Tag Archives: hacking

“Creating Smart Cities” workshop videos: Session 1

We had a great Creating Smart Cities Workshop last September and we will be making the video recording of the presentations available from today, and on the following Mondays!

OPENING TALK

Reframing, reimagining and remaking smart cities
Rob Kitchin, Maynooth University

Abstract
Over the past decade the concept and development of smart cities has unfolded rapidly, with many city administrations implementing smart city initiatives and strategies and a diverse ecology of companies and researchers producing and deploying smart city technologies. In contrast to those that seek to realise the benefits of a smart city vision, a number of critics have highlighted a number of shortcomings, challenges and risks with such endeavours. This short paper outlines a third path, one that aims to realise the benefits of smart city initiatives while recasting the thinking and ethos underpinning them and addressing their deficiencies and limitations. It argues that smart city thinking and initiatives need to be reframed, reimagined and remade in six ways. Three of these concern normative and conceptual thinking with regards to goals, cities and epistemology, and three concern more practical and political thinking and praxes with regards to management/governance, ethics and security, and stakeholders and working relationships. The paper does not seek to be definitive or comprehensive, but rather to provide conceptual and practical suggestions and stimulate debate about how to productively recast smart urbanism and the creation of smart cities.

SESSION  1 “GOVERNANCE AND REGULATION”

1. Governing the City as a System of Systems
James Merricks White, Maynooth University

Abstract
Vital to the nascent domain of city standards is an understanding of the city as a system of systems. Borrowed from urban cybernetics, this conception imagines and describes the city as comprised of distinct fields of operation and governance. While this might have previously served a pragmatic purpose, allowing a compromise to be found between centralisation and specialisation, critics argue that it has produced institutional path dependencies which, in the era of big and open data, are a source of interruption and inefficiency. Put another way, information, action and responsibility are seen to be bound-up in vertically integrated silo-like structures. By breaking down or reaching across these silos, it is hoped that new synergies in urban governance might be unlocked. In this paper I will explore the mechanisms by which three city standards naturalise and respond to the system-of-systems problematic. First, City Protocol Anatomy offers a conceptual model for thinking, communicating and coordinating action across city systems. The city is reconfigured as a body, each of its systems become that body’s organs, and a whole linguistic framework emerges for talking about the city at all manner of scales and time frames. Second, ISO 37120 enacts an set of verification and certification mechanisms in an effort to build up a database of robust urban indicators. Within cities this translates into greater communication and information exchange between the departments of a city’s authority. Finally, while only a set of policy recommendations PAS 181 is quite explicit in bringing matrix management concepts to urban governance. It imagines small, agile, tactically- specific units capable of acting across legacy governance structures. Although operating in distinct ways, each standard attempts to open up new terrain of and for urban governance. The ramifications of these new state/spaces are only beginning to emerge.

2. Hacking the Smart city and the Challenges of Security
Martin Dodge, Manchester University

AbstractThe ways that technologies are enrolled in practice and come to shape our cities is often paradoxical, bringing promised benefits (such as enhanced convenience, economic prosperity, resilience, safety) but beckoning forth unintended consequences and creating new kinds of problems (including pollution, inequality, risk, criminality). This paradox is very evident when looking back at earlier rounds of transformative urban technologies, particularly in energy supply, transportation, communication and electro-mechanical systems of automation. The paradox is arguably even more pronounced in relation to the development of smart urbanism and will be examined in terms of the trade-offs around security.
This talk will consider how complex software and networked connectivity at the heart of smart cities technologies (both current, near future implementations and imagined scenarios) is opening up new risks and seems inherently to provide threats to established modes of urban management through security concerns and scope for criminal activities. I will examine how cities are becoming more vulnerable to being ‘hacked’ in relation to weaknesses directly in the technologies and infrastructures because of how they are designed, procured, deployed and operated. Then I will look at the cyberattacks against the data generated, stored and being shared across digital technologies and smart urban infrastructures. The second half of the talk considers how to defeat (or at least better defend against) those vandals, criminal and terrorists seeking hacking the smart cities, and will focus on available practical means and management approaches to better secure infrastructure and mitigate the impact of data breaches.

