Protecting Our Cities from Cyber Attacks
Who will you meet?
Cities are innovating, companies are pivoting, and start-ups are growing. Like you, every urban practitioner has a remarkable story of insight and challenge from the past year.
Meet these peers and discuss the future of cities in the new Meeting of the Minds Executive Cohort Program. Replace boring virtual summits with facilitated, online, small-group discussions where you can make real connections with extraordinary, like-minded people.
As a city’s digital infrastructure improves, the distribution of digital skills and the culture of the digital economy will also improve — making it more likely that as each gets better, the city’s goals can be achieved more effectively. Cities can attract and retain higher quality workers if and when cities draw more businesses, new investments, and improved social and cultural amenities. Through joint planning between varied stakeholders (including the city government, businesses, and artists), all involved can thrive off each other and do so at a lower cost, thanks to shared resources in the cloud, accessible via mobile networks, etc.
In addition to making cities more efficient and productive, the emergence of new digital connections has the potential to also make them more human. Those who are innovating to create the smart city are sometimes overwhelmed by the pace and scale of technology change, and are forced to adapt quickly. This is likely to be the norm for years to come, due to IoT‘s on-going impacts. This is especially the case now that cities are pivoting from “doing digital” to actually “being digital”.
Cities are looking to strengthen their competitive advantage through technology deployment, which in turn can improve their ability to:
- Attract investment and jobs
- Upgrade the cultural, social and environmental amenities that make the city a great place to live
- Harness the power and influence of successive waves of digital innovation
- Enhance skills and learning to create new knowledge useful for both the city’s economic and social development
- Increase engagement by people and businesses in civic governance and leadership
To achieve these core goals, city leaders increasingly understand that there must be a sustained investment in the digital economy’s hard infrastructure and soft infrastructure. This means investing in both traditional assets (e.g., transport, housing) as well as new assets for digital success (e.g., broadband, sensors, big data and analytics). It means nurturing skills and capabilities in design, creativity and innovation that represent an increasingly important part of the new “capital stock” from which cities square the circle of sustainable growth and social inclusion.
Cities are Targets for Cyber Attacks
Cities are not doing a good job of reporting their cybersecurity breaches, but we can make some important conclusions about cities’ experiences in these cases from reports about national-level attacks. Over the past few years, there have been a number of critical attacks targeted at national governments:
- The Canadian government has revealed in news sources that they became a victim of cyber-attacks in February 2011 from foreign hackers. These hackers were able to infiltrate three departments within the Canadian government and obtain classified information. Canada eventually cut off Internet access to the three departments under attack in order control the impact.
- Despite their reputation for being an IT and software powerhouse, India reported 13,301 cyber security breaches in 2011. The biggest cyber-attack the country faced occurred on July 12, 2012 during which hackers compromised the email accounts of 12,000 people, including senior officials from the Defense Research and Development Organization (DRDO), the Indo-Tibetan Border Police (ITBP), the Ministry of Home Affairs, and the Ministry of External Affairs.
- Iran was subjected to cyber-attack in June 2010 when its nuclear facility in Natanz was infected by Stuxnet, a cyber worm that destroyed Tehran’s 1,000 nuclear centrifuges and set back the country’s atomic program by at least two years, as it spread beyond the plant and infected over 60,000 computers.
- A coordinated cyber-attack by anti-Israel groups and individuals, #opiIsrael was a DDoS (Denial of Service) assault that was timed for April 7, 2012, the eve of Holocaust Remembrance Day with the aim of erasing Israel from the internet. Websites targeted by these ‘hactivists’ included financial and business sectors, educational institutions, non-profit organizations, newspapers, and privately-owned businesses in Israel.
- A series of persistent cyber-attacks that started in mid- 2006, ‘Operation Shady Rat’ impacted over 72 organizations worldwide including the International Olympic Committee, the United Nations, corporations and defense contractors. Discovered by Dmitri Alperovitch, Vice President of Threat Research at McAfee in 2011, the operation was derived from the common security industry acronym for Remote Access Tool (RAT) which was also behind the cyber attack on the 2008 Summer Olympics.
