- The integration of technology into city infrastructure is also widening the ways in which municipal security can be compromised.
- Hacks on infrastructure are not unheard of and there’s a very real risk of a crisis occurring.
- Businesses often have cyber security response protocols in place – but the framework for a citywide response is absent.
With urban populations set to increase by 60 million annually¹, it’s inevitable that authorities worldwide will seek to deploy the next generation of solutions to help accommodate their burgeoning cities.
The technology to support this will often comprise the internet of things (IoT): a network of internet enabled devices and sensors that can gather and communicate information.
Such IoT enabled components can range from solar powered waste bins that alert rubbish collectors when the bin is full², to more essential utilities such as smart power grids and smart energy meters that monitor and provision energy usage. Critical infrastructure systems also rapidly becoming ‘smart’ include water management, wastewater disposal, and transportation.
Greater urban innovation, growing vulnerability
This technological enablement of a city is just one of the elements that go into making it smart. In its 2016 Smart Cities Plan³, the Australian federal government set out its intentions to take advantage of disruptive new technologies in areas such as transport, communication and energy efficiency in order to drive sustainability and innovation.
The collection of real-time data enables timely reactions by municipal authorities as significant changes are reported as they happen, which also helps to limit the extent of any damage in case of an incident.
However, the rapid integration of technology into infrastructure is also widening the ways in which municipal security can be compromised (what’s known as an increase in its ‘attack surface’). This is because as more services, devices and systems become interconnected, there are more elements hooked into a network that could potentially be compromised by outside sources.
Ultimately, rogue access and deliberate or inadvertent abuse of this technology could bring a busy commercial centre to a halt – or worse.
Getting under the city’s skin
In November 2016, the San Francisco municipal railway was hit by a ransomware attack4, which took all fare systems offline for an entire Saturday. The hackers unsuccessfully attempted to extort tens of thousands of dollars from the railway agency.
That same month, the heating systems of two apartment blocks in Finland were shut down through a Distributed Denial of Service (DDoS) attack (in such attacks, the system is overwhelmed and ultimately taken offline after being bombarded by large volumes of traffic). The attack lasted for a week over winter, during which the building’s central heating and hot water systems were out of service. And in early April this year, all 156 of Dallas city’s emergency sirens went off simultaneously after its tornado warning systems were hacked5.
The potential for a coordinated attack
The examples above are attacks on different aspects of the modern city. Consider, then, a series of coordinated incidents. There is the potential for trains, traffic control systems, mobile phone networks and power supplies, for example, to be shut down simultaneously.
There’s no shortage of motives for accessing the critical infrastructure of cities, either, from a desire for political advantage to a plan to exfiltrate a competitor’s intellectual property.
The consequences of such an attack affect everyone: from city residents, to targeted businesses and their service providers and supply chain partners, right through to state and federal authorities.
Existing response protocols for cyber attacks
Presently, individual companies have incident response plans and procedures, but these only cover their own data and systems.
Meanwhile, the Australian government, through the Australian Signals Directorate (ASD)6, provides cyber incident reporting and response assistance to government departments. The Computer Emergency Response Team, CERT Australia7, provides technical guidance, incident response coordination and cyber architecture advice for businesses.
However, beyond the ASD and CERT protocols, a cyber response framework that covers major incidents or crises that simultaneously target city infrastructure, services and businesses, doesn’t appear to be in place.
Planning for a secure smart city
We may not have such a framework, but it’s increasingly important that we have one.
There are three elements that should be included:
- A methodical definition of what constitutes a smart city cyber crisis.
- Agreement on the parties that would be responsible, consulted or informed during the response period.
- A response plan or approach, which is routinely tested to monitor effectiveness.
Australia wouldn’t necessarily have to start from scratch, either. In July 2016, the US government issued the United States Cyber Incident Coordination directive, which sought to provide a more integrated and structured response to cyber incidents affecting US national security interests, foreign relations, or its economy. Why not use such a directive as a basis for our own crisis response framework?
Who leads the effort?
The coordination required to effectively manage and contain a cyber crisis affecting an entire city is far more complex than managing that of a business. It requires the cooperation of a diverse range of stakeholders, from technology makers, to contractors that install and maintain the technology, representatives of organisations affected by the crisis, local or state departments, and federal agencies.
As such, any response will demand a coordinating agency, whose role would be to manage a crisis, liaise with stakeholders and organise necessary response activities such as emergency services.
Tackling the smart city security issue early on
If we all have a part to play in ensuring the safety of our cities, then enacting a cyber response framework is one thing. But there’s another crucial element that needs to be addressed.
The value of the global smart city technology market is estimated to grow to over US$3.3 trillion by 20258. Manufacturers and vendors are producing smart technology and IoT connected devices at an incredible – and increasing – pace.
To keep up with demand, often the security aspects of the technology will either be deprioritised or inadvertently ignored during design or deployment. More devices, with weaker security controls, means a network that can be compromised more easily.
From ensuring each link in the chain is secure, to building a robust response plan that minimises the harm to business, property and life, there is still a lot of action that needs to be taken to protect our cities. After all, if we let security fall by the wayside, our cities – no matter how much technology they implement – can hardly be deemed ‘smart’ at all.
This article is by Omaru Maruatona, a manager in PwC Australia’s Cyber Security and Forensics team.