Protecting Our Cities from Cyber Attacks
As a city’s digital infrastructure improves, the distribution of digital skills and the culture of the digital economy will also improve -- making it more likely that as each gets better, the city’s goals can be achieved more effectively. Cities can attract and retain higher quality workers if and when cities draw more businesses, new investments, and improved social and cultural amenities. Through joint planning between varied stakeholders (including the city government, businesses, and artists), all involved can thrive off each other and do so at a lower cost, thanks to shared resources in the cloud, accessible via mobile networks, etc.
In addition to making cities more efficient and productive, the emergence of new digital connections has the potential to also make them more human. Those who are innovating to create the smart city are sometimes overwhelmed by the pace and scale of technology change, and are forced to adapt quickly. This is likely to be the norm for years to come, due to IoT‘s on-going impacts. This is especially the case now that cities are pivoting from “doing digital” to actually “being digital”.
Cities are looking to strengthen their competitive advantage through technology deployment, which in turn can improve their ability to:
- Attract investment and jobs
- Upgrade the cultural, social and environmental amenities that make the city a great place to live
- Harness the power and influence of successive waves of digital innovation
- Enhance skills and learning to create new knowledge useful for both the city’s economic and social development
- Increase engagement by people and businesses in civic governance and leadership
To achieve these core goals, city leaders increasingly understand that there must be a sustained investment in the digital economy’s hard infrastructure and soft infrastructure. This means investing in both traditional assets (e.g., transport, housing) as well as new assets for digital success (e.g., broadband, sensors, big data and analytics). It means nurturing skills and capabilities in design, creativity and innovation that represent an increasingly important part of the new “capital stock” from which cities square the circle of sustainable growth and social inclusion.
Cities are Targets for Cyber Attacks
Cities are not doing a good job of reporting their cybersecurity breaches, but we can make some important conclusions about cities’ experiences in these cases from reports about national-level attacks. Over the past few years, there have been a number of critical attacks targeted at national governments:
- The Canadian government has revealed in news sources that they became a victim of cyber-attacks in February 2011 from foreign hackers. These hackers were able to infiltrate three departments within the Canadian government and obtain classified information. Canada eventually cut off Internet access to the three departments under attack in order control the impact.
- Despite their reputation for being an IT and software powerhouse, India reported 13,301 cyber security breaches in 2011. The biggest cyber-attack the country faced occurred on July 12, 2012 during which hackers compromised the email accounts of 12,000 people, including senior officials from the Defense Research and Development Organization (DRDO), the Indo-Tibetan Border Police (ITBP), the Ministry of Home Affairs, and the Ministry of External Affairs.
- Iran was subjected to cyber-attack in June 2010 when its nuclear facility in Natanz was infected by Stuxnet, a cyber worm that destroyed Tehran’s 1,000 nuclear centrifuges and set back the country’s atomic program by at least two years, as it spread beyond the plant and infected over 60,000 computers.
- A coordinated cyber-attack by anti-Israel groups and individuals, #opiIsrael was a DDoS (Denial of Service) assault that was timed for April 7, 2012, the eve of Holocaust Remembrance Day with the aim of erasing Israel from the internet. Websites targeted by these ‘hactivists’ included financial and business sectors, educational institutions, non-profit organizations, newspapers, and privately-owned businesses in Israel.
- A series of persistent cyber-attacks that started in mid- 2006, ‘Operation Shady Rat’ impacted over 72 organizations worldwide including the International Olympic Committee, the United Nations, corporations and defense contractors. Discovered by Dmitri Alperovitch, Vice President of Threat Research at McAfee in 2011, the operation was derived from the common security industry acronym for Remote Access Tool (RAT) which was also behind the cyber attack on the 2008 Summer Olympics.
Helping Cities Guard Against Cyber Threats
What practical advice to offer those responsible for a city’s economic and social life? Firstly, keep in mind that the threat landscape has changed dramatically over the past 10 years. Simple attacks that caused containable damage have given way to modern cyber warfare operations that are sophisticated, well funded and capable of causing major disruptions to the national infrastructure and to critical infrastructure providers. Traditional defenses that rely exclusively on detection and blocking of cyber threats for protection are no longer adequate. It’s time for a new security model that addresses the full attack continuum—before, during, and after an attack.
The model may seem simplistic, but aims at protecting complex critical resources from threats, and specifically, advanced persistent threats, which are a primary concern for cities and those who operate key city systems, and for those who depend upon them.
The model relies on three simple principles:
Before an Attack:
- Reduce the attack surface, enforce baseline defense mechanisms, implement access control policies, and keep the higher ground by getting full visibility on the endpoints connected to the network, and the traffic flow patterns. Use collective intelligence mechanisms to identify dormant components of a threat, which may have compromised network elements to prepare a future attack.
