Imagine the extent of the damage that cybercriminals can cause in a fully connected city. Technically, the damage ranges from permanent denial of service (PDoS) attacks, device hijacking and identity theft to the disruption of critical services, including building access, emergency networks or sewage treatment facilities. It can amount to a serious violation of human rights, such as the right to privacy, and in extreme cases it can lead to mass casualties.
A connected city has many advantages, but its foundation, a mesh of Internet-connected devices, is also its greatest vulnerability. A single exploited sensor can give attackers an entry point and effectively make the whole system insecure. If a single device lacks sufficient security, or its digital certificate has expired, the whole structure may be vulnerable to attack or interruption, thus affecting critical services.
Without proper network security measures, a smart city will be vulnerable to malicious intrusion and criminal activity. In 2014, for example, researchers were able to break into nearly 100 wirelessly networked traffic lights in Michigan. In this case, by using the default user name and password, which could be found on the Internet, the researchers penetrated the network relatively easily. If malicious actors copied this behavior, there would be a real possibility of loss of life. In 2018, the city of Atlanta was hit hard by a ransomware attack against key municipal systems, and at least one-third of the more than 400 software solutions run by city hall were left inoperable.
Protecting this infrastructure requires every node and endpoint in the network to be secure, which is not an easy task. System operators therefore need to fully understand the whole smart city network, and be able to verify and trust each endpoint to ensure that it is legitimate and has not been tampered with at any stage. This requires building strong security functions into each device, and implementing an automated certificate management system that keeps every certificate up to date, so as to prevent (potentially dangerous) interruption or downtime.
Such standards are crucial not only for interoperability and for ensuring the normal operation of all elements in the network, but also for maintaining the security of the system. These standards must define not only how devices will communicate, but also how that communication is secured, how devices are identified as legitimate, and how the integrity of the data generated by these devices is protected.
Three-step solution
Privacy and security issues can be addressed in three steps. The first is to secure the network and enterprise-level infrastructure systems. This ensures that only authorized personnel and commands can access these devices, thus keeping external malicious actors out of the network. By using the latest network security devices and certificate-based authentication for all systems, attacks on network infrastructure can be stopped.
Secondly, it is very important to protect all the kinds of connected devices, such as building control systems and traffic management systems, that make up the network structure of a smart city. Every device must have built-in security so that it does not become an easy target for hackers. Internet of Things devices are increasingly attacked by cybercriminals. They need dedicated embedded security solutions that protect them from the point of manufacture, and they must then be updated throughout the device life cycle to cope with changing threats.
Third, when it comes to privacy and security, it is crucial that system architects continue to focus on the traditional IT systems that keep municipal data, employees, websites, and services running. A forward-looking smart city will monitor and protect its perimeter, and will have visibility into the internal systems that may be attacked.
Safer smart city
Unless the manufacturers of smart devices and connected infrastructure in cities adopt more appropriate security policies, processes and protocols, security and privacy incidents in smart cities will become more frequent. Smart cities that ignore certificates and device authentication will not remain smart for long, because cybercriminals can access these devices again and again and write malicious code to them, seriously damaging operations and threatening lives and property.
Planners and system architects must understand this. The operational advantages of the connected city can be realized only if each endpoint is secure. Crucially, there are ways to continuously monitor security measures. Having a certificate to authenticate a connected device is one step. Actively monitoring and managing the certificate lifecycle is another, and it will greatly support any attempt to create a reliable and secure smart city.
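To make the difference between having certificates and managing their lifecycle concrete, the following Python sketch triages a device fleet by certificate state. It is an added example, not part of the original article; the device names, expiry dates and 30-day renewal window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: device names are hypothetical. not_after uses the
# text format of the 'notAfter' field returned by SSLSocket.getpeercert().
INVENTORY = [
    {"device": "door-controller-112", "not_after": "Jan 15 00:00:00 2026 GMT"},
    {"device": "sewage-pump-plc-03", "not_after": "Jun 20 12:00:00 2024 GMT"},
    {"device": "traffic-signal-017", "not_after": "Mar  1 00:00:00 2024 GMT"},
    {"device": "air-quality-sensor-9", "not_after": None},  # never enrolled
]

# Fixed "current time" so the sample run is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()


def triage(inventory, now, renew_window_days=30):
    """Group devices by certificate state; each item is (device, days_left)."""
    report = {"no_certificate": [], "expired": [], "renew_now": [], "ok": []}
    for entry in inventory:
        if not entry["not_after"]:
            # A device without a certificate cannot be authenticated at all.
            report["no_certificate"].append((entry["device"], None))
            continue
        expires = ssl.cert_time_to_seconds(entry["not_after"])
        days_left = int((expires - now) // 86400)
        if expires <= now:
            bucket = "expired"
        elif days_left <= renew_window_days:
            bucket = "renew_now"
        else:
            bucket = "ok"
        report[bucket].append((entry["device"], days_left))
    # Most urgent first within each dated bucket.
    for bucket in ("expired", "renew_now", "ok"):
        report[bucket].sort(key=lambda item: item[1])
    return report


if __name__ == "__main__":
    for state, devices in triage(INVENTORY, NOW).items():
        for device, days_left in devices:
            print(f"{state:15} {device:22} days_left={days_left}")
```

Run on a schedule against the real inventory, a report like this surfaces the expired and unenrolled devices before they cause an outage or become the weak endpoint.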
As our world becomes more and more complex, our cities, public utilities, buildings and cars become home to ever more complex computer and data networks, and their vulnerability to bad actors and cyber attacks continues to grow. Malicious attackers know this, and they also know how much damage to our daily lives can be caused by destroying these interwoven systems. Unless municipalities understand the importance of protecting their smart infrastructure, smart cities will never really be able to realize their potential and will become the next frontier for cybercriminals.
Editor in charge: PJ