Skip to content

News & opinion

26 FEB 2019

Protecting intelligent cities from cyber attacks

The best way to defend a city used to be by building a wall around it. But with property and infrastructure becoming increasingly connected through the technology such as the Internet of Things, we must be wary of digital attacks, not physical ones.

Smart street lights sense and manage traffic for maximum efficiency. Meanwhile, tiny sensors monitor the health of buildings and critical infrastructure, directing maintenance teams wherever they are needed, and usually before they’re needed. And smart recycling bins even report back in real time on how full they are, allowing waste disposal services to collect only when it’s worth doing so.

Yes, the smart city of the future is a wonderful place to live. That is, until the systems controlling everything are hacked and the entire city is shut down.

That’s the promise and threat of any smart, connected technology: easy data collection and analysis promise cost savings and environmental efficiencies, but also introduce security concerns that can’t be ignored.

A history of hacking

Indeed, such attacks are already common. In January 2017, hackers targeted police surveillance cameras in Washington DC, leaving them unable to record in the days ahead of the presidential inauguration. A few months later, all 156 of Dallas’ severe storm warning alarms were triggered by hackers, sending sirens blaring across the city. In May 2017, one-third of the UK’s NHS hospital trusts were crippled by the WannaCry ransomware attack, which was not even targeting the British healthcare system, but had spread via out-of-date computer software.

Barcelona skyline
Barcelona is one of the smartest cities in the world, with technologies ranging from smart bins that send alerts when full to free WiFi delivered via street lights

In 2016, hackers locked down San Francisco’s Municipal Transportion Agency with ransomware, offering free travel to all passengers. Back in 2015, a cyber attack left half of homes in Ukraine without electricity.

No wonder, then, that Cyber Resilient Infrastructure – a 2016 report from consultancy Atkins – found that 60% of business leaders lack confidence that critical national infrastructure can withstand cyber attacks. Seven in 10 respondents felt the advantage lies with hackers, not defenders, while many do not believe that supply chains are secure from attack.

That becomes problematic, as the connectivity of our buildings and cities increases. Research by US lobby group the National League of Cities published in October 2017 suggests two-thirds of American cities are already investing in smart tech for operations or services. Researcher Gartner predicts that half of urban citizens will be sharing their data with smart city systems by 2019. This is all necessary as urbanisation continues – the UN says 60% of the world’s population will live in cities by 2030.

The rise of smart cities

That said, smart cities are arriving in fits and starts. Plenty of municipalities already have sensors for traffic, street lighting and pollution, or use big-data analysis to make decisions about public services; while new developments are built with responsive lighting and temperature controls. However, very few cities are fully integrated with such smart tech – although Sidewalk Labs, a subsidiary of Google parent Alphabet, is working on such a neighbourhood on Toronto’s waterfront.

The concept of smart cities is no longer limited to the diffusion of new technologies. So, the technology is the tool, not the result.

Elisabet Viladecans-Marsal
Director of the smart cities research programme, University of Barcelona

One city that has integrated elements of smart tech is Barcelona, from smart bins that send alerts when full, to free WiFi delivered via street lights. “Barcelona is ranked as one of the smartest cities in the world,” says Elisabet Viladecans-Marsal, director of the smart cities research programme at the University of Barcelona. This isn’t just down to the hardware and software used, she notes, but how you solve specific problems: “The concept of smart cities is no longer limited to the diffusion of new technologies. So, the technology is the tool, not the result.”

Still, cities such as Barcelona are not the norm. “Arguably [they are] still some time off,” says Philip Putman MRICS, associate at consultancy Rider Levett Bucknall in London. “It’s probably best to think of them as a collection of smart buildings combined with smart utilities and smart transport infrastructure.” And those are already open to attack, Putman notes, adding that companies are “witnessing daily attacks” on their assets. In one case, hackers accessed the building’s control systems and turned off air-flow units, leaving the property unusable.

In other words, the first truly smart cities still do not exist, but attacks against them are already happening. That may sound like a contradiction, but it is worth remembering that attacks on critical national infrastructure are nothing new – adding connectivity merely offers more opportunities.

“As a developing country, India is prone to security breakdowns in terms of vandalism, break-ins, sabotage, and terrorist attacks,” notes Shankar Arumugham MRICS, national director of strategic consulting, India, at JLL. “Any attack of this nature on critical infrastructure can potentially derail the economy of a city or a region. Sensitive regions of India have been plagued with such issues for a long time now.”

Toronto waterfront
Sidewalk Labs, a subsidiary of Google parent Alphabet, is working on a fully integrated neighbourhood on Toronto’s waterfront

How to manage infrastructure

Managing such infrastructure over a network offers potential efficiency gains, particularly when decisions are automated with machine learning and data analytics. The more intelligence a system adds, however, the more complex it becomes. That increases the attack surface area – providing more routes for hackers to slip inside, says Cesar Cerrudo, chief technology officer at IOActive Labs. “The biggest concerns relate to the rapid adoption of new technologies that are highly insecure,” he says. “This means the attack surface [area] in a city is growing fast, giving attackers a lot of opportunities.”

And, if hackers have not yet successfully targeted a technology, do not assume it is safe. “If we don’t see attacks now, it’s not because they aren’t possible, it’s just that nobody’s done it yet,” Cerrudo notes. Traffic lights might not yet have been hacked by cyber criminals, but Cerrudo has highlighted flaws in controllers for vehicle detection systems which could allow attackers to fool lights into thinking roads are full with cars when they are, in fact, clear.

Indeed, many of the dramatic smart-city-hack headlines are not caused by criminals, but by “white-hat” security researchers such as Cerrudo, who hunt for flaws in a bid to help secure systems. That can add to hype around concerns, but the lessons learned by such work are well worth considering.

The biggest concerns relate to the rapid adoption of new technologies that are highly insecure. This means the attack surface [area] in a city is growing fast, giving attackers a lot of opportunities.

Cesar Cerrudo
Chief technology officer, IOActive Labs

The best way to battle security issues – city-wide or at a local level – is for the technology industry to build in security by design. For the rest of us, that means only using solutions that prioritise security. For IT and connected systems, it means that decision makers, project managers and those in procurement need to look for well-designed software, only opt for those that can be updated to address new problems and limit collected data so there is less to steal. “We shouldn’t trust vendor claims,” warns Cerrudo. “Cities must ensure technology is secure by doing audits before it is implemented.”

If that sounds intimidating, there is expert advice on offer. For instance, the Securing Smart Cities Initiative, backed by IOActive, has developed guidelines on a range of smart city security topics to help parties understand the basics. RICS professionals can help “by educating themselves about these issues and raising them as concerns their clients should consider”, Putman adds.

The resilient city

Many experts argue the starting point is to design resilient – rather than smart – cities, with technology as a solution, not an end goal. Technology for the sake of it can make cities more complicated and fragile. It may sound obvious, but if your connected lighting stops working, can you control it manually?

At a city level, Rotterdam is embracing the concept of resilience as security protection. Alongside wider initiatives, such as climate-proofing projects and social impact investment programmes, the city has appointed a chief cyber resilience officer for its port. As the facility increasingly embraces digital technologies, the city government has identified it as a potential security risk.

“Decision-makers should have a clear understanding of cyber security and its impact on current society,” says Cerrudo. A city that can be stopped by hackers is not smart, and that is a lesson to learn now – before such technology becomes a ubiquitous part of our buildings, neighbourhoods and cities.