Smart cities are rapidly becoming a reality all around the globe. Like all revolutionising innovations, smart cities are developing their own unique challenges alongside of their perks. Among the benefits of Smart cities lies a slew of security nightmares that are unmatched by any other technological development. Such large, interconnected networks of gadgets and people are bound to generate issues ranging from social surveillance to pollution to even physical security threats. Let`s get prepared to countermeasures well before towards building the resilient cities of tomorrow.
The challenges that are clouding the smart cities excitement
Man-in-the-middle: An attacker breaches, interrupts or spoofs communications between two systems.
Data & identity theft: Personal information of inhabitants may lie in the hands of cyber attacks for fraudulent transactions and identity theft as large amount data are being generated in automated system such as parking garages, EV charging stations and surveillance
Device hijacking: Smart apparatus such smart meters can be hijacked by attackers without altering its functioning. Thus without any difficulty virus like ransomware can be launched to hamper Energy Management Systems (EMS) or stealthily siphon energy from a municipality.
Distributed Denial of Service (DDoS): This is typically achieved by flooding the target with superfluous requests to prevent legitimate requests from being fulfilled. In the case of a distributed denial-of-service attack (DDoS attack), incoming traffic flooding a target originates from multiple sources, making it difficult to stop the cyber offensive by simply blocking a single source. Within smart cities, a plethora of devices, such as parking meters, can be breached and forced to join a botnet programmed to overwhelm a system by requesting a service simultaneously.
Permanent Denial of Service (PDoS): Permanent denial- of-service attacks (PDoS), also known loosely as phlashing,is an attack that damages the device so badly that it requires replacement or reinstallation of hardware. In a smart city scenario, a hijacked parking meter could also fall victim to sabotage and would have to be replaced.
Countermeasures towards building resilient cities of the future
Connected smart city devices should be protected by a comprehensive IoT security solution that does not disrupt profitability or time to market.
Firmware integrity and secure boot- Secure boot utilizes cryptographic code signing techniques, ensuring that a device only executes code generated by the device OEM or another trusted party. Use of secure boot technology prevents hackers from replacing firmware with malicious versions, thereby preventing attacks. Unfortunately, not all IoT chipsets are equipped with secure boot capabilities. In such a scenario, it is important to ensure that the IoT device can only communicate with authorized services to avoid the risk of replacing firmware with malicious instruction sets.
Mutual authentication–Every time a smart city device connects to the network it should be authenticated prior to receiving or transmitting data. This ensures that the data originates from a legitimate device and not a fraudulent source. Secure, mutual authentication— where two entities (device and service) must prove their identity to each other—helps protect against malicious attacks.
Security monitoring and analysis–Captures data on the overall state of the system, including endpoint devices and connectivity traffic. This data is then analyzed to detect possible security violations or potential system threats. Once detected, a broad range of actions formulated in the context of an overall system security policy should be executed, such as quarantining devices based on anomalous behavior
Security lifecycle management–The lifecycle management feature allows service providers and OEMs to control the security aspects of IoT devices when in operation. Rapid over the air (OTA) device key(s) replacement during cyber disaster recovery ensures minimal service disruption. In addition, secure device decommissioning ensures that scrapped devices will not be repurposed and exploited to connect to a service without authorization.