IoT broadens attack surface of smart cities
- By Karen Epper Hoffman
- Dec 23, 2016
Cybersecurity attacks are scary enough, but what happens when they start coming from unexpected sources to attack the underlying infrastructure of cities?
It may sound like the plot of a Philip K. Dick novel, but headlines in recent months have decried several attacks on public and private websites, mounted and executed through botnets on unsecured devices (not always computers) with internet access. To be sure, the Internet of Things promises more reliable and easy access to myriad industrial and municipal systems. However, as smart cities start investing in smart meters and other devices that could fall prey to attacks engineered by botnets taking advantage of unsecured IoT devices and other IP-connected electronics and systems, there is arguably a much broader threat vector for government agencies.
When the popular InfoSec website KrebsOnSecurity suffered a huge distributed denial of service attack by an IoT-harnessed botnet, Chris Sullivan, general manager of intelligence and analytics at Core Security Inc., said the outage likely resulted “from a new breed of very high volume DDoS that will be difficult to handle with the defenses that most enterprises have in place today.”
“Unlike your PC or your phone, IoT devices don’t have the memory and processing to be secured properly, so they are easily compromised by adversaries, and it’s very difficult to detect when that happens,” Sullivan said. Indeed, the botnets utilized in these attacks can also run off security cameras, printers and digital video recorders.
The malware that propagates these DDoS attacks (like the notorious Mirai that brought down high-profile websites with an attack on Dyn’s managed DNS infrastructure) are typically designed to be self-propagating, making them easy to spread quickly “with as little effort as possible from the malicious actors’ point of view,” said Allison Nixon, director of security research for Flashpoint. However, most of the exploited devices thus far have been unsecured. “Smart cities and the large networks [that support them] are centrally planned, so that is different from what we have seen exploited so far,” Nixon said. “Looking at smart cities, centrally managed systems are typically less vulnerable to attack.”
The risk-benefit balance
The industrial IoT holds a great deal of promise for “modernizing e-government services and creating efficiencies and savings across the board,” CEO of ROMAD Cyber Systems Igor Volovich said. “Many of the services targeted for IoT connectivity have been connected in other ways for a long time -- except not directly to the internet.” He said he believes there are many risks, some still poorly understood, associated with exposing critical infrastructure systems to direct attack by bad actors.
“Municipal governments are not well-equipped to deal with the multitude of security issues inherent in the proposed industrial IoT implementations and must weigh very carefully the risk-benefit balance of such projects,” Volovich said. Indeed, 98 percent of government IT professionals see smart cities as not having any protection from cyberattacks, and 55 percent of them blame the cities for not focusing on cybersecurity resources, according to a survey by cybersecurity solutions provider Tripwire.
There is a broad spectrum of security, Amit Serper, principal security researcher for Cybereason, pointed out. “On one side of the spectrum, there is convenience and a great user experience but very little security. The other side of the spectrum, security can be cranked to the maximum, but the user experience will suffer.” While Serper agreed that smart city technology can be beneficial to the residents and to the municipality itself, “the ramifications of lax security policies could be severe,” as is commonly understood. In fact, he pointed to the video game series “Watch Dogs,” which allows players to control a hacker who breaks into a city's operating system.
It is likely too late to try to rein in the use of internet-connected devices and electronics, said Dan Lohrmann, chief strategist and chief security officer at Security Mentor Inc. “The Internet-of-Things boat has left the dock, and these technologies and new connectivity are becoming the global reality right before our eyes,” Lohrmann said. “Everyone is pushing forward with faster and broader internet connectivity, and overall I think the productivity benefits and convenient opportunities are huge. Opposing these initiatives, or becoming a laggard in these areas is a mistake.”
Moreover, Lohrmann said he believes that “history is repeating itself with initiatives like smart cities, smart meters, smart industrial devices and smart everything.” Over the past decade, virtually all new technology advances have brought new risks, including Wi-Fi, cloud computing, and bring your own device practices, he noted. “Similar challenges are emerging now with standards and implementing security surrounding IoT projects,” he added.
The IoT technology underlying these emerging smart cities may not be that well secured or even that well understood. According to the Tripwire research, smart grids, one smart city service, were seen by 38 percent of respondents to be more exposed to cyber risks than others, while 26 percent considered transportation systems to be more vulnerable. Other vulnerable services include surveillance cameras and wastewater treatment.
“Smart city initiatives are pushing the technological envelope for urban infrastructure management, and it’s clear from the survey results that cybersecurity is being left out of the conversation,” Tripwire’s Director for Security and IT risk Strategist Tim Erlin said in the release on the research. This is most likely due to budgeting issues or political interference, according to the government IT professionals surveyed.
What’s the smart agency to do?
Government IT teams, it would seem, must resign themselves to transitional period where IoT is taking hold, but all is not secure. With that in mind, what potential threat vectors should they target to best mitigate risk? Like many InfoSec experts, Volovich acknowledged that “the massive scale of IoT adoption brings widespread commoditization and thorny supply-chain concerns,” which necessitates looking more closely at third parties. The recent Mirai DDoS attacks demonstrated the danger, he said, because “the culprits were IP camera management systems manufactured by multiple vendors.” Those device manufacturers were all customers of a single Chinese supplier, “whose system turned out to be readily exploitable, leading to the massive attack affecting the entire eastern seaboard of the United States and taking down major online services.”
“It is imperative that IoT users perform adequate due diligence on their vendors and their products and services in order to understand the origin and risk factors affecting their IoT products,” Volovich said. “Naturally, these are good ideas for all environments, but for IoT in critical infrastructure networks the stakes are decidedly higher -- up to and including life safety.”
According to Sullivan, more analytical technology in place might help municipalities better understand the risk now that the IoT genie is out of the bottle. “Companies should move immediately to get control of this situation both to protect themselves and because, in the wake of these new high-profile events, it’s likely to be mandated by new law,” he said. “What is required now is the deployment of systems that don’t try to control the IoT devices but rather watch and learn how they behave so that we can identify malicious activity and isolate them when necessary.”
Lohrmann suggested that there are “many steps that governments can take as they deploy smart technologies.” First, he said, InfoSec professionals should do their homework on currently installed IoT devices and those under consideration. He also suggested they ask questions of IT peers and managers: What security protections are in place? Is the manufacturer taking security seriously and taking steps to keep their products up-to-date with code fixes from known vulnerabilities?
Security leaders should also make sure that default passwords are not being used and that security features that are available are enabled on all devices and electronics. “Don’t buy devices that have known security weaknesses just because they offer a low-cost, quick answer,” Lohrmann advised. He also recommended that state and local governments that have or are developing smart-city infrastructures have regular penetration tests conducted against IoT systems and devices to verify their security from end to end. Also, some cities may want to consider implementing a coordinated vulnerability disclosure program, or “bug bounty” program, as many technology vendors do, for finding holes these networks or systems.