Historically, most cyber attacks have been directed toward firms, but as cities continue to grow smarter, they carry more information on their residents, making them more valuable targets for cybercriminals. On June 1, 2022, Costa Rica’s National Health Service was taken captive by ransomware known as Hive. To regain control of its systems, Costa Rica must pay the criminals $20 million in bitcoin. Over the last five years, cities in the U.S. such as Atlanta, Baltimore, New Orleans, and Albuquerque have been the victims of cyber attacks. For the cities of the future to defend their citizens’ data, they need to elevate their approach to cybersecurity.
So how can governments know if their cybersecurity is up to standards? Unfortunately, there is currently no widely accepted measurement for evaluating the strength of a city’s cybersecurity. Governments tend to cite the amount they spend on cybersecurity each year as an indicator of its strength, but there is no way to know if that money is being used properly. However, there are several standards currently in practice across various industries that could be modified for government use, such as the ISA/IEC 62443 system for automation and control system applications, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) system, which secures North America’s bulk electric system, and the UL 2900 series of standards for network-connectable products (UL 2900-1), medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3). Other resources, like the Lockheed Martin Cyber Kill Chain, are general enough to be used by smart cities with little to no adaptation. Regular vulnerability assessments will also be crucial in determining a city’s cyber strength.
By incorporating elements from various existing industrial cybersecurity standards, cities can develop a concrete plan for evaluating and improving their cybersecurity. That plan might look similar to the following structure:
Cybersecurity is more effective and less expensive when it is factored into decision-making processes, not tacked on after a decision has already been made. This could mean choosing not to adopt certain smart technologies if an effective way to mitigate their cybersecurity risk does not exist yet. For example, emergency alerts, street video surveillance, and smart traffic signals are high-risk smart technologies, so they should only be installed if it is determined that their benefits outweigh both the cost of installation and their cybersecurity risk. For all new technologies, cybersecurity must be built in from the beginning, not added on at the end.
City officials must educate their employees on cybersecurity vulnerabilities. This includes, but is not limited to:
- Using multi-factor authentication
- Using WiFi safely
- Using secure passwords
- Avoiding phishing emails and other online scams
- Requiring anti-malware software
- Staying away from risky websites
A city’s cybersecurity must be regularly evaluated by a third party. This will include live tests, such as vulnerability assessments, as well as other metrics, such as ensuring the city has multiple backups of all essential data and enough IT and cybersecurity professionals. To pass this step, those working with sensitive information must use most, if not all, of the following measures.
- Anti-malware helps identify, remove, and block malware. This can include IP blacklisting, data loss prevention tools, antivirus/antispyware software, web browsing policies, egress filtering, and outbound-traffic proxies.
- Endpoint detection and response works with anti-malware to perform automated actions when a breach is detected. It alerts security analysts when an endpoint is compromised, takes immediate action, such as isolating the infected software, and gives security teams the information they need to analyze the incident. It also tends to be better than anti-malware at detecting breaches from unknown sources.
- Continuous vulnerability management involves constantly scanning for security weaknesses. This includes manual work, such as vulnerability assessments and fixing bugs, as well as automated work, such as application patching and scanning for coding bugs that could be exploited by attackers.
- Intrusion detection and prevention systems come in two types: IDS and IPS. An IDS detects and monitors threats, but it won’t take action on its own. An IPS decides on its own whether to accept or reject packets based on rules. Both IDS and IPS analyze traffic and compare it to known threats.
- Machine Learning and Artificial Intelligence use behavior analytics to proactively detect threats, assess threats in real-time, and evaluate risk. Artificial intelligence in cybersecurity is still mostly aspirational, but over the coming years, as cities grow ‘smarter,’ it will continue to grow stronger with more user interaction and will eventually become an important capability in cybersecurity.
- Mobile device management software should be installed on each high-risk government employee’s work-dedicated device. The MDM software monitors behavior and critical data. This gives an administrator full control to monitor, troubleshoot, track, and even wipe device data if a breach is detected.
- Network access control sets network policies and prevents noncompliant devices from accessing a network. Paired with anti-malware, it helps avoid an initial breach by keeping government employees away from high-risk websites.
- Next-generation firewalls detect and block more sophisticated attacks than previous generations of firewalls. They include features such as application control (automated whitelisting and blacklisting), IPSs, and sandboxing, which tests potentially malicious software by running a program without allowing it to affect the application, system, or platform it runs on.
- Strong authentication and authorization. This authenticates users and grants them access based on their authorization level. Newer versions provide additional security by using digital certificates and public key infrastructure solutions, like a Secure Sockets Layer (SSL) certificate, which encrypts connections and verifies that the website is trustworthy.
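The IDS/IPS distinction above is easiest to see in code. The following is an added example, not code from the original article or from any vendor product: a toy signature engine that applies the same rule set two ways, once as an IDS (inspect every packet, raise alerts, deliver everything) and once as an IPS (inspect every packet, drop the ones that match). The packet records, the rule set (a blocklisted source address as a stand-in for IP blacklisting, a path-traversal signature, and a port-based rule for telnet to a field device) and the field names are all constructed for illustration and do not correspond to any real feed or product.

```python
"""Added example (not from the original article): a minimal signature-based
traffic inspector run in IDS mode (alert only) and IPS mode (accept/reject)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One simplified packet record (fields are constructed for this example)."""
    src: str
    dst: str
    dport: int
    payload: str


@dataclass(frozen=True)
class Rule:
    """A 'known threat' signature. Any field left as None matches anything."""
    name: str
    src: Optional[str] = None       # blocklisted source address
    dport: Optional[int] = None     # destination port
    pattern: Optional[str] = None   # payload substring


# Constructed rule set standing in for a vendor signature feed.
RULES = [
    Rule("blocklisted-source", src="203.0.113.7"),
    Rule("path-traversal-attempt", dport=80, pattern="../../"),
    Rule("telnet-to-field-device", dport=23),
]

# Constructed sample traffic (RFC 5737 documentation addresses, fake payloads).
SAMPLE_TRAFFIC = [
    Packet("203.0.113.7", "10.0.5.20", 80, "GET /index.html HTTP/1.1"),
    Packet("198.51.100.3", "10.0.5.20", 80, "GET /../../config HTTP/1.1"),
    Packet("198.51.100.3", "10.0.5.20", 80, "GET /status HTTP/1.1"),
    Packet("203.0.113.9", "10.0.7.4", 23, "admin\r\n"),
    Packet("198.51.100.8", "10.0.5.20", 443, "TLS ClientHello (opaque)"),
]


def rule_matches(rule: Rule, packet: Packet) -> bool:
    """Every condition the rule specifies must hold; unspecified fields match anything."""
    if rule.src is not None and rule.src != packet.src:
        return False
    if rule.dport is not None and rule.dport != packet.dport:
        return False
    if rule.pattern is not None and rule.pattern not in packet.payload:
        return False
    return True


def matching_rules(packet: Packet, rules: List[Rule]) -> List[str]:
    """Compare one packet against the known-threat signatures; return the rule names hit."""
    return [r.name for r in rules if rule_matches(r, packet)]


def ids_alerts(packets: List[Packet], rules: List[Rule]) -> List[Tuple[str, str, str, int]]:
    """IDS mode: monitor and alert only. Every packet is still delivered."""
    alerts = []
    for p in packets:
        for name in matching_rules(p, rules):
            alerts.append((name, p.src, p.dst, p.dport))
    return alerts


def ips_filter(packets: List[Packet], rules: List[Rule]) -> Tuple[List[Packet], List[Tuple[str, str]]]:
    """IPS mode: decide per packet. Matching packets are rejected, the rest forwarded."""
    forwarded, blocked = [], []
    for p in packets:
        hits = matching_rules(p, rules)
        if hits:
            blocked.append((hits[0], p.src))   # log the first rule that fired
        else:
            forwarded.append(p)
    return forwarded, blocked


if __name__ == "__main__":
    for alert in ids_alerts(SAMPLE_TRAFFIC, RULES):
        print("IDS alert:", alert)
    fwd, blk = ips_filter(SAMPLE_TRAFFIC, RULES)
    print("IPS forwarded", len(fwd), "packets, blocked", len(blk))
```

The same three packets trigger the same three signatures in both modes; the only difference is the action, which is why an IPS sits inline on the traffic path while an IDS can work from a mirrored copy. It also shows the cost of an IPS rule that is too broad: a port-only rule like the telnet one blocks every packet to that port, legitimate or not, so inline rules deserve tighter matching than alert-only ones.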
When all these measures fail, cities need to be prepared with a Computer Security Incident Response Plan (CSIRP or just IRP for short) to minimize the damage of a successful attack. Officials must realize that public scrutiny is inevitable, and it does not justify rushing the recovery process. According to the National Institute of Standards and Technology (NIST), the general steps for incident response are the same for companies and cities:
- Before the attack, an incident response team must be established.
- Once the attack occurs, the indicators of a breach must first be detected and analyzed.
- Then, the threat must be contained. Often, this means either sandboxing or disconnecting the attacking force from the data source, but NIST makes it clear that the incident response team should have a specific containment plan for each type of attack they anticipate.
- Next, the threat must be eradicated, which often involves deleting malware and compromised accounts.
- Then, the infected department can start to recover. This will involve restoring data from clean backups, notifying any civilians or employees whose data was involved in the breach, and reinstalling defense mechanisms against a future breach.
- Finally, the department’s security plan must be updated, and employees must be trained to ensure immunity against the same attack in the future.
In addition to using cybersecurity at large firms as a model for smart city cybersecurity, cities can partner with them directly. In August 2021, the Cybersecurity and Infrastructure Security Agency established the Joint Cyber Defense Collaborative (JCDC) to unify the federal government, states, and cities with the public and private sectors in a joint cybersecurity effort. JCDC has 21 private-sector partners, including Microsoft, Google Cloud, and Verizon. By working alongside cybersecurity specialists across the globe to create objective standards, integrating cybersecurity into decision-making processes, educating employees on vulnerabilities, evaluating their cyber strength regularly, and recovering properly from a breach, smart cities can elevate their cybersecurity as they move into the future and keep their citizens’ data safe.
More about Cybersecurity
Check out some of these sources to learn more about cybersecurity yourself:
Caleb Cavazos | [email protected]
Caleb Cavazos is an intern at Econsult Solutions, Inc. He is currently a senior at the Haverford School, and will be attending Duke University in the fall. He assists ESI with general research, note taking, and business development.