by K.T. Weaver, SkyVision Solutions
Key Point (Quotation):
“The more technology a city uses, the more vulnerable to cyber attacks it is, so the smartest cities have the highest risks.” [1]
Key Point (Quotation):
“If the history of city building in the last century tells us anything, it is that the unintended consequences of new technologies often dwarf their intended design.” [2]
Introduction
At this website we have persistently expressed concerns regarding the risks associated with smart grid technology including those related to cybersecurity. A recently published article in Computer Networks journal provides an excellent summary perspective on these smart grid cyber risks:
“Compared with legacy power systems, the Smart Grid is envisioned to fully integrate high-speed and two-way communication technologies into millions of power equipments to establish a dynamic and interactive infrastructure with new energy management capabilities, such as advanced metering infrastructure (AMI) and demand response. However, such a heavy dependence on information networking inevitably surrenders the Smart Grid to potential vulnerabilities associated with communications and networking systems. This in fact increases the risk of compromising reliable and secure power system operation, which, nonetheless, is the ultimate objective of the Smart Grid. For example, it has been shown that potential network intrusion by adversaries may lead to a variety of severe consequences in the Smart Grid, from customer information leakage to a cascade of failures, such as massive blackout and destruction of infrastructures.”
With that background and as an outgrowth of smart grid issues, it is now time to expand our concerns beyond smart meters and the smart grid to so-called “smart cities.” To highlight these issues, we focus on a new white paper issued by IOActive Security Services on April 8, 2015. In short it states:
“Cities around the world are becoming increasingly smart, which creates huge attack surfaces for potential cyber attacks.”
The IOActive paper defines the term smart city as:
“A city that uses technology to automate and improve city services, making citizens’ lives better. … In the truly smart city of the future, everything will be connected and automated.”
Before reviewing in more detail the IOActive white paper, let’s first examine some of the hype surrounding the increasing emphasis on building “smart cities.”
The Smart Cities Hype
The Institute of Electrical and Electronics Engineers (IEEE) proclaims to be “working to help municipalities address urbanization and integrate technology to create smart cities in its Smart Cities Initiative (SCI).”
One consulting group estimates the “global smart city market” to be valued in excess of $1.5 trillion (USD) in the year 2020 and adds that “over 26 Global Cities are expected to be Smart Cities in 2025, with more than 50% of these smart cities [to be located] in Europe and North America.”
In searching the Internet it is quite easy to discover artists’ conceptions of future smart cities. These images use attractive and alluring color schemes and resemble alien landscapes used in many science fiction novels and films. There is even use of the made-up term “smartification,” and the IEEE on its website describes the smart city utilizing the word smart in a repetitive and nonsensical manner, as follows:
“A smart city brings together technology, government and society to enable the following characteristics:
– a smart economy
– smart mobility
– a smart environment
– smart people
– smart living
– smart governance …
– smart buildings
– smart transportation
– smart energy
– smart communications
– smart networks”
Naturally, the IEEE also envisions the smart grid as an integral part of the smart city where it states:
“All supporting systems are ultimately tied to creating a smart grid and realizing the benefits it brings about. … Smart cities can only exist with the support of smart grids in a symbiotic way where they share electronics, telecommunications, and information technologies to leverage smart initiatives across all the other areas involved in developing a smart city.”
It should also not go unnoticed that the IEEE is an organization that downplays any possible adverse biological effects of the wireless technologies for which the “smart” world is envisioned by its creators to depend. On its website, the IEEE refers to “an RF-like fabric” nature of the technologies associated with smart cities.
Smart City Vulnerabilities and Risks and the IOActive White Paper
As part of the IOActive white paper entitled, “An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks,” author Cesar Cerrudo and chief technology officer for IOActive Labs emphasizes that:
“There is a huge and unknown attack surface on smarter cities. With so much complexity and interdependency, it is difficult to know what and how everything is exposed. Therefore, simple problems could cause a big impact due to interdependency and chain reactions.”
“In our research at IOActive Labs, we constantly find very vulnerable technology being used across different industries. This same technology also is used for critical infrastructure without any security testing. Although cities usually rigorously test devices and systems for functionality, resistance to weather conditions, and so on, there is often little or no cyber security testing at all, which is concerning to say the least.”
“Systems and technologies vulnerable to attack in a smart city include:
– Traffic Control Systems
– Smart Street Lighting
– City Management Systems
– Sensors
– Public Data
– Mobile Applications
– Cloud and SaaS [Software as a Service] Solutions
– Smart Grid
– Public Transportation
– Cameras
– Social Media
– Location-based Services”
IOActive then states what seems obvious to anyone reading the current news headlines. One can only wonder why the industry groups promoting smart city initiatives seem to ignore the following:
“City technology is vulnerable because almost everything in a city is or will soon be running software inside. For instance, cybercriminals could find a good business opportunity: Charging cities a ransom to regain control of compromised systems and infrastructure. Their message could be: ‘Do you want the smart grid back? Then pay us $100 million in bitcoins’.”
