The rapid growth of embedded computing and the “Internet of Things” (IoT) have been felt in many industries and areas, but few organizations and jurisdictions have been affected as quickly and as deeply as cities. The emergence of “smart cities” – those cities that “…integrate cyber-physical technologies and infrastructure to create environmental and economic efficiency while improving the overall quality of life” – have created important increases in the understanding of infrastructure usage, improved efficiency, and better service provision to citizens.
By Brain Nussbaum
The rapid growth
of embedded computing and the “Internet of Things” (IoT) have been felt in many
industries and areas, but few organizations and jurisdictions have been
affected as quickly and as deeply as cities. The emergence of “smart
cities” – those cities that “…integrate cyber-physical
technologies and infrastructure to create environmental and economic efficiency
while improving the overall quality of life” – have created important
increases in the understanding of infrastructure usage, improved efficiency, and
better service provision to citizens. That said, the emergence of smart
cities – and the installation and utilization of vast networks of sensors and
data collection platforms – have also vastly increased the potential “attack
surface” that these urban areas must protect and defend.
(For a good
snapshot of the growing areas included in the IoT and this growing attack
surface, see the
chart on page 6 of the December 2015 Internet Protocol Journal, and
for a snapshot of the security and privacy concerns around the IoT see this
January 2015 Federal
Trade Commission staff report)
Recently the
Chief Information Security Officer (CISO) of San Diego, Gary Hayslip, published
two interesting essays on
what he has learned from his role as a smart city CISO – in San Diego,
California. Hayslip acknowledges some
of the problems that make working as a CISO charged with protecting
city networks challenging:
“City networks
grow over time, they tend to have a collection of technologies and applications
that range from being brand new to being decades old.”
“I come from
working in a military environment where I had always owned the data that
traversed my networks…I started to look at our data through a lens that it belongs
to my neighbors and it is entrusted to me. In essence our data belongs to our
citizens and we are shepherds of that data.”
“Forty
departments with different business requirements… My departments have business
reasons why they want to purchase that new technology or develop that new
application. It’s my job to give them alternatives, to show them the risks
involved with these alternatives and provide recommendations for security
controls to reduce any associated risk.”
Hayslip is right
to point out these challenges, and there are myriad others. The first of
these, the agglomeration of numerous technologies over time and the management
problems that creates, are not unique to cities – in fact the New York State
Chief Information Officer (CIO) recently
gave testimony describing the same challenge at the state level in the
Empire State.
Other
challenges, like the proliferation of sensors from transportation and energy
infrastructure and the privacy challenges of data around that expansion, are
more pronounced in cities than they are in larger jurisdictions like states,
provinces, and at the national level. Some of the many cyber security
challenges facing cities in general, and smart cities in particular, have been
outlined in thoughtful analysis at various recent information security
conferences.
The Information
Security Community Addresses Smart City Cyber Security
Greg Conti (West
Point), Tom Cross (Drawbridge Networks), and David Raymond (Virginia Tech),
delivered a fascinating paper and presentation at
Black Hat last summer called “Pen-Testing a City.” The authors correctly point
out that...
“The information
technology infrastructure of cities is different from other entities. Cities
feature complex interdependencies between agencies and infrastructure that are
a combination of federal, state and local government organizations and private
industry, all working closely together to keep the city as a whole functioning
properly. Preparedness varies widely. Some cities have their act together, but
others are a snarl of individual fiefdoms built upon homegrown technological
houses of cards.”
This draws on a
broader insight that while, in general, the information security community is
good at security risk assessment at the asset and system level, when
aggregating up to the level of a political jurisdiction (city or state), many
of these processes break down. They
argue: “The information security community does a great job of
identifying security vulnerabilities in individual technologies and penetration
testing teams help secure companies. At the next level of scale, however,
things tend to fall apart.” By the way, this is not only a problem in
information security, but is true more broadly as it relates to infrastructure
risk. Risk assessment methods and security measures often don't scale
well from the asset or system to the level of political jurisdictions – see for
example “The
Levels of Analysis Problem with Critical Infrastructure Risk.”
Cesar Cerrudo
also gave a paper and presentation last
year, both of which address the threats of hacking against smart cities.
Cerrudo enumerates both a long series of cyber vulnerabilities that are
common to many large smart cities (from lack of patch deployment capabilities,
to limited cyber incident planning, to weak or no cyber incident response
teams), as well as analyzing a host of potential attack targets and vectors
that could be of particular concern to cities. Cerrudo describes potential
attacks on traffic control systems, street lighting systems, water and waste
water systems, and potential manipulation of smart electrical grids among many
other concerns.
These concerns
about service interuption and physical damage are on top of and beyond the
obvious vulnerabilities that result from the massive collection and storage of
sensor and other data. Data that will often include varieties of
personally identifiable information (PII) and information on the behavior of
citizens. In fact, another California CISO, Jon Walton – of San Francisco
- acknowledged
several years ago that concerns around cyber security in a smart city
will result in important decisions being required on the “Balancing act
between collecting data and keeping personally identifiable information (PII)
secure.”
