Smart cities are the future. It won’t be long before we’ll all be living in areas where we can’t survive without technology, specifically the Internet of Things (IoT). But with privacy and cybersecurity issues plaguing the minds of would-be smart city dwellers, can developers push through?
Behind the Curtain of Smart Cities
While smart cities provide tons of benefits, primarily more efficient asset and resource management and service delivery, we can’t deny that they pose a particular threat to their dwellers’ privacy. To make good on their promise, smart city developers need to collect and analyze personal data. That includes information collected from citizens, devices, buildings, and other assets so developers can manage traffic, transportation systems, power plants, utilities, water supply networks, waste collection and disposal services, crime detection, and other community services. Without cameras and sensors that some may consider obtrusive scattered throughout smart cities, life as they know it won’t improve.
And because smart cities rely on IoT, we can’t dismiss the importance of cybersecurity. The amount of personal data they collect is bound to make them lucrative cyber attack targets. Imagine how devastating it would be if hackers successfully breach a smart city’s connected infrastructure. While we haven’t seen actual attacks, researchers have presented likely scenarios that don’t paint a pretty picture.
Potential Smart City Cyber Attacks
Much like any Internet-connected device, smart city systems are prone to various cyber attacks, such as:
Man-in-the-middle (MitM) attacks
Attackers can breach, interrupt, or spoof communications between two systems. An example would be hacking into a wastewater system smart valve to cause a biohazard spill.
Data and identity theft
Threat actors can steal the data collected by unprotected devices, such as parking meters, electric vehicle charging stations, and surveillance cameras that they can then use for fraudulent transactions and identify theft.
Attackers can hijack and effectively take full control of unprotected devices. They can exploit a vulnerability in smart meters, for instance, to launch a ransomware attack on the city’s energy management system (EMS) or secretly siphon energy.
Distributed denial-of-service (DDoS) attacks
Threat actors can also render machines or network resources unavailable by disrupting a connected host’s service. They can flood a target system with invalid requests from tons of sources to stop it from fulfilling legitimate requests. DDoS attacks work because traffic comes from thousands or even millions of sources. All connected devices in a smart city can be breached and forced to join a botnet to overwhelm a system.
Permanent DoS (PDoS) attacks
Also known as “phlashing,” these can damage a target device so severely that it will require replacement or hardware reinstallation. Attackers can target all of a smart city’s traffic sensors, for instance, effectively bringing transportation to a standstill.
How to Ensure Smart City Cybersecurity
The National Institute of Standards and Technology (NIST) recently established an IoT-enabled smart cities framework. It aims to address cybersecurity, data integration, and sharing issues. But these standards are merely recommendations for now. Until their implementation, here are some best practices for smart cities:
Create data privacy and usage policies
IoT users often focus on the benefits but pay very little attention to risks. IoT policies to support data privacy and usage from the get-go can assure users that their personal information will remain protected against cyber attacks and won’t be misused.
Always secure user identities
Credential management is critical in securing connected systems. Every computer or device has its way of providing security, and some may be weaker than others. Smart city administrators can use a means to strengthen access security, such as multifactor authentication (MFA), to eliminate weak points.
Encrypt sensitive data
Before a system goes live, smart city managers must know the extent of data collection and how that information will be used. They need to encrypt all data that can quickly identify users coming from their devices to management systems and vice versa. Doing that can help smart city administrators avoid costly forensic and mitigation efforts down the road.
Control who has administrative access
Not all smart city managers need to know everything related to their jurisdiction. It is thus ideal to set up protocols and options for access to create boundaries while still providing transparency and ease of use for effective connected infrastructure use. Those who have administrative access can be held accountable should problems arise. Information users can also be readily identified.
Know the law
While repercussions for committing cybercrimes remain limited and ill-defined to date, it would still do smart city administrators well to know what they are. If they can help the government define sanctions, fines, prison sentences, and possible modifications to the U.S. code to reflect the realities in an interconnected world, they should do so.
Living in a smart city sure sounds blissful.
Traffic congestions are a thing of the past. Keeping track of your utility bills is a breeze. Smart cities undoubtedly provide tons of benefits but will convenience come at a price? Without the right protocols and policies in place, a seeming boon can quickly turn into a bane.