By Zac Amos

Critical infrastructure like electrical, emergency, water, transportation and security systems are vital for public safety but can be taken out with a single cyberattack. How can cybersecurity professionals protect their cities?

In 2021, a lone hacker infiltrated a water treatment plant in Oldsmar, Florida. One of the plant operators noticed abnormal activity but assumed it was one of the technicians remotely troubleshooting an issue.

Only a few hours later, the employee watched as the hacker remotely accessed the supervisory control and data acquisition (SCADA) system to raise the amount of sodium hydroxide to 11,100 parts per million, up from 100 parts per million. Such an increase would make the drinking water caustic.

The plant operator hurriedly took control of the SCADA system and reversed the change. In a later statement, the company revealed redundancies and alarms would have alerted it, regardless. Still, the fact that it was able to happen in the first place highlights a severe issue with smart cities.

The hacker was able to infiltrate the water treatment plant because its computers were running on an outdated operating system, shared the same password for remote access and were connected to the internet without a firewall.

Deadly exposure

Securing critical infrastructure is crucial for the safety and comfort of citizens. Cyberattacks on smart cities aren’t just inconvenient — they can be deadly. They can result in:

•Injuries and fatalities. When critical infrastructure fails, people can get hurt. The Oldsmar water treatment plant hacking is an excellent example of this fact, as a city of 15,000 people would have drank caustic water without realizing it. Malicious tampering can cause crashes, contamination and casualties.

Amos

•Service interruption. Unexpected downtime can be deadly when it happens to critical infrastructure. Smart security and emergency alert systems ranked No. 1 for attack impact because the entire city relies on them for awareness of impending threats like tornadoes, wildfires and flash floods.

•Data theft. Hackers can steal a wealth of personally identifiable information (PII) from smart city critical infrastructure to sell or trade on the dark web. While this action doesn’t impact the city directly, it can harm citizens. Stolen identities, bank fraud and account takeover are common outcomes.

•Irreversible damage. Hackers irreversibly damage critical infrastructure. For example, ransomware could permanently encrypt Internet of Things (IoT) traffic lights, making them unusable. Proactive action is essential since experts predict this cyberattack type will occur every two seconds by 2031

Security level of smart cities

While no standard exists to objectively rank smart cities’ infrastructure since their adoption pace and scale vary drastically, experts recognize most of their efforts are lacking. Their systems are interconnected, complex and expansive — making them highly vulnerable.

Despite the abundance of guidance, best practices and expert advice available, many smart cities make the mistake the Oldsmar water treatment plant did. They neglect updates, vulnerabilities and security weaknesses for convenience and budgetary reasons.

Minor changes can have a massive impact on smart cities’ cybersecurity posture. Here are a few essential components of securing critical Infrastructure:

•Data cleaning and anonymization. Cleaning and anonymization make smart cities less likely targets — de-identified details aren’t as valuable. These techniques verify that information is accurate and genuine, lowering the chances of data-based attacks. Also, pseudonymization can protect citizens’ PII.

•Network segmentation. Network segmentation confines attackers to a single space, preventing them from moving laterally through a network. It minimizes the damage they do and can even deter them from attempting future attacks.

•Zero-trust architecture. The concept of zero-trust architecture revolves around the principle of least privilege and authentication measures. It’s popular because it’s effective. Over eight in 10 organizations say implementing it is a top or high priority. Limiting access decreases attack risk.

•Routine risk assessments. Smart cities should conduct routine risk assessments to identify likely threats to their critical infrastructure. When they understand what they’re up against, they can handcraft robust detection and incident response practices.

•Real-time system monitoring. The Oldsmar water treatment plant’s hacking is a good example of why real-time monitoring is effective since the operator immediately detected and reversed the attacker’s changes. Smart cities should implement these systems to protect themselves.

Although smart city cyberattacks don’t make the news daily, they’re becoming more frequent. Proactive effort is essential to prevent them from growing worse. Public officials must collaborate with cybersecurity leaders to find permanent, reliable solutions.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

April 22nd, 2024