Critical infrastructure and Smart City network security

The discovery of a critical programming mistake in OpenSSL (the program that generates the lock symbol when you are buying something online) by a Google security researcher two weeks ago exposed a vulnerability shared by over 66% of all internet servers and sites in the world. The Heartbleed bug allows hackers to steal not only passwords, bank information, and other sensitive or privileged information, but also the security certificates that are at the core of trust networks on the Internet. Worst of all, the bug allows people to access all of this information and leave absolutely zero trace that anything was missing.

This bug is one of thousands that are detected each year, both in open source and propriety software, and will most certainly not be the last. As many of the early adopters of Smart City systems and networks are built upon existing open standards, there needs to be more coordinated and sophisticated security protocols in place for critical infrastructure such as electricity, heat, gas, fresh- and waste water systems, and traffic signals. Closed source software is not the answer, since much of the existing and future software platforms are built upon open standards anyway, as are the sensors and network transmission protocols such as WLAN, Bluetooth, NFC, and other forms of wireless transmission. Wired transmissions are no safer, since much of the telecoms switching equipment provided by Cisco, Ericsson, and Huawei is riddled with intentional security holes.

Among the many revelations that have resulted from the actions of Edward Snowden is that the NSA has cracked a majority of the encryption and security protocols in existence, including Secure Socket Layers, RSA encryption, and https. The NSA broke Google’s security layers and intercepted all traffic for search, documents, pictures, and anything else on Google Drive, without their knowledge. The reality today is that encryption of data may be possible, but it is unlikely to be of much use to dedicated individuals or, even more, state actors.

Smart Cities will need to develop far more sophisticated and standardized security protocols in order to protect their citizens, systems, and data. This includes a comprehensive risk management and contingency operations plan in collaboration with leading software firms, dedicated security firms such as Cloudflare, F-Security, and Kaspersky Labs, as well as creating legal grey zones for so-called grey hat and black hat hackers to try to break Smart City security protocols and systems. Additionally, cities will have to carefully consider the types of network connectivity will be acceptable given the risk, likelihood, and impact of a malicious attack. For example, the system protocols for “dumb” infrastructure such as rubbish bins will not necessarily require the same level of security as those for traffic lights or the transmission grid. But even dumb infrastructure in a wires network provides a potential access point to other, more critical systems.

Prior to rolling out an interlinked network of sensors, hardware, software, and systems at the city scale, it would make sense to test the vulnerabilities at a smaller scale with dumb, low risk infrastructure first. This may also have the beneficial effect of introducing a security element into the larger governance framework that includes privacy, transparency, rights not to be tracked, and ownership of data.

Patrick Driscoll
The Danish Centre for Environmental Assessment

Email this to someoneShare on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on Tumblr