Securing the Smart City

Smart City technology is an attractive prospect to councils and utilities, but when it depends on large distributed networks built from unique technologies, how can we keep it secure?

Introducing the Smart City

In 2007 IBM teamed up with Singapore’s Land Transport Authority (LTA) to produce a system that would not only give the LTA real-time reports on the flow of traffic, but also predict the state of traffic thirty minutes into the future. The £10 million dollar system exceeded expectations, predicting traffic with an accuracy of over 85%. The LTA used this information to manage the flow of traffic and better avoid congestion.

Smart Cities aren’t just limited to improving traffic management. New solutions are being developed and implemented that cover everything from detecting gun crime through acoustic sensors, to more efficient garbage collection by sensing which dumpsters are full and which are empty and can be skipped. In essence, if enough data can be collected about a resource, its management can be made more efficient. In a typical smart city, hundreds of sensors positioned around the city report back to a control system, which collects and analyses the data before displaying conclusions and, in some cases, updating controllers. With the conservation of energy and reduction in pollution becoming high priorities for modern cities, the smart city is an apparent utopia for governments.

As more and more cities invest large amounts of money into smart city solutions, major manufacturers are lining up to demonstrate that they should be the ones to build, install and run these solutions. In 2013, the UK Department for Business, Innovation and Skills (BIS) released a report stating that the global smart cities industry would be valued at $400 billion by 2020. Given their level of investment, major international corporations agree with this estimate. IBM, Cisco, Schneider and Siemens are just a few who have been singled out as major leaders in investment and innovation in smart cities.

Several smart cities have already been created across the world in an attempt to capitalise on the new field. But not all technologies have been welcomed by the inhabitants. In 2013, 200 smart bins were installed in London. Their goal was not to lower pollution or reduce energy usage, but to show adverts. These adverts would be produced depending on the unique identifier of the pedestrian’s smartphone. According to their manufacturer, they would use “cookies for the real world”, letting advertisers better target their adverts. Perhaps unsurprisingly, when London’s public found out how these bins worked, there were calls for them to be removed. The City of London took this seriously enough to pull the devices from the streets. According to The City of London Corporation:

“We have already asked the firm concerned to stop this data collection immediately. We have also taken the issue to the Information Commissioner’s Office. Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public.”

It could be argued that this particular instance of city-wide data collection could have been successful if the public had been better informed. There is another factor that all smart city vendors and implementers should also be concerned with, and if they are in a rush to be first to market, it could be far more costly.

How can we keep Smart Cities secure?

During Christmas 2014, the newspapers were dominated by the Sony hacking story, but another story came out around the same time that deserved far more attention than it gained. A report detailing a Turkey pipeline explosion found that the culprit was not a simple malfunction, as had been initially thought, but a deliberate and well-planned cyber attack. The attack first disabled security cameras and alarms, then pressurised the pipeline until it exploded. After a lengthy investigation, it was found that the attackers had broken into the network via the remote surveillance cameras that ran the length of the pipeline.

Smart cities also need to rely on this distributed layout of components, often using low-powered sensors transmitting their data wirelessly back to the controller. Smart city vendors and users must keep one fact in mind when building their network: they might be their devices, but they cannot be trusted. Most people in the security field should be comfortable with the idea of trust boundaries, but the traditional model blurs when components sit outside physical boundaries yet inside encrypted channels.

Tools are becoming more available and affordable to anyone who wishes to investigate and reverse engineer smart city components. Security needs to be thought about at the inception of smart cities so that they are safe throughout their many years in the field. Companies should build systems that are resilient to attack, have methods for detecting attacks when the attacker finally gets in, and have plans in place to deal with an attack that bypasses their detection. Smart Cities are a major target and should be built with security measures to match.

So is the risk of an attacker turning off the lights too much? Does the risk of smart cities outweigh their benefits? Saying no already isn’t an option. Smart cities are already here. From Boston to Santander to Stockholm, cities around the world are already implementing the technology to help them better manage their infrastructure and resources. And their effect is impressive. Santander, the EU’s designated test bed for smart city technology, reduced energy costs “by as much as 25 percent”. It’s an incredible incentive for other cities to follow suit. However, it must be done at a pace that keeps the public informed, with security considerations included in every stage of the process.


