Is identity critical in the quest to make smart cities safe?

Cybersecurity for the IoT is the name of the game

Smart city

Anyone who's read the predictions for the Internet of Things – namely that there will be 25 billion connected things by 2020 – might be forgiven for thinking that the floodgates have opened.

In New York, floodgates are the very reason why many in the IT industry are giving the smart city idea a rethink after it became public that the Bowman Avenue Dam in Rye Brook, New York state, was attacked by hackers in Iran back in 2013.

Nothing serious happened – they took control of the floodgates by hacking into industry-standard software used in many embedded systems, but caused no damage. But it was too close.

NASA servers and drone systems were accessed by hacktivist group AnonSec, and the smartest, most IoT-saturated cities on the planet – among them Santander in Spain, NYC, Songdo in South Korea, Hong Kong and Tokyo – are rated as the most vulnerable, too.

It's likely that in the future hackers, hacktivists and terrorists may be tempted not only to cause a major incident in a city, but to compromise the emergency services' ability to cope with it. And all that by hacking into connected lights, RFID tags, traffic control systems, smart meters and smart parking systems.

Could smart city transport systems be open to hackers
Could smart city transport systems be open to hackers? (Image Credit: Transport for London)

Critical infrastructure under attack

"Public infrastructure will always be a highly attractive target for criminals and terrorists," says Simon Moffatt, EMEA Director, Advanced Customer Engineering, ForgeRock. He suggests that a hacker could access a city's traffic flow system to turn all of the traffic lights around the city centre to red during rush hour, while simultaneously interfering with all local radio stations to prevent drivers being warned.

"The entire city could become gridlocked in minutes … not only would this cost the city money from a productivity perspective, but it also means the emergency services cannot get to call-outs quickly, potentially costing lives," he says. Hacked electricity grids, gas pipes, water infrastructure, traffic systems or public transport could cost billions and cripple cities. So how do we make the smart city safe?

All about connectivity

Until now, the IoT has been all about connectivity; making one thing talk to another. The ways IoT devices talk to each other changes from project to project – from Bluetooth and Wi-Fi to Sigfox and low-power ultra wide-band radio – but the devices themselves remain relatively dumb.

"Giving objects such as televisions, light bulbs and thermostats network connectivity was a huge technical achievement," says Moffatt. However the stakes are being raised.

"Attackers are getting bolder and coordinating their efforts," says David Goeckeler, Senior Vice President and General Manager, Security Business Group, Cisco. "The industrialisation of hacking is putting businesses on the defensive against a growing group of adversaries that steal information for profit."

So great are the rewards from getting new 'things' on the IoT that one crucial feature has been overlooked in the rush: identifying which devices are talking to each other.

Should smart city platforms use identity management tech
Should smart city platforms use identity management tech?

Giving the smart city an identity

Digital identity management tech is trying to create an IoT system where all the devices within it are identifiable. Hackers can get into a system via an unguarded IoT device's power source, sensors, actuators, local storage, CPU or wireless connectivity, and for the most part, embedded systems collect data and analyse it without knowing exactly which data comes from which sensor or device.

However, if you know exactly where data is coming from, down to individual IoT devices, it's much easier to make the system safe. "Identity is key to smart cities because it provides a means to understand where potential threats are coming from," says Moffatt, whose company offers the open source ForgeRock Identity Platform. "If a device can be identified, it becomes that much easier to confirm that the data it is generating is genuine and can be trusted."