Protecting Our Cities from Cyber Attacks

By Gordon Feller

Gordon Feller is the Co-Founder of Meeting of the Minds, a global thought leadership network and knowledge-sharing platform focused on the future of sustainable cities, innovation and technology.

As a city’s digital infrastructure improves, the distribution of digital skills and the culture of the digital economy will also improve — making it more likely that as each gets better, the city’s goals can be achieved more effectively. Cities can attract and retain higher quality workers if and when cities draw more businesses, new investments, and improved social and cultural amenities. Through joint planning between varied stakeholders (including the city government, businesses, and artists), all involved can thrive off each other and do so at a lower cost, thanks to shared resources in the cloud, accessible via mobile networks, etc.

In addition to making cities more efficient and productive, the emergence of new digital connections has the potential to also make them more human. Those who are innovating to create the smart city are sometimes overwhelmed by the pace and scale of technology change, and are forced to adapt quickly. This is likely to be the norm for years to come, due to IoT’s ongoing impacts. This is especially the case now that cities are pivoting from “doing digital” to actually “being digital”.

Cities are looking to strengthen their competitive advantage through technology deployment, which in turn can improve their ability to:

  • Attract investment and jobs
  • Upgrade the cultural, social and environmental amenities that make the city a great place to live
  • Harness the power and influence of successive waves of digital innovation
  • Enhance skills and learning to create new knowledge useful for both the city’s economic and social development
  • Increase engagement by people and businesses in civic governance and leadership

To achieve these core goals, city leaders increasingly understand that there must be a sustained investment in the digital economy’s hard infrastructure and soft infrastructure. This means investing in both traditional assets (e.g., transport, housing) as well as new assets for digital success (e.g., broadband, sensors, big data and analytics). It means nurturing skills and capabilities in design, creativity and innovation that represent an increasingly important part of the new “capital stock” from which cities square the circle of sustainable growth and social inclusion.

Cities are Targets for Cyber Attacks

Cities are not doing a good job of reporting their cybersecurity breaches, but we can draw some important conclusions about cities’ experiences in these cases from reports about national-level attacks. Over the past few years, there have been a number of critical attacks targeted at national governments:

  • The Canadian government has revealed in news sources that it became a victim of cyber-attacks in February 2011 from foreign hackers. These hackers were able to infiltrate three departments within the Canadian government and obtain classified information. Canada eventually cut off Internet access to the three departments under attack in order to control the impact.
  • Despite its reputation for being an IT and software powerhouse, India reported 13,301 cyber security breaches in 2011. The biggest cyber-attack the country faced occurred on July 12, 2012, during which hackers compromised the email accounts of 12,000 people, including senior officials from the Defense Research and Development Organization (DRDO), the Indo-Tibetan Border Police (ITBP), the Ministry of Home Affairs, and the Ministry of External Affairs.
  • Iran was subjected to cyber-attack in June 2010 when its nuclear facility in Natanz was infected by Stuxnet, a cyber worm that destroyed Tehran’s 1,000 nuclear centrifuges and set back the country’s atomic program by at least two years, as it spread beyond the plant and infected over 60,000 computers.
  • A coordinated cyber-attack by anti-Israel groups and individuals, #OpIsrael was a DDoS (Distributed Denial of Service) assault that was timed for April 7, 2012, the eve of Holocaust Remembrance Day, with the aim of erasing Israel from the internet. Websites targeted by these ‘hacktivists’ included financial and business sectors, educational institutions, non-profit organizations, newspapers, and privately-owned businesses in Israel.
  • A series of persistent cyber-attacks that started in mid-2006, ‘Operation Shady Rat’ impacted over 72 organizations worldwide, including the International Olympic Committee, the United Nations, corporations and defense contractors. Discovered by Dmitri Alperovitch, Vice President of Threat Research at McAfee, in 2011, the operation’s name was derived from the common security industry acronym for Remote Access Tool (RAT), which was also behind the cyber attack on the 2008 Summer Olympics.

Helping Cities Guard Against Cyber Threats

What practical advice can we offer those responsible for a city’s economic and social life? Firstly, keep in mind that the threat landscape has changed dramatically over the past 10 years. Simple attacks that caused containable damage have given way to modern cyber warfare operations that are sophisticated, well funded and capable of causing major disruptions to the national infrastructure and to critical infrastructure providers. Traditional defenses that rely exclusively on detection and blocking of cyber threats for protection are no longer adequate. It’s time for a new security model that addresses the full attack continuum: before, during, and after an attack.

The model may seem simplistic, but aims at protecting complex critical resources from threats, and specifically, advanced persistent threats, which are a primary concern for cities and those who operate key city systems, and for those who depend upon them.

