Smart Cities Smart Attacks – Data Security Council of India (DSCI) Blog

This blog has been jointly authored by Aditya Bhatia & Vivek Sarkale

Future City aka Smart City is aimed at making lives and experiences far more seamless, systematic and hassle free compared to existing times. It is quite fascinating to note the various facets of a city’s infrastructure that can be dramatically improved by smart application of technology. This blog briefly touches upon what a Smart City actually entails and then quickly gets on to the threat landscape of such a comprehensive and interconnected ecosystem where a lot will be at stake. Finally, as a wrap up of this piece, some Best Practices are shared that may help us pave the way forward.

Defining Smart City elaborately here might prove to be a futile exercise. It would suffice to say that in order to make a city smart, the human part, the digital part, and the physical part has to come together in such a fashion that the end result is effective delivery of services, which in turn, ups the standard of living for all its citizens. Thus, inevitably, plethora of players, providers and stakeholders get inextricably linked in a smart city set up.

Such a massive ecosystem can’t come without its own set of challenges. Enormous amount of data that gets collected, processed, transferred and stored in the ecosystem could potentially give rise to serious Security & Privacy concerns if the right set of mitigation controls and measures are not adopted and internalized. It is not that the Smart Cities existing across the globe haven’t been at the receiving end of vicious Cyber-attacks. In one of the smart cities, attackers encrypted files, locking employees out of the smart city network completely. It is believed that the cyberattack destroyed years’ worth of police dash cam video footage. And other such attacks compromising or disrupting one or more of the aspects of City’s functioning. One of the major concerns is that smart city sensors are insecure and not tested thoroughly. Owing to lack of standardization of IoT devices, the sensors are prone to hacking. Notorious individuals can hack the sensors and feed fake data, causing signal failures, system shutdowns, etc.

Smart city architecture mainly consists of four Internet of things (IoT) layers – Sensor/Device layer, Communication layer, Data layer and Application layer, each layer carries equal operational importance and sophisticated cyber security threats and risks are expected to emerge at each layer.

Threat Landscape Smart City cyberattacks may be mainly categorized into the following four categories:

Threats to physical devices
Threats to communication channel / Network Protocols
Threats to centralized storage /DB/Cloud
Threats to web/ Smartphone applications

It’s evident that as cities are getting smart – adopting advanced technologies, attacks are increasing in numbers. Such attack scenarios could directly harm many lives, posing risks to citizen’s health and safety. To avoid such consequences, here are a few security best practices which can be practiced.

Best Practices:

Early detection: monitor and analyze network traffic continuously
Set up bandwidth limit on network to avoid DDoS
Deploy DDoS protection Solution
Employ robust encryption mechanisms
Obtain TLS/SSL certification for web applications
Update operational system and do patching, enable next generation of IDS/IPS and anti-ransomware detection.
Do Periodic VAPT
Deploy Anti-Spoofing detection mechanism

Join us at Annual Information Security Summit (AISS 2018) to participate in more intense discussions on Smart City threat modelling, charting attack surface & architecting defense.