by Ishan Bhattacharya

Securing Smart Cities a Work-in-Progress: Security Vendors

Mar 31, 2015 · 5 mins
Compliance, Cybercrime, Energy Industry

It is important to understand and address vulnerabilities associated with IoT in its early stages as companies cannot fully rely on IoT vendors to patch vulnerabilities and protect against all attack vectors.

‘Think before you leap’ is a phrase that one can comfortably associate with India’s ambition of building 100 smart cities by empowering them with IoT devices in every nook and corner. That’s because India has a habit of noticing loopholes a bit too late in the day. If our government does not ensure that the enormous amount of data generated by smart cities will be safe, the project will remain an ambiguous two-faced creature.

There’s no doubt that with smart cities there will be terabytes of data exchanged between devices flying in and out of datacenters, presenting a truly massive attack surface for hackers to exploit, says Rajesh Maurya, country manager, India and SAARC, Fortinet. And that’s true to a large extent. Consider a 2014 KPMG cybercrime survey, which revealed that 49 percent of Indian respondents have experienced cyber-attacks and that the number is actually increasing year-on-year. Although the concept of smart cities is yet to take off, we can imagine the number of cyber-attacks that they would fall victim to, owing to their enormity and management issues.

“Cyber criminals are today trying to exploit this as an area. Threats grew in the mobility space as more people began becoming a part of the connected world,” says Ambarish Deshpande, MD, Blue Coat. Therefore, cyber-attacks on smart cities should not come as a surprise to us. Deshpande feels that what happened with mobility will happen with IoT as well. Every device will have an Internet protocol, and smart cities will have users connected to each other like never before. “And every time such things are established cyber criminals will look for opportunities to create chaos,” he says.

That’s something that Sanjay Rohatgi, VP, India, Symantec, agrees with. “Like any other ICT environment, cities can experience different types of cyber-attacks. As systems grow more complex, become more interconnected and handle more information, their exposure to vulnerabilities increases, whether due to malicious intent or human error,” he says.

One way to fix this is to ensure that security vendors play an active role in IoT and smart cities. The architects of smart cities have to build in security from the design level itself, as Deshpande rightly points out that “security cannot be an after-thought in this case.” While that’s true, Fortinet’s Maurya says, another problem is that in this early stage of development of IoT, vendors do not focus on security because of the cost factor. “Also the embedded operating systems they use are usually not patched on a regular basis,” he says.

Even so, it is definitely not impossible to secure smart cities. It is important to understand and address vulnerabilities associated with IoT in its early stages, as companies cannot fully rely on IoT vendors to patch vulnerabilities and protect against all attack vectors. “Recognize the need for actionable threat intelligence as attacks are becoming more evasive and can circumvent traditional perimeter protection such as next-generation firewalls and unified threat management devices,” says Maurya. That’s important because, according to Maurya, most IoT devices, like printers or webcams, wouldn’t come with antivirus control, but even if they did, the size and diversity of the IoT ecosystem would make the process impossibly complex to manage. “This makes IoT a low hanging fruit for hackers to exploit,” says Maurya.

Another best practice, according to Deshpande, is that while using IoT devices or the benefits of smart cities, it is advisable to be extremely careful about the location from where one is using a sensitive application. Also, vendors say, the government should look for technologies that focus on discovering unknown threats that have tried or are trying to enter their networks.

A significant point that Maurya highlights with regard to security is the formulation of a good incident response process. “No matter how much money is spent on security, no organization is 100 percent secure from breaches. There should be an incident response plan to ensure you have processes, procedures and skilled resources to quickly identify and mitigate threats as soon as they hit a network,” says Maurya.

Apart from securing networks, it is equally important to ensure that our mobiles and laptops are capable of recognizing rogue applications. “Developing an end-to-end framework to manage critical infrastructure, promote compliance, mitigate fraud, and protect privacy are important steps in the right direction towards building resilient smart cities that will set new benchmarks in urban development,” says Symantec’s Rohatgi.

To sum up, security, when it comes to smart cities, is still a work-in-progress. The government and security providers need to work in tandem to ensure security. Otherwise the smart city project could remain an ambiguous two-faced creature trapped in the new-age threat environment.