Are smart cities safe?
Are we building smart cities that are potentially unsafe? That was the question we set out to answer in our recently published research article.
Fast rising across the globe, smart cities are touted as the holy grail to a complex set of policy problems associated with rapid urbanization. In 1950, just 746 million people lived in cities; today that figure is close to four billion. With more than three million people flooding into urban areas every week, many of our over-crowded cities are now heavily-polluted and have become a hotbed for diseases, violence and crime. If only we could automate and streamline core city functions and services – with the help of cutting-edge digital and computing technology – then many of these urban challenges would disappear. But is that confidence misplaced?
Broadly defined, smart cities are urban conurbations that harness the power of cutting-edge digital and computing technology – the Internet-of-Things, mobile apps, cloud computing, big data and so forth – to monitor and manage the urban environment. In these high-tech urban conurbations, digital and computing technology drives almost every aspect of urban life. Practically everything from power plants to office buildings to household appliances to personal devices are digitally connected to help improve the urban experience. Decked out in the latest technology, smart cities aim to be efficient, clean and safe.
But there is just one problem with this techno-utopian vision: there is no computer system in this world right now that cannot be hacked. With enough persistence and resources, computer hackers – whether they are state-sponsored or operating on their own – can breach any computer in use today. Given how almost every facet of smart cities are powered by digital and computing technology, and the many cyber threats (e.g., malwares, zero-day exploits, ransomwares and advanced persistence threats) that are being discovered almost daily, there are good reasons to believe that smart cities are highly vulnerable to malicious hackers that can wreak substantial digital and physical damages. As city governments around the world embrace smart city technology as the panacea to their urban woes, they could well be opening up a new era of insecurity – one that could possibly undercut, rather than enhance, the urban experience.
Despite the magnitude of the problem, systematic study into the digital insecurity of smart cities remains lacking primarily because smart cities are a relatively recent phenomenon. Prompted by the dearth of research in this vitally important area, we set about identifying some of the most serious cyber threats to these high-tech conurbations in the hope that going forward, we will see the building of more smart cities that are also digitally secure.
Of all the major cyber threats facing smart cities at the moment, the most serious one is arguably how easy it is to hack smart infrastructures and make them operate in an unpredictable and dangerous manner. Forming the backbone of smart cities, smart infrastructures are those cyber-physical systems that can be remotely operated by city officials over cyberspace. Examples of these Internet-connected systems include the newer generation of power plants, intelligent traffic and streetlights, and automated waste disposal systems. Considering that cyber-attacks on critical infrastructures surged from 200 incidents to 300 between 2012 and 2015, the risk of smart infrastructures being subverted by malicious hackers is definitely there even though the automation, convenience and efficiency that come with these systems are apparent.
Secondly, our research also found that smart cities are chockfull of so-called resource constrained devices – digital products that do not come with security applications such as encryption, authentication protocols, antiviruses and firewalls. As a general rule, we install security applications into our personal computers, smartphones and tablets to keep hackers out. Yet, the countless number of resource-constrained devices in use today do not have such applications for the simple reason that they come with limited computing, memory and power resources. Every one of these devices can be easily hacked, and there are literally millions of them out there right now in smart cities around the world. Worse still, once an attack vector has been identified, hackers will be able to replicate the attack on identical devices anywhere. This will render smart cities across the globe unsafe.
The third issue we discovered arises from the pervasiveness of wireless communications. Synonymous with 4G, Wi-Fi, Bluetooth, Near Field Communications (NFC) and so on, wireless communications allow smart cities to expand their networks and connect digital devices without having to dramatically ramp up their physical IT infrastructures. Unfortunately, while facilitating rapid network expansion and connectivity, wireless communications also expose smart devices to so-called man-in-the-middle (MitM) attacks. In particular, because digital data are transmitted over the air between devices, a hacker armed with a special interception apparatus can technically capture every bit of information flowing in between them. More significantly, the threat goes beyond information theft in that malicious hackers can turn compromised devices into platforms for launching DDoS or Distributed Denial-of-Service attacks – a type of cyber-attack that causes affected devices to send repeated queries to websites and services, crashing them as a result.
Lastly, the move by smart cities worldwide to harness the cloud for data storage has created a major pathway for malicious hackers to gain unauthorized access to sensitive city and personal data. With millions of smart sensors, devices and systems in place, smart cities generate a massive amount of information. As this data trove swells, city managers have turned to the cloud for on-demand storage. Unfortunately, this mass migration of data to the cloud also violates one of the most fundamental principles of data security: isolation. One does not link multiple systems together for the simple reason that it becomes possible for one malicious virtual system to peer into other contiguous systems. This isolation principle is lost in cloud-based systems. In a rush to reap the benefits of cloud-based data storage, smart city governments appear to have overlooked this security vulnerability and, as a result of which, have created a major attack vector for malicious hackers.
Although the four cyber threats identified in our article are definitely not the only ones out there, they are potentially the most serious. If these digital vulnerabilities were to be exploited by malicious actors, they are likely to lead to critical damages – both digital and physical – rendering the smart cities’ promise of better urban living moot. In light of the rapid global diffusion of smart cities today, the question of how governments can cope with an ever growing cyber threat is a pressing one. Indeed, dealing with cyber-attacks may no longer be a matter of choice for policymakers but rather a necessity.