How to Cope with Smart City Security Flaws?

This post is also available in: עברית (Hebrew)

The proliferation of IoT technology has resulted in hundreds of thousands of connected systems being embedded in many a city’s critical infrastructures, enabling city managers and urban planners to improve their operations and the daily lives of their citizens in real-time. Security challenges facing cities are reflected in the recent findings from IBM’s report, The Dangers of Smart City Hacking.

For the report, a team set out to learn more about real-world possibilities or the hacking of smart city technology, and see if “supervillain-level” attacks on smart cities were possible.

Here are some key examples of the vulnerabilities the team uncovered:

1.Manipulation of law-enforcement response – Hackers could accomplish “simulta­neous traffic tie-ups on key city roads by taking control of traffic control infrastructure – enough to create gridlock and delay law-enforcement teams from accessing the real scene of a crime.”

2. Disasters, real and fake – “By causing water level gauges, radiation detectors, wind speed sensors, and other disaster detection and alarm systems to report incorrect data, an attacker could potentially cause an evacuation as a distraction. Alternatively, a city could suffer far worse damage as a result of the delayed response to external threats, like radiation.”
3. Agricultural crop manipulation – “Smart farming has become commonplace as farmers use sensors to measure humidity, rainfall, and temperature to efficiently irrigate crops and determine optimal harvest times. Manipulation of this sensor data could result in irreversible crop damage, tar­geting a specific farm or an entire region.”

What is the solution? According to IBM, “there’s no easy way to patch a city, and this maps back to the fact that when it comes to device security, the responsibility is twofold: while it’s the manufacturer’s job to make sure that their products are built securely, it’s the user’s responsibility to make sure they are practicing good security hygiene.”

“Further, there’s a shared responsibility between the manufacturer and the user: with the former issuing software updates for security issues, and the latter actually applying those updates.”

IBM argues that both vendors and smart city leaders need to prioritize security by re-examining the vendors’ security protocols, building proper frameworks for these systems, and developing standard best practices for patching security flaws.

IBM also issued the following guidelines, according to information-age.com:

1. Implement IP address restrictions for who can connect to the smart city devices, especially if networks rely on the public internet.
2. Leverage basic application scanning tools that can help identify vulnerabilities.
3. Use strong network security rules to prevent access to sensitive systems, as well as safer password practices.
4. Disable unnecessary remote administration features and ports.
5. Take advantage of security incident and event management tools to scan network activity and identify suspicious internet traffic.
6. Hire ethical hackers to test systems, such as IBM X-Force Red. These teams are trained to “think like a hacker” and find flaws in systems before the bad guys do.