IoT broadens attack surface of smart cities

 


As smart cities start investing in connected devices, there is arguably a much broader threat vector from botnets taking advantage of the unsecured Internet of Things.

Cybersecurity attacks are scary enough, but what happens when they start coming from unexpected sources to attack the underlying infrastructure of cities?

It may sound like the plot of a Philip K. Dick novel, but headlines in recent months have decried several attacks on public and private websites, mounted and executed through botnets on unsecured devices (not always computers) with internet access. To be sure, the Internet of Things promises more reliable and easy access to myriad industrial and municipal systems. However, as smart cities start investing in smart meters and other devices that could fall prey to attacks engineered by botnets taking advantage of unsecured IoT devices and other IP-connected electronics and systems, there is arguably a much broader threat vector for government agencies.

When the popular InfoSec website KrebsOnSecurity suffered a huge distributed denial of service attack by an IoT-harnessed botnet, Chris Sullivan, general manager of intelligence and analytics at Core Security Inc., said the outage likely resulted “from a new breed of very high volume DDoS that will be difficult to handle with the defenses that most enterprises have in place today.”

“Unlike your PC or your phone, IoT devices don’t have the memory and processing to be secured properly, so they are easily compromised by adversaries, and it’s very difficult to detect when that happens,” Sullivan said. Indeed, the botnets utilized in these attacks can also run off security cameras, printers and digital video recorders.

The malware that propagates these DDoS attacks (like the notorious Mirai, which brought down high-profile websites with an attack on Dyn’s managed DNS infrastructure) is typically designed to be self-propagating, making it easy to spread quickly “with as little effort as possible from the malicious actors’ point of view,” said Allison Nixon, director of security research for Flashpoint. However, most of the exploited devices thus far have been unsecured. “Smart cities and the large networks [that support them] are centrally planned, so that is different from what we have seen exploited so far,” Nixon said. “Looking at smart cities, centrally managed systems are typically less vulnerable to attack.”

The risk-benefit balance

The industrial IoT holds a great deal of promise for “modernizing e-government services and creating efficiencies and savings across the board,” CEO of ROMAD Cyber Systems Igor Volovich said. “Many of the services targeted for IoT connectivity have been connected in other ways for a long time -- except not directly to the internet.” He said he believes there are many risks, some still poorly understood, associated with exposing critical infrastructure systems to direct attack by bad actors.

“Municipal governments are not well-equipped to deal with the multitude of security issues inherent in the proposed industrial IoT implementations and must weigh very carefully the risk-benefit balance of such projects,” Volovich said. Indeed, 98 percent of government IT professionals see smart cities as not having any protection from cyberattacks, and 55 percent of them blame the cities for not focusing on cybersecurity resources, according to a survey by cybersecurity solutions provider Tripwire.

There is a broad spectrum of security, Amit Serper, principal security researcher for Cybereason, pointed out. “On one side of the spectrum, there is convenience and a great user experience but very little security. The other side of the spectrum, security can be cranked to the maximum, but the user experience will suffer.” While Serper agreed that smart city technology can be beneficial to the residents and to the municipality itself, “the ramifications of lax security policies could be severe,” as is commonly understood. In fact, he pointed to the video game series “Watch Dogs,” which allows players to control a hacker who breaks into a city's operating system.

It is likely too late to try to rein in the use of internet-connected devices and electronics, said Dan Lohrmann, chief strategist and chief security officer at Security Mentor Inc. “The Internet-of-Things boat has left the dock, and these technologies and new connectivity are becoming the global reality right before our eyes,” Lohrmann said. “Everyone is pushing forward with faster and broader internet connectivity, and overall I think the productivity benefits and convenient opportunities are huge. Opposing these initiatives, or becoming a laggard in these areas is a mistake.”

Moreover, Lohrmann said he believes that “history is repeating itself with initiatives like smart cities, smart meters, smart industrial devices and smart everything.” Over the past decade, virtually all new technology advances have brought new risks, including Wi-Fi, cloud computing, and bring-your-own-device practices, he noted. “Similar challenges are emerging now with standards and implementing security surrounding IoT projects,” he added.

The IoT technology underlying these emerging smart cities may not be that well secured or even that well understood. According to the Tripwire research, smart grids, one smart city service, were seen by 38 percent of respondents to be more exposed to cyber risks than others, while 26 percent considered transportation systems to be more vulnerable. Other vulnerable services include surveillance cameras and wastewater treatment.

“Smart city initiatives are pushing the technological envelope for urban infrastructure management, and it’s clear from the survey results that cybersecurity is being left out of the conversation,” Tripwire’s Director for Security and IT risk Strategist Tim Erlin said in the release on the research. This is most likely due to budgeting issues or political interference, according to the government IT professionals surveyed.

What’s the smart agency to do?

Government IT teams, it would seem, must resign themselves to a transitional period where IoT is taking hold, but all is not secure. With that in mind, what potential threat vectors should they target to best mitigate risk? Like many InfoSec experts, Volovich acknowledged that “the massive scale of IoT adoption brings widespread commoditization and thorny supply-chain concerns,” which necessitates looking more closely at third parties. The recent Mirai DDoS attacks demonstrated the danger, he said, because “the culprits were IP camera management systems manufactured by multiple vendors.” Those device manufacturers were all customers of a single Chinese supplier, “whose system turned out to be readily exploitable, leading to the massive attack affecting the entire eastern seaboard of the United States and taking down major online services.”

“It is imperative that IoT users perform adequate due diligence on their vendors and their products and services in order to understand the origin and risk factors affecting their IoT products,” Volovich said. “Naturally, these are good ideas for all environments, but for IoT in critical infrastructure networks the stakes are decidedly higher -- up to and including life safety.”

According to Sullivan, more analytical technology in place might help municipalities better understand the risk now that the IoT genie is out of the bottle. “Companies should move immediately to get control of this situation both to protect themselves and because, in the wake of these new high-profile events, it’s likely to be mandated by new law,” he said. “What is required now is the deployment of systems that don’t try to control the IoT devices but rather watch and learn how they behave so that we can identify malicious activity and isolate them when necessary.”

Lohrmann suggested that there are “many steps that governments can take as they deploy smart technologies.” First, he said, InfoSec professionals should do their homework on currently installed IoT devices and those under consideration. He also suggested they ask questions of IT peers and managers: What security protections are in place? Is the manufacturer taking security seriously and taking steps to keep their products up-to-date with code fixes from known vulnerabilities? 

Security leaders should also make sure that default passwords are not being used and that security features that are available are enabled on all devices and electronics. “Don’t buy devices that have known security weaknesses just because they offer a low-cost, quick answer,” Lohrmann advised. He also recommended that state and local governments that have or are developing smart-city infrastructures have regular penetration tests conducted against IoT systems and devices to verify their security from end to end. Also, some cities may want to consider implementing a coordinated vulnerability disclosure program, or “bug bounty” program, as many technology vendors do, for finding holes in these networks or systems.
