Danny Bradbury investigates how cities can protect themselves against ransomware as they prepare for the smart city revolution
The past five years have seen over 400 US cities and country governments suffer ransomware attacks. These digital assaults have crippled emergency response operations and brought administrative systems to a standstill, often forcing bewildered officials back to using pen and paper. So how do we ensure that these attacks don’t hit us even harder as we prepare for a smart city revolution in which connected systems increasingly manage critical municipal infrastructure?
A New Class of Smart City
“A smart city is any municipality that is using various forms of internet of things (IoT) technology to augment and supplement the services that it provides to its constituents,” says Patrick Miller, managing partner at critical infrastructure protection services company Archer International. They’re on the rise as officials adopt this technology in droves, driven by the promise of efficient operations and better services. ResearchAndMarkets expects the global smart city platforms market size to grow from $156.1bn in 2021 to $258.2bn by 2026, at a CAGR rate of 10.6%.
This increase in IoT usage creates additional problems, warns Chris Grove, product evangelist at security company Nozomi Networks, which specializes in securing the operation technology (OT) and industrial control system (ICS) infrastructure that handles everyday tasks from water delivery to traffic management.
Companies face an uphill struggle securing these assets as they become more connected, Grove notes. “All that resiliency that they’re trying to build in as fast as they can, and as cheaply as possible, has challenges,” he says. “In many cases, you can have it fast, cheap or secure – pick two.”
Cities often opt for cheap, Miller agrees. They’ll go for the lowest cost devices and connectivity often purchased from multiple vendors. That often leads to less frequent security updates, he adds.
While this can make it difficult to standardize security, he adds that it might have an upside. An array of technologies from multiple vendors, rolled out in a patchwork by different municipal agencies over time, makes it harder to attack a network.
What does any of this have to do with ransomware, which typically locks up data in file servers far from programmable logic controllers in traffic lights and air sensors? While extortionists have focused mostly on enterprise IT systems, there are signs that attacks on OT are becoming easier. In 2020, Mandiant noted a rise in the number of open-source exploit tools for ICS. These enabled the compromise of infrared communications, low-powered radio for wireless mesh networks, hardware, specialist software, software exploitation and network discovery.
Only 1% of these tools were ransomware. Still, traditional file-encrypting, data-stealing tools aren’t the only way to extort cities, warns Lawrence R. Rogers, principal engineer in the CERT division at Carnegie Mellon University.
"All that resiliency that they’re trying to build in as fast as they can, and as cheaply as possible, has challenges"Chris Grove
“Ransomware is typically not the initial attack,” he says. Attackers can get into a smart city’s systems using whatever exploit works. Once in, they can extort a city using the most damaging threat. “Whatever creates the most amount of need for an organization to pay the ransom,” he warns.
What Could Future Smart City Extortion Look Like?
Before joining IoT asset management company Armis as CTO, Sachin Shah spent over two decades at Intel managing smart building technology systems at almost 800 extensive facilities around the globe. He looks at three pillars of risk with smart city systems.
The first and least serious is the financial impact, whether through payment of a ransom or the cost incurred by not doing so.
Another is the potential for intruders to cause environmental havoc, perhaps by manipulating the flow of chemicals or water. An example could include a threat to dump sewage into a stream, incurring environmental damage and regulatory fines, says Grove.
Last and most serious is life safety, where criminals could launch an attack that causes human harm. That might include causing accidents by tampering with traffic systems or perhaps delaying emergency services and preventing the delivery of critical care.
The federal government has been concerned enough about potential attacks to warn utilities. In October 2021, the Environmental Protection Agency (EPA) joined the FBI, CISA and the NSA in issuing an advisory warning of threats to US water systems after multiple incidents.
Several of these attacks involved ransomware that made its way onto water management infrastructure. Last March saw a ransomware attack against a wastewater system in Nevada. In July, staff at a similar plant in Maine had to operate manually until they could clean up a ZuCaNo ransomware infection on a supervisory control and data acquisition (SCADA) server. In August, a Ghost ransomware attack against a wastewater facility in California caused SCADA servers to display ransomware messages.
In the last couple of years, real-world events hint at potential attacks on city infrastructure that go beyond ransomware. For example, Israel fended off attacks on its water systems from Iran, ranging from minor incidents where agricultural pumps were shut off to more significant attempts at flooding water supplies with chlorine, which officials said nearly succeeded and could have made hundreds sick.
