Who is responsible when the smart city crashes?
Society is becoming ever-more connected on a daily basis. Consumers are able to check email from virtually anywhere, including the home, other’s homes, work, when getting coffee, when driving, etc. The portals (Wi Fi) are present in the person’s homes, office building, grocery stores, coffees shops, vehicles, and many other types of locations. This rather not exhaustive list does not even include the person’s smart phones. In another facet of connective-ness, vehicles are significantly connected with GPS, blue tooth, internet, and many other services. As an extension, autonomous vehicles are being tested now on the public streets with passengers. These are planned to be in place on certain levels within the next few years. These advances are fantastic for our society. The mass communication and knowledge flow with this are much faster and efficient than prior methods. This increase in convenience as the equipment takes over our tasks
An aspect of this nouveau way of life and culture has not been researched or architected sufficiently. Information Security is the facet that underlies and is the baseline for these connected items and equipment. Without a firm application of security throughout the development process, there tends to be significant issues at the end of the project, when security is consulted and treated as a bolted on addition to the massive project. Granted these new programs presently provide and will continue to provide a substantial benefit, however InfoSec still needs to be applied. Too often though this is viewed as an inconvenience or a speed bump in progress in comparison to a necessity to keep people safe. This view has created issues across industries.
What brought this idea to light was a quote from Dr. Simon Moores, as he presented at a IFSEC International conference. Dr. Moores has been credited with stating “Who’s responsible when a smart city crashes?” This is an interesting topic, yet in its full application, a bit harrowing. The smart city, in its full application, would integrate every aspect of a person’s experience possible to an automated state. This would not only include public Wi Fi, but the traffic lights monitoring the traffic flows along with pedestrian foot traffic. The system would optimize the traffic and pedestrian flows so the efficiency is realized with the vehicles and better the pedestrian safety. The other aspects would also be fully integrated so enrich the user experience. If the InfoSec is not thoroughly applied throughout the system and endpoints, the issues in theory could provide for numerous dangerous situations for the people and the interaction with vehicles. The system could be attacked with the end goal of directing the traffic lights at select times to authorize the users to walk into the traffic three seconds prior to the vehicle receiving their green light.
This may be done through the wireless communication channels. This may present a secured method for the nodes and module endpoints to communicate, however this may not be as secure as the standards recommended. The network structure may also not be appropriate for the use case. These sources and others may inadvertently create attack points that may or may not be easily compromised.
With systems like this that will be utilized, there are a myriad of potential vulnerabilities. If a group were to be substantially industrial and wanted to provide the rather large list, the group would need to check the network in various manners to understand if there are issues in the various network areas, Wi Fi, monitoring devices, and the other pieces of hardware deployed throughout the city. The maintenance on the entirety of these systems would require a regular program. Any maintenance issues with the equipment potentially would create a dangerous situation for the vehicles and pedestrians, along with additional attack points for the system.
If, due to a compromise or other condition, the network were to cease operating or operating at a severely reduced level, there would also be significant problem with finding the issue and fixing this such that the system would be completely operating at 100%. This has the distinct potential to be a massive job for the group tasked with it. During the time spent to find the issue and correct it, the city would be not operating, or in the least operating at a significantly reduced level. With the chaos that erupts through this period, people would be at in harm’s way. There are many examples of what could happen during this time.
InfoSec needs to be developed alongside the protocols, network, and system. With incorporating these from the beginning, the end product clearly would have a greater level of security in comparison to other products.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.