San Francisco’s muni fare system was recently hacked, and it turns out that intruders installed ransomware on the system, and demanded money to undo the hack.
Some might ask why, despite being located amid a hub of the best brains in cyberspace, didn’t San Francisco muni foresee this coming? But as the saying goes, hindsight is 20/20.
A better question to ask is, why are smart cities around the world so prone to such smart attacks? And, what risks can they reasonably foresee, and how do they plan for them?
Global Growth and Skewed Statistics
According to McKinsey, the top 100 cities in the world will account for 36% of global growth, and top 600 cities will account for 65% of global growth. To survive this pace of growth, these expanding cities will have to compete with each other to attract necessary resources. City planners and administrators will therefore try to one-up each other with advanced incentives and services to make their cities more attractive. When cities are attractive and vibrant, businesses expand, infrastructure grows, and in turn, citizens thrive.
Smart city projects are being developed in these growing cities around the globe for just this reason. Smart cities can improve the quality of life of their citizens through such things as smart transportation, smart utilities, smart communications, smart health, smart security, etc. This intelligence is continually enhanced through state-of-the-art connectedness and dynamic analytics. When developed and implemented properly, these can make a difference in the management of the connected resources, and ensure that they are delivered and controlled in most optimum and efficient way.
Global Race for Smart Cities
In US, the top seven smart cities listed include Austin, Texas; Columbus, Ohio; Denver, Colorado; Kansas City, Missouri; Pittsburgh, Pennsylvania; Portland, Oregon; and San Francisco, California.
But it is not just in the US where smart cities are being planned. Other countries are funding major initiatives for developing and delivering smart cities.
India, for example, has a big push for smart cities. They have selected 20 cities in the first round of their Smart Cities Mission, with another 32 planned for their second and third rounds of funding.
And China currently has 300 smart cities on the drawing board.
Singapore, meanwhile, is planning a smart nation. Some representative projects there include drones for building inspection for structural issues where it is difficult and unsafe for human inspectors to go.
Taiwan has initiated a $625 Million venture fund with a focus on IoT.
In Korea, Seoul is being pushed as the model city for the technology development. One example of changing life for working and busy citizens there is via smart shopping by the grocery chain Tesco.
In Australia, “30 minute cities” are being planned, where anyone can commute to essential services such as school, hospital, work etc. within 30 minutes.
Other countries such as Denmark are coming up with their own priorities and roadmaps for the development.
Budgets and Moneys
These projects are flush with budgets to support these are pioneering schemes. For example, the US Department of Transportation has pledged up to $40 million to one city to help it define what it means to be a “Smart City” and become the country’s first municipality to fully integrate innovative technologies – self-driving cars, connected vehicles, and smart sensors – into their transportation network. India has budgeted around $466 M in the 2016 general budget.
And Tokyo is investing between $5 and $6 billion dollars to create the most advanced smart city in the world, including a smart utilities grid and robots to help guide visitors, to be unveiled in time for the 2020 Summer Olympics.
Cumulative market, according to Frost and Sullivan, is expected to be $1.565 trillion by 2020.
Of course, wherever there is money there are crooks. For every new technology developed, there is an anti-technology initiative that evolves which continuously searches for vulnerabilities to exploit. In the case of Smart Cities, criminals have a lot to gain, as the potential impact is enormous. Think of a whole city coming to a grinding halt, or with frozen utilities or healthcare services taken offline. Those sorts of high profile, high impact events can make city administrators very prone to making ransom payments.
As a result, Smart Cities need to not only invest in connected infrastructure, but in an up-to-date IT security infrastructure as well.
Vulnerable Smart Cities
When systems, and the people who handle these systems, are vulnerable, many possibilities for risk exist:
- Ransomware can be installed and services disrupted, such as happened to SFMTA or the Presbyterian Medical Center.
- City information can be tampered with.
- A large botnet can create an Inbound Distributed Denial of Service (DDoS) attack against the system, or direct such an attack outbound from compromised devices within the system. Such threats for unleashing DDoS are going to become common.
- Cybercriminals can also threaten to release potentially damaging data to the public from the Smart City’s databases.
- And critical infrastructure can be disabled, causing panic and harm to the city’s residents.
I have described many such vulnerabilities in my earlier blog.
Smart Steps to Smart City Security
To deal with these potential attacks, it is important to protect the critical Smart City infrastructure systems before issues occur, and to have a plan to respond immediately as soon as they inevitably occur. Here are a few suggestions that city planners and administrators need to consider:
End-user training for all users, combined with enhanced Physical Security for all resources is important. People and devices are the weakest link in any security strategy. Public campaigns encouraging security awareness about such things as phishing and similar attacks are a primary first step.
End-point protection on all servers is the next important step. And that includes keeping servers patched and backed up.
Many ransomware attacks originate via email. Email security on email servers and clients is a next important step. Ideally, this solution should automatically block phishing emails and malware attachments.
Segmentation of network traffic – with strong user, device, application and protocol controls is key to network security. This would avoid any secondary and tertiary damage even if the ransomware is active despite the email security.
Data loss prevention systems need to be put in place to prevent the loss of data at rest, in motion, and in-use. This step can help ensure that unauthorized data loss does not take place in order to avoid future misuse or liability.
Bidirectional DDoS attack mitigation is needed to take care of both inbound and outbound DDoS attacks for the Internet facing properties of smart cities.
The time to act, building in stronger security measures and protecting smart infrastructure (and the people who depend on it) is now.