Cesar Cerrudo, an Argentine security researcher and chief technology officer at IOActive Labs, describes himself as a «professional hacker» on his Twitter account. And he has a rather unusual vocation: he exploits systems, in broad daylight, on behalf of the public good.
For the past few years, Cerrudo has been visiting cities like New York, San Francisco, Seattle, and Washington, D.C., opening his laptop on a street corner, and running a few passive tests on their traffic technology.
«I hacked some devices used by traffic systems in a lab, and then I did some passive tests—not hacking, because it would be illegal—to prove that the same devices used in cities around the world were really vulnerable. And what I found in the lab tests was right,» he tells Security Management. «What I did was to look at the devices’ wireless communications, and the devices’ configurations, to make sure the security problems really existed on a real deployment. I had positive results.»
«Positive results,» in this case, means they were entirely vulnerable. Depending on the configuration, it would be possible for a hacker in these cities to reduce or increase the amount of time traffic lights flash, how long they stay green or red, or have them not change at all. Electronic signs could he hacked to display dangerously inappropriate speed limits and incorrect instructions.
This need for better security spurred Cerrudo into collaborating with some likeminded others and starting up a new not-for-profit global initiative, Securing Smart Cities (SSC). SSC is designed to address the existing and potential future cybersecurity problems of smart cities, where wireless sensors control an increasing amount of the infrastructure, from traffic lights to water supply to waste management systems.
The problem has become more serious in the last few years as smart cities have proliferated. Around the world, innovations are emerging to make urban areas more energy efficient, comfortable, environmentally friendly, and safe.
For example, with smart parking, residents use mobile apps to find available spots and review pricing, which may change based on the time of day, availability, and location. With smart water management, pipes measure water quality, regulate flow and distribution, and detect problems. With smart energy management, grids can deliver energy based on user demand, and buildings use different techniques to conserve energy and buy electricity when rates are low.
With these advances, spending on smart cities has increased rapidly around the globe. In Saudi Arabia, $70 million was recently spent on an initiative to build four smart cities. In South Africa, $7.4 billion has been spent on an in-progress smart city project. In 2020, the global smart city market will be valued at $1.5 trillion, according to a recent study by Frost & Sullivan Global Consultants.
But as smart city innovations advance, so do ensuing vulnerabilities, and some experts say that not enough thought is given to the cybersecurity of these smart cities. And as the smart cities evolve and become more sophisticated, their growing complexity will make it more difficult to address vulnerabilities further down the line, some experts say.
To address this, SSC is forging collaborations between private companies, local and state governments, media outlets, and individuals across the world, to build up a repository of best practice expertise and provide advice on smart city security.
«SSC is a global initiative, and we plan to collaborate with cities around the world,» Cerrudo says. «The goal is to provide guidance and recommendations based on members’ experience and knowledge, which is very broad.»
Overall, the SSC initiative has five goals: educate cities and providers on the importance and cost benefits of security best practices; collaborate with SSC partners to share ideas and methodologies; promote the benefits of introducing security early into the development lifecycle of a smart city project; build partnerships among cities, service providers, and the security community; and create standards, guidelines, and other resources to improve smart city cybersecurity.
So far, SSC contributors range from government administrators to cybersecurity experts to CSOs. Contributors include David Jordan, CISO for Arlington County, Virginia; Luis Parrondo, cybersecurity architect and business manager for Transport for London; and Mike Newborn, CSO with Bloomberg BNA.
Last summer, SSC issued a white paper, Keeping Smart Cities Smart: Preempting Emerging Cyber Attacks in U.S. Cities, and briefed some members of Congress and federal administrators on the issues involved with smart city cybersecurity.
The briefing paper contains a long list of recommendations for officials, such as implement fail safe and manual overrides on system services, so as not to depend solely on the smart technology; run regular penetration tests on all systems and networks; implement backup versions of critical systems; update and secure the backups to the same degree as primary systems; and prepare for the worst by creating a threat model for every conceivable scenario.
«It was just an initial and short briefing, but it seems there was great interest,» Cerrudo says. «It’s a very early stage. We need to keep working closely with government agencies and members of Congress to raise more awareness and engage them to take good actions.»
Moving forward, SSC has also been working on publishing some security guidelines aimed at helping cities «become smarter in a more secure way,» Cerrudo says. The group also hopes to hold an international smart city cybersecurity conference later in 2016.
Time may be of the essence for smart city security. The Keeping Smart Cities Smart report concludes that the attack surface for cities is «unimaginably vast,» and the paper’s conclusion is ominous. «It is only a matter of time until attacks on city services and infrastructure happen,» the report says.