Smart cities will be built on zero trust
As we travel further along the road to digital transformation, cities are turning to smart technologies to address quality-of-life issues and lower operating costs in times of tight budgets. However, with new technology coming online, civic leaders are beginning to recognize that while smart technologies bring many benefits, they also come with a high risk.
Recent high-profile cyberattacks have exposed vulnerabilities in American cities’ cybersecurity policies and safeguards. Perhaps most important, such attacks have shed light on the consequences that breaches could have if attackers turn their attention away from City Hall’s email inboxes and toward the connected systems at the epicenter of municipalities’ digital transformation.
If an attack targeted a system on which a city depends, such as a transportation management platform or the electrical grid, the result will be much more damaging than a data breach; it could create a rippling effect that could cripple a entire city’s operations. And with more cities turning to smart technologies, the likelihood of such an attack is increasing.
Smart technologies benefit cities and urban areas
According to the United Nations, nearly 70% of the world’s population will live in cities by 2050. To accommodate urban growth in the U.S., most major cities are now using some type of smart technology platform to improve city services – such as traffic management and crime prevention -- and to reduce costs. For example, in New York City, automated meter reading units give the city better data on water consumption and in turn enable more accurately resident billing. And Pittsburgh is using AI algorithms and smart traffic lights to reduce congestion by timing lights to make traffic flow most efficiently.
Deployment and integration of these data-rich technologies are expected to rapidly expand in the coming years as cities seek better metrics to inform planning and policy. As cities' face increasing budget and resources pressures, the value proposition to integrate smart technologies and automation will grow even greater. In fact, cities are forecast to spend more than $41 trillion in the next 20 years upgrading their infrastructure with internet-of-things devices, according to SmartAmerica Challenge.
Smart technologies increase attack surface and cyber risks
Recent high-profile attacks have demonstrated the evolving risks urban areas are facing – even without the addition of smart technologies to their infrastructures. In March 2018, Atlanta was hit with a ransomware attack that impacted half of the city’s departments for weeks. Hackers also struck Baltimore in May 2019 with a ransomware attack that held the city’s digital content hostage for a $100,000 ransom. Such attacks are on the rise, and a report from Barracuda found more than 50 cities or towns were victims of ransomware in the first half of 2019.
Add on the transition to smart cities, and these attacks may only be the tip of the iceberg because the proliferation of technologies creates a larger attack surface. Even smart technologies like sensors can be a vector for cyberattacks, causing cities to lose control of their systems especially as data processing moves further to the edge.
In fact, PwC notes that smart cities can be susceptible to signal jamming, remote execution as well as data manipulation, malware and distributed denial of service attacks. Unfortunately, the scale of these attacks has the potential to not only cost cities money and degrade the quality of life, but to even put lives at risk. And as interconnected systems are only as strong as their weakest link, just one compromised connection can impact the entire network.
Establishing a zero trust cyber policy
Ultimately, at a time when threats can come from anywhere, smart city leaders must question the security of their technology, software solutions and systems. They must establish what is called a “zero-trust” cyber policy that verifies the stability and security of every file and every device.
A zero-trust mentality means every file and every device – including data and technology associated with smart cities – pose a threat that must be authenticated at all times. Only such a singular focus on threat prevention and process creation will mitigate risks.
Today, many cities struggle with IoT security because there aren’t any widely accepted security standards or processes to follow. The National Institute of Standards and Technology recently established an IoT-enabled smart cities framework to address cybersecurity, data sharing and integration, and New York City is preparing to publish best practice IoT guidelines in 2020. But these are suggested standards, not requirements for implementing smart-city technology.
One thing that is clear is that traditional cybersecurity strategies will not protect smart cities. Simple password protection and anti-virus solutions cannot stand against advanced attacks on municipalities' underlying technology infrastructure. Instead, city leaders must integrate a high level of security consciousness into their operational culture and think differently about protecting their city systems.
In smart cities with a zero-trust mindset, everyone is understands a suspicious email is only one of thousands of possible attack vectors. A zero-trust culture requires universal understanding and acceptance of "trust no file and trust no device."
Recent attacks have shown how vulnerable our cities can be, and if steps aren’t taken prior to further advances in IoT and smart cities, vital infrastructure could be put at risk, ultimately affecting communities and their residents. As city leaders and workers form the front lines of defense, they must ensure that a zero-trust mentality forms the foundation for the transition to our smarter, more secure future.
Taeil Goh is CTO of OPSWAT, a critical infrastructure protection firm.