TL;DR: Securing Smart Cities is an initiative aimed at creating safer urban environments from a digital perspective. The nonprofit works to solve existing and future digital threats around the world through collaborations between companies, governments, security professionals, and media outlets. With a focus on engaging the community through industry events, Securing Smart Cities aims to educate cities and providers on the importance of building modern cities the safe way.
We’ve all heard predictions that humans will wage future wars on digital battlegrounds — a prospect that becomes more believable with each new digital attack. Today, foreign entities have the potential to strike entire cities without ever leaving their computers.
The city of Atlanta knows this all too well. In March 2018, Iranian hackers used SamSam ransomware to encrypt government files, demanding $51,000 in Bitcoin to restore access. The attack devastated the city, crippling multiple municipal services, including databases and Wi-Fi, and destroying decades of data. Atlanta initially spent $2.7 million in the recovery effort and proposed an additional $9.5 million after developing a clearer view of the damage.
Atlanta has faced harsh criticism for leaving multiple vulnerabilities open to attack, but building and maintaining smart cities is no easy task, especially when it comes to IT security. To help keep these urban areas safe, Securing Smart Cities provides a wealth of information and expertise on security issues, including how they can be addressed or avoided altogether.
Cesar Cerrudo is CTO of IOActive Labs and a Securing Smart Cities Board Member. In his experience, smart city security measures often follow a reactive model. Unlike tangible improvements, Cesar said, digital security is invisible, making for a harder sell to politicians.
“If politicians spend $10 million to build two bridges in the city, enabling people to travel more quickly from work to home each day, that’s a visible benefit that citizens can easily perceive,” Cesar said. “It’s very different from cybersecurity, where people don’t feel incentivized to spend money unless there’s already a problem, such as what happened in Atlanta.”
Securing Smart Cities is working with companies, governments, security professionals, and media outlets to educate cities and providers on the importance of building modern cities the safe way. Whether the nonprofit is raising awareness on industry threats or solving the most pressing security problems, its goal is to protect modern cities worldwide.
Raising Awareness of the Cost Benefits of Security Measures
In addition to city management systems, a number of smart city technologies may be exposed to security vulnerabilities. For example, hackers could disrupt smart traffic control systems to change traffic lights, turn street lights on and off at will, manipulate smart meters to black out power in large areas, or display incorrect information on smart public transportation systems to cause confusion and delays.
According to the UN, 68% of the world’s population will live in urban areas by 2050, leading everyone from engineers to political leaders to concentrate on smart city initiatives. In this respect, Securing Smart Cities has entered the market early. Four years ago, when Cesar wrote his white paper, “An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks,” he warned that cities needed to take defensive security steps immediately.
Yet today, despite the attack on Atlanta, there still hasn’t been much traction when it comes to safeguarding smart cities. “Sooner or later, cybersecurity will become a very important topic,” Cesar said. “Sadly, until cities start suffering from regular attacks, the government probably will not pay attention to the topic.”
Cesar said his main goal is to raise awareness of security-related issues in cities by providing useful resources. By useful, he means easy to understand, digestible reports that do not require specialized knowledge.
“In this way, I think we can provide good value to government workers because they can easily read a five or 10-page report and find something they can apply in their regular job to make cities more secure,” he said.
A Persistent and Ongoing Threat: Common Vulnerabilities
The current attack surface for complex and interdependent cities is wide, leaving some of the most populated areas especially vulnerable via a large number of security holes that hackers readily exploit.
For example, cities frequently implement new technology without first testing security protocols. It happens across the globe: In 2014, Cesar identified approximately 200,000 vulnerable traffic control sensors in cities worldwide, including London, Melbourne, New York, Seattle, and San Francisco.
In his 2015 whitepaper, Cesar stated that research at IOActive Labs continually indicates that cities rigorously test systems for functionality, but fail to take measures to ensure top-notch security. Many new wireless devices, such as traffic and surveillance cameras, smart meters, street lights, traffic lights, smart pipes, and sensors, are easy to implement but also susceptible to hacking if not properly encrypted.
When attacks do occur, Cesar said cities and states are rarely equipped with proper Computer Emergency Response Teams (CERTs). Patch deployment and system update issues are common, and, according to the whitepaper, cities often use vulnerable devices and systems because patches are costly, vendors are often too slow to release them, or they are not available.
In addition, big cities with hundreds of intertwined systems and devices can be taken down by a simple software bug. On November 22, 2013, for example, a software glitch shut down the San Francisco Bay Area Rapid Transit. In all, 19 trains and approximately 1,000 passengers were affected, with citizens trapped from midnight until the early morning.
Building Partnerships Between Governments and Security Professionals
To help government officials prepare and react to such events, Securing Smart Cities has prepared several resources. The group recently released an infographic to offer a visual representation of what’s at stake when securing a smart city.
The intuitive graphic provides an overview of current smart city technologies, security problems, attacks and threats, and a breakdown of concerns by city. “We’re trying to describe the main threats and problems using a communication tool that is easy to digest for the general public but still contains key information,” Cesar said.
To help with strategic planning, Securing Smart Cities also offers articles, whitepapers, and other materials that offer a practical approach to security and cover a range of topics.
In February 2018, the organization released “Securing the Smart City Olympics.” The extensive use of technology at these events often attracts the attention of malicious hackers who wish to cause chaos. To help ensure the safety of both attendees and participants, the organization’s newest whitepaper clearly outlines challenges and preventative measures to eliminate weak points and make systems impenetrable.
Securing Smart Cities also holds webinars intended to familiarize attendees with the ever-evolving risks associated with digital transformation within cities. In April, Cesar hosted an IOActive-sponsored presentation, where he explored current smart city vulnerabilities, potential attack scenarios, real-world examples, and ways to improve security posture.
Engaging the Community Through Industry Events
Cesar said the organization’s long-term plan is to gather like-minded individuals from across the globe for networking and professional development opportunities.
“We’ve been talking about hosting a conference event specifically on cybersecurity for smart cities for a long time,” he said.
By attending such events, individuals would gain fresh perspectives, insightful information, and the motivation to take new ideas home with them for the betterment of their cities.
“Conferences would help us achieve some of our main goals: to drive awareness and engage in conversations with different people from the private and the public sector,” Cesar said.