Helping Cities Guard Against Cyber Threats
What practical advice to offer those responsible for a city’s economic and social life? Firstly, keep in mind that the threat landscape has changed dramatically over the past 10 years. Simple attacks that caused containable damage have given way to modern cyber warfare operations that are sophisticated, well funded and capable of causing major disruptions to the national infrastructure and to critical infrastructure providers. Traditional defenses that rely exclusively on detection and blocking of cyber threats for protection are no longer adequate. It’s time for a new security model that addresses the full attack continuum—before, during, and after an attack.
The model may seem simplistic, but aims at protecting complex critical resources from threats, and specifically, advanced persistent threats, which are a primary concern for cities and those who operate key city systems, and for those who depend upon them.
The model relies on three simple principles:
Before an Attack:
- Reduce the attack surface, enforce baseline defense mechanisms, implement access control policies, and keep the higher ground by getting full visibility on the endpoints connected to the network, and the traffic flow patterns. Use collective intelligence mechanisms to identify dormant components of a threat, which may have compromised network elements to prepare a future attack.
During an Attack:
- Detect enemy incursions and attacks in real-time, block and defend the resources by dropping traffic flows, which are threatening the network. Use real- time intelligence, both internal and external, to recognize those attacks.
After an Attack:
- Using retrospective analysis, collective intelligence and forensics methods, investigate the attack sources, methods used, and identify any remaining compromised elements which could potentially be used for future waves or similar attacks.
One common requirement of government agencies – national and local – is to make use only of “trusted” or “certified” components when building an ICT infrastructure. Because of the complexity in defining the certification requirements and processes, several nations have agreed to pool their efforts through the Common Criteria approach, which is used to provide product level assurance.
On 8 September 2014, the governments of 26 nations ratified a revision of the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (aka, Common Criteria Recognition Arrangement – CCRA). The purpose of the revision was to raise the general security of certified information and communications technology products without increasing costs or preventing timely availability of such products from commercial companies.
CCRA is important because it ensures the following:
- Products can be evaluated by competent and independently-licensed laboratories, in order to determine the function of particular security properties or features;
- Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;
- The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;
- These certificates are recognized by all the signatories of the CCRA.
The intended goals are that all providers of technologies and services will adhere to the following guidelines:
- Designing security policies which protect citizens, assets and information, but will not hinder economic growth.
- Adapting to shifting patterns, since critical city infrastructure is often in shared ownership and/or shared management, meaning that both public sector and private sector are woven together.
- Provide support where it’s really needed for the modernization of infrastructure, both IT infrastructure and non-IT infrastructure.
- Provide up-to-date real-time responses to cyber-attacks, whether these originate from another nation state within the scope of laws on cyber warfare, or from criminals operating outside the scope of laws.
Cybersecurity Will Continue to Challenge Cities
Expensive investments in traditional security technologies have not been as effective in preventing breaches or in responding to them effectively. This can be attributed to a few key factors that often impair successful responses:
Insufficient skilled resources
- Mature and skilled security incident response personnel are both difficult to obtain and difficult to retain, which leaves many organizations without the skills needed to respond effectively.
Lack of threat intelligence
- While many security technologies leverage such intelligence, it is not typically clear which threats are most important to a particular organization.
The sheer deluge of threat intelligence data available
- This makes it complex to determine what is critical or what is relevant in a given operational environment.
One requirement in any security system should be that the customer – a city or a utility or whomever – is able to trust the elements which are embedded in and used within the digital infrastructure. Creating a truly secure environment becomes even more complex as governments and businesses continue to invest in mobility, collaboration, cloud computing, and other forms of virtualization. These capabilities help to improve resiliency, increase efficiency and reduce costs, but can also introduce additional risks. The security of the manufacturing process together with the supply chain of IT vendors is also now at risk, with counterfeiting and tampering of products becoming a growing problem.