Miller warns against too much hand-wringing over water system attacks. He says that the physical dimensions of pumps, vats and valves make it harder than people think to flood a water supply with surplus chlorine. “There would be impacts, but they’re just not on the scale of killing thousands of people,” he says. “Yet, it’ll still be enough to get people’s attention.” At the very least, it could deny a city the ability to manage its water system automatically, sending it to manual mode.
He is more concerned about the marriage of cyber and kinetic attacks, using the detonation of a dirty bomb as an example. If an attacker takes out a city’s essential services, like 911 emergency call transmissions and traffic control, that would add “an enormous amount of chaos to an already bad situation,” warns Miller.
"If an attacker takes out a city’s essential services, like 911 emergency call transmissions and traffic control, that would add an enormous amount of chaos to an already bad situation"
There are other attacks to be aware of, which are less critical but still severe, warns Theresa Payton, CEO at security services company Fortalice and a former CIO at the White House. “Attackers could lock up smart infrastructures such as intelligent thermostats controlling energy that heat and cool schools,” she says. She recalls a software glitch in Google Nest thermostats that drained batteries and left schools manually adjusting heat and air. “Attackers could also lock up smart infrastructure that powers autonomous delivery vehicles,” she warns.
In 2016, UK security company Pen Test Partners made a proof of concept ransomware for thermostats. As far back as 2006, researchers hacked into traffic light systems, demonstrating the potential for traffic disruption. Academics have also shown how compromising just one in 10 autonomous vehicles could bring a large city to its knees.
Payton warns that an IoT device might not be the target of an attack but merely a conduit into the broader IT infrastructure. “Ransomware syndicates continue to focus on locking up servers, apps and data,” she says. “We have shown executives in both the public and private sector how IoT blends into their surroundings but can be an access point for cybercrime, including ransomware. In one ethical hacking exercise, we gained access to an enterprise using the toehold we gained through the IoT fish tank in an executive’s office.”
With IoT bridging the air gap between OT and IT systems, if attackers find a way in through a vulnerable Wi-Fi access point or gateway, they could launch the kinds of traditional ransomware attacks that have devastated cities for years.
Shoring up Smart City Defenses
How prepared are municipalities to deal with this threat as they modernize their infrastructures? Miller says that some cities are refusing to pay and doing their best to fix their IT instead, especially as insurance companies grow stricter on the protection requirements for cybersecurity policies.
In 2019, the US Conference of Mayors signed a resolution vowing not to pay ransoms, but as the stakes increase, not everyone is convinced that commitment will stick. “Common sense tells me that that’s a nice going-in strategy until the rubber hits the road,” muses Rogers.
Smart city infrastructure entails a transition from managing OT physically to handling it remotely, he adds. That represents a steep learning curve for many small cities. So while municipalities are eager to take advantage of smart city technologies, they’re often ill-equipped to protect them, warn experts.
“These are some of the lowest paying jobs out there. You’re doing this in a lot of cases because you want to be a public servant or you believe in the greater good,” Miller explains. That leaves many cities and counties without the expertise they need to stop the hackers.
"The White House’s infrastructure bill, signed into law in mid-November, devoted funds to securing systems in municipal and state government, including utilities"
Faced with these challenges, how can smart cities avoid making dumb mistakes?
“From an audit standpoint, you can incorporate some sort of security monitoring and analysis,” Shah says, but warns that traditional IT monitoring systems might not translate to low-footprint networks of IoT devices. This new scenario calls for passive monitoring without the use of endpoint software agents, he says.
Those devices must also be equipped with firmware integrity and secure boot technology and should have mutual authentication capabilities so that they can verify sessions with each other, he warns. Segmenting infrastructure properly, always advisable in IT environments, also becomes even more critical in an IoT scenario where thousands or even millions of devices might manage a plethora of different processes across city operations. Segmentation could stop someone from accessing your traffic control system from a streetlamp’s mesh Wi-Fi access point.
Buckle Up
Cities face an uphill struggle as they attempt to balance the benefits of connected technologies with the potential risks of security attacks. Few smart cities are built from scratch. Instead, new IoT technologies must integrate with legacy OT and IT systems, creating potential security gaps.
To surmount these challenges, officials will need help. The White House’s infrastructure bill, signed into law in mid-November, devoted funds to securing systems in municipal and state government, including utilities.
Cities need to find a sweet spot where their connected systems are secure while still being usable enough to let data flow, Miller concludes. “That is a tough and expensive target to hit, so giving them money and additional resources to try to find that spot is a phenomenal idea.”