Defending the smart city: 3 aspects to a holistic security approach
With all the hype around Smart Cities today, you’d think they are ubiquitous. After all, the technology exists, and the idea behind the Smart City is pretty straightforward: make life better for citizens and stakeholders by leveraging high-speed communication networks to power Internet of Things (IoT) devices and “smart” technologies that enhance their standard of living. The benefits are significant and cumulative: traffic data collected by sensors can reveal patterns that help transportation departments alleviate congestion, both in long-term planning and in real-time traffic jams; sources of water leaks can be pinpointed and proactive repairs scheduled; and public safety will improve through smart surveillance measures that assist police, as well as weather monitoring and management, among others. The list goes on, and it’s widely acknowledged that the concept of the Smart City of the future is well on its way to realization.
But even though there are a few high-profile examples (Barcelona, Rio, and Nice), Smart Cities aren’t yet as widespread as one might imagine. Many cities are held up in the complex planning stage. To create a Smart City, related devices, sensors, and networks need to talk to each other, and in many cases, that requires city planners to completely rearchitect their networks. To achieve the operational efficiencies that smart devices and sensors enable, city planners should consider converging the disparate voice, data and video networks often managed by different municipal agencies.
City planners also need to ensure that the Smart City network is secure and stable. An unencrypted smart network and vulnerable devices could put cities or individuals at risk from malicious actors. The integrity of the network is key to ensuring privacy, security and safety. For example, damage to a city’s smart electric grid could make it impossible for residents to obtain power and heat. Hacked traffic lights could cause confusion and cripple transportation, and downed power systems could take municipal computers and networks offline. On a smaller scale, the potential for havoc is no less serious. For example, a smart thermostat or meter could be used as an entry point to all the connected devices on that network, and according to the State of Colorado’s Energy Assurance Emergency Plan (2012), criminals could also “leverage the utilities’ network[s] to break into home networks or vice versa.”
New endpoints lead to new vulnerabilities
With each new endpoint on a Smart City’s network—smart devices and sensors, connected phones, tablets, and more—a new vulnerability is introduced that must be secured to avoid compromising other endpoints connected to that network. To wit, it’s thought that a hacked smart device such as an electricity meter could give a hacker access to the billing data of the entire neighborhood surrounding that meter. Even worse, it would mean access to a large portion of the utility’s network, all the way back to the utility’s IT system. According to the same State of Colorado report cited above, the CIA confirmed that in the U.S., “cyber attacks have been used to disrupt power equipment,” and in at least one case the disruption “caused a power outage affecting multiple cities,” also stating that “all involved intrusions through the Internet.” In addition to smart devices, substations also represent significant cyber intrusion vulnerabilities, as they are often unmanned and their communication protocols may not include cyber security features.
With Smart Cities a likely presence in our future and with the many potential threats to the network they bring, utilities need to adopt a holistic security strategy that protects data where it resides and when it moves, and make sure authentication and authorization practices are up to snuff. Unfortunately, many smart grid planners are not taking this holistic approach to security and are focusing more efforts on perimeter security, not considering the fact that the majority of data breaches are caused (unintentionally or maliciously) by inside actors. Whether from loss or theft of portable devices, unintended disclosure of authentication credentials, or deliberate leaking of information, insider misuse is the leading cause of data breaches, according to the Trend Micro Analysis of Data Breaches from 2005-2015.
There are policies and procedures that utilities must follow with regard to integrated physical and cyber security, including regulations and standards set forth by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). Yet nearly half of respondents to Black & Veatch’s 2014 Strategic Directions: U.S. Electric Industry indicated that they do not have integrated security systems (cybersecurity, physical security, corporate and control system environments). Further compounding the danger is the reality that there is often a lack of “cyber best practices” and new threat detection sharing among utility providers.
Within municipal governments, many agencies operate in silos, with limited venues for sharing relevant knowledge. Not only does this inhibit the government’s ability to remain secure, but in a way it defeats the very purpose of a Smart City: connecting people and organizations to better the lives of citizens.
Protect utility networks with a holistic security approach
Focusing on just one aspect of a cybersecurity solution is a sure way for utilities to put their systems, networks, and customers at risk. A holistic solution should address three main aspects: authentication, authorization and encryption.
Authentication: With authentication, the user and the computer or server both need to prove that they are who they claim to be. The most basic form of authentication is a username and password, but time has proven this basic method to be exceptionally vulnerable. Adding a multi-factor authentication requirement, such as a physical card or a code text-messaged to a mobile phone, or even biometric checks (everything from voice recognition to fingerprint or retina scanners) can improve security. Third-party authentication tools have also proven to be effective.
For many utilities, perimeter security is the focus: keeping intruders out, which is what authentication is designed to do. But, as mentioned above, many breaches begin inside the perimeter—whether as an “inside job” or by someone inadvertently creating a way for outsiders to access databases, individual computers, or anywhere else sensitive data resides. This is a large part of why authorization, on top of authentication, is so crucial.
Authorization: Notably, authentication does not determine what an individual can do or see once inside a server or system. If security measures stopped there, there would be ample opportunity for even low-ranking employees who are on a system to access sensitive data that they should not be privy to. Authorization management systems exist that can ensure a user only sees what they’re allowed to see. Commonly used authorization tools also keep employee- or administrator-only parts of a website blocked off from others on the site, such as a consumer logging in simply to pay a bill.
Encryption: At its most basic, encryption involves scrambling data so that it is unreadable unless accessed by someone who has the decryption key. While encryption is a popular topic in the media today, many organizations are underutilizing it, or using it improperly, so that holes still exist in the protection it affords. For example, most of the focus has been on data “at rest,” with little attention given to data in-flight (or “in motion”), when in reality both are necessary.
Optical and Ethernet encryption solutions at Layer 1 and 2 levels of the network are preferable for securing data in-flight, as they keep intact the full bandwidth of the network—avoiding sacrificing data throughput for the sake of security. Higher layer IP encryption solutions can add latency, reducing data throughput.
An important aspect of any encryption solution is key management. Whether installed by the user on an existing element in a private network, or offered by a service provider, most quality encryption solutions allow end users to manage the keys themselves. One of the most reliable measures of how secure a key management practice will be is how long a key is valid. In short, the quicker they expire, the less opportunity malicious actors will have to access and use them. In practice, this means the most secure encryption keys are those that are generated at initiation of a session, and are automatically rotated (changed) very quickly after initiation (sometimes as quickly as every sixty seconds, giving very little chance for anyone but the intended user to make use of them).
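The short-lived session keys described above, as an added example that is not part of the original article: a key is derived when the session starts and is ratcheted forward every sixty seconds, so an expired key can no longer be obtained. The HKDF-SHA256 ratchet, the class and function names, and the random shared secret (standing in for the output of a key exchange at session initiation) are assumptions made for illustration; the article does not name a derivation method.

```python
import hashlib
import hmac
import os

ROTATION_SECONDS = 60  # rotation interval from the article's "every sixty seconds"


def hkdf_sha256(key_material: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, key_material, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class RotatingSessionKey:
    """Hypothetical session key that moves forward once per rotation interval."""

    def __init__(self, shared_secret: bytes, session_id: bytes, started_at: float):
        self.started_at = started_at
        self.epoch = 0
        self._key = hkdf_sha256(shared_secret, session_id, b"epoch-0")

    def key_at(self, now: float) -> bytes:
        target = int((now - self.started_at) // ROTATION_SECONDS)
        if target < self.epoch:
            raise ValueError("key for an expired epoch is no longer available")
        while self.epoch < target:
            # One-way ratchet: the previous key is overwritten, so a key
            # captured later cannot be used to recover earlier epochs.
            self.epoch += 1
            self._key = hkdf_sha256(self._key, b"ratchet", b"epoch-%d" % self.epoch)
        return self._key


def demo():
    secret = os.urandom(32)  # constructed stand-in for a key-exchange output
    a = RotatingSessionKey(secret, b"session-1", started_at=1000.0)
    b = RotatingSessionKey(secret, b"session-1", started_at=1000.0)
    k0 = a.key_at(1010.0)
    same = hmac.compare_digest(k0, b.key_at(1059.0))         # same epoch, both ends agree
    rotated = not hmac.compare_digest(k0, a.key_at(1061.0))  # next epoch, new key
    return same, rotated
```

Both endpoints compute the same key for the same sixty-second window without sending it over the link, which also matters for the fiber-tapping scenario: a tap sees only ciphertext, and any one key covers at most a minute of traffic.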
Additionally, it’s important to remember that those with unencrypted private fiber networks are not immune to hacks—that’s a common misconception. It’s possible for someone to buy a "fiber clamping device"—legally—and then (illegally) use it to gain access to all that data. Not only does this serve as a reminder that physical security (cameras, fences, physical authorizations, etc.) is important, but that it’s critical to have an encryption solution that protects data in-motion, in case a fiber clamp is introduced.
Leave no aspect unguarded
Authentication, authorization, encryption for data in-flight as well as at-rest, sound key management practices, and physical security are all needed for the utility of today to take a holistic approach to securing its systems and networks as cities become smarter, because criminals are becoming smarter too. Forgoing any one of these aspects of security could be like boarding up all the windows of your home while leaving the door unlocked.
This piece was originally published in Energy Central.