Académique Documents
Professionnel Documents
Culture Documents
using technology to transform how their citizens access services, such as energy,
transport and telecoms. These changes are being enabled by rapid improvements in logic
controllers, sensors and networks, as well as data analysis and artificial intelligence.
Many more cities will start to undergo a similar transformation, which will provide
businesses with unprecedented opportunities. However, cyber threat actors – whether
criminals, activists or nation states – will also be presented with an unprecedented attack
surface in smart cities because of a significant increase in the number of interconnected
devices.
Potential threats range from malware designed to spread across smart cities’ networks
and steal sensitive information, to ransomware designed to lock the city out of access to
its smart services unless a significant ransom is paid, to attacks on energy grids intended
to cause physical destruction.
Securing smart cities needs to be a joint project involving local administrations and
private sector organizations with an immediate stake in the city’s stable functioning.
Ensuring that these cities are cyber-secure will require identifying and prioritizing critical
assets, introducing behaviour-based security and securely segmenting critical private
assets from the city’s network. This will involve establishing a benchmark for the normal
operation of critical assets, while continuously ensuring that all parts of the city adhere
to that benchmark, as well as rapidly replacing components if they are compromised or
fail.
SMART CITIES
The first question is what is meant by a ‘smart city’. The answer is, there is no universally
accepted definition of a smart city. It means different things to different people. The
conceptualisation of Smart City, therefore, varies from city to city and country to country,
depending on the level of development, willingness to change and reform, resources and
aspirations of the city residents. A smart city would have a different connotation in India
than, say, Europe. Even in India, there is no one way of defining a smart city.
Faced with rapid urbanization, city planners are turning to technology to solve a wide range
of problems associated with modern cities. Smart cities are the outcome of this deepening
integration of technology with new or existing urban landscapes. They are set to change
how we experience and what we come to expect from the cities around us.
In practical terms, these transformative effects will arise from the combination of three
pieces of technology: inexpensive logic controllers, millions of sensors connected to devices
dispersed across a city, and a network that connects all of these nodes together and enables
real-time communication.
Such connectivity will enable a better and more efficient provision of urban services.
However, increased connectivity carries potentially severe cyber security risks, which have
yet to be fully revealed and, in many cases, mitigated.
Some typical features of comprehensive development in Smart Cities are described below.
1. Promoting mixed land use in area based developments–planning for ‘unplanned areas’
containing a range of compatible activities and land uses close to one another in order to
make land use more efficient. The States will enable some flexibility in land use and
building bye-laws to adapt to change;
2. Housing and inclusiveness - expand housing opportunities for all;
3. Creating walkable localities –reduce congestion, air pollution and resource depletion,
boost local economy, promote interactions and ensure security. The road network is
created or refurbished not only for vehicles and public transport, but also for pedestrians
and cyclists, and necessary administrative services are offered within walking or cycling
distance;
4. Preserving and developing open spaces - parks, playgrounds, and recreational spaces in
order to enhance the quality of life of citizens, reduce the urban heat effects in Areas and
generally promote eco-balance;
5. Promoting a variety of transport options - Transit Oriented Development (TOD), public
transport and last mile para-transport connectivity;
6. Making governance citizen-friendly and cost effective - increasingly rely on online
services to bring about accountability and transparency, especially using mobiles to
reduce cost of services and providing services without having to go to municipal offices.
Forming e-groups to listen to people and obtain feedback and use online monitoring of
programs and activities with the aid of cyber tour of worksites;
7. Giving an identity to the city - based on its main economic activity, such as local cuisine,
health, education, arts and craft, culture, sports goods, furniture, hosiery, textile, dairy,
etc;
8. Applying Smart Solutions to infrastructure and services in area-based development in
order to make them better. For example, making Areas less vulnerable to disasters, using
fewer resources, and providing cheaper services.
Cybercriminals
As we have described above, smart cities will be composed of thousands – if not millions –
of interconnected devices. Such a structure is a boon to criminal actors who are able to
create or purchase then deploy self-propagating malware, variants of which have been
known to proliferate across multiple connected networks. These ‘worms’ could be used to
acquire easily commoditized information, such as healthcare records, social security
numbers and banking credentials, or even to take control of a significant number of
systems.
If attackers were able to successfully hijack these systems, they could then be used for
extremely powerful distributed denial of service (DDoS) attacks or to hold an entire city to
ransom in extortion attacks. Ransomware variants could be designed to encrypt and cripple
an entire city’s grid, with ransom demands likely to be considerable in such a scenario.
These tactics could be highly profitable for cybercriminals and represent a natural evolution
of trends that we have observed in the current cybercriminal community. Responding to
such incidents will become increasingly difficult if they are city-wide. Private sector
organizations and municipal authorities will share ownership of systems and the
responsibility for their security. Beyond adding legal and financial costs for the private
sector, this will create the need for highly complex pre-planned incident response schemes
involving multiple parties.
Cyberactivists
As cyberactivist groups grow increasingly capable, and in some cases more radical, smart
cities will provide them with an attack surface enabling a broad range of attacks. These will
range from those akin to nuisances, such as defacements of a city’s billboards, to the more
extreme targeting of a smart city’s energy grid with the aim of physical destruction.
In addition, many cyberactivist groups are supporting physical protesters by launching
cyberattacks. This practice in a smart city environment could allow cyberactivists to take a
leading role in coercing governments and private sector organizations into meeting their
demands.
The potential destructiveness of a cyberattack on smart cities is such that even the threat of
compromising the city’s systems is likely to be treated by governments and businesses as an
existential one. When threat actors such as cyber activists – who arguably lack the self-
control of other groups – have the possibility of causing serious physical damage, the
security of smart cities becomes essential to those cities’ survival.
Nation states
The underlying network of a smart city will encompass most aspects of life within that city; if
that network were to be compromised by an attacker, they would gain unfettered access to
a target individual or organization. For instance, state-owned competitors could
compromise a smart city’s infrastructure to gather intelligence on a large number of rival
private sector firms. This information could include movements of their executives within
the city, private and commercial communications grabbed from the ubiquitous presence of
‘free Wi-Fi hotspots’ managed by the city, and much more.
Moreover, the networks of organizations operating in the city are likely to overlap to some
extent with the city’s own network, or, at the very least, to have frequent data transfers
from their networks to that of the city. This would enable highly advanced threat actors,
such as nation states, to exploit weaknesses within a city’s infrastructure to reach a target
organization and compromise the confidentiality of its network.
Prioritize the security of critical assets: Contemporary networks are already impossible to
protect in their entirety, a problem that will apply equally to smart cities. Some components
of the system will have to be made more secure than others. Public and private sector
organizations will need to work together to identify the city’s critical assets and oversee the
implementation of appropriate security measures.
Institute behaviour-based security: Auditing millions of separate devices for signs of
malware is simply not feasible. A more workable approach would be to evaluate the
behaviour of smart cities’ components and systems against an established baseline of
normal functionality or network behaviour. Any significant derivation from the norm, above
a determined threshold, would trigger an investigation into the possible presence of
malware on the subcomponents.
Rapidly replace components: Given the potential for component failure or attacks
compromising these components, an automated replacement system will enhance the
security of the whole system. Although difficult to apply to critical components without full
redundancy, such measures would be suitable for low-level, relatively isolated components.
Segment critical assets of private organizations from the city’s network: Paramount to the
security of organizations in the smart city environment is the segmentation of their critical
assets from the city’s network. Although costly, as well as potentially reducing the
effectiveness of those organizations, this policy will enable them to contain and mitigate the
potential for any threat actors, who are exploiting vulnerabilities in the smart city network,
to reach their assets.