As cities turn to IoT to address long-standing urban problems, Andrew Lee, ESET Government Affairs Liaison, discusses the risks of leaving cybersecurity behind at the planning phase.
You’ve probably heard the term “smart cities” – that is, the idea that extensive use of Information and Communications Technology (ICT) to monitor energy, utilities and transportation infrastructure can lead to cost savings, reduction of environmental impact and faster fault resolution.
The benefits are obvious. If a street lamp fails, and can tell you so, you can replace it more quickly. If you can control traffic more efficiently, you’ll reduce smog and noise, and reduce overall journey times. If you can tie AC/heating to ambient temperature in a fine-grained way, you can reduce power consumption and wastage. If you can track traffic in real time, you can plan the best routes for emergency response vehicles.
Most national governments have committed to the Paris Agreement, and therefore need to reach targets for reduced carbon emissions. These targets necessarily pass down to the regional and municipal levels, and the implementation of smart technologies in urban areas has a large part to play in achieving those goals. However, where there are complex, interconnected, computer-controlled networks of thousands of Internet of Things (IoT) sensors and devices, all sorts of alarm bells start to ring in the minds of cybersecurity practitioners.
ESET researchers have analyzed malware that was most probably used in several attacks against the energy industry and ultimately caused power outages. This sort of disruption has major effects on people’s lives, and intermittent or unreliable power does not take long to cause problems. Foods and medicines start to decay rapidly as refrigerators and freezers start to warm up.
Hospitals must reduce power consumption to the essentials. Petrol pumps don’t work (nor for that matter do smart vehicle charging stations), traffic light systems go down, buildings start to over-heat, or over-cool. Street lighting stops working. Electronic payment doesn’t work, wages may not be paid, ATMs don’t dispense cash. You can’t recharge your phone or your laptop. Your insulin pump won’t charge, your CPAP (continuous positive airway pressure) device won’t work, nor will your remote monitoring systems, your security cameras – or your coffee machine! It doesn’t take much to understand that in these circumstances chaos quickly ensues.
We can also imagine more subtle attacks than total electricity outages. There have been at least two major cases of illicit cryptocurrency-mining software on compromised nuclear power plant control systems. Cryptocurrency mining is incredibly power-intensive, and therefore has a high environmental impact – in addition to the cost and the potential to cause power distribution problems as described above. It’s not just companies that are affected by such attacks. In many (most?) cases, IoT devices are not well secured, and their vulnerabilities can lead to an attack where there is little user-initiated mitigation possible. Last year a large-scale operation was discovered using home internet routers to mine cryptocurrency. Where there is money to be made, and easily – given the vulnerability of the systems – there will be criminal exploitation.
Smart meters are a boon to utility companies as well as consumers and businesses, allowing precise monitoring of utility consumption, but their compromise can enable the theft of power/gas/water. Perhaps worse – such meters can also indicate how much generated power is being put into the grid (think rooftop solar) and the rest of the grid depends on that being accurate to do proper load balancing and generation. As is often the case with failures of security, it’s the unforeseen events that can have the most devastating results.
The European Union (EU) has been very active in implementing smart city technologies, among other IoT-driven projects, with many set up under the aegis of its research and innovation program called Horizon 2020. These projects vary in scope, but many have vast implications for the sectors they affect – smart cities and society, agriculture, healthcare, ocean and water management, food, manufacturing, and many other aspects of our lives.
Some of these projects are governed by Mission Boards that serve to guide and advise on the projects’ implementation. (Full disclosure: I was one of 550 applicants to the Mission Board for Climate-Neutral and Smart Cities, but did not obtain a seat, of which there were 15.)
The boards are made up of members working in a diverse range of disciplines, and we should hope that cybersecurity will be foremost in their thoughts, although it is scarcely mentioned in the briefs for the boards.
When all is said and done, there will be tremendous benefits in implementing technologies that can improve lives and reduce environmental impact. On the other hand, we should never forget the risks that come with failing to consider the security of those technologies.