A Cyber View Of Smart Cities
By Ken Tola
There are innumerable definitions of smart cities with a large number of geopolitical connotations that leverage different foci on people, technology and capabilities. These various, often disparate, definitions result in a smart city terminology that appears vast and daunting.
While many people attest to the fact that smart cities are the future and will eventually supersede all planning efforts, nobody can clearly define this future in any persistent manner. As spending on these cities expands into the $100 billion-plus range, it is obvious that more concrete definitions are needed.
From a cybersecurity perspective, there already exists a concrete definition in that smart cities are massive aggregations and utilizations of disparate types of information. When all of the features, options, dreams and other drapery is removed, the reality is that a smart city is a massive collection of devices that are communicating in new and, quite often, unprotected ways.
The IoT Nightmare
In order to understand the major challenges, it is important to fully understand the major underlying issues, which are not really new at all: devices and communications.
In smart cities, devices are generally referred to as the internet of things (IoT), and those devices remain unsecure and open to hacking attempts. The list of IoT vulnerabilities and exploits is long and increases each year with no true solutions in sight. In fact, smart city efforts are going to merge OT (operational technology) and IT systems together and vastly increase the number of devices and vendors being exposed to potential adversaries.
The main issue to this end is that mixing together various disparate vendors is only going to increase the threat profile. Since these devices do not communicate together, bridges and intermediates will be used to glue everything in place. This approach results in more isolated systems, more holes between system A and system B and more room for hackers to roam.
Compounding this challenge is the reality that none of our current cybersecurity approaches can handle the sheer volume of this new IoT world. Predictions reveal that IoT devices will soon number in the billions, which is a far cry from the current enterprise systems that number in the hundreds. At a few hundred devices, while difficult, the current manual intervention options provided by cybersecurity tools can somewhat keep up. Even at these levels, however, IT groups are being overwhelmed — but there are just not sufficient resources to handle millions of devices.
Imagine an issue, similar to the Mirai attack in 2016, that impacts a million devices. Suppose it only takes an hour to gain access to each device and repair it. That translates into roughly 481 years of labor for one exploit, not even at the scale of most smart cities. Now realize that the isolated, fragmented world of smart cities, as constructed today, will significantly increase that time per device, and it is apparent that manual interventions are a nonstarter.
No single cybersecurity solution on the market today provides automated remediation, and while options such as SOAR attempt to orchestrate responses, the reality is that most are simple isolation and reactive patching routines. While cyber vendors tout machine learning and AI systems, those efforts are focused on cleaning out noise from incoming information and attempting to find anomalies. None provides any level of remediation that does not require a human to directly run that effort. Not only are these cybersecurity tools not providing automated remediation, but they are also architected in such a way that they disrupt when they make changes and are unable to move into a full remediation capability down the road.
For modern cybersecurity, smart cities are a zero-sum game that will never reach the levels of protection that will be required. The final insult is the future wherein AI, already much faster than humans, will be used to attack these already improperly protected smart cities.
5G: Connecting Hackers Better Than Ever Before
While 6G is already being discussed, the main mode of communication envisioned for smart cities is 5G and, as with the devices, its safety is increasingly in doubt. Unlike previous types of communication, 5G will mesh together the IT systems that are used for communications and OT systems that actually control smart city options such as the lights, gas, water and most smart devices. This connectivity will expose very important OT systems to hackers over poorly protected lines of communication with dire consequences. Moreover, 5G is much more pervasive and will be everywhere in every aspect of a smart city, which enables more devastating attacks with greater real-world consequences. It is one thing to steal people’s data (IT) and another to explode a power plant (OT).
5G security suffers from complex challenges as it transmits over multiple types of connections such as Bluetooth, Wi-Fi, internet and even radio. While security solutions exist for specific types of connections, there are no cybersecurity solutions that work across all types of communications, although unified communication services are starting to at least unify the core protocols. This limitation results in siloed solutions that hand off data blindly to another type of connection and open the door for hackers to gain entry.
As with devices, these cybersecurity systems sit too far up in a device and cannot readily handle different types of physical communications. As more and more types of connections start to impact smart cities, this problem will only get worse: The threats will increase exponentially, and 5G security will fail completely.
The Future Of Smart Security
While technology can certainly adapt to overcome many of these challenges, and there are efforts underway to unify both device and communications protection, the truth is that governments have to push new standards. Manufacturers simply will not add in protection unless forced to do so, and many telco providers will not properly lock down 5G until it becomes an issue. Smart cities need a combined effort of better cybersecurity tools as well as cultural changes within governments to force AI-driven, unified remediation across types of communications and devices before it is too late.