IoT broadens smart cities attack surface

IoT broadens attack surface of smart cities

Cybersecurity attacks are scary enough, but what happens when they start coming from unexpected sources to attack the underlying infrastructure of cities?

It may sound like the plot of a Philip K. Dick novel, but headlines in recent months have decried several attacks on public and private websites, mounted and executed through botnets on unsecured devices (not always computers) with internet access. To be sure, the Internet of Things promises more reliable and easy access to myriad industrial and municipal systems. However, as smart cities start investing in smart meters and other devices that could fall prey to attacks engineered by botnets taking advantage of unsecured IoT devices and other IP-connected electronics and systems, there is arguably a much broader threat vector for government agencies.

When the popular InfoSec website KrebsOnSecurity suffered a huge distributed denial of service attack by an IoT-harnessed botnet, Chris Sullivan, general manager of intelligence and analytics at Core Security Inc.,  said the outage likely resulted “from a new breed of very high volume DDoS that will be difficult to handle with the defenses that most enterprises have in place today.”

“Unlike your PC or your phone, IoT devices don’t have the memory and processing to be secured properly, so they are easily compromised by adversaries, and it’s very difficult to detect when that happens,” Sullivan said. Indeed, the botnets utilized in these attacks can also run off security cameras, printers and digital video recorders.

The malware that propagates these DDoS attacks (like the notorious Mirai that brought down high-profile websites with an attack on Dyn’s managed DNS infrastructure) are typically designed to be self-propagating, making them easy to spread quickly “with as little effort as possible from the malicious actors’ point of view,” said Allison Nixon, director of security research for Flashpoint. However, most of the exploited devices thus far have been unsecured. “Smart cities and the large networks [that support them] are centrally planned, so that is different from what we have seen exploited so far,” Nixon said. “Looking at smart cities, centrally managed systems are typically less vulnerable to attack.”

The risk-benefit balance

The industrial IoT holds a great deal of promise for “modernizing e-government services and creating efficiencies and savings across the board,” CEO of ROMAD Cyber Systems Igor Volovich said. “Many of the services targeted for IoT connectivity have been connected in other ways for a long time — except not directly to the internet.” He said he believes there are many risks, some still poorly understood, associated with exposing critical infrastructure systems to direct attack by bad actors.

“Municipal governments are not well-equipped to deal with the multitude of security issues inherent in the proposed industrial IoT implementations and must weigh very carefully the risk-benefit balance of such projects,” Volovich said. Indeed, 98 percent of government IT professionals see smart cities as not having any protection from cyberattacks, and 55 percent of them blame the cities for not focusing on cybersecurity resources, according to a survey by cybersecurity solutions provider Tripwire.

There is a broad spectrum of security, Amit Serper, principal security researcher for Cybereason, pointed out.  “On one side of the spectrum, there is convenience and a great user experience but very little security. The other side of the spectrum, security can be cranked to the maximum, but the user experience will suffer.” While Serper agreed that smart city technology can be beneficial to the residents and to the municipality itself, “the ramifications of lax security policies could be severe,” as is commonly understood. In fact, he pointed to the video game series “Watch Dogs,” which allows players to control a hacker who breaks into a city’s operating system.

It is likely too late to try to rein in the use of internet-connected devices and electronics, said Dan Lohrmann, chief strategist and chief security officer at Security Mentor Inc. “The Internet-of-Things boat has left the dock, and these technologies and new connectivity are becoming the global reality right before our eyes,” Lohrmann said. “Everyone is pushing forward with faster and broader internet connectivity, and overall I think the productivity benefits and convenient opportunities are huge. Opposing these initiatives, or becoming a laggard in these areas is a mistake.”

Moreover, Lohrmann said he believes that “history is repeating itself with initiatives like smart cities, smart meters, smart industrial devices and smart everything.” Over the past decade, virtually all new technology advances have brought new risks, including Wi-Fi, cloud computing, and bring your own device practices, he noted. “Similar challenges are emerging now with standards and implementing security surrounding IoT projects,” he added. 

The IoT technology underlying these emerging smart cities may not be that well secured or even that well understood. According to the Tripwire research, smart grids, one smart city service, were seen by 38 percent of respondents to be more exposed to cyber risks than others, while 26 percent considered transportation systems to be more vulnerable. Other vulnerable services include surveillance cameras and wastewater treatment.

“Smart city initiatives are pushing the technological envelope for urban infrastructure management, and it’s clear from the survey results that cybersecurity is being left out of the conversation,” Tripwire’s Director for Security and IT risk Strategist Tim Erlin said in the release on the research. This is most likely due to budgeting issues or political interference, according to the government IT professionals surveyed.