Protecting Our Cities from Cyber Attacks
As a city’s digital infrastructure improves, the distribution of digital skills and the culture of the digital economy will also improve — making it more likely that as each gets better, the city’s goals can be achieved more effectively. Cities can attract and retain higher quality workers if and when cities draw more businesses, new investments, and improved social and cultural amenities. Through joint planning between varied stakeholders (including the city government, businesses, and artists), all involved can thrive off each other and do so at a lower cost, thanks to shared resources in the cloud, accessible via mobile networks, etc.
In addition to making cities more efficient and productive, the emergence of new digital connections has the potential to also make them more human. Those who are innovating to create the smart city are sometimes overwhelmed by the pace and scale of technology change, and are forced to adapt quickly. This is likely to be the norm for years to come, due to IoT‘s on-going impacts. This is especially the case now that cities are pivoting from “doing digital” to actually “being digital”.
Cities are looking to strengthen their competitive advantage through technology deployment, which in turn can improve their ability to:
- Attract investment and jobs
- Upgrade the cultural, social and environmental amenities that make the city a great place to live
- Harness the power and influence of successive waves of digital innovation
- Enhance skills and learning to create new knowledge useful for both the city’s economic and social development
- Increase engagement by people and businesses in civic governance and leadership
To achieve these core goals, city leaders increasingly understand that there must be a sustained investment in the digital economy’s hard infrastructure and soft infrastructure. This means investing in both traditional assets (e.g., transport, housing) as well as new assets for digital success (e.g., broadband, sensors, big data and analytics). It means nurturing skills and capabilities in design, creativity and innovation that represent an increasingly important part of the new “capital stock” from which cities square the circle of sustainable growth and social inclusion.
Cities are Targets for Cyber Attacks
Cities are not doing a good job of reporting their cybersecurity breaches, but we can make some important conclusions about cities’ experiences in these cases from reports about national-level attacks. Over the past few years, there have been a number of critical attacks targeted at national governments:
- The Canadian government has revealed in news sources that they became a victim of cyber-attacks in February 2011 from foreign hackers. These hackers were able to infiltrate three departments within the Canadian government and obtain classified information. Canada eventually cut off Internet access to the three departments under attack in order control the impact.
- Despite their reputation for being an IT and software powerhouse, India reported 13,301 cyber security breaches in 2011. The biggest cyber-attack the country faced occurred on July 12, 2012 during which hackers compromised the email accounts of 12,000 people, including senior officials from the Defense Research and Development Organization (DRDO), the Indo-Tibetan Border Police (ITBP), the Ministry of Home Affairs, and the Ministry of External Affairs.
- Iran was subjected to cyber-attack in June 2010 when its nuclear facility in Natanz was infected by Stuxnet, a cyber worm that destroyed Tehran’s 1,000 nuclear centrifuges and set back the country’s atomic program by at least two years, as it spread beyond the plant and infected over 60,000 computers.
- A coordinated cyber-attack by anti-Israel groups and individuals, #opiIsrael was a DDoS (Denial of Service) assault that was timed for April 7, 2012, the eve of Holocaust Remembrance Day with the aim of erasing Israel from the internet. Websites targeted by these ‘hactivists’ included financial and business sectors, educational institutions, non-profit organizations, newspapers, and privately-owned businesses in Israel.
- A series of persistent cyber-attacks that started in mid- 2006, ‘Operation Shady Rat’ impacted over 72 organizations worldwide including the International Olympic Committee, the United Nations, corporations and defense contractors. Discovered by Dmitri Alperovitch, Vice President of Threat Research at McAfee in 2011, the operation was derived from the common security industry acronym for Remote Access Tool (RAT) which was also behind the cyber attack on the 2008 Summer Olympics.
Helping Cities Guard Against Cyber Threats
What practical advice to offer those responsible for a city’s economic and social life? Firstly, keep in mind that the threat landscape has changed dramatically over the past 10 years. Simple attacks that caused containable damage have given way to modern cyber warfare operations that are sophisticated, well funded and capable of causing major disruptions to the national infrastructure and to critical infrastructure providers. Traditional defenses that rely exclusively on detection and blocking of cyber threats for protection are no longer adequate. It’s time for a new security model that addresses the full attack continuum—before, during, and after an attack.
The model may seem simplistic, but aims at protecting complex critical resources from threats, and specifically, advanced persistent threats, which are a primary concern for cities and those who operate key city systems, and for those who depend upon them.
The model relies on three simple principles:
Before an Attack:
- Reduce the attack surface, enforce baseline defense mechanisms, implement access control policies, and keep the higher ground by getting full visibility on the endpoints connected to the network, and the traffic flow patterns. Use collective intelligence mechanisms to identify dormant components of a threat, which may have compromised network elements to prepare a future attack.
During an Attack:
- Detect enemy incursions and attacks in real-time, block and defend the resources by dropping traffic flows, which are threatening the network. Use real- time intelligence, both internal and external, to recognize those attacks.
After an Attack:
- Using retrospective analysis, collective intelligence and forensics methods, investigate the attack sources, methods used, and identify any remaining compromised elements which could potentially be used for future waves or similar attacks.
One common requirement of government agencies – national and local – is to make use only of “trusted” or “certified” components when building an ICT infrastructure. Because of the complexity in defining the certification requirements and processes, several nations have agreed to pool their efforts through the Common Criteria approach, which is used to provide product level assurance.
