Who or what is the Weakest Link?

As the number of devices and systems within Smart Cities increases dramatically over the next ten years, so will the number of vulnerabilities and weaknesses open to exploitation. Yet it may well be that the weakest link in Smart Cities will be the citizens themselves, whether as inhabitants, tourists or employees.

As new threat scenarios unfold in the future, they will very likely focus in some way on making money for the attacker, whether directly, by targeting a victim, or indirectly, where details are harvested and sold to other attackers to exploit. The “smarter” cities become, the more likely they are to attract the attention of attackers developing new campaigns or looking to copy shared tactics and techniques used in other cities. The more open connectivity, services and technologies smart cities create, the more attractive they become.

To quote Schneier’s Law: “Anyone can invent a security system that he or she cannot break.” Smart Cities will procure a variety of systems, with varying degrees of security, to equip the city to function. The resilience and testing of each solution and its security will depend upon the thoroughness of the vendor and the rigour of the buyer. It is often the sheer ingenuity of the attack actor, and their means of finding vulnerabilities, that surprises the system or service owner. Smart Cities therefore cannot become complacent or underestimate the lengths attack actors will go to in order to find and exploit a weakness or vulnerability. An attack actor will look at all options and may well conclude that the weakest option to exploit is the humans involved as administrators or users of the system.

An attack actor will conduct reconnaissance for an attack either by physically visiting the intended site or sites or by researching remotely through tools and services such as Google Maps, Street View etc. They are looking for opportunities and vulnerabilities to exploit, and that will involve observing how people use and interact with a system. Often the easiest route for the attack actor is to compromise the account of a user or administrator through a phishing campaign delivered by email, SMS or another message format. Other options may include spoofing, bribery or coercion.

I plan to look at the features and criteria of a Smart City Threat Model which will include how humans will play a significant part in the cyber threat to Smart Cities. This work will be found in the Smart City Threat Model Research.
