In-brief: Governments looking to deploy ‘smart city’ technologies are still failing to pay enough attention to security and privacy issues, according to researcher Cesar Cerrudo.
More than a year after the technology firm IOActive documented glaring security holes in many “smart city” technologies, cities and municipalities still struggle to balance “smartness” with security, according to researcher Cesar Cerrudo.
Cities are increasing investments in technologies from seismic monitoring and smart street lighting to gunshot detectors. But municipalities still frequently fail to assess – or even inquire about – the security of software and hardware they deploy, said Cerrudo.
“One of the main problems in cities around the world is that they’re incorporating technologies, but they’re not doing any security testing at all,” Cerrudo told The Security Ledger in an interview last week.
Smart city deployments are accelerating globally, particularly in Asia, Western Europe and North America. The Obama Administration unveiled a $160 million program in September, 2015, to encourage federal research and help local communities tackle challenges like traffic congestion and crime, foster economic growth and improve the delivery of city services.
In recent months, Columbus, Ohio, received a $150 million public and private grant to fund a “smart” makeover of the Rust Belt city that is focused on improving traffic and efficiency.
Companies working on smart city problems include Sidewalk Labs, a Google spin-out that is developing a platform called “Flow” that can use real-time data from smartphones and environmental sensors to provide a real-time view of how roads and parking spaces are being used.
But Cerrudo said that cities focus too much on the promise of specific technologies, without thinking too hard about the security and privacy implications of a given solution.
“They do a lot of functionality testing, but there is no security testing. That’s a real risk, because basically you’re running your city with systems and devices that, most of the time, are insecure. And cities completely ignore these,” Cerrudo said.
Cerrudo has conducted research on systems like traffic control systems used in metropolitan areas like Boston, Washington D.C., New York City and Seattle. He found that these systems are often vulnerable to remote, wireless attacks that could be used to control the behavior of traffic lights and sow chaos.
The best time to assess and address security flaws in smart- and connected city platforms is during the technology selection phase, Cerrudo argues. So, to help cities and other municipalities do a better job selecting quality vendors and technologies, Cerrudo and IOActive put together a document that provides guidelines for making smart cities safe (PDF).
Among other things, the Guidelines call for smart city solutions to comply with basic information technology security requirements like strong cryptography to protect data at rest and in transit, strong authentication features, automatic updating, and robust auditing and alerting features.
Cities should stay away from solutions with so-called “backdoor” accounts – undocumented and hard-coded administrative or maintenance accounts. Backdoor accounts have been shown to be common on many industrial platforms.
Additionally, municipalities should take a cue from private sector firms: locking in Service Level Agreements (SLAs) that require vendors to ensure and stand behind their security promises.
Progress in the smart city space will need to follow a similar path as the software industry, Cerrudo said.
“If you look at past history on how security has improved in technology – operating systems or office software, companies realize that their profit will be affected by the security of their product. That happened to Microsoft, Apple, Adobe, Oracle…everyone.”
The same will happen to companies in the smart city space, he said, with the push to get products to market in a hurry tempered by pressure from consumers or, possibly, regulators. “In order to add cyber security as a goal in a company, the requirements have to come from consumers and the government, and companies have to pay attention to that.”