More and more cities are employing “smart” technologies to improve communication with the public and reduce the burden on government services, but these technologies also open those cities to security and privacy dangers, according to a Trend Micro article released on Tuesday.
“Smart cities are redefining the way we live and work. Blending cutting edge IoT (Internet of Things) technologies with virtualization, big data, cloud and more, they represent an urgent and ongoing attempt to overcome the challenges associated with rapid urbanization,” Ed Cabrera, chief cybersecurity officer at Trend Micro, wrote in a blog post. “There’s just one problem. These vast, interconnected technology systems also raise serious privacy and security concerns.”
According to Martin Roesler, director of threat research for Trend Micro’s Forward Looking Threat Research team, cities are particularly threatened by future IoT attacks because they pose an attractively visible target for hackers looking for maximum impact.
“So far, we don’t really see attacks directed at smart homes. But, there is a business model for attacking cities. Criminals want to spread fear, and they do this by being seen,” Roesler said. “Maximum visibility is not generated by attacking an individual home, but by poisoning the water supply in a major city or crashing a train in another. What makes these cities attractive to sabotage (by a foreign state or political enemy) is the big impact.”
Cabrera cites the hacks on the Ukrainian power grid over the past few years as an example of the damage that an attack on an Internet-connected city can cause. In the United States, highly populated and technologically dependent cities like Las Vegas could see particularly devastating effects after a hack on smart infrastructure.
“Assume that a city like Las Vegas goes dark due to a power outage. You have hundreds of thousands of guests in hotels, while power goes off and does not come back–no gas stations, no airport, no air conditioning or food,” Roesler said. “Smart cities want to offer services, even vital services, like transportation, or workplaces, via modern Internet technology, but the question ‘what if this technology fails’ is unanswered.”
Roesler added that, since smart city technologies can have life spans of 50-100 years, vulnerabilities that exist today will continue to exist or get worse in the future.
“So vulnerabilities of today’s world will be a risk for much longer,” Roesler said. “Even worse, due to technological developments, even systems that we assume are safe today might be insecure or obsolete 10 years from now.”
According to Cabrera, smart city technologies should be designed with cybersecurity as a core component, rather than something added on after an incident.
“It’s vital that we incorporate security and privacy-by-design into these systems as they’re developed. The cost of bolting on security after the event is always significantly higher, and the end result less effective,” Cabrera wrote. “But we must also be aware of the scale of the task. Smart cities represent a large and complex attack surface, where vulnerabilities in cloud servers, mobile app ecosystems, data transfers and more could all have serious repercussions for end users and smart city providers.”
Roesler added that states should also employ the strongest encryption possible, conduct regular security testing, and always assume the worst-case scenarios when employing smart city technologies.
The article is the first in a series by Trend Micro that will cover the security concerns surrounding smart city initiatives.