Hacking Risks In a ‘Smarter’ World

The very nature of the smart city presents an enormous security challenge that many experts worry is susceptible to cyber-attack.

That’s because it’s a highly complex network of connected infrastructure, wireless sensors and numerous other platforms, users and components. According to an August 20th ABI Research report, digital security in connected infrastructure is severely lacking, while past attacks and increasing network complexity indicate a future threat landscape both broader and deeper.

Dimitrios Pavlakis, an industry analyst at ABI and author of the report, told TU-Automotive that a comprehensive approach to smart city security encompasses a staggering multitude of fronts: regulatory compliance with security standards, data protection for the consumer, defense against remote attacks, identity protection systems and so on. “A key issue many governments overlook is regulatory frameworks. A lot of legacy protocols were designed when security was not even an issue,” he said. “Smart cities are not one entity. It’s a multitude of verticals connected by various platforms.” He said development of security platforms capable of handling such a volatile ecosystem should be a top priority and, based on the current trends and the increasing number and sophistication of attacks, he think there are going to be “a lot” more attacks in the future.

Another issue affecting the security of smart city components is alert fatigue. With so many sensors and points of entry for malicious actors there isn’t enough firepower on the defensive side to deal with all of them, so a lot of these potential red flags fall through the cracks. “I’m not saying if someone hacks a traffic light they can reach the Pentagon but if different verticals are connected in their own way, then we are just dealing with an insecure environment where information can be hacked in different ways,” he said.

That’s a point of view shared by Deloitte cyber emerging solutions leader Sean Peasley, who said a “significantly expanding” threat surface with billions of connected devices is going to make smart city security issues much more complex and difficult to deal with. “There’s going to be a lot of additional entry points for attackers to try and compromise those systems,” he explained. “We also have to look at the interoperability of legacy system and the new systems. They don’t have the necessary security capabilities, and it’s such a huge cost to replace all that.”

Coordination between various municipal departments and agencies, most of which don’t have automated processes at the moment, is going to be critical and, because all the data collected by those departments are siloed, the development of smart cities will require them to come together and think of cyber security as a big part of that development. “We’re not looking at a greenfield approach, we need to come up with overlay solutions and try to help get it to a point where we feel comfortable with the cyber risk factor,” Peasley said. “We need to consider the security of all those components and go through a thorough process of what happens if one of those components is taken over by an adversary. That’s fundamental.”


Cesar Cerrudo, chief technology officer for IOActive and Securing Smart Cities founder, pointed out that one of the main problems threatening smart city technology is lack of cyber-security awareness in general. “People don’t know about cyber-security and why it’s very important, which means bad decisions are made,” he said. “Another problem is the supply chain. The parties acquiring technology are blindly trusting the providers, there is almost no security testing being done.”

He warned the numerous connected infrastructure and vehicle technologies currently in use are being deployed without anyone really knowing how secure they are, thereby, creating a growing attack surface exposing the weaknesses to possible attackers. “We are already seen many cyber-attacks, mostly ransomware, which is growing in scale and in sophistication,” he said. “This won’t stop it will just get worse. Cyber criminals do it for money and state actors do it for political reasons but also for money to fund their operations.”

Pointing to the responsibilities from automakers to ensure they are providing encrypted communications and other necessary security measures, Cerrudo said they should not only secure their own technology but also make sure to have a secure supply chain by security testing all the third-party components they use. “Just trusting an insecure component compromises all other related technology, as interdependence of components and systems weakens all of them,” he said.

Peasley said municipalities are going to have to start with more pilot programs and learn about the use cases and what could go wrong, in addition to developing higher standards in terms of the security management systems. “It’s going to take a lot of work and we need to say now that cyber has to be considered from the outset, that secure design principles have to be built into the system from the start,” he said. “That needs to be the future.”

Leave a comment

Your email address will not be published. Required fields are marked *