Need for a cyber resilient smart city

Sanjay Rohatgi

Until a decade or two ago, ‘Hack’ was a term relevant only to PCs or laptops. Little did we know then, that we would reach a point where it would spread its arms to watches, TVs, refrigerators and more. The internet today is everywhere, with ‘dumb devices’ getting smarter and more connected than ever before- we are living in the era of ‘Internet of Things’ (IoT). Take industrial control systems (ICS) for example, they are now being connected to the internet on a massive scale, with IoT bringing greater acceleration of connectivity, not only in the production process and supply chain, but also right across all business processes. In the drive to be globally competitive and gain a greater foothold in their market sectors, organizations are increasingly embracing these innovations and moving towards improved interconnectivity.

This success has fueled the idea of leveraging the benefits of the IoT, often referred to as the Internet of everything in other areas of our lives- including our cities. This interconnected scenario in the cities and a digitally equipped city infrastructure together forms the crux of a ‘Smart City’. Various devices like sensors, gateways, communication infrastructure and servers will collectively form a part of it and will be critical in shaping the future of smart cities. Such cities have been gaining relevance across the globe and the concept was recently introduced in India with the new government’s ambitious ‘Digital India’ initiative.

CRITICAL INFRASTRUCTURE- A CYBERCRIMINAL’S PLAYGROUND?

Primarily, smart city deployments will come with multiple features and state-of-the-art technologies like critical and complex Information and Communications Technology (ICT) implementations and will comprise of diverse ecosystem of technology providers. Various devices like sensors, gateways, communication infrastructure and servers will collectively form the ‘Internet of Things’ and will be critical in shaping future of smart cities. In this scenario of overlapping functions, the process and information exchange in the city will be interconnected and contextualized in a common middleware.

This growth in the interconnected environment has also made it more vulnerable to cybercriminals. Well-orchestrated, new-age targeted and cyber-espionage attacks are not a new phenomenon in today’s environment. In 2010, the Stuxnet worm woke India and the world up to the threat to critical infrastructure. It marked a watershed in virtual warfare, as it directly infected the critical infrastructure, putting the heavily guarded machinery completely out of control. It was known to have reportedly destroyed roughly one-fifth of Iran's nuclear centrifuges by causing them to spin out of control.

Adding to the trend in recent times, the Dragonfly group attacked more than 1000 firms crippling critical infrastructure in multiple countries. While the main purpose of these ‘infections’ was to gain a foothold in the networks of targeted companies, the attacks also revealed that the Dragonfly group now had the capability to strike vital infrastructure if it chose to. According to Symantec’s research, this well-resourced attack group that has been functional since 2011, initially targeted defense and aviation companies in US and Canada, before shifting focus to other firms in US and Europe in early 2013. Groups like these had the motive of gaining foothold in the networks of companies- revealing their capability to strike the critical infrastructure any moment. More recently, Regin- a new piece of malware uncovered by Symantec conducted targeted attacks at numerous international organizations since 2008, including governments, infrastructure operators, businesses, academics and private individuals. Interestingly, around 5% of these infections were confirmed to be in India. Regin’s developers put considerable effort into making it highly inconspicuous. Its low key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing.

Cyber-attacks of this scale and nature send can send any organization back into the pre-computer era, trickling down to many aspects of their operations. In this scenario, the time is now for government administrators to think security while crafting the blueprint for smart cities.

WOULD SMART CITIES OPEN LUCRATIVE INROADS FOR CYBER CRIMINALS?

As India gears up for the vision of 100 smart cities- a major step towards Digital India, it becomes important to understand the impact of attacks on critical infrastructure and what they can mean to the nation and its citizens. The critical infrastructure systems comprising of smart energy grids, dams, energy and petroleum supplies, transport systems, along with connected IT infrastructure i.e. sensors, cameras, wireless devices, data centers, wireless hotspots etc., would play a vital role in the making of the smart cities. These will be controlled and monitored remotely to ensure efficient management and conservation of resources. No doubt all this will provide a simplified, digitized and connected life and bring innumerable benefits to the citizens through smartly designed transportation, connected healthcare etc. but at the same time it could emerge as a hotbed for cybercriminals.

To highlight in depth a few specific verticals/ categories and the vulnerabilities they may garner, we look in to the following;

An intelligent/ smart transportation system if installed, would help in improving public travel by providing traffic information and predictions in real time. However, despite being such a big boon, there is a possibility that it will bring along its share of vulnerabilities. The news of a teenager in Europe effortlessly breaking into the complex infrastructure virtually to derail a tram by forcing it into a sudden turn at high speed and cause a traffic disruption made headlines. He was successful in causing this pandemonium with a mere modified TV remote.

Along with the smart transportation an advanced energy grid technology that would comprise of smart meters- to help record and report accurate energy consumption in homes and commercial establishment, it will also enable regulated or reduced energy consumption. At the same time it is imperative to be aware of lurking dangers, as cybercriminals could look for duping the smart meters for reporting false information, indulging in power theft and causing revenue loss. These are wake up calls to highlight the importance of securing the critical infrastructure and our smart cities.

CREATING A RESILIENT SMART CITY OF THE FUTURE

Smart cities can securely thrive and prosper if cybersecurity and information security are fundamental components of the services they provide to their users. To achieve this goal, city planners shouldn’t delay the adoption of measures like:

Establishing a governance framework – This will help identify and engage key stakeholders

Ensure governance, risk and compliance (GRC) – This will make sure IT departments are able to monitor their environment and meet compliance regulations

Enabling service continuity – Cities aspiring to be “smart” must learn to secure and manage diverse environments. There is no alternative to deploying up-to-date solutions for security, backup, data loss prevention, archiving and disaster recovery

Protecting information proactively – People responsible for modeling the city’s information backbone must embrace an information-centric approach, which includes using content-aware information tools that consider users’ context before sharing information with them

Authenticating users – By ensuring the true identity of a smart device, system or application, strong authentication techniques can ensure protection for an organization’s public-facing assets

Balancing traditional v. cloud delivery – All the smart services mentioned so far can be accessed along the traditional client-server route or as a cloud-based “pay as you go” services; smart cities must work toward achieving a happy balance between the two models

Managing security services – Cities should seriously consider outsourcing cybersecurity services to minimize security disruption and data loss

Protecting infrastructure – Top priorities for IT administrators in smart cities include securing endpoints, messaging and web environments, and critical internal servers as well as providing for improved data backup and faster recovery

Ensuring 24x7 availability of critical infrastructure – There is need to ensure resilience in case of an incident by way of adequate backup and recovery software or appliances, policies, processes and tools

Developing an information management strategy – This will include information retention plans and policies, and implementation of deduplication techniques in as many places as possible to free up resources. A full-featured archive, an eDiscovery system and data loss prevention technologies would be the other components of this strategy.

Working with seasoned partners for security and information protection – On the security front, cities can’t dilly-dally for too long., City planners must tap expertise from external partners with worldwide visibility of cyber threats and attacks.

With some of the recent revelations around state-sponsored espionage and sabotage the government of India will look at developing an end-to-end architecture designed to manage critical infrastructure, promote compliance, mitigate fraud and protect privacy to successfully build the smart city of tomorrow.

The author is the president – sales, India, Symantec