Smart cities on hackers’ radar

A recent study on cybersecurity aspects of smart cities painted a pretty grim picture. The study said it was exceptionally easy for hackers to hack into environmental sensors, traffic management systems and other smart systems to create confusion, chaos and loss of revenue and productivity in smart cities.

The report, which attracted the attention of government bodies and smart city solution vendors and other stakeholders, barely received a passing mention in India. So, does that mean we are well-protected or that we are confident in our ability to ward off these hackers? Or are we ignoring the obvious, lured into complacency by the belief that no one would want to target us?

The reasons are many. A hacker or a group may want to target such cities for the sake of attention, a common incentive. They might also be pursuing ransom, data or a desire to create chaos on a large scale. There is a geopolitical angle as well. Attacks on smart cities can be used as a means of settling geopolitical scores by countries with adversarial intentions.

Last year, some cities were hacked into by crypto-miners who placed crypto-mining malware in core systems to hijack the gargantuan processing capacities residing in the command and control centres at the heart of smart cities.

We are clearly witnessing an era of increasing sophistication and determination in the modus operandi adopted by hackers. Hackers are now patient and wait for months or even years to strike after inserting latent malware. In the last two years, hackers have started exchanging data and information on inherent vulnerabilities in the core and peripheral systems of smart city projects through the ‘Dark Web’ with alarming frequency. This data is then used by other hackers to build and weaponize malware and even lend it to other hackers.

Video surveillance systems and street lighting systems are among the most vulnerable parts of a smart city. Across the smart city tech ecosystem, the difficulty in updating the firmware of hardware components presents a unique challenge. Also, in many systems, operators rarely change the default password, turning them into ripe targets for hackers. The problem is so bad that this month, the Japanese government asked its National Institute of Information and Communications Technology (NICT) to hack into people’s IoT devices using default passwords and password dictionaries. Citizens whose devices were easily hacked were informed and advised to change their passwords.

Once a smart city becomes operational, it carries rivers of information aggregating into data lakes residing within the command and control facility. This data will have all forms of information, including financial data, data concerning utilities, healthcare and other sensitive information which could cause problems for the citizen if it ends up in the wrong hands.

Embracing the opportunity

Smart city projects in India are chugging along. Many cities are already running smart solutions managed through command and control infrastructure. When it comes to cybersecurity, however, we have our work cut out. Keeping these IoT solution deployments within layers of tough-to-crack security and using a multi-pronged security strategy are aspects still under discussion.

A single cyberattack could set a smart city back by at least a couple of years while curtailing its ability to spend money on other aspects such as infrastructure, environment and even citizen welfare. With a sense of monetary comfort taken away, cities become vulnerable to urban decay as lack of fund infusion could impair improvements in and maintenance of infrastructure. The very foundation of an effort to shape smart cities into innovation hubs that promote excellence, investments, technology and drive GDP could be rattled if we are not able to defend these cities.

Security technologies are improving by the day. Today, there are a range of options available from secure credential management system to multi-layer data protection. A combination of these should be deployed and various layers modified frequently to ensure the highest level of protection. Data decoys such as honeypots can also be set up to deflect attacks and confuse hackers. Finally, citizens can be recruited as cybersecurity partners to report deviant or disruptive activities that they may have encountered.

Smart grids and other critical infrastructure should be guarded by cybersecurity teams who can also double up as security certification entities. A national smart city security roadmap should be drawn up with adequate emphasis on awareness, deployment of solutions and real-time threat assessment and analysis. India also needs to invest in skill upgradation to ensure that our skill requirements are met locally. Finally, periodic disaster readiness and internal and external security drills and audits can be conducted to ensure stakeholders retain cybersecurity as a priority.

Through such measures, India can secure its smart cities and use this model to secure other critical infrastructure. A joint effort and willingness to address the problem is urgently required. A series of determined steps can go a long way in securing our collective digital future.

(The writer is Head of IoT at a multinational company)