Are we creating smart but unsafe cities?

As countries around the world rush to build smart cities, we have reasons to believe that these high-tech urban architectures harbor critical digital vulnerabilities. Will these countries be adequately prepared to deal with large-scale cyberattacks going forward?

The Internet of Things (IoT) is revolutionising the way we live. A woman about to leave for work checks her smartphone for the fastest route based on real-time traffic updates. She then clicks on the weather app to decide if she needs an umbrella, while strapping on her Fitbit to record her daily calorie burn.

The IoT is the underlying technology for smart cities, and it can be defined loosely as devices that ‘talk’ to each other via wireless internet connection. This connectivity is vital to a smart city that uses tools, policies and technologies to improve economic efficiency and urban management.

Dangers of the IoT

However, does smart necessarily mean secure? Although there is vast potential for increasing efficiency, being smart also comes with the danger of cyberattacks resulting in service disruption and extensive economic damages.

International cyberattacks such as WannaCry and more recently the Petya ransomware virus have affected a number of countries including the U.S., the U.K. and France. Ukraine was hit the hardest, when within a few hours the government, airport, metro system and private and state banks all reported being attacked.

With cyberattacks becoming more common, what does this mean for the future of smart cities? Teck Boon Tan, a Research Fellow from S. Rajaratnam School of International Studies at the Nanyang Technological University, and Assistant Professor Yu-Min Joo from the Lee Kuan Yew School of Public Policy (LKYSPP) at the National University of Singapore highlighted that no digital system is completely secure during a presentation of their paper on 28 June at the 3rd International Conference on Public Policy, which was held at the LKYSPP. In their paper Mirror, mirror on the wall, who is the smartest of them all? Asian smart cities: urban challenges, digital vulnerabilities and policy re-adjustments, they identified three critical vulnerabilities: hyper-connectivity, an enlarged attack surface and cloud storage.

1. Hyper-connectivity and man-in-the-middle attacks

The main characteristic of a smart city is hyper-connectivity – a digital state where people are connected to their devices all the time. Although hyper-connectivity has enabled city managers to streamline and automate essential public services, it has also increased the risk of security breaches as it is facilitated in most cases, by wireless communications.

Hackers who have the right instruments can easily intercept the constant exchange of data taking place. Apart from being able to receive the transmitted data, cybercriminals can also take control of devices by remotely installing malware or launching denial-of-service attacks to stop them from functioning. The Petya virus has given us a glimpse into how disruptive cyberattacks could be.

2. An ever-increasing attack surface

Although the IoT plays a transformational role in bringing the smart city vision closer to reality, it also increases the architecture’s attack surface, which is the sum of all the points or vectors that hackers can use to try and infiltrate a network or digital environment. It is estimated that there will be a staggering 20.4 billion connected devices by 2020, all of which could potentially be an attack vector.

Some of these devices can be small everyday objects that lack strong antivirus or firewall protections due to their limited memory and low computational power. This makes them vulnerable to highly sophisticated malware such as Mirai.

Additionally, some units such as smart streetlights and CCTVs deployed in remote areas are vulnerable to tampering. Hackers can easily breach these units via an unlocked panel. Tan explained: “Because everything is connected, a breach, no matter how small, has the potential to cascade and find its way to critical systems upstream.”

This is a real threat. Ever since the Stuxnet nuclear plant incident in 2010, there have been numerous attempts at hacking nuclear power facilities. Through a small breach, hackers could potentially gain control of nuclear power plants and cause them to operate in unpredictable ways. The consequences would be deadly, perhaps even apocalyptic.

3. Migration of data to the cloud

One of the fundamental objectives of smart cities is to use the big data generated to improve services ranging from public transport to healthcare. Governments and city planners are increasingly shifting substantial amounts of this data to cloud services in order to store it in a more cost-effective way.

But the responsibility of ensuring digital security has fallen squarely on the cloud service providers. If these cloud servers are not properly secured, a cloud hack, such as the 2016 Dropbox breach, may result in massive data losses. More importantly, sensitive information could be stolen if the data is not encrypted. With increasing amounts of personal information making its way online, it is becoming more critical to ensure that this data cannot be accessed by cybercriminals.

Prevention is better than recovery

Despite the seemingly gloomy outlook, all is not lost for the future of smart cities. Tan offered some solutions to mitigate the effect of cyberattacks.

Enhancing cybersecurity, such as by adding encryption capabilities to sensors, can come with a hefty price tag. Given limited public resources, it is impossible to secure the millions of smart devices and systems out there. Hence, policymakers and officials need to adopt a risk management approach and “prioritise what needs to be secured most”, according to Tan. The more critical a system is, the more resources should be dedicated to securing it.

Governments can also implement and enforce best practices such as keeping up with new technological developments and boosting IT security frameworks in order to minimise the risk of cyberattacks. Employees and contractors should be trained to follow strict guidelines on cybersecurity, such as not using personal USB flash drives on company networks and not opening suspicious emails. New technologies such as blockchain can also be harnessed to ensure data integrity and to prevent fraud.

In Singapore, for example, the government has taken the significant step of creating an air gap by banning internet usage for public servants. Though this seems like a step backwards, it allows for a more secure working environment in the public sector. As mentioned by Tan, there were “no attacks that managed to breach the air gap” during the last WannaCry attack, hence the city-state’s critical infrastructure was not affected.

Cybersecurity should be addressed during the planning and implementation stages and not as an afterthought. Prevention trumps recovery when it comes to cyberattacks, since the latter could take weeks, months or even years.

On an international level, a coherent cyber-defence policy should be implemented. Conviction rates for cybercrime remain low, as cybercriminals are often difficult to track and identify. Creating international laws that enforce harsher penalties on cybercriminals may also help deter them.

Preventing cyberattacks is a mammoth task, hence there is a need for countries to share knowledge about threats in order to strengthen their collective defence. Tan recommended that countries should “conduct joint investigations and prosecutions”, because “standing together as a collective will greatly improve their capacity to deal with the problem”.

Smartness should not only be measured by the rate of new technology adopted, but also by how officials prepare for the myriad challenges that smart cities face. Cyberattacks are unavoidable, but the extent of the damage they cause can certainly be mitigated to ensure the future success of smart cities.

This is an event coverage piece by Prethika Nair.