Here comes the NY Times with yet another security warning that — sadly — many cities will ignore.
It makes a simple point: The more smart devices you have, the more vulnerable you are to hackers. Solutions are available, but only if cities spend the necessary time and money.
Many don't. As you'll read, the city of San Francisco still hasn't plugged a security hole that was identified a year ago. That oversight could come back to haunt them if a cyberattacker exploits that weakness to cause economic or even physical harm. An angry litigant could seek damages by claiming the city knew about the problem and failed to take action.
The Smart Cities Readiness Guide contains 27 foundational principles. Of those, 17 are "universal" principles that apply to any and every department. Perhaps the most important of all is the advice to have a citywide cybersecurity policy in place. — Jesse Berst
If you knew the locks on the front door to your house were faulty — a burglar with even the slightest skill could easily get past them — would you replace them? Of course, right? Yet a report shows that some big cities, warned that security around their smart cities infrastructure is lax or even nonexistent, have done nothing to address the problem.
Failing to take action could result in everything from impenetrable traffic jams to serious injuries. But cities are failing to act, even though they have plenty of ready-to-deploy options to plug the security holes.
Out-of-control traffic control
The New York Times tells a troubling story about traffic control sensors used in some of the world’s largest cities, including New York, San Francisco, Melbourne and Lyon. One year ago, security researcher Cesar Cerrudo warned cities the data from their sensors wasn’t encrypted and that anyone within a quarter-mile could intercept that data. Last week, he retested San Francisco’s sensors; they still hadn’t been fixed.
It can be a huge safety threat. Cerrudo found ways to tap into those systems, allowing him to control the traffic lights and change the speed limit on electronic signs.
And it’s not just traffic. Last year, security researchers at a conference in Amsterdam showed how they could black out parts of the city by tapping into smart meters and exploiting security flaws in power line communications.
Stop playing Whack-a-Mole
Taking any action to address the security threat is welcome, but Council Lead Partner Cisco argues that cities also need to re-think their overall security approach. Martin Roesch, chief architect for the Cisco Security Business Group, told the RSA Conference 2015 that today's security approach is too reactive, which doesn't work when there are five times as many hackers as there are security professionals.
"We need to have a better response available than playing Whack-a-Mole with the hackers," he told the conference.
Roesch says cities need to break down internal silos; everyone needs to be on the same security team. He says some organizations use as many as 60 different security tools. They all need to be brought together. That eases management and gives all team members more insight into the security risks and needs. Further, if there’s an attack, they can coordinate a response, rather than individually patching their security holes.
Cities have security options
Despite the evolving nature of the security threats, there are a variety of tools available to help cities mitigate them. Here are a few of the newest options.
Council Lead Partner Allied Telesis is partnering with Kaspersky Lab to add advanced threat protection to its next-generation firewalls. Allied Telesis says threats are becoming much more sophisticated, requiring much more robust protections to guard systems.
Kaspersky Lab is known for its anti-virus engine that detects viruses, Trojans, worms, rootkits, spyware and adware. It also makes Kaspersky SafeStream II, which protects against zero-day malware, server-side malware, web-borne malware and drive-by downloads. Allied Telesis builds on that with its own specialized hardware, which is designed to shield networks not only from hackers, but other threats, such as infected devices city employees may bring to work.
Cisco, meantime, is launching Advanced Malware Protection and Incident Response Services. Its new capabilities provide dynamic malware analytics and threat intelligence, and help security teams pinpoint threats by seeing which hosts are compromised with which threats. AMP for Endpoints can also determine which hosts are most likely to be compromised, helping security teams to prioritize their response.
Cisco says as threats grow more sophisticated, more organizations are looking for outside experts to help. Cisco Security Incident Response Services are designed to help with that need.
Joining with law enforcement
Law enforcement can also play a key role in helping to mitigate threats. A couple of new initiatives and services are designed to help officers determine who’s behind threats and bring them to justice.
Cisco’s AMP Threat Grid for Law Enforcement gives officers in the field access to detailed information about suspicious files or web addresses. Within minutes of entering a query, officers get a comprehensive report explaining exactly what that file does. The service also compares it to other threats, helping to put it in context.
Council Lead Partner IBM has launched a social media network for cybercrime fighters. Its X-Force Exchange functions somewhat like the social media service Pinterest. The service allows security professionals to work together and share information to guard against threats, helping to level the playing field with the people behind the attacks. Research indicates that 80% of cyberattacks come from well-organized gangs that share information with each other. Security professionals have tended to work in isolation.
Real and immediate danger
With more options than ever for tackling cybersecurity, the toughest part for cities may be picking one to start with. But Cerrudo says cities must get started -- today!
“The current attack surface for cities is huge and wide open to attack,” Cerrudo wrote in a report presented at the annual RSA security conference. “This is a real and immediate danger.”