Securing cities in the cyber age
July 2020 by Mike Nelson, VP of IoT Security, DigiCert
It now seems kind of quaint that cybercriminals go after computers. The kind of threats we now expect to have, have a much larger appetite.
A recent Freedom of Information request has revealed that London’s world-famous tourist attractions, such as the National History Museum, Kew Gardens and the Tate art galleries have been attacked over 109 million times in the last few years.
In America, ransomware gangs seem no longer satisfied with office networks and home computers. In fact, the latest trend seems to be attacking cities. In the last few years Akron, Ohio and Del Rio, Texas have both been attacked multiple times by ransomware gangs. In 2018, Atlanta was forced to shut down local government services and take up pen and paper to carry out critical functions. The cleanup costs have totalled in the millions.
In May this year, Baltimore found itself the latest victim of just such an attack - this time in the form of a ransomware family called RobbinHood. The attackers left a note, demanding $76,000 in bitcoin and concluded “We won’t talk more, all we know is MONEY! Hurry up!”
Government services were again paralysed. But so too, were real estate sales when the systems the local government used to assess sellers were locked up. A warning system set up to warn public health officials and drug users that potentially dangerous shipments of drugs were being sold in the area was also caught up in the attack.
City officials have recently reported that the cleanup will cost $18 million. Some will be wishing that they had paid the ransom.
It seems to have gone unnoticed by some that cities are now a target and this is the new normal.
And as with so much in cyber security it’s an area where the attack surface is massively and irreversibly widening.
It’s widening in two ways—the dawn of the smart city and the coming arrival of quantum computing. With smart cities, the metropolis will be woven with a whole galaxy of endpoints which collect, inform and govern the very operation of those cities. Emergency services, traffic lights, waste management and more will all soon be overseen and managed by computers.
Last year, London Mayor Sadiq Khan launched a plan to make London into one of the world’s “smartest cities.” His ambitious roadmap includes plans to commission “a new generation of smart technology” such as lamp posts that can monitor air quality and benches and shelters that could integrate public Wi Fi, cameras, electric vehicle charge points and more.
London is just one. In Barcelona, smart traffic lights mean that ambulances, fire trucks and police cars speed towards emergencies along a route of automated green lights. Amsterdam manages congestion by collecting traffic and parking data. Dubai is planning to fully digitise local government services and aims to provide 5000 public hubs for citizens to access those services. Similar schemes are pushing ahead the world over – some of which take the security of those projects very seriously and some that don’t.
The other major step forward here is a change in computing - the arrival of quantum computing.
The distinction seems simple. Classical computing uses bits, which can be composed of either a 1 or a 0, as its basic unit of information. Quantum uses qubits. Qubits can be composed of multiple values at the same time, allowing a quantum computer to not only solve problems faster, and smarter than any computer yet invented, but also able to solve multiple problems at the same time.
This giant leap forward for computing, also signals a giant leap for motivated actors, who will also be able to deploy quantum computing against their victims. This advance for hackers may seem like a parochial technical issue, which would be the case if it weren’t for the advance of smart cities.
The distinction between the real and digital worlds is becoming increasingly arbitrary. Where a hacker’s reach might have once ended at a computer screen, every year it stretches further into the physical world.
Quantum will not be commercially available for several years yet, and Smart Cities are still maturing, but we are already seeing the kinds of problems that insecurity in these areas might pose.
IoT security has been pitiful for many years. Through insecure implementations, a lack of standards in the industry, and manufacturers who lost focus on making safe products for consumers, IoT security has proven to fail time and again.
We are only just now seeing standards and regulations that could effectively govern IoT security. The UK’s Secure by Design voluntary code of practice, which takes aim at IoT manufacturers and users, will soon be made mandatory. It’s a welcome development, but there’s still a distance to go.
However, none of this is to say that the developments of the future can’t be secured today.
One of the key problems for these kinds of schemes will be to police the untold number of devices, sensors and pieces of operational technology that will make up a smart city as well as the connections between them.
The backbone of a secure smart city will be trust and access. In a smart city that can access a million different kinds of interactions—between citizens and city officials, between IoT devices and control systems, between information endpoints and tourists—any and all of those interactions have to be secure. It’s important that the users, systems and devices that access the various parts of a smart city are properly authenticated and that the data involved is encrypted at rest and in flight. Digital certificates using a public key infrastructure (PKI) system offer a leading solution which provides scalable, automated and interoperable authentication with a frictionless user experience.
The integrity of each of those myriad devices has to be looked after and smart city cyber-specialists will have to ensure that those IoT devices can boot securely. Admins should also use code-signing to secure the software being sent to those devices. Code-signing can ensure that an Over The Air (OTA) update is trustworthy, that it has been written by a trusted actor and that it hasn’t been tampered with en-route.
DigiCert’s State of IoT survey 2018 found that those organisations that plan for scale are much better prepared to deal with IoT security threats. That doesn’t just mean building to accommodate a large IoT network, but building with the knowledge that it will get bigger in the future.
The point here is performance. Service hiccups and outages are annoying in enterprise scenarios but far more serious when it comes to civic infrastructure. The availability of data and systems will be of paramount importance to the smart cities of the future and so will securing this data.
Public Key Infrastructure has been a powerful force in tackling these kinds of problems. Honed over years of service in WEB-PKI, the solution has proved itself worthy of protecting large, multifaceted payment services and networks. It could do the same for smart cities too.
Looking further ahead - Quantum threats to IoT devices are appearing on the horizon, promising to defeat much of modern encryption. Organisations can consider upgrading their keys from 128 bit to 256 bit - which Quantum computing has not yet defeated. In the meantime, Microsoft and ISARA are working with DigiCert to build algorithms which will protect the IoT from Quantum cyber threats.
A fully realised version of the smart city may be some time off, but as we continue to innovate and computerise the real world, rich urban environments and their infrastructures are already being attacked. Fortunately, the solutions that can protect them are here as well.