Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

Are Smart Cities Secure?

Planning and oversight have the most significant impact when securing a smart city utilizing Internet of Things and RFID technologies.
By Guy Rosefelt
Jan 20, 2019

Recently, I participated in several tenders for smart-city projects around the world. I also partook in CEO roundtable discussions at Telecom Exchange LA, including one about what Los Angeles would look like in 10 years for the 2028 Summer Olympics. From those projects, I realized there are several issues that may impact making a smart city secure.

Although the tenders originated from different countries, they had a lot in common. All were published by a single government agency, all were requirements specific to that agency and all asked for the standard set of security products: next-generation firewalls, intrusion-prevention systems, Web application firewalls, anti-DDoS, APT protection and so on.

The TexLA CEO roundtable, titled "Get Ready for the Olympics LA: IoT, Smart Cities, & Infrastructure Predictions," was interesting. It asked what cyber-threats and protections would be like in 10 years when L.A. hosts the Olympics, what infrastructure would be like and what could be done to prepare.

What struck me about all of the above was that cybersecurity technology was not the issue; the smart-city requirements and the discussed roadmaps covered those rather well. What I saw not being addressed were the deployment of multiple Internet of Things (IoT) devices, conflicting or singular requirements for solutions, and organizational self-interest.

Deployment of Multiple IoT Devices
Most cities deploy a lot of IoT devices. Traffic cameras are the most noticeable, but there are also sidewalk and building cameras. Industrial control systems (ICS) abound for water, power, traffic, transportation and more. Parking meters now accept credit cards; so far, there are IoT devices with PCI-DSS implications.

It is common knowledge that IoT devices are built for functionality and not security. Even IoT devices that have protection do not have good security. Earlier this year, one of my research teams found a number of vulnerabilities in Schneider Pelco Sarix Professional Cameras, a popular IP camera used for surveillance. All but one of the vulnerabilities were considered "high" or "critical," as they could disclose information, allow privilege escalation or command execution.

Some interesting papers propose using RFID to create intelligent traffic-control systems in smart cities. None discuss the security implications of their proposed solutions.

There were many ICS-related vulnerabilities disclosed this year. Siemens disclosed that some models of SICLOCK central plant clocks had several vulnerabilities, some deemed "critical." SICLOCK clocks are used at industrial plants to synchronize time across devices within the plant. Then there are IoT devices in smart buildings for heating, ventilation and air conditioning (HVAC) and environmental controls, as well as physical security and perimeter access, elevators and more, which most people don't think about but which could be used to jump air-gapped systems. There are several "ICS villages" around the world to promote awareness and education about ICS security. You should visit their sites to view information on or demonstrations of ICS cyberattacks.

None of the tenders in which I participated had any significant requirements related to IoT security. The government agencies offering the tenders had to be using the IoT, as all were related to specific infrastructure areas.

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations