Smart Cities – future Utopia or inevitable Dystopia?

“Retrofitted and added cybersecurity” is not an option for the Smart Cities concept: risks are too dire to build “seven cities of cyber-Troy” upon each other. Our position here is that cybersecurity should be considered early on, at every possible level.

Smart cities – a brilliant concept of various automata assisting humans in their everyday urban lives –  had been envisioned way before computers emerged, and had been featured in sci-fi fiction both in Utopian and dystopian tones, depending on the author’s goals. Now it is on the brink of becoming an everyday reality. Still, the question lingers: will it be Utopia or Dystopia?

Will it help to solve those countless problems of modern urbanism, or are we going to get used to sudden-to-regular outbursts of cyber-assisted mayhem instead? Both variants are possible for now.

Outrunning the cautions

Technology implementation outrunning cautions and risk estimates is nothing new. Profits and fashion come first, then come “unforeseen consequences” that were actually quite foreseeable, but remained ignored for some reason.

Here’s a somewhat typical cyberpunk plot: a certain tech company manages to get to the right place, right time and mounts a certain trend, releasing a product which soon becomes ubiquitous. It has its problems (namely, substandard security), but rather than fixing the issues the company uses its now-formidable marketing power to mute and/or discredit its critics and competitors, while distracting users’ attention from the apparent problems towards its usefulness and utility, as well as “lifestyle aspects”, “statusness”, etc. Then there is the “everyone makes mistakes” mantra as an ultimate (and hard-to-refute) argument.

Sounds vaguely familiar, does it not? As a matter of fact we’ve seen similar stories in the recent past, when certain software packages have become extremely popular, along with their flaws. Does “Slammer worm” ring a bell?

The “Smart Cities” are a different story however: Ultimately there are lives at stake here, not just comfort and efficient performance of urban utilities. The cities are the critical infrastructure (in every possible sense), and if their computerization is conducted without considering security from day one, the problems may be dire and take place on a much more dramatic scale than today’s often discussed issues of critical infrastructure’s cybersecurity. This question must be addressed early on.

Challenges

What are the primary challenges with Smart Cities’ information systems, in relation to cybersecurity? Four come to mind immediately:

  1. Large number of technologies and practical solutions that have to interoperate and communicate with each other.
  2. Possible uneven quality of different embedded technologies.
  3. Remote and onsite exploitability of Smart City information systems.
  4. Huge amounts of data to analyze and store.

It’s easy to see that the familiar cybersecurity issues are intertwined with each of them. On the most superficial level, interoperability and intercommunication between various systems means that hackers may try to exploit weaknesses in one system to seize control over another, more important one. For instance: exploiting an on-board Wi-Fi system in a modern passenger jet to get a grip on its avionics – then extrapolate this on a city-wide scale. Unless the networks are isolated from each other properly, this is a possibility.

Then there is “uneven quality” – most likely, there is going to be a hotchpotch of technologies belonging to different generations.

We have already seen how it may look: The essential reason there are problems with “modern” industrial/utility critical systems is that those are often anything but modern. At the same time, they are retrofitted with connectivity that wasn’t there when these systems were designed and built. We have written about this before.

The possible hackability of the smart cities systems, by the way, is well illustrated by the recent research of video surveillance systems in a certain city – published at Securelist. The urban CCTV network proved to have a number of weaknesses, from sloppy set up and unprotected labeling of the hardware to unencrypted data transmittance, etc.

The research is definitely worth reading, as it has a number of important insights on how the most unexpected things may undermine security.

Then there is Big Data and its associated security problems to be solved.

And all of these problems, along with many others, should be considered ahead of the “smartening” of every city.

A side-topic: a jet case

…What have I said about hacking a plane? Well, according to Kaspersky Lab’s Andrey Nikishin, Head of Future Technology Projects, avionics data are usually transmitted via an isolated bus, not connected to Wi-Fi and/or onboard entertainment network.

However, the U.S. Federal Aviation Administration reportedly warned Boeing seven years ago that it had a flaw in the Wi-Fi design of Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircrafts, that make them vulnerable to hacking. In April of this year, the FAA reported that Dreamliner may be still hackable.

And a certain cybersecurity consultant going by the name Chris Roberts bragged all over Twitter that he has managed to hack into jet’s control systems. Roberts ended up enjoying the FBI’s hospitality, despite the lack of any actual harm inflicted, and according to court records, he told FBI officers that he had indeed hacked into computer systems aboard airliners up to 20 times and managed to control an aircraft engine during a flight.

Unless Roberts was lying, there is indeed a critical flaw in the plane’s systems. If critical and non-critical networks are indeed separated by a firewall alone (and firewalls are hackable, you know?), these jets are, mildly put, insecure.

Imagine something similar on a city-wide level. Or watch “Live Free or Die Hard” (aka “Die Hard 4.0”), as it really gives a proper picture – except for the fact that a single hero wouldn’t be enough to clean up the resulting mess.

Thinking ahead of trouble

“Retrofitted and added cybersecurity” is not an option for the Smart Cities concept: risks are too dire to build “seven cities of cyber-Troy” upon each other. Our position here is that cybersecurity should be considered early on, at every possible level.

That’s the reason why a number of leading IT security companies, including, of course, Kaspersky Lab, are joining the Securing Smart Cities non-profit global initiative, launched late in May.

The initiative aims to solve the cybersecurity challenges smart cities face through collaboration and information sharing. The group will serve as a communications node for business entities, governments, media outlets, not-for-profit initiatives, and individuals across the world involved in the creation, improvement, and promotion of smart and safe technologies for modern cities. The initiative also aims to solve cyber-problems at every stage of a smart city’s development: from planning to the actual implementation of smart technologies.

Smart Cities are inevitable, and so are problems to be solved. But the number of the issues would be decreased dramatically with a proper “security from the ground up” approach. And that is what the new initiative is all about.

More details about it are available at the official site of the initiative.

Tips

Securing home security

Security companies offer smart technologies — primarily cameras — to protect your home from burglary, fire and other incidents. But what about protecting these security systems themselves from intruders? We fill this gap.