So-called ‘smart cities’ are heavily dependent on their information and communications networks, but few are ready to cope with a large-scale cyber attack.
The Smart City Expo World Congress in Barcelona, Spain, would traditionally be the place to expand on how increasing numbers of cities are deploying sensors and smart analytics to better meet the needs of urban living. This year’s event, however, took place in the wake of the terrorist attacks claimed by ISIL on Paris, which took 130 lives.
The 13 November attacks were followed by warnings from the UK government that the militant group could launch potentially deadly cyber attacks on UK targets such as hospitals, utilities and transport infrastructure like air traffic control. Chancellor of the Exchequer George Osborne has promised a sharp increase in government funding to fight such attacks, doubling it to £1.9bn spread over the next five years.
All the talk among delegates at the Barcelona conference, which brought together 500 cities from five continents, therefore focused on how such sophisticated and integrated systems might render a smart city more vulnerable to the very real threat of cyber attack.
ICT security expert Andreas Bentz at Deutsche Telekom warned that right now nothing can stop ISIL or anybody else from crippling vital infrastructure, because around the world most infrastructure systems connected to the Internet are wide open.
“Cities are not protected. In my opinion, we will have really resilient cities only after [one city has suffered] the first two-week blackout, when an electricity network gets hacked,” he said.
If this were to happen, he said, any city would grind to a halt. After just a few days, fuel for emergency generators would run out at hospitals. Countries usually don’t have battery-powered petrol pumps; Germany, for instance, has just two, said Bentz. “So tank trucks from all the hospitals will line up in front of these two gas stations. People will start dying.”
To make cities more resilient against cyber attacks, there needs to be much more cooperation between governments and industry to tackle cyber security issues, said Annemarie Zielstra, director of cyber security and resilience at TNO, a Dutch organisation for applied scientific research in The Hague. “We have collaboration when it comes to water and to climate, but not when it comes to cyber threats,” she said.
“Partnerships should be based on effective sharing of information, on sharing resources to address a cyber threat, on using interoperable procedures and processes. We are all in this together. Awareness about risk is crucial. We have to learn about vulnerability, need to build trust – because we don’t exchange business cards during a crisis. It’s too late when incidents occur.”
Bentz said that cities would have to review their lines of communication in case of a natural disaster or other emergency. Rio de Janeiro, for example, at times uses social networks to communicate with the public, he said; this simply was not secure, and could be outright dangerous if permissions to access these accounts got into the wrong hands.
Deutsche Telekom is already facing a rate of 480,000 cyberattacks on its network every single day, he added. That’s why the company uses a team of ‘white hackers’ to deal with the issue, who constantly probe networks for vulnerabilities.
On a national scale, the German federal bureau of IT security had for example set up what is known as the BSI gateway for smart metering. Smart meters are a key component of smart city set-ups. This highly secured gateway system is connected to each meter, and “the communication is hardened, so you have no central point to attack all the meters. There’s still communication between the gateway and the meter that can be hacked, but you have to go to every meter. So you can’t do a mass attack,” said Bentz.
He added that it took more than three years for Germany to implement the system – and other countries should follow suit.
Right now, argued the panellists, not many – if any – smart cities would be able to cope with a large city-wide attack, and Zielstra said few are prepared to face the consequences. “You need to know the impacts, the scenarios, to know what could go wrong. You need to be aware. You need knowledge and trained personnel in cyber security. We don’t have much of that at the moment,” she said.
Another major problem on the global scale is that cyber security parameters are not standardised, said Anusha Rahman Ahmad Khan, Minister of IT and Telecom in Pakistan. “There’s a need for a global network, and we’ll be discussing the issue in December in New York,” she said. “We hope we’ll be able to reach a consensus on some of the modalities necessary for going forward and for creating the framework.
“If we delay it any longer we are exposing ourselves to bigger threats.”