Local governments are increasingly incorporating and relying on “smart” technology in their cities. A smart city uses information and communication technology (ICT) to increase operational efficiency, communicate information with the public, and enhance the quality of government services and citizen welfare. Using smart technology and data analysis, the primary objective of a smart city is to optimize municipal activities and stimulate economic development while also enhancing the quality of life for its residents (TWI Global, n.d.). Unfortunately, the increased reliance on smart technology leaves entire cities and critical infrastructure vulnerable to cyberattacks. Water utility systems, electric utilities and services such as street lights and traffic lights, parking meters, traffic monitoring, camera and audio surveillance systems, and building management systems are all examples of vulnerable smart city infrastructure.
Real-World Threats
Water Supply Poison Attempt
On February 5th, 2021, a hacker attempted to poison the city water supply of Oldsmar, Florida (Tampa Bay area). The attacker remotely controlled the computer system and changed the sodium hydroxide level in the water supply from about 100 parts per million to more than 11,100 parts per million. Fortunately, a plant operator noticed the dangerous change and immediately reduced the sodium hydroxide to a safe level. Article: https://www.cbsnews.com/news/florida-water-hack-oldsmar-treatment-plant/
City of Yonkers Hacked
On September 6th, 2021, the City of Yonkers, New York, fell victim to a ransomware attack. For at least five days (the article doesn’t state when services were restored but does state that the city hopes to restore services on September 10th), city employees could not use their computers. The city refused to pay the ransom and chose to restore its systems by utilizing backups, which is a tedious but effective process. Article: http://yonkerstimes.com/city-of-yonkers-hacked-no-computers-for-the-past-week-ransom-demanded-city-hall-says-no/
Kansas City, Kansas Cyberattack
On April 16th, 2022, “Officials with the Unified Government of Wyandotte County/Kansas City, Kansas gave few new details on the nature of a cybersecurity attack during a press conference.” Many government services were shut down as a precaution; most were restored, but some were still down at the time of the article’s publication. Article: https://www.govtech.com/security/kansas-city-kan-remains-relatively-silent-on-cyber-attack
Common Themes
In all of the articles in this blog post, there is a cyberattack that affects or could affect all citizens in the respective city. The severity of a city-wide cyberattack can vary. However, there is no denying that cyberattacks have the potential to cause serious harm, including death. City services can easily be compromised if targeted, especially in “smart” cities. Unfortunately, these articles do not detail exactly what happened during their respective cyberattack. How did these attackers gain access to systems? What technologies did they exploit? What is the probable cause of such a breach? How could these attacks be prevented? These questions go unanswered, not just for these three articles but for many others with similar stories. Society isn’t looking into these major cyberattacks enough. People accept cyberattacks as the new normal and determine that the issue is someone else’s problem.
Another common theme with city-wide cyberattacks, and with cyberattacks in general, is the failure to pinpoint who the cybercriminal is. Most of the time, no one is found guilty of these crimes. At best, investigators can guess which advanced persistent threat (APT) committed the crime, or they can pinpoint what country the attacker resides in. Very rarely can an attack be linked to the names of the people involved. Because of this, cybercrime is a very lucrative endeavor.
Prevention
Cybersecurity is a vast, extensive art. Yes, an art, not a science, as one may think. There aren’t definitive answers to any problem, and every issue has zero to many solutions. Every organization will have different problems and critical assets they need to secure. There are no one-size-fits-all solutions, and listing an entire cybersecurity plan in this blog would be impractical. For those reasons, this post will not be giving cookie-cutter answers such as “encrypt data,” “make backups,” “form an incident response team,” “patch systems,” “use strong passwords,” etc. Instead, this post will focus on practical ideas to point you in the right direction.
Get with your cybersecurity team to determine posture
If you don’t have a dedicated cybersecurity team, start hiring one as soon as possible. This will be expensive. But remember, if you don’t invest in your cybersecurity team, your data is already on its way to the dark web. The current cyber workforce shortage will make it hard to find cybersecurity professionals. Don’t rely on your IT team for this responsibility. IT’s job is to make the network function for the organization, and IT often neglects basic security best practices to make things work. If you don’t already have a working framework in place, you should adopt a cybersecurity framework from the National Institute of Standards and Technology (NIST), International Standards Organization (ISO), Information Systems Audit and Control Association (ISACA), etc. Cybersecurity frameworks are the best starting points for any new cybersecurity program.
Address risks from the top down
Once your cybersecurity posture has been determined, you must start addressing the most critical risks and work down to the least critical ones, even if the less critical risks are "easy kills." Solve the issues one by one until you reach a point where your organization determines that the cybersecurity posture is robust. This can take years, and it will not happen overnight. Don't add new technologies until the cybersecurity posture is strong. Getting caught up with all the latest technology is easy, but ensuring your existing technologies and procedures are robust before implementing new ones is critical. Each new device that connects to the network introduces another risk. Be careful when converting everything to "smart" devices. As a general rule of thumb, the more convenient a technology is, the more vulnerable it is.
Conduct outsider audits
When your cybersecurity posture is determined to be strong, put it to the test by hiring an external penetration testing team to conduct what are also known as red team penetration tests. Red teams will simulate real-world attacks just as an actual cybercriminal would. The only difference is that they won’t damage your network, and they will write a report of their findings and provide recommendations to fix your weaknesses. Don’t forget to act on this report and secure any holes they find. Perform red team penetration tests at least quarterly and whenever you add something new to your network/organization.
Summary
In cities, local administrations are increasingly adopting and depending on "smart" technology. A smart city utilizes information and communication technology (ICT) to promote operational efficiency, interact with the public, and improve the quality of government services and citizen welfare. Unfortunately, the rising dependence on smart technology exposes whole cities and vital infrastructure to cyberattacks. The Oldsmar, Florida city water supply, City of Yonkers, and Kansas City cyberattacks are three real-world attacks within the past 1.5 years. City-wide cyberattacks can have catastrophic effects on entire populations. Unfortunately, in most cases, the exact cause of these major breaches goes undetermined or, at the very least, is withheld from the public. Talking to your cybersecurity team and determining security posture, addressing risks from the top down, and conducting outside audits are some of the many things you can do to protect your smart city today.
References
Pegues, J. (2021, February 9). Feds tracking down hacker who tried to poison Florida town's water supply. CBS News - Breaking news, 24/7 live streaming news & top stories. https://www.cbsnews.com/news/florida-water-hack-oldsmar-treatment-plant/
Torres, A. (2022, May 2). Kansas City, Kan., remains relatively silent on cyber attack. GovTech. https://www.govtech.com/security/kansas-city-kan-remains-relatively-silent-on-cyber-attack
TWI Global. (n.d.). What is a smart city? – Definition and examples. Retrieved June 10, 2022, from https://www.twi-global.com/technical-knowledge/faqs/what-is-a-smart-city
Yonkers Times. (2021, September 10). City of Yonkers hacked, no computers for the past week: Ransom demanded, city hall says no. https://yonkerstimes.com/city-of-yonkers-hacked-no-computers-for-the-past-week-ransom-demanded-city-hall-says-no/