When we think of smart cities, visions of a utopian hyper-connected world may come to mind. But there’s a dark side: Critical city infrastructure connected via sensors and IoT networks is vulnerable to hacking.
When essential infrastructure such as hospitals and emergency alert systems are hacked, a planned dream city could end up becoming a nightmare.
City planners globally, meanwhile, are barreling forward with smart city projects, and Middle East municipal authorities are no exception. In fact, if all goes as planned the Middle East is destined to host some of the most advanced smart cities in the world.
The impetus to build smart cities stems from the swell of urban populations and the emergence of IoT – networks of connected devices that collect information and provide a stream of data that can be analyzed and acted on. The U.N. expects that by 2050, 68 percent of the world’s population will live in urban areas. By 2020, the number of IoT devices will spike from 8.4 billion today to 20 billion, according to the World Economic Forum.
What is a smart city?
A smart city integrates components such as sensors with IoT networks as well as information and operational technology to monitor and control infrastructure, devices and the flow of data, with the overall goal of improving the standard of living for residents.
For city leaders, the returns on investment are many. The most common drivers for smart cities are urban planning, sustainable energy, transport optimization, social integration and attracting high-value talent.
Smart cities have both great risks and great potential, said Nick Lim, a managing director at software vendor and consultancy Micro Focus. “While one small security gap in such a large information technology environment can provide enough attack surface for nefarious agents to infiltrate the network, the hyper-connected nature of smart cities also presents an opportunity for governments to integrate new technologies on a large scale quickly,” Lim said.
The threat is not theoretical. Real-life examples include the 2015 attack on the Ukraine power grid which impacted 30 substations, resulting in 230,000 people without electricity. In 2017, an attack on Dallas resulted in the activation of 156 emergency sirens, leading to a city-wide panic around midnight. For cities, the financial, reputational, and societal damage can be astronomical.
Middle Eastern smart cities multiply
The desire to create a better urban environment is nevertheless fueling many Middle East smart city projects. Announced in 2017, Neom is the US$500 billion megacity green-lit by Saudi Arabia, located near the Red Sea. Later that same year, Kuwait pledged $4 billion to create the ecofriendly Saad Al-Abdullah with the help of a consortium of South Korean construction companies. The following year, Qatar announced that Lusail would be the first city under Project Qatar 2020 to offer citizens and residents with applications involving infrastructure, energy, mobility, utilities, and more.
Since 2016, the United Arab Emirates has been working on integrating IoT devices and networks for Dubai, Sharjah, and Abu Dhabi, while the Sultanate of Oman is in the process of doing the same for the city of Muscat.
While Neom is a new city being built on the Red Sea, which means it will feature new operational technology and compatible IoT devices, the smart city initiatives in the UAE depend on integrations with legacy systems, potentially causing interoperability issues and increasing security risks.
Meanwhile, portability, speed, and an open license means that Linux is the preferred operating system of choice for IoT. Since the emergence of smart city initiatives worldwide, however, Linux malware has gone from unheard-of to rivaling that of Windows malware in frequency. To make matters worse, the antivirus market for Linux-based systems is not as sophisticated as that for Windows systems.
5G security worries arise
Superfast 5G mobile technology is likely to be critical in accelerating the effectiveness of smart-city networks, but issues related to the security of equipment from different manufacturers, particularly Huawei, have cropped up. The U.S. government is worried that the Chinese government could order Huawei to gather intelligence using its 5G equipment in the Middle East. But similar risks, some critics of the U.S.’s attitude have said, may be true when working with any 5G equipment provider.
Middle Eastern countries do not appear to share the U.S. government’s concerns. Shortly after setting up a 5G Ecosystem Programme in 2018, Huawei announced in early 2019 that 50 operators, vertical industry partners, and industry leaders from the Middle East were actively on board to bring 5G applications to a range of industries in the region.
As smart city infrastructure is built out, security teams need to begin with the worst-case scenario in mind, understanding risks and how to remediate them, said Kevin Gallerin, a managing director at YesWeHack, a bug bounty initiative that pays security experts and white-hat hackers to find system vulnerabitilies.
“If we want to future-proof our smart cities, the best solution is to have the largest pool possible of security experts who are working exhaustively to check every access point,” Gallerin said.
But even if multiple CSOs and security researchers are assigned to test a particular IoT infrastructure, they can still miss a critical vulnerability. Cities need a variety of approaches.
Security personnel should aim to collaborate
“Heads of facility security must be engaging with chief information security officers regularly, and smart cities must segregate their Internet of Things devices from primary networks,” said Tom Kellermann, chief cybersecurity officer at cybersecurity company Carbon Black. Overall, greater visibility into sprawling IoT networks is needed is needed, Kellerman said, adding that security official should consider using tools such as osquery, which allows SQL queries to be used to monitor IoT OSes.
Security teams need to be proactive in conducting regular compromise assessments across IoT infrastructure and the entire information supply chain, Kellerman said.
Robotic automation solutions (RAS) could be deployed across IoT networks to take over error-prone tasks, automate patch management and necessary software updates, as well as collect and provide data to a centralized security management platform for real-time insights, Micro Focus’ Lim said.
Middle East CISOs haven’t been sitting still, however.
“The recent rise of cybersecurity attacks in the Middle East have resulted in Chief Information Officers and Chief Information Security Officers relooking at their existing security architecture and upgrading their tools and processes to mitigate risks,” said Santhosh Rao, a senior director analyst at Gartner in the UAE. “The same is true for smart city projects, particularly that involve IoT devices.”
While selecting the right vendors and technology is key, ensuring that the solution is designed correctly is critical, Rao added. Other security experts agree.
Building security into system design
“Modern-day security requires an investment shift away from trying to prevent breaches at all costs and towards building intrinsic security into everything – the application, the network, essentially everything that connects and carries data,” said said Ahmed Auda, managing director of the Middle East, Turkey and North Africa at VMware. “Breaches are inevitable but how fast and how effectively you can mitigate that threat is what matters.”
Carbon Black’s Kellermann cautioned, however, that hackers and cyberattackers have begun to fight back when detected, and traditional security approaches may in fact be too quick to react. “Based on Carbon Black’s latest incident threat report, more than half (56 percent) of incident response professionals said that adversaries are deploying destructive tactics when detected, Kellerman said.
When discovered, hackers may destroy event logs or even whole systems to hide their tracks and prevent security teams from identifying them.
Cybercrime now requires a stealthier approach, Kellerman said, suggesting that organizations deploy a cognitive attack loop — a security strategy that encompasses the capabilities of the team to detect, deceive, divert, and contain the attacker.
“Instead of switching the lights on and calling the attacker out immediately, security teams should first lay low and watch the attacker, as their behavior patterns reveal their intent,” Kellermann said.
Cities need security talent
Ultimately, cities in the Middle East must nurture a skilled community of IT talent that helps smart cities advance their capabilities and deliver on national priorities while protecting citizen data. Government agencies can tap into crowdsourced white hat hackers who have an understanding of how malicious actors work, YesWeHack’s Gallerin said.
“Smart cities must retain the trust and confidence of their citizens, especially as financial or healthcare data grow increasingly lucrative, and state-sponsored attacks rise in aggression,” Gallerin said. “We can never get too smart.”
By bolstering security capabilities to address the ever-evolving techniques of modern cybercriminals, cities and enterprises in the Middle East can help prevent vital networks from being infiltrated and ensure a city is adequately protected.