3. Coordinated Management and Emergency Response Systems and the Smart City
Aoife Delaney, Maynooth University

Abstract

This paper maps out the historic and current organisation of the Irish Emergency Management System and its potential intersections with the Smart Dublin Initiative which could create a truly Coordinated Management and Emergency Response System (CMaERS). It begins with a brief overview of the Framework for Major Emergency Management in Ireland- an unlegislated guidance framework used foremost by the Principal Response Agencies but also by other responding agencies. Further, the paper addresses key barriers which the current Emergency Management System suffers from and which the framework inadequately attempts to overcome, in order to situate the current system. These barriers include: institutional tensions and the historical legacy of agency mandates, organisation, technologies and practices. Finally, the current system is brought into conversation with Smart Dublin to unravel whether the smart city is a barrier or whether it can be an enabler of the current Emergency Management System evolving into a CMaERS. The Smart Dublin initiative is organised across the four local authority agencies which govern Dublin County. This provides four significant opportunities for the merging of the Irish Emergency Management System and the smart city in so far unseen ways. The first opportunity is that the local authorities are, simultaneously, Principal Response Agencies (PRA) for crises and the drivers of Smart Dublin. Secondly, the governance of Smart Dublin could allow for stronger inter-agency collaboration and coordination. Thirdly, there is potential to develop an Incident Command System and finally, the Framework is unlegislated. These opportunities would help to position Dublin to be one of the first smart Emergency Management Systems –a CMaERS which could, potentially, result in better inter-agency coordination, standardised technology across agencies, interlinked control rooms, and a more resilient emergency response system.

4. Dumb Democracy and Smart Politics? Transitions and Alternatives in Smart Urban Governance
Jathan Sadowski – Delft University

Abstract
First, I will set the stage with an overview of smart urban governance: How is the city managed and administered? What are the policy and development goals? What actors are involved (and benefit)? What ideologies inform implemented and envisioned governance models? While (smart) governance is often touted as pragmatic, neutral, and non-ideological, I will establish that it is in fact thoroughly political, partisan, and value-ladened.
Second, I will argue that the “smart city,” not only as a set of initiatives, but as a political event, is reviving classically important topics in political theory, which, in modern liberal-democratic society, have been largely taken for granted—implicitly operating in the background of political society and life—but are now being resurfaced, reexamined, and redefined. I make this argument by providing a survey of contemporary tensions and transitions occurring at the level of political society. These are not deterministically caused by the smart city, however, urban governance constructs a platform for these tensions and transitions, encouraging and amplifying their effects. They include: 1) consent and legitimacy => terms of service agreements; 2) citizenship => “citizen sensing”; 3) public services => X-as-a-service (or, Uber for X model); 4) political deliberation and discretion => data-driven, algorithmic decision-making; 5) social contract => corporate contract.
Third, I will end by sketching a series of principles and processes that contribute towards alternative arrangements of the smart city. By directly engaging with the above transitions, I aim to push back against neoliberal governance, technocratic pragmatism, and repressive use of technical systems. My goal is not to advocate for a conservative position: a stale maintenance of the status quo that is anti-change, anti-technology, anti-prosperity. Rather, I argue that if we are to embrace the smart city, it should be accompanied with a politics founded on equity, emancipation, and empowerment. As Rob Kitchin said in a recent report from the Irish Government Data Forum, “Ignoring or deliberately avoiding smart city technologies is not a viable approach; nor is developing smart cities that create a range of harms and reinforce power imbalances”.

Do come back next Monday! The next session awaits!

How vulnerable are smart cities to cyberattack?

trafficSmart city solutions utilise complex, networked assemblages of digital technologies and ICT infrastructure to manage various city systems and services.  Any device that relies on software to function is vulnerable to being hacked.  If a device is networked, then the number of potential attack points multiples across the network, and the hack can be performed remotely (1). Once a single device is compromised, then the whole assemblage becomes vulnerable to cyberattacks that seek to ‘alter, disrupt, deceive, degrade or destroy computer systems and networks or the information and/or programs resident in or transiting these systems or networks’ (2).

There are three forms of cyberattack: availability attacks that seek to close a system down or deny service use; confidentiality attacks that seek to extract information and monitor activity; and integrity attacks that seek to enter a system to alter information and settings (such as changing settings so that components exceed normal performance, erasing critical software, or planting malware and viruses) (3).  The vulnerability of smart city systems is exacerbated by a number of issues including weak security and encryption; the use of insecure legacy systems and poor maintenance; large and complex attack surfaces and interdependencies; cascade effects; and human error and disgruntled (ex)employees (19).  The result is that the process of making city systems and infrastructures ‘smart’ has also made them vulnerable to a suite of cyber-threats (4,5,6).

Cyberattacks can target every type of smart city solution and particular system components. There are a number of weak points – including SCADA systems, the sensors and microcontrollers of the Internet of Things, and communication networks and telecommunication switches.

SCADA systems
Various forms of urban infrastructure, including the electricity grid, water supply, and traffic control, rely on SCADA (supervisory control and data acquisition) systems that are used to control functions and flow (4).  These systems measure how an infrastructure is performing in real-time and enable either automated or human operator interventions to change settings.  SCADA systems can be traced back to the 1920s, but were extensively rolled out in the 1980s (12).  As a consequence, many deployments are quite dated.  Many have been found to operate with their original security codes (13).  In some cases, while the infrastructure is relatively secure, the communications network is vulnerable (4).  A number of SCADA systems have been compromised, with hackers altering how the infrastructure performs, or causing a denial-of-service, or have stolen data.  Probably the most infamous SCADA hack was the 2009 Stuxnet attack on Iran’s uranium enrichment plant in which the system was infected by malware that destroyed a number of centrifuges by running them beyond their design specifications (12).  By 2010 over 90,000 Stuxnet infections were reported in 115 countries (5).

Internet of Things
The Internet of Things refers to the connecting together of machine-readable, uniquely identifiable objects across the Internet.  Some objects are passive and can simply be scanned or sensed (such as smart cards with embedded RFID chips used to access buildings and transport systems).  Others are more active and include microcontrollers and actuators.  All kinds of objects that used to be dumb, such as fridges, thermostats and lights, are now becoming networked and smart, generating information about their use and becoming controllable from a distance.  Moreover, sensors can be embedded into the urban fabric and throughout critical infrastructures to produce data concerning ‘location, proximity, velocity, temperature, flow, acceleration, sound, vision, force, load, torque, pressure, and interactions’ (13).  Sensors and microcontrollers are hackable as they often have little effective security, encryption, or privacy protocols in place.  RFID chips, for example, can be hacked, jammed and spoofed (13).

Communication networks and telecommunication switches
The Internet of Things are linked together via a number of communications technologies and protocols such as 4G LTE (Long Term Evolution), GSM (Global System for Mobile communication), CDMA (Code Division Multiple Access), WiFi, bluetooth, RFID (Radio-Frequency Identification), NFC (Near-Field Communication), ZigBee (open wireless standard), and Z-Wave (wireless communication).  Each of the modes of networking and transferring data are known to have security issues that enable data to be intercepted and provide access to devices.  Likewise, telecommunication switches that link together the local and long distance Internet infrastructure are known to have vulnerabilities including manufacturer and operator back-door security access and access codes that are infrequently updated (4).

Transport management systems and vehicles
There have been a number of cyberattacks on transport management systems in recent years, as well as proof-of-concept demonstrations of possible attacks.  For example, a cyberattack on a key toll road in Haifa, Israel, closed it for eight hours causing major traffic disruption (9).  A research team from the University of Michigan managed to hack and manipulate more than a thousand traffic lights in one city using a laptop and wireless radio (15).  Likewise, IOActive Labs have hacked traffic control sensors widely used around the world and altered traffic light sequencing and interactive speed and road signs (16).  A teenager in Lodz, Poland, managed to hack the city tram switches, causing four trams to derail and injuring a number of passengers (1, 13).  In the US, air traffic control systems have been hacked, FAA servers seized, the personal information of 58,000 workers stolen, and malicious code installed on air traffic networks (13).  Vehicles themselves are also open to being hacked given that a new car contains up to 200 sensors connected to around 40 electronic control units and can connect to wireless networks.  A recent Wired article details how two hackers were able to remotely hack a car through its Internet computer that controls entertainment and navigation systems, facilitates phone calls and can provide a wifi hotspot, using it as a route to replace firmware that enabled them to take control of the car’s internal computer network.  The hackers could then take over the driving of the car from over 10 miles away, turning the driver into a passenger (17).

Electricity grid and smart meters
The generation, transmission, and distribution of electricity are monitored and controlled using SCADA systems (12).  In addition, the electricity grid consists of a range of other networked devices.  In the case of the US energy grid over 70 percent of components are over 25 years old, including many SCADA systems (13).  Given the potential cascade effects of shutting down the electricity grid, it has been a key point of cyberattack. Electricity grid utilities in the US report being under near constant cyberattack, with one utility recording that it was the target of approximately 10,000 cyberattacks each month (all five commissioners of the Federal Energy Regulatory Commission agree that the threat of a cyber-attack on the electric grid is the top threat to electricity reliability in the United States) (8).  The Israel Electric Corp. reports that its servers register about 6,000 unique computer attacks every second, with other critical infrastructure also under continuous cyberattack (9).  As smart grids and smart meters are installed, the number of potential access points to grid networks increases enormously (12).  Smart meters themselves can be hacked with low-cost tools and readily available software to alter proof of consumption or to steal energy from other users (1, 14).

