With a growing reliance on connected systems within our smart cities and places, how do we build in cyber resilience?

In 1990, hackers penetrated Washington Dulles International Airport’s air traffic control systems, severing communications with planes and deactivating the runway lights, leaving the airport powerless to land aircrafts.

In 2007, hackers took control of transportation grids, the stock market, and also infiltrated the national media network, causing city chaos fear amongst citizens. Of course, these were fictional events, and enthralling entertainment to the Die Hard fans out there. Yet, within our ever-growing hyperconnected cities, with cybercrime and nation-state cyberattacks increasing, this may not be far from reality today.

What happens if hackers break into our cars’ computerised systems because it has weak security controls? What if the supporting critical traffic infrastructure is compromised because of deficiencies in our governance models?

The threats within smart cities and places

One of the most common form of cyber incident is a Denial-of-Service (DoS) event, where the systems or resources are sufficiently disrupted or depleted to prevent the system from operating correctly. Requiring a low level of skill to perform a DoS attack, it is often the result of an accidental change or misconfiguration.

More troubling is where hackers exploit weak Internet of Things (IoT) device security using small programs called worms or botnets to take control of these vulnerable devices and weaponise them against larger targets leading to a Distributed Denial-of-Service (DDoS) attack

In March 2018, a massive ransomware cyberattack engulfed the city of Atlanta, Georgia, affecting up to 6 million people. Many city services and programs were affected, including utility, parking and court services, and led the city to shut down other digital services as a precaution, including its airport’s WiFi network.

Worryingly, IT company Datto reports that the rate of ransomware attacks against Small-to-Medium Sized Businesses (SMBs) has increased over 200 percent between 2018 and 2019.

Ransomware is a DoS attack that locks a computer or its data preventing access and demanding a ransom to release it back to the owner. Criminal organisations use ransomware as a way to extort money, and events like those seen in Atlanta, Georgia demonstrates the real consequences of cyberattacks on digital systems.

Making smart cities resilient

Our cities have become a hyperconnected web of technology, industries and people. With the rapid adoption of new devices and this growing reliance on connected systems, we need to ask how do we build cyber resilience in our smart cities and places? How can we minimise disruptions when cyberattacks occur? And who is responsible for developing and maintaining governance? To answer some of these questions we should look towards existing Operational Technology (OT) strategies to find some answers.

Critical infrastructure in our cities today is controlled by computerised systems that operate in inherently hostile environments. They work safely to help protect people, communities, equipment and the environment while providing essential services like water, electricity, traffic signalling and environmental controls.

A key consideration in safety system design is the acknowledgement that faults will happen. This has led to safety standards and governance models to evolve, incorporating technical and procedural controls to minimise the impact of any single dangerous fault. When considering cybersecurity, we should also assume that a compromise is also going to occur and it may have negative consequences.

Our modern digital cities will need to layer cybersecurity controls and build diversity into the infrastructure to maintain levels of availability when attacked. The governance frameworks need to focus on openness, awareness, flexibility and scalability to support innovation in IoT while providing risk-based safety and security countermeasures. These represent cybersecurity defence-in-depth for our connected infrastructure and it needs to apply evenly across technology, processes and people.

Changing our perspective

With a large number of stakeholders and rapidly changing technology, existing information security governance models are falling behind. The speed of change is not competing with changes in the digital landscape, leaving gaps in our management of cyber risks.

We need to move beyond applying information security only to critical IoT assets. Information security is essential, but the safety of citizens that have come to rely on the availability and convenience of these services is even more crucial, driving the need to change our perspective.

As we continue to evolve smart cities and places, all stakeholders, including industry, service providers, government and citizens need to take responsibility for their contributions towards cybersecurity and its governance.

There needs to be a clear focus on creating an efficient, open and engaging environment in which to work and play while maintaining an atmosphere of collaboration to build the next generation of smart cities and places.

Our aim is to ‘live free’ and enjoy the safety, efficiency and experience these smart cities and places can bring.

Image: Seagate blog

As a senior cybersecurity consultant at GHD Digital, Peter Clissold is focused on reducing cybersecurity risks for critical infrastructure operators, OT and IoT asset owners. He has more than 24 years of experience in industrial automation, information management, industrial networking and OT cybersecurity.