Is it possible to build secure smart cities?

By Phil Beecher
Phil Beecher, President and CEO of Wi-SUN Alliance, discusses if smart cities can be built to be 'secure by design'

IoT technologies are finding their way into every part of our lives, from factory production lines, to smart home applications and smart city design. Security-by-design and open standards should be the guiding principles when building IoT systems. These will not only help to minimise cyber risk, but can also speed time-to-market and drive cost efficiencies.

We are in a new era of creating and building smart cities. Yet as connectivity and computing power is distributed more widely across large-scale outdoor networks, threat actors will scale-up their own operations. A Nokia report last year shows that internet-connected, or IoT, devices now make up around a third of infected devices, up from 16% the previous year. The report’s findings are based on data aggregated from monitoring network traffic on more than 150 million devices globally.

Weak passwords, vulnerabilities and insecure networks continue to blight deployments, providing attackers with an opportunity to sabotage critical infrastructure, hold organisations to ransom and steal sensitive data from connected networks. Perhaps the first example of this was in the 1969 film, The Italian Job. Traffic on the streets of Turin is brought to a standstill as a criminal gang sabotage the ‘smart city’s’ traffic signalling and camera surveillance network.

 

 

Unfortunately, real life is worse and we are already seeing the impact of cyber attacks. Earlier this year, we saw an attack on a water plant in Oldsmar, Florida designed to poison residents’ drinking water. More recently, a hack was able to take down the largest fuel pipeline in the US, leading to shortages across the East Coast.

In this context, engineers and developers must focus on developing a robust security architecture based on two key elements: device authentication and encryption.

Each device must be uniquely identifiable so that it can be authenticated effectively when joining a network, and able to prove that it has not been tampered with or hijacked with rogue code. Digital certificates embedded in each device are the best way to achieve the former. Passwords should be avoided at all costs as they can be easily stolen or cracked.

All secure devices must contain a private key, but this is also an Achilles heel from a cyber risk perspective. How can you mitigate against this? Consider a Hardware Secure Element — a chip designed specifically to protect against unauthorised access, even if the attacker has physical access to the device, as is often the case with IoT.

Another technique to prevent tampering is the Physical Unclonable Function (PUF). Here, a ‘fingerprint’ is derived from the unique characteristics of a piece of silicon. This can then be turned into a unique cryptographic key and used as the chip’s root key. The advantage here is that no additional hardware is needed to store the key securely, and that it becomes invisible to hackers when the device is powered off.

But don’t forget encryption. At Wi-SUN Alliance, we build AES encryption into radio chips to scramble messages on the fly, reducing power consumption and processor overhead, while maximising data security.

It’s also worth considering network topography at the design stage. Mesh networks offer several advantages over star (or hub and spoke) networks. More reliable because data can be re-routed a different way if devices lose contact with each other. Transmissions are typically made over shorter distances so there is improved power efficiency and performance. With Wi-SUN we have frequency hopping functionality that makes it difficult for an attacker to deny service by jamming signals.

The final piece is to focus efforts on open, interoperable standards. From a security perspective, this means specs will be mature and reliable, stress-tested and verified by many users, and vulnerabilities are quickly detected and remediated.

From a hardware perspective, following open standards can speed time-to-market, keep costs down and also ensure products are usable with a variety of manufacturers’ processors and radios. There will be a whole host of existing publicly available protocol stacks, design information and reference implementations to help build and future-proof secure products.

As smart cities and smart utilities continue to evolve and large-scale corporate IoT networks continue to grow, so will the attention of those looking to bring them down or hold the to ransom. Security-by-design must be non-negotiable when designing and building them.

Share

Featured Articles

WFH initiative drives Spotify’s 15% drop in attrition rate

After the recent implementation of its “work from anywhere” model, Spotify has achieved a 15% reduction of its attrition rate, compared to 2019

Female mobile voice assistants - what needs to change?

In the years following UNESCO’s ground-breaking report, highlighting the problematic nature of mobiles’ female voice assistants, how much have we learned?

How well do telecom customers understand the benefits of 5G?

According to a new report, the majority of customers don’t understand how 5G can benefit key telecoms technologies, including IoT and reliable service

Enhancing mobile app technology with artificial intelligence

Technology & AI

Mazars and CENSIS partner to boost cybersecurity diversity

5G & IOT

50% say the best service comes when threatening to switch

Mobile Operators