“Terrorism is evolving. People with university degrees are joining extremist groups. They are skilled and can use new technologies to launch terrorist attacks. Nation states are already targeting companies and governments around the world for espionage, cyber attacks, and so on. Nation states have the knowledge and skills to easily attack cities and cause significant damage.”
IOActive Security Services backs up its cyber threat claims by providing specific examples of where systems expected to become part of smart city infrastructures already exist in a compromised state. Last year, Cesar Cerrudo from IOActive Labs demonstrated how 200,000 traffic control sensors installed in major hubs like Washington, D.C., New York, and Melbourne were vulnerable to attack. It was shown how information coming from these sensors could be intercepted from 1500 feet away — or even by drone — because one company had failed to encrypt its traffic. In April of this year, Mr. Cerrudo tested the same traffic sensors in San Francisco and found that, one year later, they were still not encrypted.
“Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia”
The IOActive paper at one point references a popular book on the topic of smart cities, entitled, “Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia.” Browsing through this book, I found several quotes worth repeating. To be clear, the book generally paints a favorable outlook for smart cities as one might conclude by reading the following excerpt:
“For the giants of the technology industry, smart cities are fixes for the dumb designs of the last century to prepare them for the challenges of the next, a new industrial revolution to deal with the unintended consequences of the first one. Congestion, global warming, declining health — all can simply be computed away behind the scenes. Sensors, software, digital networks, and remote controls will automate the things we now operate manually. Where there is now waste, there will be efficiency. Where there is volatility and risk, there will be predictions and early warnings. Where there is crime and insecurity, there will be watchful eyes.”
“All over the world, a motley assortment of activists, entrepreneurs, and civic hackers are tinkering their ways toward a different kind of utopia.”
Of course the use of the term utopia in above sentence (and in the title of the book itself) is already a bit unsettling. The term utopia generally refers to an imaginary ideal society free of poverty and suffering. There is an additional unsettling concept mentioned a few pages later:
“The coming century of urbanization is humanity’s last attempt to have our cake and eat it too, to double down on industrialization, by redesigning the operating system of the last century to cope with the challenges of the coming one.”
Does it seem wise (and smart) to strive for a utopia-like state where we double down on industrialization so we can have our cake and eat it too? Is that what sustainable development is all about? On the contrary, the current course would seem to not only be impractical, but reckless, … given the risks.
The Smart Cities book does elaborate on some of the tremendous risks involved in smart city initiatives including cybersecurity as well as other risks:
“Before it ever comes close to collapse, we might tear down the walls of the smart city ourselves, for they will be the ultimate setup for surveillance. Will smart cities become the digital analogue of the Panopticon, Jeremy Bentham’s 1791 prison design, where the presence of an unseen watcher kept order more effectively than the strongest bars? … As we install countless new devices that record, recognize, influence, and control our movements and behaviors, [the prior whimsical dissent on such devices as surveillance cameras] will seem quaint in retrospection. For as the true value of these technologies for governments and corporations to spy on citizens and consumers alike becomes apparent, the seeds of distrust will bloom.”
“If the history of city building in the last century tells us anything, it is that the unintended consequences of new technologies often dwarf their intended design.”
“The broader challenge to inclusion in smart cities, however, is that by design everyone is left out. Nothing works until they connect, register, and log in — and any Web start-up trying to build a user base will tell you this is a tricky process to streamline.”
“Unfortunately, the risks inherent in smart cities have also snowballed. The Heartbleed security bug exposed in April 2014 showed how sloppy programming can introduce catastrophic flaws into the infrastructure of smart cities. … [and] for instance, the February 2014 breakdown of taxi-hailing app Uber after a California data-center outage. And perhaps no level of alarm about government surveillance of citizens’ communications is unjustified in light of National Security Agency whistle-blower Edward Snowden’s alarming revelations during the summer of 2013.”
“Taken together, these rapid accelerations of the forces at play in smart cities foretell a colossal and potentially chaotic period of growth and transformation.”
Conclusions and Analysis
The conclusions of the IOActive white paper on smart cities concludes:
“The current attack surface for cities is huge and wide open to attack. This is a real and immediate danger. The more technology a city uses, the more vulnerable to cyber attacks it is, so the smartest cities have the highest risks.”
“Actions must be taken now to make cities more secure and protect against cyber attacks.”
Unfortunately, the IOActive white paper and the referenced Smart Cities book do not offer the more obvious and logical suggestion to completely rethink the current strategy of promoting a fully connected world, i.e.,
- A world fully immersed in wireless radiation emissions as part of “an RF-like fabric”;
- A society where all people are subjected to total and complete surveillance of their every movement; and
- A centrally controlled infrastructure where one successful cyber attack or fault could lead to cascading failures and where the entire society may collapse and where most people would die.
