What 'Smart Cities' Can Do To Avoid Getting Hacked

A group of security researchers wants cities to take security seriously as they implement new smart technologies.

If cities want to be smarter, they need to be unhackable.

That's the main message that a group of security researchers is sending to city governments all over the world. The group published a paper on Wednesday listing the guidelines and best practices that cities should follow when implementing smart technologies and the so-called internet of things.

Earlier this year, Cesar Cerrudo, a security researcher from IOActive, warned that while cities embrace new technologies that make them more efficient, such as smart traffic lights, parking and energy management systems, they are exposing themselves to potentially catastrophic cyberattacks. And he would know, given that in the last few years he has exposed hackable traffic control systems and traffic lights.

Now, Cerrudo, along with two co-authors and a dozen contributors, wants to help cities take better care of security before it's too late.

"Technology makes things easier for governments to manage a city and provide a better service," Cerrudo told Motherboard in a phone interview. "But at the same time if they are not secure it makes it easier for attackers to cause a big mess to a city."

To avoid this, Cerrudo and the other researchers have put together a list of recommendations that cover the whole cycle, from the technology selection stage, to the deployment and maintenance of the smart technology. The paper doesn't give set-in-stone rules or a detailed security assessment program, but rather it's a basic guide on what to do and what to avoid.

One of the main problems, for example, is that city governments tend to trust vendors, such as companies that sell smart parking systems, too much, according to Cerrudo.

"The problem is that governments are not paying much attention to security," he said. "They just will believe what the vendor says about security, they won't do any testing."

Instead of blindly trusting, cities should do their own testing and figure out what solutions are better, not just from a functionality standpoint, but also from a cybersecurity standpoint, Cerrudo added.

According to the researchers, cities should require vendors to use strong encryption and implement it correctly, have mechanisms to prevent tampering, push quick updates securely, disable unnecessary functionality, and come configured securely by default—with no easy-to-guess default passwords, for example. (Last year, somebody put up a website broadcasting video feeds from webcams that were easy to hack because they had default passwords.)

The paper also details a series of questions cities should ask vendors when buying their products, guidelines for independently testing them, and advice on how to maintain security once they are deployed.

The researchers hope that cities will pick up the paper and start taking security more seriously, though they're aware that city governments are often cash-strapped and can't afford to do their own security assessments. They also hope more resources will be shifted toward security to avoid costly attacks.

"When you think about critical infrastructure [such as a traffic system], something that is used to run a city," Cerrudo said, "then the impact when technology gets compromised is really big, because it will impact hundreds and sometimes millions of people."