who gains access to critical systems could turn on and off the power to a city, turn off heat on a freezing day, cut water supplies, or interfere with sanitation and sewage. The utilities listed above are all controlled over the internet and could be targets for hackers.
All of this is in addition to the many traditional IT systems that each city needs to function. The government, schools, first responders, vendors and service industries that keep them running rely on digital operations to do their jobs. Consider the effects on a city and its residents if the city's computerized back-office stops working for critical services like food and fuel distribution. City operations can be disrupted just as much by cyberattacks on private industry as by attacks on smart infrastructure.
An attack does not need to control systems directly to cause havoc. As with the ransomware attacks above, criminals can easily hold hostage critical city systems and infrastructure networks, demanding hundreds of thousands of dollars or even millions of dollars to release a city from their grip.
A malware infection can spread. The traffic communication system could be hacked by a hacked traffic light in the intertwined maze of internet-connected "things.". The traffic communication system could be hacked by a hacked traffic light in the intertwined maze of internet-connected "things.". In the intertwined net of internet-connected "things," the traffic communication system could be hacked by a hacked traffic light. From there, it could spread to the emergency and first responder systems of the city. Thereafter, a smart city's entire systems could be crippled.
So how do we protect the smart city?
The first step is securing networked and enterprise level infrastructure systems so that only approved people and commands can access these systems. Attacks on network infrastructure can be limited by using the latest network security appliances and certificate-based authentication on all systems.
Additionally, we should be securing the many connected devices that people use on a daily basis, such as smartphones, smart watches, laptops, tablets, and notebooks, as well as IoT devices such as fitness and health monitors, building control systems, or traffic management systems. To avoid becoming a hacker target, each device must have security built in. Laptops, smartphones, and tablets have security solutions, but IoT devices require specialized embedded security solutions. They are too small to run traditional security solutions. These devices require specialized security solutions designed for IoT devices, such as secure boot, secure firmware updates, secure communication protocols, and strong authentication systems based on digital certificates.
What about autonomous vehicles and cars? The modern automobile is basically a network on wheels. Many of these vehicles do not provide adequate protection for their networks, sensors, and electronic control units (ECUs). As vehicles become more sophisticated and autonomous, they will be even more susceptible to attacks.
In order to protect the car's data, control systems, and communication, embedded security solutions can be implemented to secure the car's brain (the ECUs).
As a final point, we should not neglect the traditional IT systems that keep municipal data, employees, web sites, and services operational. In order to breach this type of infrastructure, would-be attackers already posses a full kit of tools and techniques. It is important for IT departments to implement the best and most current security practices and solutions to prevent the damage that can arise from compromising their traditional architecture.
Due to the increasing complexity of computer and data networks in our cities, utilities, buildings, and cars, their vulnerability to bad actors and cyberattacks is increasing as well.
Managers of cities and networks can mitigate these risks now with proven steps. It is possible to inoculate connected devices against cyberattacks both now and in the future by implementing protocols and technologies. We must make security a priority throughout the entire manufacturing process, from the assembly line to the deployment and management of systems. Our technology leaders, engineers, and designers, along with our STEM training universities must master the latest security best practices and technologies.