By Oliver Yule-Smith.

Much of the current excitement about the Internet of Things (IoT) focuses on how we as individuals increasingly embed internet-dependent devices in our lives to make them easier. However, there is a much more prevalent, though of late less discussed, practice of using this same IoT to run our cities. This IoT automates our traffic systems, runs our metros and surveys our streets, bringing us ever closer to the Smart Cities of the future. Unlike the use of the IoT by individuals, however, this does not involve an active choice, such as the purchase of IoT technology for a household: the wider public does not have a say in the increasing digitisation of the city.

In the same way that individuals’ increased acceptance of the IoT into their lives involves greater security risks, so too does a city’s use of this technology herald increased risks. You don’t need to look far for examples of this. Last November the San Francisco Municipal Transportation Agency was hacked with ransomware, with the attackers extorting the San Francisco Municipality for the safe return of its rail system. As a result of this hack, riders of the light transit system were able to ride for free. Whilst an economic issue for the San Francisco Municipal Transportation Agency, the hack was generally not threatening for railway users. However, the hacking of Ukraine’s power grid last year provides a more nefarious example of threats to cities. Whilst the identity of the hackers is unclear, the scale of the operation and a simple cui bono explanation would quickly point the finger at the Russian state or patriotic hackers who have a vested interest in Ukraine’s demise. This attack was able to knock out 30 substations, leaving 230,000 residents without power for close to 6 hours. It is easy to say that this is a result of weak investment in cyber security in Ukraine and a case in point of poor cyber hygiene, but it is worth noting that, according to sources for Wired magazine, “the control systems in Ukraine were more secure than some in the US”.

Cities have thought about aspects of this potentiality by, for example, ‘air-gapping’ certain IoT systems or using an intranet to prevent direct contact with the internet. For their part, the San Francisco Municipal Transportation Agency will wish that they had backup systems NOT connected to the internet. However, with the closing of the gap between what is provided by the public sector and what is provided by the private sector in cities, there is a need to ensure consistent security standards across internet-dependent systems, particularly those that are automated. This can come about through the use of security regulatory agencies, education on good cyber hygiene and the use of regular security audits.

Ultimately, all technological advances present opportunities as well as challenges. Increasing digitisation brings increased efficiency and opportunity into our lives, but it is clear that the challenges, in the form of intrusion vulnerabilities, must be mitigated. Unlike an individual’s use of the IoT, a city’s increased use of the IoT cannot be managed single-handedly. It requires active engagement by residents and security professionals to bring about not just smart cities but secure cities.