On 8 September 2014, the governments of 26 nations ratified a revision of the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (aka, Common Criteria Recognition Arrangement – CCRA). The purpose of the revision was to raise the general security of certified information and communications technology products without increasing costs or preventing timely availability of such products from commercial companies.
CCRA is important because it ensures the following:
- Products can be evaluated by competent and independently-licensed laboratories, in order to determine the function of particular security properties or features;
- Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;
- The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;
- These certificates are recognized by all the signatories of the CCRA.
The intended goals are that all providers of technologies and services will adhere to the following guidelines:
- Designing security policies which protect citizens, assets and information, but will not hinder economic growth.
- Adapting to shifting patterns, since critical city infrastructure is often in shared ownership and/or shared management, meaning that both public sector and private sector are woven together.
- Provide support where it’s really needed for the modernization of infrastructure, both IT infrastructure and non-IT infrastructure.
- Provide up-to-date real-time responses to cyber-attacks, whether these originate from another nation state within the scope of laws on cyber warfare, or from criminals operating outside the scope of laws.
Cybersecurity Will Continue to Challenge Cities
Expensive investments in traditional security technologies have not been as effective in preventing breaches or in responding to them effectively. This can be attributed to a few key factors that often impair successful responses:
Insufficient skilled resources
- Mature and skilled security incident response personnel are both difficult to obtain and difficult to retain, which leaves many organizations without the skills needed to respond effectively.
Lack of threat intelligence
- While many security technologies leverage such intelligence, it is not typically clear which threats are most important to a particular organization.
The sheer deluge of threat intelligence data available
- This makes it complex to determine what is critical or what is relevant in a given operational environment.
One requirement in any security system should be that the customer – a city or a utility or whomever – is able to trust the elements which are embedded in and used within the digital infrastructure. Creating a truly secure environment becomes even more complex as governments and businesses continue to invest in mobility, collaboration, cloud computing, and other forms of virtualization. These capabilities help to improve resiliency, increase efficiency and reduce costs, but can also introduce additional risks. The security of the manufacturing process together with the supply chain of IT vendors is also now at risk, with counterfeiting and tampering of products becoming a growing problem.
Malicious actors will seek out and exploit any security weakness in the technology supply chain. Vulnerabilities and intentional backdoors in technology products can ultimately provide them with access to the “full house.” Backdoors have long been a security issue and should be a concern for organizations, because they exist solely to help facilitate surreptitious or criminal activity.
Developing trustworthy systems means “building in” security from the ground up, throughout a product’s life cycle. Does the provider of technology to a city (and/or to a city system like water or power) use a highly repeatable and measurable methodology? The benefit of such is this: it would be designed to build in product security at the product concept stage, to minimize vulnerabilities during development, and to increase resiliency of products in the face of an attack.
Leave your comment below, or reply to others.
Please note that this comment section is for thoughtful, on-topic discussions. Admin approval is required for all comments. Your comment may be edited if it contains grammatical errors. Low effort, self-promotional, or impolite comments will be deleted.
Read more from MeetingoftheMinds.org
Spotlighting innovations in urban sustainability and connected technology
Accenture analysts recently released a report calling for cities to take the lead in creating coordinated, “orchestrated” mobility ecosystems. Limiting shared services to routes that connect people with mass transit would be one way to deploy human-driven services now and to prepare for driverless service in the future. Services and schedules can be linked at the backend, and operators can, for example, automatically send more shared vehicles to a train station when the train has more passengers than usual, or tell the shared vehicles to wait for a train that is running late.
Managing urban congestion and mobility comes down to the matter of managing space. Cities are characterized by defined and restricted residential, commercial, and transportation spaces. Private autos are the most inefficient use of transportation space, and mass transit represents the most efficient use of transportation space. Getting more people out of private cars, and into shared feeder routes to and from mass transit modes is the most promising way to reduce auto traffic. Computer models show that it can be done, and we don’t need autonomous vehicles to realize the benefits of shared mobility.
The role of government, and the planning community, is perhaps to facilitate these kinds of partnerships and make it easier for serendipity to occur. While many cities mandate a portion of the development budget toward art, this will not necessarily result in an ongoing benefit to the arts community as in most cases the budget is used for public art projects versus creating opportunities for cultural programming.
Rather than relying solely on this mandate, planners might want to consider educating developers with examples and case studies about the myriad ways that artists can participate in the development process. Likewise, outreach and education for the arts community about what role they can play in projects may stimulate a dialogue that can yield great results. In this sense, the planning community can be an invaluable translator in helping all parties to discover a richer, more inspiring, common language.
While the outlook for the environment may often seem bleak, there are many proven methods already available for cities to make their energy systems and other infrastructure not only more sustainable, but cheaper and more resilient at the same time. This confluence of benefits will drive investments in clean, efficient energy, transportation, and water infrastructure that will enable cities to realize their sustainability goals.
Given that many of the policy mechanisms that impact cities’ ability to boost sustainability are implemented at the state or federal level, municipalities should look to their own operations to implement change. Cities can lead as a major market player, for example, by converting their own fleets to zero emission electric vehicles, investing in more robust and efficient water facilities, procuring clean power, and requiring municipal buildings to be LEED certified.