BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Securing Smart Cities

This article is more than 8 years old.

When you think about it, a smart city is like a giant graduate thesis for the Internet of Things (IoT). Having grasped the individual technologies, these must be combined on a grand scale. There are millions of sensors, mesh networks, big data infrastructure, and a variety of standards involved. There are also hundreds of individual IoT vendors and IT organizations working together at the cost of billions of dollars, orchestrating everything to make sure it all works smoothly because, if one piece should fail, it could cause a massive ripple effect with potentially catastrophic results.

On Tuesday a group of vendors launched the Securing Smart Cities initiative to address the security concerns. "We will help governments approach the vendors to apply technology in a safe way, help vendors to produce more secure products, and create research that will be used to identify new threats and also find solutions for all the problems that are identified," said Cesar Cerrudo, CTO for IOActive and Board Member of Securing Smart Cities. In addition to the consulting and research services provided by IOActive, the not-for-profit global initiative includes endpoint security company Kaspersky and the IoT security company Bastille.

Cerrudo has been a leading voice in securing smart cities in recent months. Last summer he addressed a packed house at DefCon 22 on vulnerabilities in common traffic signals found in over 40 US cities and nine countries worldwide. But his talk could have also been about smart meters, or any other embedded devices going into any modern city infrastructure. He said IoT vendors sometimes implement their own patent-pending technology, falsely assuming because it is not standard it must therefore be hacker-safe.

"They all have a problem with encryption," Cerrudo said. "Sometimes they don't have encryption at all. Sometimes they have encryption but maybe they have really bad key management so they distribute products with the private keys inside and they share the same key with all the devices. As an attacker, you only need to get inside one device and then you get inside everything. That's a very common problem today."

Another problem, Cerrudo said, is that many embedded systems and IoT vendors don't sign the updates they send out to the field. An attacker could be in the middle of that communication, providing a fake update to a device they want to control. "And then sometimes," he said, "the vendor will sign the update but the private key will be inside the device, so the attacker would be able to sign their own binaries." In other words, it would appear to the device to be a legitimate update from the vendor.

Cerrudo said IoT vendors are having some of the same problems that the software industry had ten years ago. For example when Microsoft, Oracle, and Adobe started having vulnerabilities they started to invest in implementing secure software development lifecycles and securing the product from the beginning. "But these companies that come from the hardware side or these companies that are starting produce a new embedded products, they don't know about security," he said.

Fortunately the software industry created some best practices and technology to make the product —even hardware products-- more secure, Cerrudo said. "The knowledge, the solutions are there. It is just understanding the security, understanding what the problem is and implementing a solution for it, that will take time."

In security there's a feeling nothing will be done until people and companies realize they have to do something or they will lose business, Cerrudo said. "We need right now to have an incident that people will start to react." For example, he mentioned smart street lights. "All the street lights are connected wirelessly, so if you can hack that, you can turn off all the lights in a big area. There's a lot of wireless technology that does not have encryption." Random blackouts, he said, might get people's attention.

It's not just the large systems that need research. "Tiny sensors play a really important role in smart cities because they constantly provide feedback and information to all the systems," Cerrudo said. "The system will take that sensor information and proceed to take actions. If you have problems with sensors then you will have that problem propagated over many systems, in many different areas of the city. It's like a sensor in the poor part of the city, they are sometimes one of the most vulnerable because they are small devices and they can be stolen." With a device in hand, someone could try and figure out the encryption keys and take over the whole system.

Another example where one technology will affect many other systems is traffic. "With traffic, you have a car detection mechanism so it will detect if there's a car waiting. When changing the timing of the traffic light where there's metering it is useful to know how many cars are in the line, in the queue, waiting for the highway. And if you also know how many cars are on the highway you can synchronize how you let the cars in –if that doesn't work, then you have a big mess."

Securing smart cities isn't just a macro problem, it is also a micro problem as well. "There are security problems at different levels," Cerrudo said. "You have to take care of everything. You have a house with windows and doors. If you protect just one door and one window, you can't leave all the others open, you have to implement a global solution. You need to see the whole picture and start working from that because if you fix just one thing it won't have a big impact on the whole system. You need to work on the whole system."

Toward that end, the security research into IoT must be ongoing. "Because if you stop researching," Cerrudo said, "later you will find you have more new problems that you didn't see before. The approach for me is continuous research, to produce knowledge that can be used by everyone in the system—vendors to produce secure software and government to implement them properly." He estimates that cities have one year or so advantage over attackers because it takes some time to develop tools to exploit the security problems.

The idea behind the Smart Cities Initiative is to create guidelines, standards and recommendations that are not too specific for city deployment, Cerrudo said. "They should be general guidelines such as: city government should have a more secure infrastructure; vendors should produce more secure products or share information in certain areas to identify actual problems; and some lucky people should always get do research so they are always one year or more ahead of the problems."