It is the phone call that everybody fears: the dreaded news that your city has been hacked. Amid a spate of public and private sector cyber-attacks, there is a grim acceptance by local government Chief Information Officers (CIOs) that the likelihood of being targeted is a matter of “when” rather than “if”.
On a recent online Cities Today roundtable, US CIOs shared the cybersecurity scenarios that are, as one put it, “haunting my dreams” and more importantly, what they’re doing about them.
User education is critical, with people identified as often being the ‘weakest link’ in the chain. Other key priorities include advanced detection tools, new procurement processes, two-factor authentication and layered security systems.
Several ransomware attacks – many initiated by email phishing – have wreaked havoc on city systems already, shutting down essential public services and costing millions of dollars. The emerging threat of attacks which also target physical infrastructure is scarier still.
The world was given a chilling glimpse of this in February when someone broke into the computer system of the City of Oldsmar’s water treatment plant and tried to remotely raise chemicals to unsafe levels. This was thwarted by an operator and the city said checks were in place which would have prevented the water from being released. Still, blood ran cold in government offices in the US and beyond.
As more city infrastructure becomes connected via the Internet of Things (IoT) and interdependencies increase, the risks are growing. Experts have highlighted the potential impact of hacked connected infrastructure – such as smart traffic lights, for example. Emergency alert systems and video surveillance tools have also been flagged as among the most risky but others could be attacked too, including connected streetlights.
Against this backdrop, cities, along with technology partners, are doubling down on cybersecurity in several key areas to mitigate these threats.
Creating a segmented infrastructure, with the operational network separate from the IoT network is a priority as cities upgrade their systems, as well as protecting remote access.
Within IoT, cities are also evaluating which systems relate to critical infrastructure and which are simply sensing – air quality, for instance – and having specific separate strategies to handle each of these based on risk.
Cybersecurity threats are also driving new centralised procurement processes, including mandatory architecture, security and user experience reviews that must take place before any software-as-a-service (SaaS) products or smart infrastructure solutions can be approved.
Cities agreed that frontline workers remain the first line of defence. Measures to address this include mandatory cybersecurity training and phishing email testing with staff. This is particularly important as Angelo Consoli, Professor and Head of Cybersecurity at the University of Applied Sciences of Southern Switzerland (SUPSI), noted that the tactics used by hackers are becoming more sophisticated, with an increasing number of cyber-attacks using at least one social engineering component. This could include using email or chat to convincingly pose as a friend or trusted organisation to deceive people into taking action such as clicking a malicious link or sharing details.
One CIO said they’re not averse to sharing “really scary security stories” with their team to impress upon them the importance of vigilance.
Security by design
Nicola Crespi, Chief Innovation Officer at Paradox Engineering, urged cities to take a ‘security by design’ approach to IoT networks.
He said cities must “move away from the conventional ‘bastion defence’ paradigm and inject cybersecurity into IoT from the very inception.”
He said 100 percent cybersecurity is “an impossible goal, unless we fully give up on innovation and digital transformation” but that we must be 100 percent “cybersecurity aware”. This means focusing on risk mitigation and making cyber-attacks economically unattractive and too time-consuming.
There is only so much cities can do alone, though, and several called for more federal investment and support to bolster systems to protect everyone. With infrastructure-focused funding on the table and the Biden administration’s attention on cybersecurity in light of recent high profile attacks such as SolarWinds, Microsoft Exchange and the Colonial Pipeline, it is hoped that a more collaborative approach is on the way.