Building management systems
Building management systems are often considered an aspect of property services rather than IT services and cybersecurity is not a key issue in purchase or operation (18).  The consequence is weakly protected systems, often still configured with manufacturer codes.  Moreover manufacturers often do not have processes in place for responding to vulnerabilities or a notification process to inform customers about security threats (18).  The vulnerabilities of building management systems pose two main threats.  The first is that if they are hacked building operations could be disrupted and safety risks created.  The second is that they provide a potential route for breaking into enterprise business systems and critical company data if they share the same network.  In the case of the Target data breach in which over 100 million customer details were stolen it appears that the retailer did not properly segment its data network, with hackers gaining access through the company that maintained its heating, ventilation and air conditioning (HVAC) system (18).

Cameras
Cities are full of a plethora of CCTV cameras; some owned and controlled privately, others by public authorities and police services.  The security of these cameras is highly variable, with some lacking encryption or usernames and passwords, and others open to infection by malware and firmware modification (20).  Accessing a camera provides a means to spy on individuals, such as viewing home presence or using a bank ATM camera to monitor the digits being pressed.  Demonstrating the scale of the issue, one website provides access to the feeds of thousands of unsecured or poorly secured cameras (uses admin passwords) from 152 countries (21).  Cameras can also be turned off, with some lacking the function to be restarted remotely (19).

Many cyberattacks are relatively inconsequential, such as probes and address scans, and are unsuccessful, while a small number are much more significant and involve a security breach.  In a 2014 study of 599 utility, oil and gas, energy and manufacturing companies nearly 70 percent reported at least one security breach that led to the loss of confidential information or disruption of operations in the previous 12 months; 78 percent expected a successful attack on their ICS (industrial control systems) or SCADA systems in the next two years (10).  In 2012, 23 gas pipeline companies were hacked and source code and blueprints to facilities stolen (7).  Between 2010 and 2014, the US Department of Energy (that oversees the US power grid, nuclear arsenal, and national labs) documented 1,131 cyberattacks, of which 159 were successful (11).  In 53 cases these attacks were ‘root compromises’, meaning that the attackers gained administrative privileges to computer systems, stealing various kinds of personnel and operational information (11).

Cyberattacks can be performed by hostile nations, terrorist groups, cyber-criminals, hacker collectives, and individual hackers.  Former FBI director, Robert Mueller, details that 108 nations have cyberattack units, targeting critical infrastructure and industrial secrets (13).  The majority of attacks are presently being repulsed using cybersecurity tools, or their effects have been disruptive or damaging but not critical for the long term delivery of services (3).  Indeed, it needs to be recognised that to date, successful cyberattacks on cities are still relatively rare and when they have occurred their effects generally last no more than a few hours or involve the theft of data rather than creating life threatening situations.  That said, it is clear that there is a cybersecurity arms race underway between attackers and defenders, and that more severe disruption of critical infrastructure has been avoided through the threat of mutually assured destruction between nations (22).  This is not to suggest that smart city initiatives should be avoided, but rather that the cybersecurity challenges of creating secure smart cities should be taken seriously.  It is likely that cyberattacks will increase over time, they will become more sophisticated, and that they have the potential to cause significant disruption to city services and the wider economy and society (5).

