For at least the last five years — futurists and smart technology boosters have been touting the inevitable rise of the smart city. The smart city’s biggest fans predict that living in a fully integrated connected environment will change how we commute, how we shop, how we pay our bills.
In short, as former Google CEO Larry Page noted, after Alphabet-owned Sidewalk Labs finally inked an agreement with Toronto for a smart city pilot program — the city of tomorrow will change how consumers live in ways predictable from today and not.
“The city of tomorrow ought to be a community that will never be completed, but will always be introducing and testing and demonstrating new materials and systems,” Page noted at an industry event in 2019. “A city that caters to the people as a service function.”
But while much is still under development and thus unknown about exactly how the smart city will function — and what its future extensions will be — there is sadly an unfortunate fact we can be sure of while the plans are still be drawn up. Cybercriminals are waiting in the wings to begin laying virtual siege to infrastructure that the high-tech, highly responsive urban areas envisioned for the not-too-distant future.
And “waiting on the wings,” in fact, maybe a slightly misleading way to tag that. Attacks on smart cities, per se, are not commonly reported as of early 2020 because there aren’t very many smart cities out there. These are still the earliest days and there’s not a lot to attack yet. But cybercriminals — as the January 2020 edition of the PYMNTS Digital Fraud Tracker points out — have found municipalities, and have been enthusiastically moving through them as they’ve discovered municipal employees, unused to being targeted, make an excellent target for phishing attacks.
As of today, those attacks have led to cities finding their technology held hostage via ransomware and paying large sums to either free their data or rebuild their systems to lock out the attackers.
Going forward, however, those costs could get quite a lot higher, as municipalities learn that in a smart city, there are things more critical than their computers that cybercriminals can gain access to and hold hostage.
Cybercrime Comes To Call In Cities Large And Small
While private industry has been the more favored target of cybercriminals — enterprising cybercrooks in the digital fraud world now eye towns and cities as excellent places to infiltrate and shakedown.
New Orleans made the headlines as 2019 drew to a close when a cyberattack shut down all city-owned computers. The city was forced to declare a state of emergency after the December ransomware attack hit 4,000 computers. The city’s entire system was left unusable by the incident, including its online payment systems used for paying property taxes.
And that was New Orleans’ second hit of the year — the first one forced its Office of Motor Vehicles to close for several days. Mayor LaToya Cantrell announced plans to increase the city’s 2020 cybersecurity insurance policy to $10 million in light of the recent attacks.
New Orleans certainly ended the year with a bang, but it was far from alone. In all, 40 cities and towns reported major ransomware attacks in 2019. Atlanta was hit in March and had all of its data held by encryption software until the city agreed to cough up $51,000. Baltimore endured a similar incident in May after hackers infiltrated the city’s computers and shut down the majority of its servers and asked for tens of thousands in ransom. Baltimore, like Atlanta, refused. Both cities expect to spend more than $10 million repairing their systems and hardening them against attacks.
Attacks target cities of all sizes. Palestine, Texas has a population of less than 20 thousand and yet cybercriminals seized their computers for a ransom in December. A single criminal gang is believed to be behind a series of small-town municipal takeovers in Florida in late summer.
What these attacks all have in common — other than municipalities finding themselves locked out of all their data and facing a hacker’s demand of tens of thousands of dollars — is how they are getting hacked. From New Orleans to Atlanta to Palestine, Texas, the path to accessing the city’s servers and other data was always the same in that it started with a phishing scam.
Phishing as a means of accessing corporate or government computers is having something of a golden era as the Digital Fraud tracker notes in the January 2020 Deep Dive: up 65 percent year-on-year between 2018 and 2019. Government employees are at particular risk for these attacks because they are relatively new to the game. While private industry has been avidly acting to fight the phisherman of the web for the last several years, it is only in recent years that hackers have viewed municipalities as a good place to target. Government workers are less likely to be trained to look out for scammers, and unsurprisingly, are therefore much more likely to open them.
Today that is leading to millions of dollars lost as cities need to rebuild their seized systems.
But, as recent news reports demonstrate, things are going online in cities in the not too distant future in the U.S. and around the world that it might be a good deal scarier and more dangerous to have seized.
The Target Rich City
A smart city, in many ways, is a treasure trove of data resources and critical systems with which a cybercriminal could cause a lot of trouble. A recent Wall Street Journal report picked out four key areas that experts think will be of particular fascination to cybercriminals: sensors and data gathering networks, energy and water supply systems, autonomous vehicle systems and waste management systems.
All of which, experts agree, come pre-built with their own very serious concerns. Take those sensor and data systems, for example. Sensors are the building blocks of smart-city initiatives with the mountains of data they collect. Hack in there, and criminals could either insert bad data or hide good data about things like the integrity of bridges. Or they could do something like diverting emergency services to fires and natural disasters that don’t exist.
Or, as Michael Sherwood, director of innovation and technology for the city of Las Vegas, told The Journal, criminals may want the data itself, since the amount that will be up for grabs on residents will be of massive and likely highly useful to someone looking to commit fraud.
More alarming, however, is the possibility that hackers could get access to cities’ crucial infrastructure like power or water systems. With a few clicks and malign intent, the amount of chaos that could be caused in short order is hard to imagine. Citywide blackouts, targeted blackouts effecting in hospitals, panic over water safety and water diverted away from fire hydrants — the list according to Cesar Cerrudo, the founder of Securing Smart Cities, is long. It is also quite terrifying, mainly because once the critical infrastructure is attacked it isn’t easy to reboot.
“If you don’t cover security from the very beginning, then it becomes very difficult to protect it,” said Cerrudo.
And that list of potential smart city disasters goes on from there — hacked public transport systems that cause mass casualty events through crashes, water treatment plants that stop treating the water because the sensor gauges are attacked and transportation turnstiles that charge $100 per ride instead of $1. Some are annoying, some are paralyzing and some would end in fatalities — and in a connected city that isn’t properly secured, all are possible if not probable.
Plus, while it might be comforting to assume that any city that wants to connect will have the good sense to do so securely, Charles Henderson, the global head of International Business Machines Corp.’s offensive cybersecurity unit X-Force Red, told the WSJ that is probably too big an assumption to make. Cities want to build smart securely, he noted, but that doesn’t mean they have the faintest idea how to do that. One city his team worked with, he said, they found 17 major vulnerabilities in a sensor that had been deployed. Weaknesses they found purely by looking at the software it was running on, without ever so much as holding one of the sensors.
“We just downloaded the [software] from the [manufacturer’s website] and started plowing through it, finding vulnerabilities,” he says. “That’s not good.”
Indeed it is not.
So how to make it better, since it seems rather unlikely we are going to collectively scrap the smart city plan? Part of it is securing the technology itself, according to Kevin Martin, program manager for Smart City Portland, and making sure that a single vulnerable point doesn’t become a point for systemic collapse. Portland, he noted, quarantines sensor data from the rest of the city’s systems to prevent possible hacking issues.
But, as the wave of attacks that plagued municipalities in 2019 demonstrated, cities and towns have a lot more to do than just protecting their tech. They also have to secure their people — and find a way to teach them not to open suspicious emails — in an environment where the data says they are going to be receiving an ever-increasing number of them with attacks of escalating intelligence baked in.
Because before one can run a smart city, they need to know the people behind all that automation as ready to outsmart the clever criminals looking for an entry point to take it over.