Over the last 20 years there have been many technological advances in how municipalities operate, ranging from parking meter systems and transit scheduling to traffic flow management and air and water controls, to name just a few.
This transformation of the urban landscape into a cyber landscape has brought many benefits and efficiencies, but also new forms of threats, specifically in how these systems all rely on vulnerable IoT devices to perform their work. Let’s dig into why cyber-criminals are increasingly focused on exploiting smart city IoT devices and how municipalities can establish a better security posture and reduce the overall risk to their cities and residents.
Addressing smart city IoT security starts with recognizing the problem. For as long as there have been IoT devices, municipalities have been deploying them across multiple functions. Yet until recently, many of these devices were not designed with security in mind or with consideration for how they could be exploited. IP cameras, for example, are one of the most widely used IoT devices in cities, yet often lack mechanisms to perform cyber-hygiene at scale, such as firmware updates, password rotations or certificate deployment.
With budgets tight in almost all cities, there is little motivation to replace devices that are still functioning, even when the manufacturer has brought them to end of life (EOL) or end of support (EOS). That almost ensures their vulnerabilities will remain even after public disclosure. Related to the budget issue, many of these devices operate autonomously, with a “set it and forget it” approach. Think of a traffic control system: it is designed for minimal oversight and may get attention only when citizens complain about a problem.
Perhaps most concerning from a security management perspective is that IoT devices operate within cities on a giant scale, both in number of devices and their physical locations, often without resources to fully secure them. The city of New York more than doubled its procurement of new IoT devices between 2019 and 2022, from roughly 60,000 new devices to over 150,000 per year, adding to an existing IoT landscape of millions of devices. One state’s Department of Transportation that operates hundreds of thousands of IoT devices for its toll system and other functions has only two cybersecurity people to manage them (compared to over 50 focused on IT security).
Making a city both operational and secure in this context means focusing on automated IoT security management. Having an automated IoT asset discovery solution is the baseline, so that as various city agencies deploy new devices, they can be visible and tracked. New vulnerabilities are found literally every day, so knowing quickly what devices are impacted and where they are is crucial to shrinking the overall window of vulnerability. Preventing those vulnerabilities from being exploited requires more than discovery; it takes remediation.
Resolving the issue
Organizations should deploy automated IoT firmware patching and updating, along with the ability to quickly update passwords and other credentials at scale. For this reason, the US Government (specifically CISA) is actively promoting its Known Exploited Vulnerabilities (KEV) catalog to help government agencies focus on the most critical threats, and is imposing mandates for remediating these vulnerabilities within a short timeframe (typically one or two months). Expect this same approach of focus followed by mandate to become the norm within municipalities in order to minimize their overall attack surface.
Governance across multiple agencies and organizations is key: threat actors view municipalities as a whole while many cities operate as independent silos (transportation, police, fire, water, sanitation, parks and recreation, etc.). A best practice for commercial organizations has been to bring together all IoT operators to devise and co-ordinate responses to security threats; municipalities are no different.
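The sketch below shows how a discovered-device inventory can be joined against KEV-style records to produce a deadline-ordered remediation queue across agencies. It is an added example, not code from the article or from any vendor it mentions; the inventory schema, device names, vendors, CVE IDs and dates are constructed placeholders, and exact vendor/model matching is a simplifying assumption.

```python
from datetime import date

# Constructed KEV-style records. Field names follow CISA's KEV JSON feed;
# the CVE IDs, vendors, products and dates are placeholders, not real entries.
KEV = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCam",
     "product": "IPC-100", "dueDate": "2024-03-01"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSignal",
     "product": "TC-9", "dueDate": "2024-04-15"},
]

# Constructed inventory rows, shaped like an asset-discovery export (assumed schema).
INVENTORY = [
    {"id": "cam-0017", "agency": "transportation", "vendor": "ExampleCam",
     "model": "IPC-100", "location": "5th & Main", "eol": True},
    {"id": "cam-0042", "agency": "police", "vendor": "examplecam",
     "model": "ipc-100", "location": "Precinct 4 lot", "eol": False},
    {"id": "sig-0003", "agency": "transportation", "vendor": "ExampleSignal",
     "model": "TC-9", "location": "Bridge St", "eol": False},
    {"id": "meter-0100", "agency": "parking", "vendor": "ExampleMeter",
     "model": "PM-2", "location": "Lot C", "eol": False},
]

def remediation_queue(inventory, kev, today):
    """Match devices to KEV records; most urgent (overdue) first."""
    index = {}
    for e in kev:
        key = (e["vendorProject"].lower(), e["product"].lower())
        index.setdefault(key, []).append(e)
    queue = []
    for dev in inventory:
        for e in index.get((dev["vendor"].lower(), dev["model"].lower()), []):
            due = date.fromisoformat(e["dueDate"])
            queue.append({
                "device": dev["id"], "agency": dev["agency"],
                "location": dev["location"], "cve": e["cveID"],
                "days_left": (due - today).days,
                # Assumption: EOL/EOS devices get no vendor fix, so isolate or replace.
                "action": "isolate_or_replace" if dev["eol"] else "patch_firmware",
            })
    return sorted(queue, key=lambda r: (r["days_left"], r["device"]))

def overdue_by_agency(queue):
    """Count overdue findings per agency for cross-agency reporting."""
    counts = {}
    for r in queue:
        if r["days_left"] < 0:
            counts[r["agency"]] = counts.get(r["agency"], 0) + 1
    return counts
```

Calling `remediation_queue(INVENTORY, KEV, date.today())` on a schedule gives each agency the same prioritized view, with negative `days_left` marking devices already past their remediation date.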
City leaders can also rely on a cross-functional team to get a better understanding of their overall risk and work with them to budget and plan for ways to secure the vast (and vulnerable) landscape of already deployed devices. For many cities there are already existing shared functions that can be leveraged for this purpose, especially procurement. Enforcing IoT security policy on new devices being deployed is a good starting point to getting control of the IoT attack surface, which procurement is very well suited for. This approach also ensures IoT devices are secure prior to deployment, making it easier for them to remain secure over time. Not all devices are directly managed by the municipality itself, so extending security requirements into services contracts is another key function procurement can play.
City leaders should also view IoT security through another lens: how resilient are they to an attack on their IoT infrastructure? As many in security know, the probability of an event happening is close to 100% and what matters is how well you are prepared for it. Alongside automated security methods for firmware, passwords and certificates, there needs to be an underlying focus on service assurance and early detection of events. Having a safety-critical system go offline should never happen silently or without a reaction; a change in system performance is often an early indicator of compromise or exploitation. The mantra for city governments should be that all their IoT systems are visible, operational and secure.
Journey to security
In summary, when it comes to security (physical or cyber) there should never be a ‘tale of two cities’. All municipalities hold the trust of their citizens to ensure that safety is maintained, whether it is in the streets or on the network. Civic leaders can start by understanding where they are on their security journey and taking the appropriate next steps. Co-ordination across agencies is critical on this journey and offers many advantages in ensuring that all IoT devices are managed for security and remain resilient should a cyber-attack occur.
Arming procurement with the right guidelines and requirements is critical to ensuring the IoT attack surface does not keep growing and, through this, to preventing vulnerabilities from being deployed on a massive scale. This co-ordination moves municipalities from a reactive approach to a proactive one, with a security posture that can be maintained over time and extended to new municipal functions as they emerge.
Bud Broomhead brings to Viakoo, Inc. two decades of executive experience in the technology sector, leading innovative teams at Sun Microsystems and for privately held startups in challenging CEO, COO and GM roles in the US and Europe. He is a serial entrepreneur who has led successful software and storage companies for more than two decades. He has experience delivering computational and storage platforms to the physical security space for over seven years, with an emphasis on infrastructure solutions for video surveillance.
This article was originally published in the March edition of Security Journal Americas.