Lax computer security is something everybody complains about, but no one does anything to fix it. Witness the egregious examples of security lapses ranging from Equifax to Yahoo that have compromised the personal data of billions of people.
But that lackadaisical attitude toward cybersecurity is going to have to change if smart cities are going to succeed. As more of a city’s physical infrastructure relies on connected services to control everything from traffic lights to the power grid, the more vulnerable it potentially becomes—and the more dangerous it becomes for citizens walking its streets.
Until now, the compromised security at businesses like Dunkin’ Donuts, Marriott’s SPG loyalty program, and Quora has been, for many people, a mere annoyance. True, the breach at Marriott involved as many as 500 million customers and their passport information, a costly mistake that could run into billions of dollars if the documents have to be replaced. But in general, cyber fraud and identity theft has become an accepted cost of the convenience of leading a digital life.
However, such security mistakes could prove fatal in smart cities of the future where everything from public transportation to water filtration systems rely on the integrity of a municipality’s cyber connections.
Perhaps nowhere is the threat more keenly perceived than in the nexus between self-driving vehicles and a city’s traffic infrastructure. What would happen, security researchers worry, if such communications were interrupted or, even worse, falsified? Could cars and buses be sent careening at each other at full speed or remotely directed to speed over sidewalks into pedestrians and buildings?
Fortunately, several security focused companies, such as Argus and Upstream, have been working for some time in the connected car space, trying to button down automotive systems. Argus demonstrated some of the vulnerabilities to Digital Trends by using a known hack to remotely turn on a Jeep’s headlights, windshield wipers, and even brake the car while this reporter was driving the vehicle. It’s an unnerving experience, to say the least. But imagine hundreds of cars all being remotely controlled by digital pirates looking to cause citywide mayhem.
Such scenarios are the stuff of engineers’ nightmares. So automakers have been building out their own security operation centers, anticipating the connected future. Major parts suppliers have also been expanding their offerings. (German auto systems company Continental acquired Argus, for example.) In general, such security work has focused on watching for nefarious communications with cars, anticipating hacks before an incursion can occur.
But beyond self-driving cars, smart cities require a broader approach.
So last month BlackBerry announced it was going to make a security credential management system (SCMS) freely available to cities and automakers working on smart city projects. The idea: use a public key-based certificate system to authenticate transmitted instructions and information between transportation systems and the municipal infrastructure. It would ensure, for example, that a message from the city’s traffic system that a light ahead was turning red was genuine, so that self-driving cars would stop in time. Conversely, an ambulance could turn lights ahead green and send warnings to other vehicles on the road. Such vehicle-to-infrastructure and vehicle-to-vehicle (V2X) communications need to be virtually instantaneous and reliable to ensure safety.
Jim Alfred, the head of BlackBerry’s Certicom product group, told Digital Trends during a press conference that such certificates would be generated on the fly, so that they couldn’t be spoofed or faked. Furthermore, the cloud-based approach would be fast enough to accommodate the needs of such V2X systems, including alerts about accidents or sudden changes in road conditions ahead.
BlackBerry, which has arguably more experience with in-car systems via its QNX division than any other company, also said that the communications between vehicle and infrastructure would remain anonymized to maintain privacy. The initial tests of the company’s system will take place early this year in coordination with the Invest Ottawa development program and its supported 10-mile autonomous vehicle test track in Canada’s capital.
[Toronto wants to get smart, but citizens are concerned about privacy.]
The need for such a secure communications system has been noted by the U.S. Department of Transportation, but no standard has yet been proposed. That means municipal governments are on their own when it comes to ensuring the reliability and safety of such systems.
Further underscoring the issue, cybersecurity is a moving target. As new services like smart city integration come online, it opens up new attack vectors and more opportunities for new hacking techniques. Mozilla, for example, recently noted the lack of security on popular drones from DJI and Parrot, a concern as cities look to such unmanned aircraft to assist first responders and law enforcement–never mind the kind of disruptions caused by rogue drones at London’s Gatwick airport. And as has been painfully demonstrated over the past couple of years, larger companies have been unable to stay ahead of such threats on their own. So many businesses and governments are looking to smaller security startups for help.
In New York City, a new Global Cyber Center is being created for just such a purpose under the direction of the New York City Economic Development Corporation. Last fall, the city selected the Israeli firm, SOSA, to establish and manage the center, which will bring together venture capitalists, security startups, and Fortune 500 companies seeking solutions to tomorrow’s digital threats.
“The biggest worry is about autonomous vehicles where one single hack can go global,” Uzi Scheffer, SOSA’s CEO, told Digital Trends. He said the fact that New York is also a global financial center makes it an even more attractive target for hackers.
SOSA expects the 15,000-square-foot Global Cyber Center will open in Manhattan’s Chelsea neighborhood by the spring. It’s intended to be a launching pad for new security initiatives that larger corporate and municipal clients can tap into. But it’s also going to take a significant amount of money: $30 million from the city and a reported $70 million from private partners.
Obviously, not every municipality can attract such substantial investments or afford such vertically oriented technology initiatives. Hence, the need for a security standard is rapidly becoming one of the more pressing problems for smart cities looking to integrate intelligent systems. Whether we’ll see the adoption of such an industry standard or see a service like that from Blackberry become a de facto standard for cities to build on, remains to be seen.