More and more cities around the world are jumping on the Smart Cities bandwagon, deploying sensors and smart analytics to tackle the various challenges of urban living – but could this actually set back their resilience in the face of the very real threat of cyber-attacks on public infrastructure?
It’s one key issue discussed at the Smart Cities World Congress that is currently underway in Barcelona, Spain.
The timing is especially acute in the wake of the terrorist attacks by ISIS on Paris, which took 129 lives, and were followed by warnings from the UK government that the militant group could launch potentially deadly cyber-attacks on UK targets such as hospitals, utilities and transport infrastructure like air traffic control.
UK Chancellor George Osborne has promised a sharp increase in government funding to fight such attacks, doubling it to £1.9bn spread over the next five years.
At the conference in Barcelona, Andreas Bentz, ICT security expert at Deutsche Telekom, warned that right now nothing could stop ISIS or anybody else from crippling vital infrastructure, because around the world most infrastructure systems connected to the Internet are wide open.
“Cities are not protected. In my opinion, we will have really resilient cities only after [one city has suffered] the first two-weeks-long blackout, when an electricity network gets hacked, leaving a city out of power for an extended amount of time,” he said.
If this were to happen, any city would grind to a halt. After just a few days, fuel for emergency generators would run out at hospitals. Countries usually don’t have battery-powered petrol pumps; Germany, for instance, has just two, said Bentz. “So tank trucks from all the hospitals will line up in front of these two gas stations. People will start dying.”
To make cities more resilient against cyber-attacks, there needs to be much more co-operation between governments and industry to tackle cyber-security issues, said Annemarie Zielstra, director of cyber-security and resilience at TNO, a Dutch Organisation for Applied Scientific Research in The Hague. “We have collaboration when it comes to water and to climate – but not when it comes to cyber-threats,” she said.
“Partnerships should be based on effective sharing of information, on sharing resources to address a cyber-threat, on using interoperable procedures and processes. We are all in this together. Awareness about risk is crucial. We have to learn about vulnerability, need to build trust - because we don’t exchange business cards during a crisis. It’s too late when incidents occur.”
Bentz said that cities would have to review their lines of communication in case of a natural disaster or other emergency. Rio de Janeiro, for example, at times uses social networks to communicate with the public, he said; this simply was not secure, and could be outright dangerous if permissions to access these accounts got into the wrong hands.
Deutsche Telekom is already facing a rate of 480,000 cyber-attacks on its network every single day, he added. That’s why the company uses a team of “white hackers”, who constantly probe networks for vulnerabilities, to deal with the issue. On a national scale, Germany’s Federal bureau of IT security had, for example, set up what is known as the BSI gateway for smart metering.
Smart Meters are a key component of Smart City set-ups. This highly secured gateway system is connected to each meter, and “the communication is hardened, so you have no central point to attack all the meters. There’s still communication between the gateway and the meter that can be hacked, but you have to go to every meter. So you can’t do a mass attack,” said Bentz.
He added that it took more than three years for Germany to implement the system – and other countries should follow suit.
Right now, argued the panellists, not many – if any – Smart Cities would be able to cope with a large city-wide attack, and few were prepared to face the consequences, said Zielstra. “You need to know the impacts, the scenarios, to know what could go wrong. You need to be aware. You need knowledge and trained personnel in cyber-security. We don’t have much of that at the moment.”
Another major problem on the global scale is that cyber-security parameters are not standardised, said Anusha Rahman Ahmad Khan, Minister of IT and Telecom in Pakistan. “There’s a need for a global network, and we’ll be discussing the issue in December in New York,” she said. “We hope we’ll be able to reach consensus on some of the modalities necessary for going forward and for creating the framework. If we delay it any longer we are exposing ourselves to bigger threats.”