It is the phone call that everybody fears: the dreaded news that your city has been hacked. Amid a spate of public and private sector cyber-attacks, there is a grim acceptance by local government Chief Information Officers (CIOs) that the likelihood of being targeted is a matter of “when” rather than “if”.
On a recent online Cities Today roundtable, US CIOs shared the cybersecurity scenarios that are, as one put it, “haunting my dreams” and more importantly, what they’re doing about them.
User education is critical, with people identified as often being the ‘weakest link’ in the chain. Other key priorities include advanced detection tools, new procurement processes, two-factor authentication and layered security systems.
Several ransomware attacks – many initiated by email phishing – have wreaked havoc on city systems already, shutting down essential public services and costing millions of dollars. The emerging threat of attacks which also target physical infrastructure is scarier still.
The world was given a chilling glimpse of this in February when someone broke into the computer system of the City of Oldsmar’s water treatment plant and tried to remotely raise chemicals to unsafe levels. This was thwarted by an operator and the city said checks were in place which would have prevented the water from being released. Still, blood ran cold in government offices in the US and beyond.
As more city infrastructure becomes connected via the Internet of Things (IoT) and interdependencies increase, the risks are growing. Experts have highlighted the potential impact of hacked connected infrastructure – such as smart traffic lights, for example. Emergency alert systems and video surveillance tools have also been flagged as among the most risky but others could be attacked too, including connected streetlights.
Against this backdrop, cities, along with technology partners, are doubling down on cybersecurity in several key areas to mitigate these threats.
Creating a segmented infrastructure, with the operational network separate from the IoT network is a priority as cities upgrade their systems, as well as protecting remote access.
Within IoT, cities are also evaluating which systems relate to critical infrastructure and which are simply sensing – air quality, for instance – and having specific separate strategies to handle each of these based on risk.
Regular external audits help to validate cities’ cybersecurity efforts and instil confidence with leadership.
“The auditors give us hell and we welcome that hell because that’s what makes us get better and better,” said one CIO.
Cybersecurity threats are also driving new centralised procurement processes, including mandatory architecture, security and user experience reviews that must take place before any software-as-a-service (SaaS) products or smart infrastructure solutions can be approved.
This requires additional resources and, increasingly, dedicated staff to meet the demand.
“It takes a lot of effort, people and time,” one CIO said. “And there can be push back from people in a hurry, but it has to be done.”
This might not be viable in smaller cities, though, which is worrying as they have been a regular target for hackers.
Cities agreed that frontline workers remain the first line of defence. Measures to address this include mandatory cybersecurity training and phishing email testing with staff. This is particularly important as Angelo Consoli, Professor and Head of Cybersecurity at the University of Applied Sciences of Southern Switzerland (SUPSI), noted that the tactics used by hackers are becoming more sophisticated, with an increasing number of cyber-attacks using at least one social engineering component. This could include using email or chat to convincingly pose as a friend or trusted organisation to deceive people into taking action such as clicking a malicious link or sharing details.
One CIO said they’re not averse to sharing “really scary security stories” with their team to impress upon them the importance of vigilance.
Security by design
Nicola Crespi, Chief Innovation Officer at Paradox Engineering, urged cities to take a ‘security by design’ approach to IoT networks.
He said cities must “move away from the conventional ‘bastion defence’ paradigm and inject cybersecurity into IoT from the very inception.”
Crespi explained that cities need to combine different technologies to make urban infrastructures and devices intrinsically secure – in particular, ultra-reliable encryption, hardware security modules, trusted data and devices, and blockchain.
He said 100 percent cybersecurity is “an impossible goal, unless we fully give up on innovation and digital transformation” but that we must be 100 percent “cybersecurity aware”. This means focusing on risk mitigation and making cyber-attacks economically unattractive and too time-consuming.
Securing cities is an ongoing challenge which requires constant monitoring, learning and collaboration, especially as hackers tap advanced technologies such as AI to become more effective and cybersecurity insurance costs soar.
There is only so much cities can do alone, though, and several called for more federal investment and support to bolster systems to protect everyone. With infrastructure-focused funding on the table and the Biden administration’s attention on cybersecurity in light of recent high profile attacks such as SolarWinds, Microsoft Exchange and the Colonial Pipeline, it is hoped that a more collaborative approach is on the way.
Image: Zenobillis | Dreamstime.com