Smart Cities: New Threats and Opportunities

With the rise of smart cities, modern technologies are helping to improve the quality of urban services. However, this development also brings new challenges. In particular, new types of vulnerabilities are emerging that require constant monitoring and mitigation, as their exploitation could disrupt vital city services.

Introduction

The concept of a “smart city” is not new and has evolved over time. The British Standards Institution (BSI) describes a smart city as “the effective integration of physical, digital, and human systems in a built environment to deliver a sustainable, prosperous, and inclusive future for its citizens.”

From the very beginning, security experts have recognized the importance of ensuring the safe operation of such cities. Specialists from major companies like Kaspersky Lab, IOActive, Bastille, and the Cloud Security Alliance have joined forces and shared expertise through the international nonprofit initiative Securing Smart Cities, aimed at addressing information security issues in modern cities.

The smart city concept has been widely discussed for years, with many experts working on technologies to make cities more energy-efficient, comfortable, environmentally friendly, and physically safe.

Unfortunately, information security issues in such cities often remain a lower priority. If protection is not considered in advance, solving potential problems later will be much more difficult and costly, and the city could become vulnerable to cybercriminals.

Cyber Threats to Smart Cities

According to ISACA, the energy sector is the most critical part of critical information infrastructure (CII) and the most susceptible to cyberattacks (71%), followed by communications systems (70%) and financial services (64%). Interestingly, energy and communications are among the top three CII sectors expected to benefit most from smart cities, with transportation services being the third.

Research shows that ransomware and DoS attacks are the two most common types of cyberattacks on smart city infrastructure. Experts also note that such attacks are mainly carried out by nation-states (67%) and hacktivists (63%).

Despite the many threats smart cities face, some experts believe their infrastructure is capable of withstanding cyberattacks, though most agree that government resources are better suited for this fight.

“Before we can call our cities ‘smart,’ we must first take a smart approach to implementing and managing new technologies and systems,” says Robert E. Stroud, Chief Product Officer at XebiaLabs. “Cities have many potentially attractive targets for attackers, so it’s crucial that they invest in well-trained information security professionals and in modernizing their IT and technology infrastructure.”

Most researchers believe it’s important to implement new tools and methods—such as artificial intelligence and smart power grids—to ensure cybersecurity, but less than half are confident this will happen in the next five years.

There is also a clear need for better communication with residents of developing smart cities. Most experts believe that municipal authorities do not sufficiently inform citizens about the benefits of living in smart cities. Using these technologies to improve parking systems, identification systems, and other city services can increase efficiency and reduce congestion.

“Cities that modernize their IT and technology infrastructure, invest in well-trained technical specialists, and partner with the private sector to fill gaps will be well-positioned to address the pressing challenges of urbanization and to combat cyber threats,” says Rob Clyde, Managing Director at Clyde Consulting LLC.

The Future of Smart Cities

Experts have identified six main trends that are already emerging, giving us a glimpse of what smart cities may look like in the near future:

• By 2050, 66% of the world’s population will live in cities. Urbanization may lead to energy shortages, transportation gridlock, environmental pollution, and more. Both the public and private sectors are actively investing in smart city technologies to address social, economic, and environmental challenges.
• Global investment in smart cities is expected to grow from $36.8 billion in 2016 to $88.7 billion by 2025.
• Motivations for attackers targeting smart cities include testing their hacking skills, stealing money and personal or corporate data, espionage, or organizing hacktivist campaigns.
• Hackers’ goals when attacking critical smart city infrastructure include intentionally causing traffic accidents, disrupting power supplies, stealing personal information or electricity, taking control of devices and systems, disrupting transportation, and more.
• An attack on a smart city typically involves four stages: statistical analysis (analyzing devices and systems for exploitable vulnerabilities), scanning (identifying targets and entry points), information gathering (obtaining access data through phishing, etc.), and carrying out the cyberattack itself.
• Vulnerabilities in smart cities can also result from improper use of smart technologies. Public online platforms, such as app stores, can be compromised if not properly protected, and devices with open ports or backdoors can be easily discovered and exploited.

Conclusions

As you can see, cybersecurity in smart cities is a highly relevant issue today. Information security experts constantly warn that neglecting this aspect can lead to serious problems, as the proper functioning of city services is crucial for the health and safety of residents.

Overall, experts highlight ten key steps that should be taken to ensure the security of a smart city:

1. Conduct regular quality control and penetration testing of the system.
2. Pay special attention to security in service level agreements with all vendors and providers.
3. Create a municipal Computer Emergency Response Team (CERT) or a Computer Security Incident Response Team (CSIRT).
4. Ensure stable and secure software updates.
5. Consider the lifespan of smart infrastructure.
6. Organize data processing in compliance with cybersecurity requirements.
7. Encrypt, authenticate, and regulate public communication channels.
8. Set up manual control functions.
9. Develop a fault-tolerant system.