Smart City Cyber
Security is a National Security Concern
Authorities at
the national level – in numerous countries – have also begun to take the
threats to smart cities seriously.
The Department
of Homeland Security’s Office of Cyber and Infrastructure Analysis (OCIA)
recently released a document entitled The
Future of Smart Cities: Cyber-Physical Infrastructure Risk. The paper
is designed to summarize “…the
insights from a technology-informed futures analysis” meaning that
OCIA worked with subject matter experts on cyber risk to analyze – as Cesar
Cerrudo did – the possible attack types and consequences that could result from
them. The purpose is “…to
help Federal, State and local analysts and planners incorporate anticipatory
thinking into Smart City design and continued critical infrastructure
protection efforts relating to this new technology.”
In Ireland, the
Data Protection Unit of the Department of the Taoiseach (the office of the
Prime Minister) recently published a paper called Getting
Smarter About Smart Cities: Improving Data Privacy and Data Security.
This paper frames the tradeoffs between speed of adoption and risk minimization
thusly “The challenge is to rollout smart city solutions and gain the
benefits of their deployment while maintaining infrastructure and system
security and systematically minimising any pernicious effects and harms.”
This paper
focuses more on the data protection and data privacy concerns around smart
cities as opposed to the potential for attacks on cyber-physical systems.
It also benefits from a “case study” and examples from a real city (Dublin),
and offers “a
number of suggestions for addressing trepidations about and ills arising from
data privacy, protection and security issues.” The suggestions
vary pretty widely… “…it
advocates a multipronged approach that uses a suite of solutions, some of which
are market driven, some more technical in nature…others more policy, regulatory
and legally focused… and some more governance and management orientated…”
Taken together,
the DHS
OCIA paper (focused on the vulnerability of cyber-physical systems)
and the Taoiseach
Data Protection Unit paper (focused on the privacy and data
protection) provide a holistic look at the broad series of concerns and risks
that come along with the many valuable advantages that arise from the emergence
of ever smarter cities. In conjunction with the analysis by researchers
like Conti, Cross, Raymond and Cerrudo, it is possible to begin to get a sense
of the increasingly complex landscape of smart city cyber security.
The national
security concerns around the broader IoT – as opposed to the narrower world of
smart cities – are potentially even more profound. In his recent
testimony on the “Worldwide
Threat Assessment of the Intelligence Community,” Director of National
Intelligence James Clapper listed Cyber and Technology as the first major area
of concern – before terrorism, proliferation or counterintelligence among
others – and specifically called out concerns around the rapidly expanding
“internet of things.” He said “…security
industry analysts have demonstrated that many of these new systems can threaten
data privacy, data integrity, or continuity of services.”
This is true,
but the potential national security implications are even broader and
deeper. He goes on to suggest that “In the future, intelligence
services might use the IoT for identification, surveillance, monitoring,
location tracking, and targeting for recruitment, or to gain access to networks
or user credentials.” This important insight was neatly played
upon in computer scientist Nicholas Weaver’s tweet that “The
NSA thanks all foreign intelligence targets who decide to install a Nest
Camera.”
Ultimately, the
security questions around smart cities are like most security questions - a
series of tradeoffs about risk and reward. Luckily, the information
security community, the community focused on urban affairs, the national
security community, and numerous others are beginning to have a much more
lively dialogue about these risks – it cannot come quickly enough.
As Gregory
Hayslip notes, “In
the end, technology will eventually change cities for the better. From
improvements in productivity and operations, to innovation in services that
enhance the lives of citizens, the promise of smart cities is filled with
benefits and rewards. The responsibility of laying the digital groundwork for
smart cities falls squarely on the shoulders of cybersecurity professionals.” Indeed.
About The Author:
Brian Nussbaum
is an assistant professor in the Department of Public Administration and Policy
at the Rockefeller College of Public Affairs at the State University of New
York at Albany. His research and teaching focuses on cyber threats, terrorism,
homeland security, risk and intelligence analysis, and critical infrastructure
protection.
Dr. Nussbaum formerly served as Senior Intelligence Analyst with
the New York State Office of Counter Terrorism (OCT), a part of the New York
State Division of Homeland Security and Emergency Services (DHSES). He oversaw
both terrorism and cyber threat analysis efforts at New York's designated state
fusion center, the New York State Intelligence Center (NYSIC). Dr. Nussbaum
served as a subject matter expert on international terrorism, and helped to
create NYSIC's Cyber Analysis Unit (CAU). Additionally, Dr. Nussbaum served as
the first-ever Visiting Professor of Homeland Defense at the United States Army
War College in Carlisle, PA (2012-2013), where he worked with the Homeland
Defense and Security Issues (HDSI) group in the Strategic Wargaming Division of
the Center for Strategic Leadership and Development (CSLD). Dr. Nussbaum
received his PhD and MA in Political Science from the University at Albany and
BA in Political Science from Binghamton University. His work has appeared in
numerous books and journals including Studies in Conflict and Terrorism, Global
Crime, and the Journal of Applied Security Research.
This article was originally published at CIS Blog on February 09, 2016