When you think of disaster preparedness, you may think about how you would respond to an earthquake, a flood, or a storm. Now, security researchers want you to think about how to respond to cyber attacks, as well.
Securing Smart Cities (SSC) is a not-for-profit global initiative that hopes to make smart cities more secure and less hackable. So far, they have done so by raising awareness about the vulnerability of smart cities–towns that implement Internet-based technology. These can include apps to help residents find parking, smart street lighting that adapts to weather conditions or time of day, real-time public transportation apps for commuters, smart traffic lights and signals that adapt to car volume and current traffic conditions, and more.
Cesar Cerrudo, chief technology officer at security research firm IOActive Labs, says cities are unprepared for attacks on these systems. A board member for SSC, Cerrudo provides the non-profit with information on smart city security (or lack thereof). “What would commuting look like with non-functioning traffic control systems, no street lights, and no public transportation?” he writes in his 2015 research paper. “How would citizens respond to an inadequate supply of electricity or water, dark streets, and no cameras?”
President Obama signed an executive order two years ago that set voluntary guidelines to help the government and private companies prevent cyber threats, but Cerrudo says cities are still vulnerable. He points out a number of security issues, including wireless devices that aren’t properly encrypted, a lack of computer emergency response teams, and insufficient or nonexistent security features.
Sean Sullivan, a security analyst at F-Secure, said smart cities are “highly hackable,” but he believes pranks are more likely than huge cyber attacks. However, even simple bugs can cause huge problems. In 2012, the Placer County Court in California accidentally summoned 1,200 people to jury duty because of a computer glitch, causing a major traffic jam.
Cyber attacks can have much larger impacts than just frustrated jurors and highway congestion, however. A few months ago, unauthorized individuals gained access to the emails of Beacon Health Systems, exposing private patient information. And just this week, the IRS announced that criminals gained access to information on approximately 100,000 tax accounts, and this data included Social Security information, birth date and street address.
In his paper, Cerrudo outlines some recommendations for making smart cities more secure, including creating city-specific emergency response teams, running regular penetration tests on city networks and systems, and implementing fail-safe and manual overrides on system services. SSC says his research offers “a practical approach to the security of smart cities,” and advises all major cities to be aware of the different security measures that can be taken. To help address these vulnerabilities even further, the SSC project has also called for collaboration between companies, governments, the media, and other non-profit initiatives and individuals. Cerrudo writes: “Much work is needed, but cities can get started using these steps that can make a big difference in the current situation.”