Get My Score

The Too-Smart City

Smart City Security - NIST CSF

Our Rush to Automate Our Cites 

In “The ‘Too-Smart’ Home – Uninvited Guests,” I look at unintentional threats due to insecure internet-connected devices. Do we face some of the same issues with our rush to automate our smart cities, where spending is expected to grow from $80 billion in 2018 to over $158 billion by 2021? As reported numerous times over the past year, the answer is a resounding yes, with Industrial Internet of Things (IIoT) devices harboring an unknown number of vulnerabilities. The New York Times even recently reported on the potential threat, citing that cities, in the rush to publicize their ‘smart creds’, many times don’t understand the privacy, security, and financial implications of their deployments. These deployments are many times proposed by technology vendors, not always taking into account the readiness of the city to properly manage them. However, not all is lost!

Smart City threats - NIST CSF 

Attack Vectors

As with the home, it is not only the infrastructure that may be compromised, but the data gathered as well.  But in contrast with the home, both outcomes may be much more damaging, if not fatal.  One good measure of potential vulnerabilities is to map a typical smart city to the 16 DHS critical infrastructure sectors

 

NIST CSF

 

Relevant areas of concern include communications, emergency services, government, and commercial facilities, information technology, transportation systems, water and wastewater, and in many cases, energy, healthcare, and dams. Instead of each of these separately managed and secured, under a smart city initiative, one or more may very well be under the control of a single, interconnected operations platform, where a single breach may impact multiple sectors simultaneously.  Highlighting concerns, a recent ISACA survey identified energy, communications, and transportation as the three sectors (71%/70%/64%) that will benefit most from a smart cities initiative but are also the most susceptible to breach.

Attacks can come from multiple sources, including malware/ransomware as well as denial of service, with both nation-states (67%) and hacktivists (63%) likely culprits.  And, with more smart infrastructures in place, hackers have a larger attack surface, with pre-existing vulnerabilities more likely to be found and exploited.  Research from Threatcare and IBM X-Force Red, lends credence to this, having uncovered multiple zero-day vulnerabilities across different IIoT vendors. Security gaps identified include the use of default passwords, authentication bypass flaws, SQL injection vulnerabilities, and even open ports where control is possible from across the internet.  And the threat has only increased, with a recent Gemalto study finding that almost half of all businesses can’t detect if an IoT device has been breached.  There are even websites such as Censys and Shodan (among others) that make an attempt at tracking IoT devices.  And, more sophisticated attacks could take place against RF-controlled devices that may find their way into smart city architectures.  For example, Trend Micro recently identified security gaps in many commercial products, vulnerable from hardware-based rogue RF controller man-in-the-middle attacks.

 

The Threat Landscape

Moving from the general to the more specific, what are the types of IIoT devices one may encounter, and what specific actions are most effective and that one or more of the sectors described earlier?

Sector

Function / Use

Description

 Facilities

 

 

 

Structural monitoring

Monitoring of vibrations and material conditions in buildings, bridges and historical monuments.

 

Noise monitoring

Sound monitoring in bar areas and centric zones in real time.

 Transportation

 

 

 

Smart roads

Intelligent Highways with warning messages and diversions according to climate conditions and unexpected events like accidents or traffic jams.

 

Smart lighting

Intelligent and weather adaptive lighting in street lights.

 

Smart parking

Monitoring of parking spaces available in the city.

 

Traffic congestion

Monitoring of vehicles and pedestrian levels to optimize driving and walking routes.

 Emergency

 

 

 

Forest fire detection

Monitoring of combustion gases and preemptive fire conditions to define alert zones.

 

Air pollution monitoring

Control of CO2 emissions of factories, pollution emitted by cars and toxic gases generated in farms.

 

Snow level monitoring

Snow level measurement to know in real time the quality of ski tracks and allow security corps avalanche prevention.

 

Landslide and avalanche protection

Monitoring of soil moisture, vibrations and earth density to detect dangerous patterns in land conditions.

 

Earthquake early detection

Distributed control in specific places of tremors.

 

Perimeter access control and geofencing

Access and communications control to restricted areas and detection of people in non-authorized areas.

 

Liquid presence monitoring

Liquid detection in data centers, warehouses and sensitive building grounds to prevent breakdowns and corrosion.

 

Radiation levels

Distributed measurement of radiation levels in nuclear power stations surroundings to generate leakage alerts.

 

Explosive and hazardous gases

Detection of gas levels and leakages in industrial environments, surroundings of chemical factories and inside mines.

 

Crime noise monitoring

Gunshot monitoring in real time.

 Water and Wastewater

 

 

 

Potable water monitoring

Monitor the quality of tap water in cities.

 

Chemical leakage detection

Detect leakages and wastes of factories in bodies of water.

 

Water leakages

Detection of liquid presence outside tanks and pressure variations along pipes.

 

River floods

Monitoring of water level variations in rivers, dams, and reservoirs.

 

Pollution levels

Control real-time leakages and wastes in bodies of water.

 

Water flow

Measurement of water pressure in water transportation systems.

 Energy

 

 

 

Smart grid

Energy consumption monitoring and management.

 

Tank level monitoring

Monitoring of water, oil and gas levels in storage tanks and cisterns.

 

Photovoltaic installations

Monitoring and optimization of performance in solar energy plants.

