How hackers are holding cities to ransom

Cyber security has dominated the headlines in the US. From CIA claims that Russia meddled in the US presidential election in Donald Trump’s favour to the release of thousands of FBI agents’ names, Jonathan Andrews explains how cyber criminals are now increasingly turning their attention to cities

In November last year 900 office computers at the San Francisco Municipal Transport Agency suddenly flashed with the message, ‘You hacked, ALL data encrypted’. The ransomware hacker demanded 100 Bitcoins, or around US$73,000 for the screens and data to be ‘unlocked’.

Although the malware encrypted mainly office computers, the agency took the precaution of opening fare gates on its light rail network and shutting down the fare system, providing free travel for almost two days. The city lost US$50,000 in revenue as a result.

“The San Francisco Municipal Transportation Agency never considered paying the ransom,” explains Paul Rose, spokesperson from the agency. “The cyber attack never compromised the fare system.”

Existing back up systems allowed the agency to get most of its affected computers up and running the next morning with the remaining computers functional in the next two days. Although customer payments were not hacked and no data was accessed from any of the servers, it would, no doubt have caused some jitters among city chief information officers across the US.

It’s easy to see why smart cities would be a top target for cybercriminals, terrorists or state-sponsored bodies. Given how critical the systems used to run a city are, hackers could wreak havoc with transport networks, street lighting, traffic control systems and smart grids.

Information on how the attack in San Francisco happened, how the city overcame the attack, or details of the hacker are not yet available due to an ongoing investigation by the FBI and Department of Homeland Security (DHS). Rose can only say that the system recovery was conducted “in-house” and that the ransomware was immediately reported to DHS.

Why DHS? To help cities across the US, the department runs the Multi-State Information Sharing and Analysis Center, the key resource to preventing cyber threats. It works with stakeholders including the US Conference of Mayors, and acts to protect, respond and recover for the country’s state, local, tribal and territorial governments. The centre shares and coordinates real-time risk information to support national cyber security situational awareness with DHS and the National Cybersecurity and Communications Integration Center.

According to a DHS spokesperson, “multiple other cities have also reported ransomware infections”. Figures released to Cities Today show that the centre has seen an 85 percent increase in ransomware total attacks from 2015 to 2016 and a whopping 295 percent increase from 2014 to 2016.

The DHS spokesperson did say that currently there is a limited threat to Internet of Things (IoT) from ransomware, although “this could change”.

According to Joshua Crumbaugh, CEO of Peoplesec and an ethical hacker, he believes the reason for an increase in targeted attacks on cities is straightforward.

“Ransomware is the most common incident facing most cities,” he says. “Cities are generally a soft target for obtaining personally identifiable information or financial information. Cities have just recently started investing in information security personnel and security controls. Budget constraints tend to be a common theme in my interactions with municipalities.”

New officers to protect cities

San Diego is one city taking a lead on cyber security. Gary Hayslip was appointed as the city’s first official Chief Information Security Officer. In 2015 the city saw about 500,000 attacks on its networks per day. This rose by 80 percent last year.

“With hiring me the city had decided it was time to formally focus on cyber,” he explains. “I was brought in to build an enterprise programme that would cover cyber security engineering, operations and physical security.”

As well as partnering with federal agencies, Hayslip says they currently have two of three teams fully operational and are completing the build out of the security operations centre.

He believes that cities are now realising cyber security is not a “one and done” process and that if cities expect to be innovative and incorporate industrialised IoT solutions to their smart city portfolio of services they need to have a mature cyber security programme as a foundation to build on.

“What I see is those cities that are performing cyber security as a strategic process are able to implement the smart city framework with less issues and less risk exposure to their organisation,” he says.

In San Diego ransomware is moving up to being the number one form of cyber attack. In 2015 out of every 50 phishing emails that users received, five contained some type of ransomware attachment or link. Hayslip says that in 2016 this rose to 40.

Michael Shalyt, Co-Founder and Vice President of Aperio Systems, believes that this trend will only rise.

“The explosion of ransomware over the past few years started once cyber criminals saw that it was a good business model and that people are actually willing to pay to get their files back,” he says. “How much would a city pay to ‘release’ the traffic light system from the clutches of organised cybercrime? Or the water system? Not to mention the power supply.”

Who is to blame for security flaws?

