In this article, Galina Antova, co-founder and chief business development officer of Claroty, talks about OT security in smart cities and the challenges faced around securing the technology associated with running them.
Civic leaders around the world are looking to automate the infrastructures that make their cities run in a drive to reduce costs and cope with rising populations. From transit networks and utilities through to refuse collection and streetlighting, connecting services to the internet is proving an appealing prospect for those in charge of cities and large towns.
In fact, Frost and Sullivan predict that by 2025 there will be at least 26 fully-fledged smart cities globally.
However, in their rush to automate their cities, civic managers need to ensure that they also build in cyber security that will protect them from threat actors wishing to create chaos for their own nefarious ends.
The severity of the threat
Connecting any of the infrastructure under their jurisdiction will be unknown territory for many civic leaders. In order to understand the types and scale of threat their newly connected networks could be facing, city managers should look at what has happened elsewhere.
For example, threat actors are attacking the IT networks of local authorities in the UK at a rate of 800 hits every hour. This should be of concern: without proper segmentation between the two, it doesn’t take long for a threat actor who is in an IT network to move laterally into the operational technology (OT) that a smart city runs on.
This is a lesson that other sectors have learned to their cost. For instance, WannaCry and NotPetya were able to disrupt the production networks of the likes of Merck and Renault, after having initially spread from their IT systems.
However, even if they are aware of these risks, civic leaders have a major hurdle to jump: much of the technology they would use to create smart cities has been built with maximum connectivity in mind, and security researchers are exposing a lot of vulnerabilities in those IoT-connected devices.
Once these devices are active, they often run on operating systems that have significant vulnerabilities that are in many cases challenging to patch or no longer supported. For instance, IPnet is still an integral part of the operating systems of smart devices used in connected cities, despite having not been supported since 2006.
When combined with the reality that there are likely to be hundreds of thousands of these devices connecting to an OT network, that presents a huge, exposed attack surface for threat actors to exploit. The situation is likely to be exacerbated by 5G, as it provides a better way to connect to the OT network not only for devices but also for cybercriminals.
What might be attacked?
More or less anything that is under the jurisdiction of civic managers can be made more efficient and cost effective through automation and connectivity. However, with each service that is brought online, smart cities are exposing themselves and their citizens to the potential risk of catastrophic events that could have a devastating and long-lasting impact.
Take streetlighting for example. Many UK local authorities now remotely control the streetlights throughout their areas, enabling them to be turned off and on when necessary via a central operations centre. Streetlighting is vital for towns and cities as it helps enhance quality of life, improve public safety, and reduce traffic accidents.
For instance, studies show that in areas where streetlighting has been improved, road collisions fall by 30 percent and the severity of injuries is reduced by a factor of three. Therefore, in the event of a cyber-attack knocking out the streetlighting system, the wellbeing, or even the lives, of residents and commuters could be in danger.
There is also the reality that alongside the potential to cause chaos across a city, cybercriminals are likely to want to break into these systems to steal the significant amount of data, including personally identifiable information, on which they run.
While connectivity and automation have the potential to drastically change how cities are managed, and people’s experience of living and working there, these advantages can be wiped out by a single cyber-attack. As such, civic managers must make cyber security a priority when looking to make any infrastructure “smart”.
However, local authorities in the UK have a notorious lack of cyber security expertise, with researchers from Coventry University finding that they could infiltrate one council’s IT systems through simple social engineering. Some 650 members of staff willingly gave up their login credentials for what they believed was a chance to win an iPad.
If they want to create smart cities, local authorities must as a matter of urgency ensure existing staff are trained to be “cyber aware”, so that their actions don’t endanger the security of their networks. They must also recruit or train a cyber security team that is able to understand the difference between managing and protecting IT and OT networks.
The other piece of the puzzle is to invest in technology that provides detailed oversight into everything that is on a city’s IT and OT networks. Knowing granular details, from a device’s make, model, OS and IP address through to its risk level and update schedule, the IT security team will be able to identify and mitigate any vulnerabilities on their networks. As IoT and OT environments use unique communication protocols, this requires specialised solutions that are able to recognise them.
Once they know what is running on the network, security professionals also need to know how assets should be running so that they can detect any anomalies. This requires continuous automated monitoring that can present contextualised alerts ranked by level of severity, providing security teams with all the information they need to tackle potential risks in priority order.
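The inventory-plus-baseline monitoring described above, shown as an added Python example that is not part of the original article or any vendor's product: it checks observed flows against the expected conversations and ranks the resulting alerts by severity. The address ranges, device names, scoring weights and flows are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network
# All addresses, devices and flows below are constructed sample data.
OT_NET = ip_network("10.20.0.0/16")  # assumed OT address range
# Inventory keyed by IP; risk is 1 (low) to 5 (high). Weights are assumptions.
INVENTORY = {
    "10.20.0.5": {"model": "ExampleCo OpsServer", "os_supported": True, "risk": 3},
    "10.20.1.10": {"model": "ExampleCo LightCtl-200", "os_supported": False, "risk": 4},
    "10.20.1.11": {"model": "ExampleCo LightCtl-300", "os_supported": True, "risk": 2},
}

# Expected conversations: (source, destination, protocol).
BASELINE = {("10.20.0.5", "10.20.1.10", "modbus"),
            ("10.20.0.5", "10.20.1.11", "modbus")}

def score(flow):
    """Return an alert dict for a flow outside the baseline, else None."""
    if flow in BASELINE:
        return None
    src, dst, proto = flow
    severity, reasons = 0, [f"unexpected {proto} flow"]
    src_in_ot = ip_address(src) in OT_NET
    if ip_address(dst) in OT_NET and not src_in_ot:
        severity += 5
        reasons.append("crosses IT/OT boundary")
    if src_in_ot and src not in INVENTORY:
        severity += 5
        reasons.append("unknown device on OT network")
    target = INVENTORY.get(dst)
    if target is None:
        severity += 3
        reasons.append("destination not in inventory")
    else:
        severity += target["risk"]
        if not target["os_supported"]:
            severity += 2
            reasons.append("target runs unsupported OS")
    return {"flow": flow, "severity": severity, "reasons": reasons}

def triage(flows):
    """Alerts for anomalous flows, highest severity first."""
    alerts = [a for a in map(score, flows) if a is not None]
    return sorted(alerts, key=lambda a: a["severity"], reverse=True)

FLOWS = [
    ("10.20.0.5", "10.20.1.10", "modbus"),     # in baseline, no alert
    ("192.168.5.23", "10.20.1.10", "telnet"),  # IT host reaching an OT device
    ("10.20.1.11", "10.20.1.10", "http"),      # device-to-device, not expected
    ("10.20.9.99", "10.20.1.11", "modbus"),    # source missing from inventory
]
```

Calling `triage(FLOWS)` puts the IT-to-OT flow aimed at the unsupported device at the top of the queue, ahead of the uninventoried device and the unexpected device-to-device traffic.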
Such solutions also help to reduce the amount of time wasted dealing with false positives and low-risk alerts.
When building physical infrastructures, a key consideration for civic managers and leaders has always been safety and security. The same now has to be true when building OT infrastructures. In this way, smart cities can be created that provide all the advantages to their citizens rather than to cybercriminals.