 

High voltage line monitoring

Monitoring of line issues due to severe weather.

From Iibelium
 

Threat

Countermeasure

Example

Privacy, data, and identity theft

Authentication, encryption, and access control

Electric car charging stations,

Device hijacking

Device identification and access control, security lifecycle management

Traffic lights, robotics

Permanent and Application Level Denial of Service

Authentication, encryption, access control, application level DDoS protection, security monitoring, and analysis

Electric grids, monitoring systems

Man-in-the-middle attacks

Authentication and encryption, security lifecycle management

Water supply

From:  Rambus

 

Solutions 

One way to look at a solution is to first consider a set of universal security hygiene actions, and then look at specific requirements sector-by-sector.  An analysis by Microsoft looked at the properties of highly secure devices, and came up with the following recommendations:

Property

Examples and Questions to Prove the Property

Hardware-based Root of Trust

Unforgeable cryptographic keys generated and protected by hardware. Physical countermeasures resist side-channel attacks.

Does the device have a unique, unforgeable identity that is inseparable from the hardware?

Small Trusted Computing Base

Private keys stored in a hardware-protected vault, inaccessible to software. Division of software into self-protecting layers.

Is most of the device’s software outside the device’s trusted computing base?

Defense in Depth

Multiple mitigations applied against each threat. Countermeasures mitigate the consequences of a successful attack on any one vector.

Is the device still protected if the security of one layer of device software is breached?

Compartmentalization

Hardware-enforced barriers between software components prevent a breach in one from propagating to others.

Does a failure in one component of the device require a reboot of the entire device to return to operation?

Certificate-based Authentication

Signed certificate, proven by unforgeable cryptographic key, proves the device identity and authenticity.

Does the device use certificates instead of passwords for authentication?

Renewable Security

Renewal brings the device forward to a secure state and revokes compromised assets for known vulnerabilities or security breaches.

Is the device’s software updated automatically?

Failure Reporting

A software failure, such as a buffer overrun induced by an attacker probing security, is reported to a cloud-based failure analysis system.

Does the device report failures to its manufacturer?

From: Microsoft Research, The Seven Properties of Highly Secure Devices

 

IBM’s recommendations, based on the identified vulnerabilities described earlier, and more focused on software and processes, include: 

  • Implementing IP address restrictions for who can connect to the smart city devices, especially if networks rely on the public internet.
  • Leveraging basic application scanning tools that can help identify vulnerabilities.
  • Using strong network security rules to prevent access to sensitive systems, as well as safer password practices.
  • Disabling unnecessary remote administration features and ports.
  • Taking advantage of security incident and event management tools to scan network activity and identify suspicious internet traffic.
  • Hiring ethical hackers to test systems, such as IBM X-Force Red. These teams are trained to “think like a hacker” and find flaws in systems before the bad guys do.

From:  IBM, The Dangers of Smart City Hacking

And remember that these recommendations also apply to 3rd parties, an environment known to be especially vulnerable, and one where a breach may lead to disastrous consequences in the context of a smart city.  

In essence, develop a comprehensive architecture for proposed smart city services and applications, planning head vs creating a bolt-on architecture where every new sector becomes an exception or custom integration.  This planning is also critical in defining a least-privilege architecture where only those systems that must communicate with one another are actually able to do so.  Sure, a single screen depicting power, water, and roadways may look good and not disappoint Hollywood, but this may not be the most secure implementation. As with enterprises, leverage best practices such as the NIST-CSF, CIS, SOC2, and others, as a baseline to evaluate one’s security posture. 

To draw an analogy from the public cloud, the cities and their vendors share responsibility for the secure deployment, operation, and updates of any hardware and software deployed.  And, as opposed to deployments where detailed lifecycle security plan may be a ‘nice-to-have,’ here it is critical.  This is doubly true for devices whose data is made available to the public-at-large, such as the City of Santa Clara, CA traffic cameras.  In support of this, the government will step in to push the industry along, as with California’s recent IoT legislation.  Though only a beginning and not by any means comprehensive, it does imply that IIoT security has gained awareness.

 

Divergent Views – The East and the West

 Are there different priorities and approaches between smart city deployments in London and Shanghai, for example?  The answer is yes.  Though much of the technology will be the same, approaches to individual privacy differ.  There is less reluctance to gather PII from multiple sources and then correlate it, and many of the views track debates concerning just how to open the internet should be and to what data citizens should have access.  Already, many deployments include facial recognition to target individuals, and these use cases are spreading to the US.  On the positive side, there is probably a greater emphasis on centrally planning and securing any deployment.

 

The Future

As I noted earlier, there is still time to properly secure the IIoT with many of the suggestions listed above.  Looking to the future, a few initiatives are in play to better secure the various devices deployed.  As an example, the major public cloud providers, with their interests in the IoT space, have proposed and deployed architectures to better secure their services and devices.  Examples include Google’s Titan, Microsoft Azure Sphere/Pluton, and AWS’s IoT Device Defender.   One would hope that the various players reach consensus on a single, interoperable approach, but in any case, it will take years for these more secure devices to be deployed, and existing devices will still present vulnerabilities.

Check out our Leveraging NIST CSF Playbook, for more information on securing our critical infrastructure. 

0
0
0
s2sdefault

© 2018 Cavirin Systems, Inc. All rights reserved.