EXCLUSIVE: Top challenges for smart city cybersecurity

As the smart city becomes increasingly connected, what follows is a host of cybersecurity risks says Willi Nelson, Field CISO for Operational Technology at Fortinet.

The hyper-connectivity of IT, IoT, the industrial IoT (IIoT) means that cities and other municipalities have their hands full when it comes to keeping pace with and even mitigating cybersecurity threats.

In response to more devices being connected to the internet, most organizations add new networking or security point solutions, leading to too many IT and security stacks, too many vendors and too many products that operate in a silo with their own policies and their own management consoles. 

This creates complexity, especially when you consider the current cybersecurity skills gap and introduces exploitable holes in smart systems, leaving critical urban services vulnerable to a growing cyber-criminal arsenal that has the means and intention to cause harm.

It’s not all doom and gloom, though. With modern security technology and the right cybersecurity guidance and training, protecting businesses and residents from critical service disruption or safety risks from cyber-threats is achievable.

Smart cities, IoT and rising risk

As of 2023, most cities around the world have implemented at least some smart solutions, integrating information and communication technology (ICT) and IoT tools like smart sensors to enhance the delivery of services, reduce costs, conserve resources and improve the quality of life for its citizens.

We’re continuing to see smart city technology grow in adoption and implementation, including features that range from smart parking to smart car data analysis to help drivers avoid traffic jams and self-dimming streetlights to conserve energy and reduce the number of lights that need servicing at any given time.

Unfortunately, along with cost savings and increasing efficiency, as well as improving quality of life, with bleeding-edge technology comes new avenues for exploitation by cyber-criminals. Every device that’s “connected” to the internet represents another device that can potentially be hacked or used to access sensitive information in corporate networks or personal information that could be sold on the dark web.

In general, attacks against IoT devices are on the rise globally, whether it’s cars, wearable devices or smart sensors and that shows no signs of slowing. The proliferation of IoT devices creates a larger attack surface and their use in a smart city means these will undoubtedly be a target for bad actors, who will target them as a platform for “land-and-expand” attacks.

Unlike mobile phones and laptops, IoT devices usually only go through a one-time authentication process across multiple sessions. This makes them attractive to criminals trying to breach corporate networks because it enables easy control. 

More sophisticated and destructive threats

Leaders working in the smart city capacity need to be on high alert as cyber-threats become more sophisticated. As noted in Fortinet’s threat predictions for 2023, cyber-criminals are having great success with ransomware-as-a-service (RaaS), which enables them to pull off more and larger attacks in a much quicker fashion.

As advanced persistent threat (APT) techniques and cyber-crime merge, cyber-criminals are discovering ways to weaponize emerging technologies at scale in order to inflict more disruption and devastation. To avoid detection, intelligence and controls, advisories continue to invest time in reconnaissance.

In fact, in 2021, we began to see early indications that attackers were upping the ante by adding wiper malware to their ransomware attacks. Wiper malware, which was initially discovered a decade ago, gives cyber-criminals the ability to delete data and cripple critical system availability, such as the smart city, operational technology (OT) or manufacturing equipment and servers, unless a ransom demand is met.

Given the level of convergence between IT, OT and IoT, we anticipate an increasing number of ransomware attacks to be targeted at smart city and OT networks and to be combined with more destructive capabilities like wiper malware.

Five principals for securing the smart city

In this new world of IoT and the smart city, networks and security must work together as a single system at every layer to improve cybersecurity resilience. Developing an architecture of this type can happen by employing these five key principles:

1. Automated: cybersecurity best practices must be implemented through an ecosystem that is seamlessly integrated with the underlying network. This enables rules to automatically adjust to network changes, whether it be as straightforward as switching connections or if new devices or networks – be they physical or virtual – are added or discarded, or if new and typically transient edge networks are created
2. Broad: anywhere that users, devices and applications are located, security solutions must be deployed. When distributed networks and systems are widely deployed, it is important that IT and security teams must be able to track, protect and provide consistent policy enforcement from beginning to end across all applications and data, regardless of where they reside – from on premises to the cloud
3. Intelligent: modern cybersecurity strategies provide in-depth defense by using time-sensitive, actionable threat intelligence and fighting the latest threats at machine speed. As threat actors continue to evolve their tactics, techniques and procedures (TTPs), the importance of machine learning (ML) and artificial intelligence (AI) to identify and mitigate threats only increases. Whether in the cloud, at the endpoint, the edge or in the datacenter, AI and ML has given security teams the ability to correlate enormous quantities of data to detect and assess suspicious behavior in real time and act before a security incident occurs
4. Fast: unacceptable latency happens when cybersecurity services bottleneck operations. Supporting ever-growing volumes of streaming data and more complicated applications requires hyper-performance. Security solutions must check encrypted data that is streaming at line rates, including video. To make modern gaming and entertainment systems possible, new technologies are needed, such as purpose-built security processors that work similarly to cutting-edge graphics processors by offloading and rendering high-resolution video traffic
5. Integrated: identification of new devices, correlation of data to identify threats, control of resource access and enforcement of policy through a co-ordinated response all require orchestrated communication across solutions. To achieve continuous discovery and response to known, zero-day and unknown threats, such collaboration should be supported by a single set of actionable threat intelligence. A unified management and orchestration platform is achievable via integration, which also improves end-to-end visibility and control

Defending the expanded threat landscape

With most organizations struggling with talent shortages, increased technology complexity and an expanding threat landscape, it is imperative that these businesses strongly consider technologies, services and expertise from security vendors to help fill the void.

For organizations that do not have their own in-house security operations center (SOC) or team, investing in a SOC-as-a-service (SOCaaS) and technologies such as extended detection and response (XDR) and in-line sandboxing is incredibly important for proactively monitoring and mitigating threats.

From a technology decision making perspective, organizations can reduce complexity, close security gaps, improve operational efficiency, optimize user experience and accelerate outcomes by focusing on three key concepts:

1. Converge networking and security into a secure networking solution
2. Consolidate point products into an integrated cybersecurity platform
3. Consistently apply threat intelligence and security services across everything

Businesses must be agile, informed with the best intelligence on the market, leverage automation and lean heavily on the talents of skilled cybersecurity practitioners with expertise in incident response and threat detection if they are to fortify a smart city against threats today and into the future.

Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing and life sciences. Most recently with GSK, he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now Haleon). Willi is a graduate of Rockhurst University in Kansas City, US and holds a CISSP certification in good standing.

This article was originally published in the March edition of Security Journal Americas. To read your FREE digital edition, click here.