Check Point IoT Blog Series: Smart Cities Need Smart Security

This is the second post in our Check Point IoT series. Read our first post, about securing IoT devices in healthcare, here.

The smart city is sparking the imagination of planners, developers, governments, businesses and citizens all over the world. Smart cities combine pervasive web connectivity, smart IoT devices, artificial intelligence and machine learning. They collect and analyze, in real-time, multiple forms of data in order to create an interconnected fabric of devices that drive efficiencies across services critical to the city’s infrastructure such as utilities, transport, healthcare and emergency services.

We’ve already seen smart cities improving citizens’ lives while realizing efficiencies and cost savings. Smart regulation systems have helped the city of Songdo, South Korea, reduce water and energy usage to levels 30% below cities of similar sizes. Barcelona claims that IoT technology has helped it save $35 million annually on water. Other potential smart city applications include:

  • Intelligent traffic management systems, which regulate traffic flows according to real-time volumes and incidents;
  • Sensors that can manage energy usage to reduce consumption;
  • Water pipes with sensors which can regulate flow and instantly alert maintenance engineers to leaks;
  • Health centers that incorporate IoT-powered services like intelligent medication dispensers.

It’s no wonder that Gartner estimates that 2.3 billion connected things will be used in smart cities this year.

But developing smart cities isn’t without its risks. Services that depend on digital data, by extension, depend on the security and integrity of that data. Just as they prepare for natural disasters, urban planners and governments now need to prepare for digital disasters.

Smart cities disrupted

According to a report by Kaspersky Labs, over the second half of 2016, up to 40% of all industrial control systems (which manage physical infrastructure) were infected with malware.

Cyber criminals know that the infrastructure underpinning smart cities can be very vulnerable, due to a combination of software and devices that are not security-hardened. Whether it’s by hacking into systems – perhaps exploiting weak passwords or a similar vulnerability – or by using malware to infect networks and gain remote access to, and control over, systems, smart cities are ripe for cyber-attacks. For example, last year, hackers were able to infiltrate the Bowman Avenue Dam in Rye Brook, New York, enabling them to manipulate the dam’s controls and creating a threat of flooding to hundreds of homes in the area.

Transportation systems are also vulnerable. In September 2016, it was revealed that almost 25% of the networks used by the San Francisco Municipal Transportation Agency (SFMTA) had been infected with ransomware. The malware caused the barriers to open, giving free rides to passengers over the Thanksgiving weekend – while generating a lot of goodwill, it spurred substantial financial losses for the city. In 2016, hackers demonstrated vulnerabilities in traffic monitoring and data systems: road sensors in Moscow were targeted with a Bluetooth-enabled device, enabling a security researcher to hack into roadside sensors, siphon data from the sensors and modify the data to manipulate traffic signals.

Even then, it’s not always about money. Some cyber criminals are just digital vandals, causing disruption for disruption’s sake. Just a few months ago, the Dallas city warning system was hacked. All 156 emergency sirens started blaring, waking citizens up and overwhelming 911 operators. This sort of attack isn’t just a nuisance – it can genuinely endanger lives by scrambling emergency services and taking up unnecessary resources.

Securing the smart city

In this dynamic and complex risk landscape, cyber security and data protection need to be central to smart cities’ strategies from day one. It is standard practice for urban planners to physically protect and control critical infrastructure – the same level of robust protection also needs to be applied to the digital infrastructure.

Digital protection for the smart city would be built around four key principles: device discovery and access management, intelligent network segmentation, threat prevention, and data integrity.

Device discovery and access management gives the ability to uniquely identify and strongly authenticate an IoT device on the network. One of the security weaknesses inherent in IoT devices is that they usually have minimal, if any, built-in security. So if a device cannot be uniquely identified, it can be easily ‘spoofed’ and imitated, enabling an attacker to penetrate the network. Having strong device authentication mitigates this risk, and helps ensure data integrity and effective threat prevention.

Network segmentation enhances IoT security by mitigating the risk of one part of the network having the ability to influence other parts of the network. It quarantines potential threats, limiting their ability to propagate laterally across a wider infrastructure. With proper network segmentation, a threat which infiltrates a smart city’s CCTV systems, for example, would not be able to spread to, say, the city’s traffic management systems. It makes handling of any breaches or security incidents more manageable, as the affected network segment is isolated from its neighbors.
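To make the CCTV and traffic-management case concrete, here is an added example (not Check Point code) of a default-deny segment policy evaluated over constructed flow records. The segment names, address ranges, ports and flows are all assumptions chosen for illustration.

```python
import ipaddress

# Constructed segments (RFC 1918 ranges); names are hypothetical.
SEGMENTS = {
    "cctv": ipaddress.ip_network("10.10.0.0/16"),
    "traffic": ipaddress.ip_network("10.20.0.0/16"),
    "video-archive": ipaddress.ip_network("10.30.0.0/24"),
    "ops-center": ipaddress.ip_network("10.99.0.0/24"),
}

# Default deny: only these (source segment, destination segment, port)
# flows may cross a segment boundary.
ALLOWED = {
    ("cctv", "video-archive", 443),
    ("traffic", "ops-center", 8883),
    ("ops-center", "traffic", 22),
}


def segment_of(ip):
    """Map an address to its segment name, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src, dst, port):
    """Return the policy verdict for one flow."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny:unknown-segment"
    if s == d:
        return "allow:intra-segment"  # boundary policy does not apply
    if (s, d, int(port)) in ALLOWED:
        return "allow:policy"
    return f"deny:{s}->{d}"


# Constructed flow records in the form "src dst dport".
FLOWS = ["10.10.4.7 10.30.0.5 443", "10.10.4.7 10.20.1.9 502",
         "10.20.1.9 10.99.0.3 8883", "192.0.2.44 10.20.1.9 22"]


def violations(flows=FLOWS):
    """Return (flow, verdict) for every flow the policy denies."""
    verdicts = ((f, evaluate(*f.split())) for f in flows)
    return [(f, v) for f, v in verdicts if v.startswith("deny")]
```

Calling `violations()` flags the camera reaching into the traffic segment and the flow from an address that belongs to no known segment, while the two allowlisted flows pass.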

Threat prevention means blocking any attack before it enters the network rather than mitigating the risk after an attack has been discovered. It provides business continuity — crucial for the daily operation of a smart city.

Encrypting data communications and flows across the smart city infrastructure helps to eliminate potential attacks like man-in-the-middle attacks, where the integrity and validity of the information provided to and from devices on the network are compromised.
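The device-authentication and data-integrity principles above can be sketched together in this added example, which is not Check Point code. It assumes each device holds its own enrolled secret key, and it uses an HMAC over a server-issued nonce and the reading rather than encryption, so it shows identity and integrity checking only; device names and readings are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed registry: one secret key per device ID, provisioned at enrollment.
REGISTRY = {d: secrets.token_bytes(32) for d in ("water-sensor-017", "traffic-cam-204")}


def sign(key: bytes, device_id: str, nonce: bytes, payload: dict) -> str:
    """Device side: MAC over identity, server nonce and canonical payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    msg = device_id.encode() + b"\x00" + nonce + b"\x00" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Gateway:
    """Server side: issues one-time nonces and verifies device messages."""

    def __init__(self, registry):
        self.registry = registry
        self.pending = {}  # device_id -> outstanding nonce

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def accept(self, device_id: str, payload: dict, tag: str) -> bool:
        key = self.registry.get(device_id)
        nonce = self.pending.pop(device_id, None)  # single use: blocks replay
        if key is None or nonce is None:
            return False  # unknown device or no outstanding challenge
        return hmac.compare_digest(sign(key, device_id, nonce, payload), tag)


def demo() -> dict:
    gw = Gateway(REGISTRY)
    dev, key = "water-sensor-017", REGISTRY["water-sensor-017"]
    reading = {"flow_lpm": 41.5, "leak": False}
    tag = sign(key, dev, gw.challenge(dev), reading)
    genuine = gw.accept(dev, reading, tag)
    replayed = gw.accept(dev, reading, tag)  # nonce already consumed
    wrong_key = secrets.token_bytes(32)  # impostor does not hold the device key
    spoofed = gw.accept(dev, reading, sign(wrong_key, dev, gw.challenge(dev), reading))
    tag = sign(key, dev, gw.challenge(dev), reading)
    tampered = gw.accept(dev, {**reading, "leak": True}, tag)  # altered in transit
    return {"genuine": genuine, "replayed": replayed,
            "spoofed": spoofed, "tampered": tampered}
```

Only the genuine submission is accepted; the replayed, spoofed and tampered ones are rejected because the nonce is single-use and the tag covers both the device identity and the reading.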

As we’ve seen over the past 20 years, criminals and hackers will look to exploit any vulnerability they can find in emerging systems. As cities get smarter, those interconnected networks and devices need security built in from the start, not as an afterthought – to protect both the cities and their citizens.