Malicious actors will seek out and exploit any security weakness in the technology supply chain. Vulnerabilities and intentional backdoors in technology products can ultimately provide them with access to the “full house.” Backdoors have long been a security issue and should be a concern for organizations, because they exist solely to help facilitate surreptitious or criminal activity.
Developing trustworthy systems means “building in” security from the ground up, throughout a product’s life cycle. Does the provider of technology to a city (and/or to a city system like water or power) use a highly repeatable and measurable methodology? The benefit of such is this: it would be designed to build in product security at the product concept stage, to minimize vulnerabilities during development, and to increase resiliency of products in the face of an attack.
Leave your comment below, or reply to others.
Please note that this comment section is for thoughtful, on-topic discussions. Admin approval is required for all comments. Your comment may be edited if it contains grammatical errors. Low effort, self-promotional, or impolite comments will be deleted.
Submit a Comment
Read more from MeetingoftheMinds.org
Spotlighting innovations in urban sustainability and connected technology
Middle-Mile Networks: The Middleman of Internet Connectivity
The development of public, open-access middle mile infrastructure can expand internet networks closer to unserved and underserved communities while offering equal opportunity for ISPs to link cost effectively to last mile infrastructure. This strategy would connect more Americans to high-speed internet while also driving down prices by increasing competition among local ISPs.
In addition to potentially helping narrow the digital divide, middle mile infrastructure would also provide backup options for networks if one connection pathway fails, and it would help support regional economic development by connecting businesses.
Wildfire Risk Reduction: Connecting the Dots
One of the most visceral manifestations of the combined problems of urbanization and climate change are the enormous wildfires that engulf areas of the American West. Fire behavior itself is now changing. Over 120 years of well-intentioned fire suppression have created huge reserves of fuel which, when combined with warmer temperatures and drought-dried landscapes, create unstoppable fires that spread with extreme speed, jump fire-breaks, level entire towns, take lives and destroy hundreds of thousands of acres, even in landscapes that are conditioned to employ fire as part of their reproductive cycle.
ARISE-US recently held a very successful symposium, “Wildfire Risk Reduction – Connecting the Dots” for wildfire stakeholders – insurers, US Forest Service, engineers, fire awareness NGOs and others – to discuss the issues and their possible solutions. This article sets out some of the major points to emerge.
Innovating Our Way Out of Crisis
Whether deep freezes in Texas, wildfires in California, hurricanes along the Gulf Coast, or any other calamity, our innovations today will build the reliable, resilient, equitable, and prosperous grid tomorrow. Innovation, in short, combines the dream of what’s possible with the pragmatism of what’s practical. That’s the big-idea, hard-reality approach that helped transform Texas into the world’s energy powerhouse — from oil and gas to zero-emissions wind, sun, and, soon, geothermal.
It’s time to make the production and consumption of energy faster, smarter, cleaner, more resilient, and more efficient. Business leaders, political leaders, the energy sector, and savvy citizens have the power to put investment and practices in place that support a robust energy innovation ecosystem. So, saddle up.
Governments are going to continue to fail at security as long as they are looking for a silver bullet to address their concerns. So much of security comes down to just doing the work of selecting software with critical mass and being vigilant about upgrades. There is a lot more to it than that, but so many government agencies still allow departments to write custom software from scratch that they have no mechanism to review or maintain.
Cities generally do not have a big enough software development team to allow them to effectively manage security concerns. They need to be able to collaborate with other institutions outside of the corporate hierarchy to allow them to effectively rise to the challenge. Engagement with open source communities is a big piece of this.
Although it was written specifically for the Drupal CMS, many of the proponents in our security guide are relevant to other software. There is a section available for what management should know too, which is particularly important.
i’m in total agreement with you here….including about the importance of staying focused on “what management should know “.
Would you have an examples to offer here where a city did the right thing?
For instance: “Engagement with open source communities. “….we’d want to showcase that kind of story on these pages for our readers!