Five Ways to Protect a Smart City from Cyberattacks
by: Grant Snowden, Critical Start DFIR Engineer and Jaccari Standifer, Critical Start DFIR Analyst
Picture this: It’s rush hour on a typical morning in Smart City, USA. Suddenly, traffic lights begin to malfunction, causing chaos in the streets; emergency systems come to a standstill, litter overflows; water mains burst. This may sound like the plot of the latest superhero movie, but it could easily happen in your city.
The need for smart city cybersecurity has never been greater. Whether you realize it or not, smart technologies are already infiltrating many state, local, tribal, and territorial (SLTT) infrastructures. Using smart grids to improve the communication, automation, and connectivity of an electric power network and bringing 5G and Internet of Things (IoT)-enabled technologies to bear on waste, energy, water, and transportation systems are not scary concepts. They can help make a city run more smoothly. The scary part is that SLTT governments are procuring these technologies on their own from foreign sources because they are not standardized, and US production sources are scarce. This leaves SLTTs running immature, unsecured systems whose attack vectors are exposed to cyberattacks.
Atlanta: A City Under Siege
A SamSam ransomware attack caught Atlanta off guard in March 2018, infecting the city’s networks and encrypting at least one-third of its applications. For over a week, the city suffered serious digital disruptions in five of its 13 local government departments, crippling its court system, preventing residents from paying their water bills, limiting vital communications such as sewer infrastructure requests, and forcing the Atlanta Police Department to file paper reports for days. The cost: $2.6 million—far more costly than the original ransomware demand of roughly $50,000 in bitcoin.
Some would argue that the city should have just paid the ransom, but Lily Hay Newman of WIRED notes, “Paying the ransom up front might have saved the City of Atlanta time and money—and on paper would have cost several orders of magnitude less than the eventual cure—but it’s not quite as simple a call as it seems. City officials had no guarantee that attackers would actually release their systems upon payment. Or even if the hackers did decrypt the infected devices, the city’s digital infrastructure could still be weakened by the attack. There is also evidence that Atlanta was behind on addressing known vulnerabilities in its networks, so seizing the ransomware attack as an opportunity to invest in proper defense may offer more assurance that things have improved than simply paying a ransom and continuing to put off substantive upgrades.” 1
Albert is Here to Help—But It’s Not Enough
In an effort to enhance smart city cybersecurity and close the security gaps that plague SLTTs, the Center for Internet Security (CIS) offers security monitoring and management services through a cost-effective solution referred to as Albert. This Intrusion Detection System (IDS) is combined with the CIS 24×7 Security Operations Center (SOC) to provide enhanced monitoring capabilities and notifications when malicious activity occurs.
Let’s take a look at other steps smart cities can take to bolster their security posture.
- Zero Trust/Data Encryption
One limitation of Albert is that it uses a signature-based IDS, which is effective at identifying known indicators of compromise (IOCs) but is unable to detect unknown attacks. Therefore, Albert’s ability to rapidly detect threats is inferior to zero-trust Managed Detection and Response (MDR) solutions that triage and resolve every alert.
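The limitation described above can be seen in a few lines of code. The following is an added illustration, not CIS Albert's code or any vendor's: a minimal signature matcher run over constructed connection-log lines flags only destinations on a known IOC list, while a steady, repeated contact to an unlisted host (the kind of pattern a signature list cannot describe in advance) passes the signature check and is caught only by a behavior-based rule. The IOC values, hosts, and log format are all constructed for the example.

```python
# Added illustration (not CIS Albert's or any IDS vendor's code).
import re
from collections import defaultdict
from datetime import datetime

# Constructed IOC list: a documentation-range IP and an example domain.
KNOWN_IOCS = {"ip": {"198.51.100.23"}, "domain": {"bad.example"}}

# Constructed sample log lines in the form "<timestamp> <src> -> <dst> <bytes>".
SAMPLE_LOG = """\
2020-06-01T08:00:01 10.0.5.12 -> 198.51.100.23 412
2020-06-01T08:00:05 10.0.5.12 -> updates.example 9012
2020-06-01T08:00:09 10.0.5.40 -> bad.example 77
2020-06-01T08:00:13 10.0.5.40 -> 203.0.113.9 120
2020-06-01T08:01:13 10.0.5.40 -> 203.0.113.9 120
2020-06-01T08:02:13 10.0.5.40 -> 203.0.113.9 120
2020-06-01T08:03:13 10.0.5.40 -> 203.0.113.9 121
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\d+)$")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, size = m.groups()
            events.append({"ts": ts, "src": src, "dst": dst, "bytes": int(size)})
    return events


def signature_hits(events):
    """Signature-based check: flag events whose destination is a known IOC."""
    hits = []
    for e in events:
        kind = "ip" if IPV4_RE.fullmatch(e["dst"]) else "domain"
        if e["dst"] in KNOWN_IOCS[kind]:
            hits.append((e["src"], e["dst"]))
    return hits


def periodic_contacts(events, min_repeats=3, tolerance_s=5):
    """Behavior-based check (not part of a signature IDS): flag a source that
    contacts the same unlisted destination at a near-constant interval."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) <= min_repeats:  # need at least min_repeats intervals
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(deltas) - min(deltas) <= tolerance_s:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("signature hits:", signature_hits(events))
    print("periodic contacts missed by signatures:", periodic_contacts(events))
```

On the sample log the signature pass flags the two known indicators and nothing else; the beacon-like traffic from 10.0.5.40 to 203.0.113.9 is invisible to it and surfaces only from the interval check. That gap is what the paragraph means by the inability to detect unknown attacks.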
The next best thing to having a zero-trust MDR platform is using cryptographic measures, including encryption and compression of your data, both within your systems and as it moves between systems, to ensure you are covering all potential attack vectors. The quick win here involves upgrading to wireless networking hardware that supports the WPA3 security protocol. A more in-depth approach is to implement end-to-end encryption (E2EE) solutions for data in motion. Keep in mind that encrypting data at rest is often rendered ineffective if the attacker compromises the credentials of an account with privileged access to those resources.
- Third-Party Risk Management
Third-party risk management can be a huge concern for certain industries in the public sector. The federal government imposes strict guidelines on vendors with whom it is considering doing business, vetting them, assessing how they source their parts, and ensuring that they have no history of breaches. At the SLTT level, however, third-party risk management may need special attention. Ross Williams' recent blog article offers tips on how to minimize exposure to risks from using outside vendors.
- Network Segmentation/Microsegmentation
Network segmentation, or dividing your network into subnets of related components, is an effective way to limit the damage breaches can cause and streamline mitigation activities. Traditional segmentation works best on client-server interactions that cross the security perimeter, but today's hybrid cloud architectures have diminished the importance of the perimeter because most traffic flows from server to server between applications. An abundance of virtual machines also means a single server can host hundreds of workloads that each have their own security requirements. Microsegmentation provides these environments with more granular security, right down to the workload level, to reduce the attack surface, improve breach containment, strengthen compliance posture, and streamline policy management. Software-defined networking (SDN) is the up-and-coming enabler that scales readily and quickly. If Wi-Fi is a must-have, we strongly recommend using only Wi-Fi 6 (802.11ax) devices, which conveniently also support the WPA3 protocol recommended in Step 1 above.
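To make the difference between perimeter segmentation and workload-level microsegmentation concrete, here is an added example (not any SDN controller's or vendor's code) that evaluates the same constructed east-west and north-south flows under two policies: a perimeter policy that inspects only traffic entering from outside and trusts everything internal, and a default-deny microsegmentation policy that allows only explicitly listed tier-to-tier connections. The workload names, tiers, and ports are constructed for the illustration.

```python
# Added illustration of perimeter vs. workload-level policy (constructed data).
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    tier: str   # role label used by the microsegmentation policy
    zone: str   # "external" or "internal"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Constructed inventory: an external client plus four internal workloads.
WORKLOADS = {
    "internet":  Workload("internet", "external", "external"),
    "web1":      Workload("web1", "web", "internal"),
    "app1":      Workload("app1", "app", "internal"),
    "db1":       Workload("db1", "db", "internal"),
    "plc-gw1":   Workload("plc-gw1", "ot-gateway", "internal"),
}

# Microsegmentation allow list: (src_tier, dst_tier, dst_port).
# Every flow not listed here is denied, including internal-to-internal.
MICROSEG_ALLOW = {
    ("external", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "ot-gateway", 502),
}


def perimeter_decision(flow):
    """Classic perimeter rule set: filter inbound traffic at the edge only."""
    src, dst = WORKLOADS[flow.src], WORKLOADS[flow.dst]
    if src.zone == "external":
        return "allow" if (dst.tier == "web" and flow.port == 443) else "deny"
    return "allow"  # east-west traffic never crosses the perimeter device


def microseg_decision(flow):
    """Workload-level policy: default deny, allow only listed tier pairs."""
    src, dst = WORKLOADS[flow.src], WORKLOADS[flow.dst]
    rule = (src.tier, dst.tier, flow.port)
    return "allow" if rule in MICROSEG_ALLOW else "deny"


def compare(flows):
    """Return (flow, perimeter verdict, microsegmentation verdict) per flow."""
    return [(f, perimeter_decision(f), microseg_decision(f)) for f in flows]


def lateral_moves_only_microseg_blocks(flows):
    """Flows the perimeter lets through but microsegmentation stops."""
    return [f for f, p, m in compare(flows) if p == "allow" and m == "deny"]


# Constructed traffic sample: legitimate paths plus two lateral attempts.
SAMPLE_FLOWS = [
    Flow("internet", "web1", 443),   # normal inbound
    Flow("web1", "app1", 8443),      # normal tier hop
    Flow("app1", "db1", 5432),       # normal tier hop
    Flow("web1", "db1", 5432),       # web tier reaching straight for the database
    Flow("web1", "plc-gw1", 502),    # web tier reaching for the OT gateway
]

if __name__ == "__main__":
    for flow, p, m in compare(SAMPLE_FLOWS):
        print(f"{flow.src:>8} -> {flow.dst:<8}:{flow.port:<5} perimeter={p:<5} microseg={m}")
```

Both policies admit the three expected paths. The two flows that hop tiers without passing through the application layer are exactly the ones a compromised web host would use to reach the database or the OT gateway; the perimeter never sees them, while the workload-level allow list denies them by default.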
- Supply Chain Management
The massive gap in the technology supply chain adds to the risk smart cities must face. China remains the leading provider of user-grade hardware, and industry experts note that smart city platforms sourced from China may pose security risks for users.
According to the Cybersecurity & Infrastructure Security Agency (CISA), “The cyber threat from foreign adversaries, hackers, and criminals presents new and significant risks to government and industry. Constant, targeted, and well-funded attacks by malicious actors threaten government and industry alike by way of their contractors, sub-contractors, and suppliers at all tiers of the supply chain. Sophisticated threat actors exploit vulnerabilities deep in the information and communications technology (ICT) supply chain as a beachhead from which they can gain access to sensitive and proprietary information further along the chain.” 2
In response to these realities, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has established the ICT Supply Chain Risk Management Task Force to identify and develop consensus strategies that enhance ICT supply chain security. You can find a variety of helpful resources for supply chain risk management in CISA’s ICT Supply Chain Risk Management Toolkit, including processes and criteria for threat-based evaluation of ICT suppliers, products, and services.
- Identity Governance
Oftentimes, the human element is the weakest point in any system. Phishing is still one of the top threat actions, according to the 2020 Verizon Data Breach Investigations Report. With this in mind, smart cities need to not only focus on the big issues previously mentioned, but also pay close attention to identity governance.
Implementing password managers that generate randomized passwords and requiring multi-factor authentication can help, but most importantly, you need to focus on a shift in culture and behavior for both workers and residents in your community. Implement security awareness and training programs in consultation with experts in smart cities and cybersecurity, who can help you ensure the right measures are taken, the right training is in place, and the right recovery plans are ready for action.
Smart City Pilot in St. Louis
If Atlanta’s experience is a cautionary tale, another U.S. city is positioning itself to be a success story. Last year, a Smart City Interoperability Reference Architecture (SCIRA) pilot in St. Louis brought together tech providers and public-safety stakeholders in a first-of-its-kind exercise that involved five emergency scenarios. “The St. Louis pilot was not a ‘fully dynamic operational exercise,’ but more a series of tabletop exercises and operational scenarios, a first step in seeing how smart city tech could be deployed while a complex scenario unfolded throughout the city. The objective was to test and prove smart city capabilities in five major areas: (1) situational awareness for emergency managers, (2) Computer Aided Dispatch (CAD) for emergency response, (3) dynamic routing for emergency response around obstructions, (4) agility for workforce mobility tasking/re-tasking and (5) in-building navigation for first responders.” 3
The SCIRA framework allows city managers and public officials greater real-time situational awareness by standardizing how individual smart city technologies can be integrated and complement each other. The result is the ability to make better, more informed, and more efficient decisions that can save lives.
The results of the St. Louis pilot seem promising and will hopefully lead to adoption of the SCIRA framework across other SLTTs.
1 Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare, WIRED magazine, April 23, 2018.
2 Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force
3 OGC SCIRA Pilot Engineering Report, May 5, 2020, Open Geospatial Consortium