During an Attack:
- Detect enemy incursions and attacks in real-time, block and defend the resources by dropping traffic flows, which are threatening the network. Use real- time intelligence, both internal and external, to recognize those attacks.
After an Attack:
- Using retrospective analysis, collective intelligence and forensics methods, investigate the attack sources, methods used, and identify any remaining compromised elements which could potentially be used for future waves or similar attacks.
One common requirement of government agencies – national and local - is to make use only of “trusted” or “certified” components when building an ICT infrastructure. Because of the complexity in defining the certification requirements and processes, several nations have agreed to pool their efforts through the Common Criteria approach, which is used to provide product level assurance.
On 8 September 2014, the governments of 26 nations ratified a revision of the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (aka, Common Criteria Recognition Arrangement – CCRA). The purpose of the revision was to raise the general security of certified information and communications technology products without increasing costs or preventing timely availability of such products from commercial companies.
CCRA is important because it ensures the following:
- Products can be evaluated by competent and independently-licensed laboratories, in order to determine the function of particular security properties or features;
- Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;
- The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;
- These certificates are recognized by all the signatories of the CCRA.
The intended goals are that all providers of technologies and services will adhere to the following guidelines:
- Designing security policies which protect citizens, assets and information, but will not hinder economic growth.
- Adapting to shifting patterns, since critical city infrastructure is often in shared ownership and/or shared management, meaning that both public sector and private sector are woven together.
- Provide support where it’s really needed for the modernization of infrastructure, both IT infrastructure and non-IT infrastructure.
- Provide up-to-date real-time responses to cyber-attacks, whether these originate from another nation state within the scope of laws on cyber warfare, or from criminals operating outside the scope of laws.
Cybersecurity Will Continue to Challenge Cities
Expensive investments in traditional security technologies have not been as effective in preventing breaches or in responding to them effectively. This can be attributed to a few key factors that often impair successful responses:
Insufficient skilled resources
- Mature and skilled security incident response personnel are both difficult to obtain and difficult to retain, which leaves many organizations without the skills needed to respond effectively.
Lack of threat intelligence
- While many security technologies leverage such intelligence, it is not typically clear which threats are most important to a particular organization.
The sheer deluge of threat intelligence data available
- This makes it complex to determine what is critical or what is relevant in a given operational environment.
One requirement in any security system should be that the customer – a city or a utility or whomever – is able to trust the elements which are embedded in and used within the digital infrastructure. Creating a truly secure environment becomes even more complex as governments and businesses continue to invest in mobility, collaboration, cloud computing, and other forms of virtualization. These capabilities help to improve resiliency, increase efficiency and reduce costs, but can also introduce additional risks. The security of the manufacturing process together with the supply chain of IT vendors is also now at risk, with counterfeiting and tampering of products becoming a growing problem.
Malicious actors will seek out and exploit any security weakness in the technology supply chain. Vulnerabilities and intentional backdoors in technology products can ultimately provide them with access to the “full house.” Backdoors have long been a security issue and should be a concern for organizations, because they exist solely to help facilitate surreptitious or criminal activity.
Developing trustworthy systems means “building in” security from the ground up, throughout a product’s life cycle. Does the provider of technology to a city (and/or to a city system like water or power) use a highly repeatable and measurable methodology? The benefit of such is this: it would be designed to build in product security at the product concept stage, to minimize vulnerabilities during development, and to increase resiliency of products in the face of an attack.
Leave your comment below, or reply to others.
Read more from the Meeting of the Minds Blog
Spotlighting innovations in urban sustainability and connected technology
The key to the Access Pass success was to make sure from the beginning that it was as easy to sign up for as possible. Eligible residents only need to input their Access Pass number into Indego’s website to make use of the discounted option. While BTS figured out the technical side of setting up the Access Pass, the Coalition has been vital to getting the word out about this alternative, and encouraging individuals to enroll.
Progress needs to be made in the evaluation of approaches to developing resilient communities. The evidence base for the effectiveness of these approaches is currently lagging behind practice. Funding for evaluation is generally too short-term to offer scope for capturing the developmental nature of community resilience related activity and evaluations on wider outcomes are lacking.
Disaster resilience is frequently pursued separately by the public and private sectors in the US. Federal, state, and local governments take it as their role to execute disaster preparedness and emergency response for their populations; however, economic recovery is often not addressed. The public sector does not necessarily engage businesses, nor does it seem to plan for the economic “reboot” required after a disaster, resulting in business disruption continuing for much longer.