The model relies on three simple principles:

Before an Attack:

  • Reduce the attack surface, enforce baseline defense mechanisms, implement access control policies, and keep the higher ground by getting full visibility on the endpoints connected to the network, and the traffic flow patterns. Use collective intelligence mechanisms to identify dormant components of a threat, which may have compromised network elements to prepare a future attack.

During an Attack:

  • Detect enemy incursions and attacks in real time, and block and defend the resources by dropping traffic flows that are threatening the network. Use real-time intelligence, both internal and external, to recognize those attacks.

After an Attack:

  • Using retrospective analysis, collective intelligence and forensics methods, investigate the attack sources, methods used, and identify any remaining compromised elements which could potentially be used for future waves or similar attacks.

One common requirement of government agencies – national and local – is to make use only of “trusted” or “certified” components when building an ICT infrastructure. Because of the complexity in defining the certification requirements and processes, several nations have agreed to pool their efforts through the Common Criteria approach, which is used to provide product level assurance.

On 8 September 2014, the governments of 26 nations ratified a revision of the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (aka, Common Criteria Recognition Arrangement – CCRA). The purpose of the revision was to raise the general security of certified information and communications technology products without increasing costs or preventing timely availability of such products from commercial companies.

CCRA is important because it ensures the following:

  • Products can be evaluated by competent and independently-licensed laboratories, in order to determine the function of particular security properties or features;
  • Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;
  • The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;
  • These certificates are recognized by all the signatories of the CCRA.

The intended goals are that all providers of technologies and services will adhere to the following guidelines:

  • Design security policies which protect citizens, assets and information, but will not hinder economic growth.
  • Adapt to shifting patterns, since critical city infrastructure is often in shared ownership and/or shared management, meaning that both public sector and private sector are woven together.
  • Provide support where it’s really needed for the modernization of infrastructure, both IT infrastructure and non-IT infrastructure.
  • Provide up-to-date real-time responses to cyber-attacks, whether these originate from another nation state within the scope of laws on cyber warfare, or from criminals operating outside the scope of laws.

Cybersecurity Will Continue to Challenge Cities

Expensive investments in traditional security technologies have not been as effective in preventing breaches or in responding to them effectively. This can be attributed to a few key factors that often impair successful responses:

Insufficient skilled resources

  • Mature and skilled security incident response personnel are both difficult to obtain and difficult to retain, which leaves many organizations without the skills needed to respond effectively.

Lack of threat intelligence

  • While many security technologies leverage such intelligence, it is not typically clear which threats are most important to a particular organization.

The sheer deluge of threat intelligence data available

  • This makes it complex to determine what is critical or what is relevant in a given operational environment.

One requirement in any security system should be that the customer – a city or a utility or whomever – is able to trust the elements which are embedded in and used within the digital infrastructure. Creating a truly secure environment becomes even more complex as governments and businesses continue to invest in mobility, collaboration, cloud computing, and other forms of virtualization. These capabilities help to improve resiliency, increase efficiency and reduce costs, but can also introduce additional risks. The security of the manufacturing process together with the supply chain of IT vendors is also now at risk, with counterfeiting and tampering of products becoming a growing problem.

Malicious actors will seek out and exploit any security weakness in the technology supply chain. Vulnerabilities and intentional backdoors in technology products can ultimately provide them with access to the “full house.” Backdoors have long been a security issue and should be a concern for organizations, because they exist solely to help facilitate surreptitious or criminal activity.

Developing trustworthy systems means “building in” security from the ground up, throughout a product’s life cycle. Does the provider of technology to a city (and/or to a city system like water or power) use a highly repeatable and measurable methodology? The benefit of such a methodology is that it would be designed to build in product security at the product concept stage, to minimize vulnerabilities during development, and to increase resiliency of products in the face of an attack.

Discussion

2 Comments

  1. Mike Gifford

    Governments are going to continue to fail at security as long as they are looking for a silver bullet to address their concerns. So much of security comes down to just doing the work of selecting software with critical mass and being vigilant about upgrades. There is a lot more to it than that, but so many government agencies still allow departments to write custom software from scratch that they have no mechanism to review or maintain.

    Cities generally do not have a big enough software development team to allow them to effectively manage security concerns. They need to be able to collaborate with other institutions outside of the corporate hierarchy to allow them to effectively rise to the challenge. Engagement with open source communities is a big piece of this.

    Although it was written specifically for the Drupal CMS, many of the proponents in our security guide are relevant to other software. There is a section available for what management should know too, which is particularly important.

    https://openconcept.ca/drupal-security

  2. gordon feller

    Mike,

    I’m in total agreement with you here… including about the importance of staying focused on “what management should know”.
    Would you have any examples to offer here where a city did the right thing?
    For instance: “Engagement with open source communities.”… we’d want to showcase that kind of story on these pages for our readers!

    –gordon
