How smart can turn dumb -
A smart city uses technology to automate and improve city services,
ultimately making citizens’ lives better. It describes a city full of
connections, where information technology and the Internet of Things
(IoT) is embedded into everyday life. The problem is, for each
connection, there’s a risk. Data is shared across networks that, if
poorly encrypted, can be accessed. Each connection, however remote or
seemingly innocuous, could provide an entry point for a hacker who could
potentially manipulate that system for their own devices.
Digital security experts like Cesar Cerrudo, CTO for IOActive Labs,
have concerns about how robust this encryption is. Cerrudo points out
that many use weak encryption algorithms, and others have poor key
encryption generation or fixed keys that hackers can gain access to.
It’s not just fragile encryption or weak connection security - citizens
in a smart city have a part to play too. Simple or shared passwords and
lost memory sticks could potentially offer hackers the opportunity to
access personal and business information that we hold. Malware can be
stored within apps we freely download.
And how many of us ever read the terms and conditions when we sign up
for apps or do much checking before clicking the button to allow our
apps to access our data? Given that many of them are longer than novels
(Apple’s Terms and Conditions are notoriously longer than Shakespeare’s
Macbeth), it’s not surprising we don’t, but it could have implications
for our security.
“If that technology is not secure and if it’s not properly protected,
city infrastructure and citizens won’t be safe and will suffer cyber
attacks,” Cerrudo says, warning that smart cities run the risk of
becoming dumb cities if they continually suffer cyber attacks because of
weak infrastructure.
Cerrudo himself has demonstrated how simple our cities’ systems can
be to hack. Using a laptop and hardware that cost under $100, he was
able to access individual traffic lights, changing them at will. Pushing
further, he could access these systems from up to a mile away and even
from an airborne drone.
The technology used for managing traffic lights in New York is also
used to manage the traffic infrastructure in cities across the world,
including Washington DC, New York, Seattle, San Francisco, London, Lyon,
and Melbourne. Cerrudo’s example illustrates just how incredibly
fragile our cities are, with small incidents having big consequences.
It’s the principle of the ‘cascade’ effect. In a cyber attack, hackers
may use the cumulative impact of a number of small intrusions that, when
multiplied together, can cause havoc.
As an example of what can be achieved, in 2006 two aggrieved Los
Angeles traffic operators remotely accessed four traffic lights at busy
intersections. This seemingly minor interruption caused gridlock that
lasted for days. Even more concerning was that it took three years for
the perpetrators to be found, after they owned up to the crime.
Hyper-Cat -
If multiple entry points and unsecured data sharing across systems is
the biggest risk for our smart cities, then surely the answer must be
in having one system that manages everything?
The idea of the Urban Operating System (UOS) has in the past been a
key part of the concept of a Smart City. From one single operating
system, the entire infrastructure of a city can be connected, organised
and managed. But it’s increasingly viewed negatively by smart-city
experts like Tom Saunders, senior researcher at Nesta, who believe we’re
actually safer if systems are fragmented.
“Companies are still pushing the one-system model,” says Saunders,
who is also the author of ‘Rethinking Smart Cities from the Ground Up’.
But for him at least, it’s not the answer: “To be secure you want lots
of separate systems that compete. That way, the whole city network can’t
be hacked.”
One of the main reasons Saunders believes the UOS model won’t take
hold is that, contrary to claims made, there are no real smart cities,
just a collection of individual projects. “In the UK, we can’t afford to
roll out 100,000 sensors across the city,” he says. Smart Cities like
Bristol, Milton Keynes and most recently Manchester are investing in
small-scale smart projects, not imposing a complete smart system upon
the city. The infrastructure and technology behind the projects aren’t
linked, meaning hacking them all would be complex and time-consuming.
If we’re unable to build our Smart Cities from the bottom up, then
it’s essential that we impose security upon the systems that we already
have. Symantec is one of a number of organisations working together to
develop a secure communications standard that it hopes will do just
that.
Called Hyper-Cat, the standard is a JavaScript Object Notation (JSON)
catalogue that securely shares IoT asset information across the web,
making it much more difficult for hackers to access. “The system isn’t a
UOS,” says Sian John, Symantec’s head of resilience. “It’s a set of
standards that enables the safe communication between IoT devices”.
At the moment, many city systems enjoy ‘security through anonymity’.
As these systems are increasingly introduced to Smart City elements,
experts like those at Hyper-Cat are calling for the introduction of a
safe operating standard that can ensure that minimum security conditions
are met.
Cerrudo agrees that securing this communication is the biggest
challenge for a smart city, but he’s critical of the industry. “Most
smart city technology vendors are immature and don’t have enough cyber
security knowledge,” he says.
Rather than developing new communication standards, Securing Smart
Cities - a non-profit organisation that brings together academics and
businesses - creates resources and guidance for public and private
sector organisations to help cities protect themselves. Securing Smart
Cities is increasingly calling on governments to take a much greater
involvement in smart cities. “Right now governments are blindly trusting
vendors and deploying technology without making sure it’s secure,” says
Cerrudo.
Smart crime-fighting -
Security in a smart city often focuses on the big threats to the
population, and on how critical infrastructure can be protected. But
smart, connected cities also play a key role in protecting the citizens.
After all, smart cities thrive on ‘big data’. This mountain of
seemingly unconnected data is being processed by sophisticated computer
programs to help predict real crimes. It may sound like science fiction,
but the concept - dubbed predictive analytics - is actually in
development and being trialled in many places around the world.
In 2011, the Santa Cruz Police Department introduced such ‘predictive
policing’ to the force, and saw arrests increase by 57 per cent. The
system divides the city into cells 450m square, with a computer
algorithm assigning a probability of crime based on an analysis of
previous crime data, social media and other local data sources.
The technique is being further developed by companies like Hitachi,
whose Visualization Predictive Crime Analytics system blends real-time
event data captured from public safety systems and sensors with
historical and contextual crime data from record management systems and
other sources. Spatial and temporal prediction algorithms are used to
assign threat levels for every city block and also to create threat
level predictions, forecasting where crimes are likely to occur or
additional resources may be needed. Hitachi estimates that the system
can predict crimes to within a 200-metre radius.
New technology has always been used by police forces to tackle crime,
with GPS trackers in cars, mobile phone records, bridge toll passes and
more being used as evidence in cases. As our cities become increasingly
connected, law enforcement agencies will be able to use this data to
prosecute criminals. But information can also be misused. The police
have strict rules defining how they investigate crimes and name
suspects, but the general public doesn’t. In April 2013, Boston was
shaken by the detonation of two bombs at its annual marathon. After the
incident, the entire city went into lock-down as the perpetrators went
on the run.
During this time, CCTV images, social media and a variety of other
open sources were used by concerned citizens and media outlets to
identify and name potential suspects. The problem was, these people were
innocent bystanders and, in one case, a participant in the marathon.
The smart city can help protect its citizens, but access to information
should come with some responsibilities.
