Enabling citywide cybersecurity: Lessons from Dallas

Late in the night on April 7, Dallas was kept awake by the sound of citywide emergency sirens being activated again and again. Initially, it was thought to be a computer hack, but later the nuisance was attributed to someone with a radio that broadcast specific tones and activated the sirens.

Dallas has not taken any chances for the siren system to be messed with again. In a press release following the incident, Dallas' Office of Emergency Management said that security had been put in place for the 155 siren sites and now have "constant encrypted communication."

Of course, the siren system in Dallas isn’t the only system with vulnerabilities. Earlier this week, a hack that started in Ukraine and spread internationally crippled systems from e-mail to ATMs to the computers helping in monitoring radiation at Chernobyl. Cybersecurity is such a ubiquitous problem that Girl Scouts can now get badges for it.

For cities with so much public safety and mission-critical infrastructure, the stakes are even higher to keep digital assets safe. Already, electricity grid operators in the U.S. experience near constant cyberattacks, with one utility recording approximately 10,000 cyberattacks a month. But that’s nothing compared to Israel’s electric utility, which records an average of 6,000 attempts every second.

Cybersecurity is such a ubiquitous problem that Girl Scouts can now get badges for it.

Smart Cities Dive

Cybersecurity issues can come up when installing new "smart" systems or trying to upgrade systems to make them smart. Those smart systems may include connecting traffic lights to dedicated short-range communications radios for better traffic control, or IoT for waste management. With more than 80 cities expected to be smart by 2025, problems are only going to grow.

"80% of deployed systems today are not connected," Sameer Sharma, global general manager of Intel's IoT Smart Cities Group, told Smart Cities Dive.

The first problem cities run into when connecting the unconnected is that some of these devices were never designed to be connected, and don’t always have a clear method of security.

"They are more useful but in some ways they become more vulnerable," Sharma said.

Once those systems are installed, there are a whole host of vulnerabilities. In a paper titled "The (in)security of smart cities: vulnerabilities, risks, mitigation and prevention," two cyber security researchers broke down all the common ways that cities are hacked. The problems include weak software security and data encryption; insecure legacy systems and poor maintenance; large, complex and diverse systems, with many interdependencies and large and complex attack surfaces; interdependencies creating cascade effects and human error and deliberate malfeasance of disgruntled (ex)employees.

There are so many vulnerabilities and weak spots that guarding against them all is impossible. Even if systems were once secure, systems can be put at risk if updates aren’t installed promptly.

"People talk about [updates] being a great weak underbelly of our infrastructure," said Rick Gordon, a cybersecurity investor.

One of the problems is vendors not communicating effectively about the updates, or not offering them at all. Vendors, especially smaller startups, aren’t always focused on security, yet implementing security correctly right out the gate is the best way to protect critical systems.

"We believe the security has to be built in," Sharma said. "It can’t be built on."

Best practices

The industry knows it must be proactive on cybersecurity. Earlier this year, Microsoft called for a digital Geneva Convention to tackle cybersecurity problems with a global perspective, as many attacks cross international borders and need cooperation to solve.

There are also many ways to mitigate risks. Some are obvious like strong cryptography, automating system updates and having alerts for unusual events built in. Limiting human error, from bad passwords to mitigating fishing scams, is also a way for cities to strengthen systems.

From blockchains to multi-factor verification, technology is also offering solutions to the exact problems that technology causes. One of these solutions is open standards, or best practices and tools developed by a large group of stakeholders. Sharma describes open standards as creating a system that allows critical upgrades to be deployed widespread. Along with future proofing, open standard enables transparency.

Segmentation, or micro-segmentation, is another new solution. Breaking down digital systems into segments makes hackers take over systems piecemeal and a much slower process.

"It’s going to be a big boon for security," Gordon said.

Non-technological solutions for technological problems might be the last line of defense, such as kill switches, or reset buttons that have to be activated in person. It might not be as easy as clicking something on a computer, but physically flipping a switch can be a great failsafe.

"While it certainly isn’t efficient, it’s important," Gordon said. "And it’s doable."