Conventional wisdom states that the top 5 things that go together and are inseparable are bread and butter, salt and pepper, bow and arrow, needle and thread and peanut butter and jelly. However, this list needs to be revised with the incoming of the latest addition which is smart cities and cyber-attacks. And the probability of cyber-attacks being able to bring down the entire world is nowhere near zero. Which in fact, is terrifying.
How smart are smart cities?
The Internet of Things (IoT) is transforming how governments are dealing with urban areas, creating what are known as “smart cities.” These cities utilise technology to connect and remotely monitor various aspects of city life such as transportation, healthcare, security, water supply, energy consumption, community involvement, economic growth, housing, and waste management. Once connectivity as such is established, it enables cities to provide better options to residents’ needs and ameliorate the efficiency of the services provided.
Smart cities rely on a three-tier infrastructure. The first layer is the compilation of a network of sensors, communication systems, and smartphones connected through high-speed networks. The task assigned to this tier is to collect data on energy usage, traffic patterns, pollution levels, and more. The second layer ups the functionality by a notch, by using applications to analyse the continuous flow of raw data, making predictions and issuing alerts, insights, or recommendations based on the recorded patterns of usage. The third layer is mainly about connectivity where it emphasises public engagement, encouraging citizens and businesses to contribute more data, thus creating an open-access system that allows them to utilise information for their own purposes.
Even though smart cities are currently in the initial phases of adopting IoT, it is projected to expand into a market worth US$30 billion by 2030. A growth as such is predicted due to the steady rise in its adoption in areas like public services, safety measures, and transportation. Therefore, it is evident that smart cities will continue to grow.
Are cyber-threats outsmarting smart cities?
Implementing smart cities bestow a range of advantages for both governing bodies and residents. However, it’s crucial not to overlook the cybersecurity vulnerabilities that come with these advancements.
While cities like Singapore, Dubai, and New York City have already integrated numerous smart technologies, the vast network of interconnected devices is susceptible to a significant security risk, because of the very same reason that these cities are made smarter. These networks become favourite targets of cybercriminals and other malicious actors who are looking forward to manipulating the system for financial gain. Therefore, despite the benefits, the potential cybersecurity risks associated with smart cities should not be underestimated or dismissed.
Clearly, smart cities are every illegal hacker’s dream. A smart city that is attacked by a hacker would be labelled as being brought down by a ‘man-in-the-middle-attack’. In a man-in-the-middle attack, a hacker infiltrates, disrupts, or impersonates communications between two systems. An incident like this occurred in Israel in 2020, where hackers pounced upon a commercial irrigation system. The attackers succeeded to remotely control the irrigation system, enabling them to manipulate the flow of water. This had the potential to drain a water reservoir overnight, leading to the disruption of an entire town’s water supply. Undoubtedly, this incident was inconvenient and came with financial costs. However, things could have gotten much worse if a similar attack was ever landed on a wastewater system within a smart city. The aftermath will be so severe that, such an attack might trigger a hazardous spill of biological contaminants, posing a serious health risk to citizens in the affected area. And this is merely one out of a hundred series of unfortunate events that cyberattacks can cause.
Similar to the previous issue, within a smart city’s complex network of millions of devices, attackers often aim to take control of a device. And because they don’t change the device’s function, users may not realise that their device is compromised. Once control is seized, attackers can exploit other devices on the network. For instance, they could use compromised smart metres to launch ransomware attacks on a city’s energy management system or steal energy without payment.
Another risk originates from the information and communication technology supply chain, including the companies that supply hardware and software components. Malicious actors can exploit vulnerabilities in this supply chain to steal valuable information, create disturbances in operations, or undermine trust in the reliability and security of these systems. In essence, supply chain vulnerabilities can be manipulated by threat actors to achieve objectives like data theft, disruption, or eroding confidence in the integrity of these technologies.
Cybersecurity guidance as put forth by the ‘Five Eyes Agency’
It goes without saying that the widespread use of interconnected devices in smart cities creates multiple entry-points for cyber-attacks. The aftermath of a successful cyber-attack can encompass a spectrum of consequences, ranging from the interruption of vital services to the violation of citizens’ privacy and safety and even the shutting down of an entire city. And once smart cities shut down, no amount of putting it in rice bags will help us revive them, unlike your trusty mobile phone.
To mitigate these risks, smart cities must take proactive steps in recognizing and mitigating vulnerabilities. This includes implementing strong cybersecurity measures like encryption protocols, secure methods of authentication, and consistent security evaluations to identify and rectify potential weaknesses. By adopting such practices, smart cities can enhance their ability to protect against cyber threats and strengthen the overall security of their systems and citizens. Owing to such concerns the members in the Five Eyes Agency : US agencies CISA, NSA and FBI, the UK’s National Cyber Security Centre, Canada’s centre for Cyber Security, the Australian Cyber Security Centre, and NewZealand’s National Cyber Security Centre put together a manual in April 2023 that can help combat potential threats, nip most of them in the bud and create a very much needed cyber resilience.
The 13-page guidebook underscores the fact that as cities accommodate a mutlitude of technological advancements such as environmental monitoring systems, automated infrastructure processes, the expansion of 5G wireless networks, and the integration of artificial intelligence and other emerging software tools, they are inadvertently expanding the potential points of entry that malicious actors can exploit.
The manual’s recommendations for “smart city” technologies align with established cybersecurity advice for various sectors. This includes measures like setting up multi-factor authentication, limiting user network privileges, implementing zero-trust architecture (zero trust is a cybersecurity strategy that focuses on verifying each step of a digital interaction instead of assuming trust from the start. It doesn’t take trust for granted and constantly validates actions for security), and regularly updating and patching systems. By doing this, it will leave less space for attackers to assume patterns or bring down safety nets.
Moreover, the guide encourages officials to take extra steps, such as investing in tools that prioritise security from the initial development stages. This approach, known as “secure by design,” integrates security measures into software development from the very start. Notably, the U.S. Cybersecurity and Infrastructure Security Agency, alongside cyber authorities from countries like the Five Eyes nations, Germany, and the Netherlands, recently published a set of design principles aimed at enhancing security in software development.
The coming of age of smart cities is happening faster than we can keep track of. Therefore, the infrastructure needs to be built in a way that adheres to cyber-security and risk-management approaches to minimise the vulnerabilities of the city as a whole. In addition, it is vital that the general public is made aware of all the base-level risks and how they can be combated in the absence of professional help. However, this does not mean that all information is disclosed without a reservation. Full transparency is inadvisable when it comes to smart cities, especially because you don’t want everyone having access to all the titbits of information. The key to withstanding any form of cyberattacks is building a security wall that is impenetrable. To realise the potential of smart cities, it is important that a balance between risk management and growth is struck. Not only do you have to be smart, but also proactive.
(Sandunlekha Ekanayake)