Smart cities wake up to cyber threat
By Garry Booth
Blade Runner, the classic science fiction film set in Los Angeles, portrayed a dystopian vision of city life in 2019. While the future didn’t turn out to be so bad for LA, the picture of a city reliant on technology isn’t so wide of the mark.
Today’s so-called smart cities rely on automated traffic signals and CCTV; their mass transit networks, energy and water utilities are computer controlled; citizens access and pay for their municipal services online. And there’s more to come, as city services are transformed by Big Data, robotics and the Internet of Things.
So it’s not hard to imagine the chaos that a cyber-attack could cause across any city’s systems – nor the costly liability implications of a big data breach.
The sprawling metropolis of Atlanta had a taste of the cyber risk threat facing smart cities in March 2018. Two Iranian hackers successfully mounted a ransomware attack on the municipality using a form of malware designed to penetrate weaker IT infrastructure and servers.
According to reports, in the days following the incident, Atlanta residents were unable to do simple city system-dependent tasks like paying parking tickets or utility bills. Reuters reported that at least one third of the 424 software programs that the city runs were still offline or partially inoperable more than two months after the attack.
Almost 30% of those programs were deemed “mission critical” by the authorities, meaning that they controlled crucial city services like the court system and law enforcement.
Scott Skransky, cyber risk expert with catastrophe modelling firm AIR Worldwide, said that the Atlanta incident was a wake-up call for cities because they saw it could happen to them: “It was very disruptive as it affected all the municipal services and also the airport, which is a major US hub.”
In Atlanta, the hackers demanded a $50,000 bitcoin payment but were caught and prosecuted. However, Skransky reckons that criminals will increasingly try to monetise disruption.
“Denial of service or ransomware attacks are the most likely events, where hackers could threaten to release raw sewage into water supplies or shut down power grids, for example,” Skransky explains. “Alternatively, hackers could threaten an attack on traffic control, even going so far as to do a ‘proof of concept’ to demonstrate their ability.”
At the start of this year, the website of Dublin’s tram service was attacked, with the hacker demanding a one bitcoin ransom. Users trying to access the home page were presented with a message threatening to “publish all data and send emails to your users” unless the payment was made in the next five days.
Data breach threat
The disruption of essential systems, and the effect on citizens and businesses, is not the only cyber risk facing cities today. Data loss is a massive and increasing risk for municipalities – especially as more countries move to introduce punitive data privacy legislation.
“All city employees’ data is in the system as are residents’, corporations’, taxpayers’, land records. When everything was paper based there was a risk of physical theft, but now with everything in electronic format it opens up the potential for hackers in remote locations to steal it,” Skransky warns.
Under the European Union’s General Data Protection Regulation (GDPR) directive, for example, cities as well as corporations can be hit with multi-million Euro penalties if they lose or misuse EU citizens’ data.
In theory, any city in the world could be at risk of action from the EU if, for example, it lost the data of visiting EU tourists in a cyber attack on its facilities payment systems.
High economic loss
In terms of the potential economic loss from cyber risk overall, New York tops the global rankings with an estimated GDP loss potential of $2.34bn, according to Lloyd’s City Risk Index. For Los Angeles and Chicago, the potential loss is $1.44bn and $0.92bn respectively.
European cities are no less exposed to cyber threats and stand to lose $8.67bn, according to the CRI. London ($1.4bn), Paris ($1.1bn) and Madrid ($358m) top the Western Europe CRI ranking.
But smart cities everywhere are “alarmingly” exposed to cyberattack, according to management consultant PwC. Because a threat could enter a smart-city infrastructure at any compromised point, the risk can quickly grow as one system compromises the next, PwC said in a recent note.
“In a classic weakest-link scenario, one seemingly innocuous connected device, when hacked and injected with malware, could potentially open up an array of other devices to penetration, causing cascading damage throughout the entire infrastructure,” PwC explained.
“Unfortunately, the development of cybersecurity credentialing, security, safety and prevention systems for smart cities has not kept pace with the burgeoning adoption of digital capabilities,” PwC continued.
Moves are underway to help cities make themselves more resilient to cyber risk, however. The 2018 Global City Teams Challenge in the US, for example, is co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Homeland Security’s Science and Technology Directorate (DHS S&T). The initiative includes a programme to bring together IT vendor companies and cities around the world to work together on cyber security projects.
In Europe, part of the EU’s Horizon 2020 Smart Cities initiative is aimed at improving data security for citizens. The STARDUST project helps cities exchange information on strategies to help them comply with the new GDPR rules. The Spanish city of Pamplona, a STARDUST member, has implemented smart city data protection software under the supervision of a data protection officer to protect the information it holds on citizens.
More cities are starting to consider insuring their cyber risk exposures, according to Graeme Newman, chief innovation officer at Lloyd’s insurer CFC Underwriting.
“A number of public entities in the US purchase cyber insurance and we are starting to see the same in Canada and Australia too,” Newman says, the main driver being the very large volume of sensitive personal data they hold.
“They are also aware of growing risks involving malware and extortion demands that can cause serious disruption to their operations,” he adds, echoing Atlanta’s experience.
AIR Worldwide’s Scott Skransky warns that as cities become smarter, everyone will have to up their game.
“Autonomous vehicles could pose a big cyber risk for cities, for obvious reasons. Other modes of autonomous transit, such as trains, are becoming more common and will present issues,” he warns. “Likewise, the Internet of Things promises great benefits but also potentially presents big cyber risks for cities.”