Smart cities need even smarter security
By Matt Caffrey, Senior Solutions Architect at Barracuda Networks
Tuesday, 17 October, 2023
The smart city movement in Australia has been gathering momentum for at least a decade and many people living in Australia’s largest cities already benefit from this. Parramatta, in Sydney, developed its first smart city masterplan in 2015. In 2016 the Turnbull government set out a federal Smart Cities Plan, promising to embrace disruptive new technology and real-time, open data-driven solutions across the country.
Smart city technology is leveraging sensors, cameras and data to — among other things — improve transportation, energy use, public safety, health care and waste management. A prime example is the provision of real-time bus and train information to commuters on their smartphones.
However, any system that relies on connected digital technologies and devices to function is also susceptible to cyber attack. The risks are particularly high for critical services such as health care and traffic management. The protection of connected systems and the data they store and share is imperative.
Security challenges
Earlier this year the Australian Cyber Security Centre, in collaboration with similar bodies in the US, UK, Canada and New Zealand, issued a guide: Cybersecurity Best Practices for Smart Cities.
It identifies multiple cyber risks that the widespread adoption of smart city technologies can introduce. For example, smart cities depend heavily on operational technology (OT), such as sensors, for monitoring the physical environment and remotely controlling devices in facilities. The sheer volume and distribution of these devices, combined with the fact that they are now all connected to the internet, increase the attack surface and heighten the potential spread and impact of successful attacks.
For example, in 2021 a hacker remotely gained access to sensors controlling the water supply to the city of Oldsmar in Florida and attempted to poison citizens by increasing the quantity of sodium hydroxide in the water.
Smart city technology can also create opportunities for threat actors to exploit a vulnerability — often in a low-cost and insecure device — to gain initial access, and then move laterally across networks to disrupt operations in other more important areas.
In one such incident, hackers gained access to the core systems of a US casino by hacking a smart thermometer being used to monitor the temperature in their aquarium.
To add to the problem, much of the technology used across smart cities is from different vendors and is owned and operated by different companies. This may hinder effective visibility, collaboration and communication, which are necessary for ensuring robust security.
Any compromise of smart city systems carries potentially severe consequences, including substantial disruption to city operations, financial losses, potential breaches of personal data and, in the worst-case scenario, significant damage to infrastructure and the risk of injury or loss of life.
Other security challenges facing smart cities include data protection and privacy breaches, particularly if data and applications are stored in the cloud.
Best practices for securing smart cities
Effective security in a smart city requires a holistic approach, regardless of the individual security level of a product or solution. National, regional and local authorities need to prioritise the careful and secure integration of new technologies into the existing infrastructure, employing secure connectivity measures.
While there are specific security challenges unique to smart cities, governments should first adhere to widely accepted standard approaches such as the Essential Eight, outlined in the ACSC’s Strategies to Mitigate Cyber Security Incidents.
For example, across all systems, user access should adhere to the principle of least privilege. This principle dictates that users should only be given access to the resources/networks that are vital to perform their jobs. The implementation of a zero trust approach, such as Zero Trust Network Access (ZTNA), including multifactor authentication, is well suited to this — and agile enough to adapt quickly to changing security scenarios, such as an active attack.
It is also essential that those responsible for the devices and applications that are being implemented in smart city systems understand the environment into which they will be deployed. This includes, for example, the security posture of the devices they will be installed on or connected to, and how they will integrate with existing systems or applications. They must also be alert for any new points of weakness that emerge following the implementation and ensure appropriate security controls are applied.
A typical smart city has an ever-expanding attack surface, using thousands of different devices from many different vendors. Software vulnerabilities are likely to be discovered on a regular basis and these will need patching. This is a formidable but essential task to uphold smart city security.
The Cybersecurity Best Practices for Smart Cities guide also contains recommendations covering secure planning and design, proactive supply chain risk management and operational resilience for communities and organisations looking to implement smart city technologies.
Lastly, in the event of system failure stemming from an attack or malfunction, it’s crucial to have a well-prepared response plan at the ready. This involves comprehensive contingency planning to ensure the most critical aspects of a city’s functioning, such as transport networks, can remain operational in the face of disruption.
The takeaway
More and more cities are embracing smart technologies, and those already leading the way are expanding their portfolio of technologies, fostering innovation and continually enhancing existing offerings to improve overall ‘smartness’. Therefore, it is paramount that national, regional and local governments build strong security policies into the planning process for any new services or improvements to existing ones.
Simultaneously, every partner organisation deploying or managing smart city technology should maintain a constant state of vigilance and stay abreast of the evolving threat landscape to assess how each new threat could impact their smart city systems.