Cesar Cerrudo, Chief Technology Officer for IOActive Labs, believes that cyber security problems originate mostly on insecure technology that is produced by vendors. He adds that although there are vendors that are more mature at cyber security and produce more secure technology they are an exception.

“Security takes time and money and most vendors need to take products out to market very fast so security is ignored or is an afterthought when it’s too late because technology is already in use and vulnerable to cyber attacks,” says Cerrudo who is also a board member of Securing Smart Cities, a global initiative that aims to solve the existing and future cyber security problems of smart cities.

He admits that cities are also failing to make sure the technology they acquire is secure before deployment, which is making problems worse since they are not encouraging vendors to produce more secure technology.

The human element

In San Francisco the agency is remaining tight-lipped about any new procedures and processes following the attack for fear of providing a roadmap for any future attacks. Rose says they are, however, reaching out to staff to further remind them of the impacts of clicking on links and opening emails from unfamiliar sources.

The human element it seems is the weakest link in any city’s cyber defences.

“Humans continue to be the most vulnerable element and the primary entry point of ransomware, targeted attacks and malware,” adds Crumbaugh from Peoplesec, a company trains staff to offset cyber attacks. “The majority of breaches are the result of a human making a mistake and clicking on a malicious link or opening a malicious attachment.”

He believes that cities should implement comprehensive security awareness training and testing that includes phishing emulations, minimising the city’s external footprint and restricting access to city networks to anyone who doesn’t adhere to city security policies. 

What else can cities do?

Cerrudo suggests that cities should also create a simple checklist-type cyber security review so that they:

• Check for proper encryption, authentication, and authorisation and make sure the systems can be easily updated.
• Ask all vendors to provide all security documentation
• Ensure Service Level Agreements include on-time patching of vulnerabilities and 24/7 response in case of accidents
• Regularly run penetration tests on all city systems and networks

“There should be a big change in mentality on how things are currently done and should be done from now on,” explains Cerrudo. “We are constantly talking with smart city ecosystem organisations including some cities and providing guidance in general with the resources we are creating with Securing Smart Cities with some initial success but there is still a lot of work to be done.”

The way cities are going to implement ISO 37150 and ISO 37151 on smart community infrastructures is another area of concern for San Diego’s Hayslip. He believes cities need to start planning now how they are going to incorporate the framework with connected infrastructure and rich datasets.

“Cybersecurity doesn’t do well when it is in a vacuum,” he says, “but in a community environment when it is incorporated with stakeholders and peers, cyber can be the strategic asset that enables tomorrow’s smart cities to be successful.”

The Department for Homeland Security has issued guidance for dealing with ransomware and says it’s important to have a good cyber hygiene programme. This includes maintaining an inventory of all hardware and software, making sure all equipment and systems are routinely patched and having a vulnerability management programme where systems are regularly checked and vulnerabilities are remediated.

Cerrudo is happy that at least the conversation is moving in the right direction and compares the situation to a couple of years ago when the topic of securing smart cities was rarely discussed.

“Cyber security problems affecting cities are real and exist right now,” he warns. “If we don’t start making technology more secure and also making sure technology being used is secure and well protected soon we will suffer the consequences which could have a great impact on our daily lives.”

 —–

Gary Hayslip, Chief Information Security Officer, San Diego 

Keeping up with the latest technology and at the same time phasing out and getting rid of old technology adds further security complications. Hayslip says that as cities operate 24/7 there is more complexity in planning large-scale technology projects that will impact on city services. These issues include:

• Increased complexity (legacy & converged): With legacy and new technologies like cloud, connecting them together leaves many unknowns with respect to attack surfaces exposed to malicious actors. To manage this risk, cities need to have a fully deployed security programme that is implementing cyber hygiene and managing it as a standard process.
• Cascading effect: Simple issues can have a large impact on intertwined systems. Conducting security scans can shut down equipment or pushing updates can slow down data flows on legacy infrastructure.
• Patch deployments: System updates become troublesome with large disparate networks. With a mix of technologies, truly understanding the impact of what happens when a city pushes an update to smart city infrastructure “can get quite interesting”.
• Lack of threat models: Threats on a large city scale are unique. Accurate data and threat models designed for this infrastructure profile are still being built; there is a move to create a cyber range that is a digital city. This would allow security teams to practise both attacking and defending city infrastructure to gain a better understanding of how to protect their smart city.