This article was originally posted on Forbes.com.
Modern enterprises are fully dependent on a complex amalgam of connected technologies that extend beyond the usual mix of IT gear. Servers, routers, switches and computers now operate alongside connected HVAC and facilities management equipment, building access controls and surveillance cameras, manufacturing robots, scientific sensors, medical devices and a growing host of smart devices (the Internet of Things) designed to make us more productive.
The need to use technology to be more efficient, productive and better informed is evinced in civic life as well, where cities are investing heavily in IoT and operational technologies (OT) to better operate their facilities, manage infrastructure, and deliver constituent services. This trend is known as smart cities, and the level of innovation embraced by municipalities around the world is encouraging.
New technologies can contribute to city management in novel ways such as interactive and connected public services, remote education, security and surveillance, smart utility metering, health monitoring and testing, waste management, environmental monitoring, public transportation and infrastructure/traffic management, emergency response, communications, critical infrastructure controls, smart lighting, public health monitoring—nearly every aspect of city services.
Improvements supported by smart city technologies are not luxuries reserved for the world’s richest, most cosmopolitan urban centers. The United Nations projects that by 2030, 60% of the world’s population will live in cities, up from 55% in 2018. This influx will increase demand for services, necessitating a more efficient allocation of time, manpower and other valuable but limited resources.
Technologies like IoT and OT will play a vital role in helping civic leaders meet the needs of growing urban populations. According to the McKinsey Global Institute, “Smart Cities add digital intelligence to the urban world and use it to solve public problems and achieve a higher quality of life” by combining technology, applications and analytics. Improvements in efficiency and decision-making translate to improvements in cost of living, safety, health, economics, environment, connectedness and leisure time.
But as the world’s cities become smarter and more connected, they also become more vulnerable to cyberattacks. In recent years, major American cities like Atlanta and New Orleans have been hit by ransomware attacks that crippled the delivery of essential services while running up millions in recovery costs. Ransomware attacks targeting municipalities have increased during Covid-19, and cities have often had few alternatives to paying the criminals. The situation deteriorated to the point that the U.S. Department of the Treasury issued a warning that payments to the criminal actors and groups behind the attacks not only encourage further activity but may also violate Office of Foreign Assets Control regulations.
There has also been a long list of cyberattacks on critical infrastructure and services like dams, the electrical grid, ports, and health care providers. This February, hackers attempted to poison the water supply in the city of Oldsmar, Florida. The attack in this case wasn’t particularly sophisticated; it was the digital equivalent of walking through an unlocked door. The hacker got into the plant’s computer system via TeamViewer—software that allows remote management of the water facility’s systems—and was able to increase the amount of lye added to the water treatment system by a factor of 100 (before the attacker reversed this).
Clearly, smart cities’ infrastructures are being targeted. The impact of those attacks can spread quickly, especially when multiple agencies and contractors share the same network without proper segmentation. Any attack on one can quickly become an attack on all. Without centralized security standards or coordinated compliance initiatives, parties may have different cybersecurity objectives and responses may be fragmented.
But the biggest cyber challenge faced by municipalities working to adopt a smart cities approach to service and infrastructure management is the rapid proliferation of IoT and OT devices. The volume and diversity of these devices, along with requirements for ubiquitous connectivity, introduce risks that are difficult to address but can lead to catastrophic consequences if ignored. Few municipalities have the cyber resources available to some of their peers in financial services and other industries, but municipal CISOs in charge of securing their cities’ networks can draw from the experience and best practices of large, complex enterprises when drafting strategies to keep their systems and citizens safe.
Hackers are adept at probing the entirety of an organization’s IT estate in search of a vulnerable device or service that has been overlooked or forgotten. Keeping up with software updates and the patching of devices and systems is critical. Network-attached devices that use default (if any) passwords or run obsolete operating systems are a common point of entry. You can’t secure what you can’t see, and with tens of thousands of devices commonly operating in today’s complex networks, municipalities must start with visibility.
In the past, visibility simply meant identifying devices in the network and knowing where they were. Today, visibility means knowing granular details about every device. That includes basic information like make, model, serial number and operating system, as well as an understanding of normal device behavior, known associated risks, and mapping and monitoring of how devices are being used.
This level of visibility can help municipalities to plan and implement appropriate risk mitigation strategies. It is also critical to adopt best practices for network segmentation so that high-risk or vulnerable devices can be properly isolated to provide greater protection before an attack and to stop successful attacks from progressing into critical parts of the network. The Oldsmar attack also emphasizes the importance of visibility into remote management systems and privileged sessions, such as Remote Desktop Protocol, in addition to continuously monitoring for anomalous and suspicious traffic.
The smart cities trend is a positive one and should be embraced for the public good. But we have enough experience to know that rushing headlong into the highly complex world of device interconnectedness without a comprehensive security strategy is not wise. Urban planners eager to reap the benefits of smart city technology must apply the lessons of the past, taking into account known vulnerabilities, network topology and future considerations of device and infrastructure innovation to ensure that their systems—and the people they serve—remain secure.