References
(1)    Nanni, G. (2013) Transformational ‘smart cities’: cyber security and resilience. Symantec, Mountain View, CA. https://eu-smartcities.eu/sites/all/files/blog/files/Transformational%20Smart%20Cities%20-%20Symantec%20Executive%20Report.pdf (last accessed 12 October 2015)
(2)    Owens, W.A., Dam, K.W. and Lin, H.S.  (eds) (2009) Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.  Committee on Offensive Information Warfare, National Research Council, National Academic Press, Washington DC.
(3)    Singer, P.W. and Friedman, A. (2014) Cybersecurity and Cyberwar: What Everyone Needs to Know.  Oxford University Press, Oxford.
(4)    Singh, I.B. and Pelton, J.N. (2013) Securing the Cyber City of the Future.  The Futurist http://www.wfs.org/futurist/2013-issues-futurist/november-december-2013-vol-47-no-6/securing-cyber-city-future (last accessed 19 Oct 2015)
(5)    Townsend, A. (2013) Smart Cities: Big data, Civic Hackers, and the Quest for a New Utopia.  New York: W.W. Norton & Co.
(6)    Peters, S. (2015) Smart Cities’ 4 Biggest Security Challenges, 1st July, InformationWeek: Dark Reading, http://www.darkreading.com/vulnerabilities—threats/smart-cities-4-biggest-security-challenges/d/d-id/1321121 (last accessed 21 Sept 2015)
(7)    Perlroth, N. (2015) Online Attacks on Infrastructure Are Increasing at a Worrying Pace.  Bits, New York Times, October 14th, http://bits.blogs.nytimes.com/2015/10/14/online-attacks-on-infrastructure-are-increasing-at-a-worrying-pace/ (last accessed 16th October 2015).
(8)    Markey. E.J. and Waxman, H.A. (2013) Electric grid vulnerability: Industry Response Reveal Security Gapshttp://www.markey.senate.gov/imo/media/doc/Markey%20Grid%20Report_05.21.131.pdf (last accessed 15 Nov 2015)
(9)    Paganini, P. (2013) Israeli Road Control System hacked, caused Traffic jam on Haifa Highway.  Hacker News. October 28, 2013 http://thehackernews.com/2013/10/israeli-road-control-system-hacked.html (last accessed 29 Nov 2015)
(10)    Prince, B. (2014) Almost 70 Percent of Critical Infrastructure Companies Breached in Last 12 Months: Survey.  Security Week, July 14th.  http://www.securityweek.com/almost-70-percent-critical-infrastructure-companies-breached-last-12-months-survey
(11)    Reilly, S. (2015) Records: Energy Department struck by cyber attacks, USA Today, Sept 11th. http://www.usatoday.com/story/news/2015/09/09/cyber-attacks-doe-energy/71929786/
(12)    The Center for the Study of the Presidency and Congress (2014) Securing the U.S. Electric Grid.  Washington DC https://www.thepresidency.org/sites/default/files/Final%20Grid%20Report_0.pdf (last accessed 15 Nov 2015)
(13)    Goodman, M. (2015) Future Crimes: A Journey to the Dark Side of Technology – and How to Survive It.  Bantam Press, New York.
(14)    Krebs (2012) FBI: Smart Meter Hacks Likely to Spread, April 9th, Krebs on Security. http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/ (last accessed 21 Sept 2015)
(15)    Leitner, T. and Capitanini, L. (2014) New Hacking Threat Could Impact Traffic Systems. NBC Chicago. http://www.nbcchicago.com/investigations/series/inside-the-new-hacking-threat/New-Hacking-Threat-Could-Impact-Traffic-Systems-282235431.html (last accessed 19 Oct 2015)
(16)    Cerrudo, C. (2014) Hacking US (and UK, Australia, France, etc.) Traffic Control Systems, IOActive Blog, April 30th 2014 http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html (last accessed 12 Oct 2015)
(17)    Greenburg, A. (2015) Hackers Remotely Kill a Jeep on the Highway—With Me in It.  Wired 21st July 2015. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ (last accessed 16th Oct 2015)
(18)    Vijayan, J. (2014) With the Internet of Things, smart buildings pose big risk. Computer World, May 13th. http://www.computerworld.com/article/2489343/security0/with-the-internet-of-things–smart-buildings-pose-big-risk.html (last accessed 13 Nov 2015)
(19)    Cerrudo, C. (2015) An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks. Securing Smart Cities, http://securingsmartcities.org/wp-content/uploads/2015/05/CitiesWideOpenToCyberAttacks.pdf (last accessed 12 October 2015).
(20)    Brewster, T. (2014) Smart or stupid: will our cities of the future be easier to hack?  The Guardian, May 21st.  http://www.theguardian.com/cities/2014/may/21/smart-cities-future-stupid-hack-terrorism-watchdogs (last accessed 21 Nov 2015)
(21)    Cox, J. (2014) This Website Streams Camera Footage from Users Who Didn’t Change Their Password.  Motherboard, Oct 31st. http://motherboard.vice.com/read/this-website-streams-camera-footage-from-users-who-didnt-change-their-password (last accessed 22 Nov 2015)
(22)    Rainie, L., Anders, J. and Connolly, J. (2014) Cyber Attacks Likely to Increase.  Digital Life in 2025, Pew Research Center.  http://www.pewinternet.org/files/2014/10/PI_FutureofCyberattacks_102914_pdf.pdf (last accessed 19 Oct 2015)