India is moving towards Smart Cities and has developed a design and budget to build them. No doubt, a network of smart cities in any country can boost the national economy and improve the lives of citizens.
A key point to consider when designing an IoT blueprint is the security of the IoT devices – how can we secure the increased amount of data produced? What’s concerning is that India’s IoT policy, developed by the Ministry of Electronics & Information Technology, is still in its draft stage. When you have millions of IoT devices – which could be your connected smartphone, car, home, street lamps, smart grid, water or waste management, the bus you use for your daily commute or eGov services – they will share an unimaginable amount of data amongst themselves. While sharing real-time information will help to optimize the use of resources, the increased volume of data can be prone to cyber-attacks, which can wreak havoc on a city or an individual.
By 2020, there will be more than 50 Billion Internet-connected devices that will transform the way we live and work. According to the Tripwire survey “Cyber Attacks Against Smart City Services May Pose Public Safety Threat”:
- 81 percent of the respondents believe a cyber-attack targeting critical city infrastructure could cause physical damage.
- 83 percent of the respondents are worried about cyber-attacks that target smart city transportation initiatives.
- Only three percent of the respondents believed there would not be a cyber-attack against smart city services this year.
However, at what point and how do you secure the IoT? The answer may sound simple: “End-to-End IoT Security”, but it actually takes very meticulous planning and use of state-of-the-art technology.
Let’s explain what we mean, using the example of a Connected Car.
- Data in the connected car (in device): Your connected car will have its own digital identity through which it will communicate with other devices in the IoT. This identity resides within the device and needs to be kept secure using parts of the IoT application such as eSIM and secure communication modules.
- Data in transit (sent to/from cloud server): The car’s identity data and the information it collects are exchanged between the device and a cloud server through a communication medium such as a cellular network (2G, 3G or 4G/LTE). This also needs to be kept secure, which can be achieved by encrypting data in motion.
- Data at cloud server: Once the data reaches the cloud server, it needs to be kept secure using encryption keys. To make it more secure, these encryption keys can further be secured and encrypted using master encryption keys. For further security, we can have HSM (hardware security modules) for management of these encryption keys.
- Access level: The huge volume of data collected through the IoT network will need to be accessed by various people for different types of work. That is why we must maintain multiple secure access levels, depending on the requirements of different stakeholders, so they can access only the data they need. This can be done using Identity Access Management solutions, while public key infrastructure (PKI) smart cards, one-time-password generator devices, or even digital signature devices can be provided.
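The “Data at cloud server” step describes what is usually called envelope encryption: each record is encrypted under its own data key, and that data key is stored only after being encrypted under a master key. The sketch below is an added example, not code from the original post; the function names, the record layout and the device ID are assumptions, and the master key is a plain buffer standing in for a key that would stay inside an HSM.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM. Output layout: 12-byte nonce | 16-byte tag | ciphertext.
// aad (here the device identity) is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Throws if the key, the aad or any byte of the blob is wrong.
function unseal(key, blob, aad) {
  if (blob.length < 28) throw new Error('truncated ciphertext');
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Cloud side: a fresh data key per record, stored only in wrapped form.
// masterKey stands in for a key that never leaves an HSM in production.
function storeTelemetry(masterKey, deviceId, telemetry) {
  const aad = Buffer.from(deviceId);
  const dataKey = randomBytes(32);
  const record = {
    deviceId,
    wrappedKey: seal(masterKey, dataKey, aad),
    data: seal(dataKey, Buffer.from(telemetry), aad),
  };
  dataKey.fill(0); // zero our copy of the plaintext data key
  return record;
}

// Unwrap the data key with the master key, then decrypt the record.
function loadTelemetry(masterKey, record) {
  const aad = Buffer.from(record.deviceId);
  const dataKey = unseal(masterKey, record.wrappedKey, aad);
  return unseal(dataKey, record.data, aad).toString();
}

// Master key rotation re-wraps the small data key; bulk data is untouched.
function rewrap(oldMaster, newMaster, record) {
  const aad = Buffer.from(record.deviceId);
  const dataKey = unseal(oldMaster, record.wrappedKey, aad);
  return { ...record, wrappedKey: seal(newMaster, dataKey, aad) };
}
```

Because the device identity is bound in as associated data, a record copied under another car's ID fails to decrypt instead of silently yielding the wrong vehicle's data.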
Vulnerabilities of Smart Cities
Internet of Things (IoT) based smart devices are the enabler for effectively converting a city into a smart city. They are extensively used in traffic and surveillance cameras, meters, street lights, traffic lights, smart pipes and sensors, and are easy to implement.
Every new technology and innovation brings in new Risks and Vulnerabilities. These vulnerabilities would impact the city administration, residents, businesses and other organizations alike that conduct business there.
As cities become smarter with the implementation of IoT technologies, consider what could happen if one or more technology-reliant services fail to function.
- What would commuting look like with non-functioning traffic control systems, no streetlights, and no public transportation?
- How would citizens respond to an inadequate supply of electricity or water, or to dark streets, and no cameras?
- What if garbage collection is interrupted in the summertime and the smell of refuse stinks up the streets?
Anybody can guess that it would probably cause a lot of chaos and inconvenience in any city, and it does not take long before these issues create major concerns.
Smart IoT devices create huge potential for cyber-attacks due to numerous vulnerabilities, making the future of smart cities more vulnerable than today’s computers and smartphones. People residing in such a city might face a panic attack when they are made slaves of their “cyber masters/criminals for Ransom.” This scenario might not be as unlikely as you think.
Cyber Attacks on Smart Cities
Simple vulnerabilities, if not addressed, can cause big problems and have a big impact. Whether it’s a water barrage or power grids, financial institutions, water systems or online networks, all these infrastructures are going to be at risk and under threat like never before, and we need to do more to safeguard them. Technologies used by smart cities would pose a major cyber security threat and open the door for several possible cyber-attacks. Each new city technology or system creates a new opportunity for cyber attackers. Some of the key technologies and systems that together make up the smart city’s complex attack surface are:
- City Surveillance: Traffic and surveillance cameras are the eyes of the city and by attacking them with DoS attacks, attackers can make cities blind.
- Smart Street Lighting Systems: Wireless street lighting systems are being deployed in many cities around the world. Most systems use wireless communications and have hardly any strong encryption. Attacks on smart street lighting systems are not complex and can have a big impact by causing street blackouts in large areas.
- Traffic Control Systems: Traffic control systems could be easily hacked, as some of the IoT and sensor devices used have no encrypted communication between traffic control systems and traffic lights, traffic controllers, and so on, allowing an attacker to intrude and change traffic lights.
- Location-based Services: Many services are going location-based, which means GPS spoofing and other attacks are possible. People get real-time location information, and if the location is wrong, then people will make decisions based on incorrect information. The nature of the impact depends on the extent to which a city relies on the services affected.
- Public Transportation: Just by manipulating public transportation information systems to display incorrect information, it’s possible to influence people’s behavior to cause delays, overcrowding, and so on.
- City Management Systems: Every city has hundreds of systems to manage different services and tasks. Hacking these systems would give an attacker a lot of options to cause harm. Just as simple software bugs can create significant harm, manipulating simple information could also have a seemingly outsized security effect.
- Cloud Infrastructure: City servers and cloud infrastructure are exposed to common Distributed Denial of Service (DDoS) attacks. Servers and cloud infrastructure are cheaper targets for cyber criminals or cyber terrorists.
- Smart Power and Water Grid: Attacks on smart power and water grids could be devastating, causing millions of dollars in losses and even loss of life.
Securing Smart Cities
Some of the vulnerabilities of smart cities should be plugged by incorporating security from the design stage itself, while working out policies and procedures, a risk framework and an architecture that make stakeholders accountable. Securing smart cities should follow a holistic approach, with these key indicators:
- Legal, regulatory and compliance frameworks for the organizations.
- Implementation of any networks/systems and IoT devices with proper periodic vulnerability assessment and penetration testing.
- Fixing security issues in the network as soon as they are discovered. A city can continuously be under attack if issues are not fixed as soon as possible.
- Capacity building – developing standards, manpower; developing professional certification and agency certification.
- Cooperation between intra-state, intra-agency, public-private partnerships and international players.
- Creation of Centre of Excellence in Cyber Security that can handle incidents, vulnerability reporting and patching, coordination, information sharing, etc.
Smart cities should adopt smart thinking and become proactive in cyber defense before they are penetrated. What do you think?
This post was written by Prime Research Team