There seems to be a mindset even for those experts identifying fatally flawed systems and concepts that somehow these issues can be “fixed.” They cannot.
The reckless and naive forward movement on smart city initiatives reminds me of an article in 2013 at Power magazine discussing the electric grid as the “Achilles Heel of Civilization,” i.e., where unanticipated events can bring down a civilization. A retired Oak Ridge lab scientist suggested at a technical conference in the April-May 2012 timeframe that “the U.S. electric transmission and distribution grid offers a clear path to destruction of our way of life.”
It was further suggested that “one of the best ways to protect the grid is to go into islanding mode,” the deliberate disconnection of sections of the grid to prevent cascading. This idea is considered heretical to the power industry in that it means reverting back to more local geographic operation, the exact opposite the electric industry has gone the past 20 years. I interpret this to mean that we should head in a direction that is “less connected” as compared to “more connected.” This concept makes perfect sense but is considered heretical to the central planners who are predisposed to implement fully connected solutions.
In addition, a good portion of the current momentum towards building smart and connected cities is influenced by industrial interests in the pursuit of the legal tender, all wanting their share of the trillions of dollars forecasted to be spent on smart city initiatives in the years ahead. Their judgment is apparently clouded by money and greed.
So for those who are now aware of the serious issues discussed in this article, it is up to you to share this information with others. It is up to you to help raise the awareness of legislators, local city officials, and those who can truly make a difference in changing the current course that is leading us towards near certain disaster. This disaster will ultimately take the form of a successful cyber attack that will end civilization as we know it. Until then, it will increasingly take the form of a population immersed in potentially dangerous radiofrequency (RF) emissions [A, B] and subject to a prison-like state of total surveillance and control.
Epilogue
To help drive home a point on an issue where the stakes are very high, it can be useful to employ a somewhat dramatic audio-visual aid. I find a curious similarity between smart city initiatives and at least a portion of the content of the 1999 film, The Matrix. In this film most members of the human race lived in a virtual reality and where they did not realize that intelligent machines had taken over the world or what remained of it. Morpheus offered the truth. Below is a short film clip adapted to the smart city issue. There is reference to the “red pill and blue pill” where one chooses to live with either the “truth of reality” or the “ignorance of illusion.”
[The above video contains material used pursuant to the Fair Use Doctrine under 17 U.S.C. 107 and is presented in the public’s interest for non-commercial purposes.]
Source Material for this Article
[1] “An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks,” IOActive Security Services White Paper, by Cesar Cerrudo, April 2015; available at http://wp.me/a3nav9-2PK
[2] “Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia,” by Townsend, Anthony M.; W. W. Norton & Company, 2013, with Epilogue updated in 2014; available at http://www.amazon.com/Smart-Cities-Civic-Hackers-Utopia/dp/0393349780
“Cyber Security in the Smart Grid: Survey and Challenges,” by Wang and Lu, Computer Networks, volume 57, Issue 5, April 2013, pp 1344-1371, http://dx.doi.org/10.1016/j.comnet.2012.12.017
“IOActive’s Global Call to Action: Smart Cities Must Protect Citizens from Emerging Cyber Security Threats,” Company press release, April 8, 2015, available at http://finance.yahoo.com/news/ioactive-global-call-action-smart-130700450.html
“Smart Cities the World over Ripe for Hacking, Expert Says,” The Sydney Morning Herald, at http://www.smh.com.au/it-pro/security-it/smart-cities-the-world-over-ripe-for-hacking-expert-says-20150422-1mr8m1.html
“Your city’s not smart if it’s vulnerable, says hacker,” The Register, at http://www.theregister.co.uk/2015/04/20/smart_city_vendors_blasted_for_dumb_security/
“Developing Exemplary Smart Cities for a Smarter World,” Embedded Computing Design at http://embedded-computing.com/articles/developing-cities-a-smarter-world/
“Frost & Sullivan: Global Smart Cities market to reach US$1.56 trillion by 2020,” November 2014, at http://ww2.frost.com/news/press-releases/frost-sullivan-global-smart-cities-market-reach-us156-trillion-2020
About IEEE Smart Cities at http://smartcities.ieee.org/about.html
“Smartly Opening Up City Data,” IEEE Smart Cities website at http://smartcities.ieee.org/articles-publications/ieee-xplore-readings-on-smart-cities.html
“The Electric Grid: Civilization’s Achilles Heel?,” powermag.com, January 1, 2013, at http://www.powermag.com/the-electric-grid-civilizations-achilles-heel/?pagenum=1
The Matrix (the film), 1999, by Warner Bros., information available at http://en.wikipedia.org/wiki/The_Matrix
—————————–
Here is an additional related article posted a day after the one at Smart Grid Awareness:
- “Watch out: Smart city defenses are not up to snuff,” at http://gcn.com/articles/2015/04/28/smart-city-cyber-risks.aspx
Smart Grid Awareness 
Thanks for another great article.