Ever since research into packet switching started in the early 1960s, the evolution of the internet has been a steady force pushing the world into ever deeper realms of connectivity. Smartphones and tablets provide a window view of what lies ahead, as the internet penetrates into every corner of our living spaces and utilities. We are at the dawn of – ‘The Internet of Things’. The IoT combined with the power of data analytics and cloud computing fuels the ability to infuse intelligence into every dimension of our environment, hence giving rise to ‘smart cities’. IBM calls an intelligent city a data environment with instrumented, interconnected and intelligent (IN3) components. However, such a paradigm shift is fraught with peril. As the end points of information gathering fly out of control, the challenges involved in balancing privacy and security with service delivery are immense.
The risks of advanced technology without appropriate attention to secure communication channels have already manifested in a big way. The sophistication of the 2007 cyberattacks on Estonia crippled organizations ranging from the Estonian Parliament, banks, ministries, newspapers, and broadcasters. The incident triggered a number of military organizations around the world to reconsider the importance of network security to modern military doctrine. This was in 2007. Consider the damage that could be unleashed on a world where communicating devices power every aspect of living.
The nature of the cyber threats to a smart city could be internal, external or even environmental. The Estonia attacks were mostly denial of service (DOS) based, achieved through methods like ping floods from botnets usually used for spam distribution. In a successful DOS attack on a smart city, all billing and payment transactions could be brought to a complete standstill. Another type of attack a smart city can anticipate is a ‘Watering Hole’ attack. In this kind of attack, a frequented website called the watering hole is identified and infiltrated with malware. However, in a smart city, attacks from hackers are just the tip of the iceberg. The now iconic Edward Snowden is hailed as a whistleblower who lifted the veil on American espionage. Nevertheless, he is also an exemplification of internal attacks which may implode from within organizations tasked with being the custodians of sensitive information. Furthermore, in an environment where transmission of data across networks is central to the functioning of the city, the impact of a sustained power outage due to a natural disaster would be devastating. Thus, a comprehensive security policy must entail not only electronic security, but also extend to emergency management and distributing network topology.
Broadly, the kernel of security concerns for any computing environment must cover three general areas:
- The privacy and confidentiality of information
- The integrity and authenticity of information
- The availability of information
Consider, for example, the case of instrumented transportation. According to market intelligence firm Allied Business Intelligence (ABI), 60% of cars worldwide will have connected capabilities by 2017. On-Board Diagnostic Computers (OBD) like event data recorders and GPS navigation systems can be used to record speed, vehicle status, location, etc. Most modern OBD can be easily compromised using simple Bluetooth dongles for external monitoring. Tracking automobile information makes homes more susceptible to burglary, drivers more vulnerable to stalking, etc. The usage and visibility of information collected from event data recorders are also subject to privacy concerns. Legally, this data is bound within the control of the vehicle owner. Consider the question of whether manufacturers should be allowed to use EDR data in court cases against their vehicles. General Motors controversially proposed to share its monitoring data with related third parties to offer maintenance and other services. GM has since withdrawn the proposal; however the take home is really quite transparent. Corporate liability for the privacy of data must figure prominently in policy and regulation dialogue of the Indian Smart City Initiative.
Bisinfotech spoke exclusively with Mr. Dinesh Chand Sharma, Director of Standardization for SESEI (Seconded European Standardization Expert in India). ‘When you talk about one vertical, the security is integrated into it. For every solution or every product, security is built in,’ said Mr. Sharma. However, he also emphasized the need for stakeholders to come together in order to stay ahead in the arms race against hackers whose intelligence grows with the environment around them. ‘Now, what we need to make sure is the holistic approach. When you connect all these dots under a horizontal solution, you have to make sure under an umbrella there is a security solution. For cyber security, we need an umbrella policy.’
A manifestation of this umbrella policy is government restriction on import, regulation on features and products before they enter the network. Aanad Bankar, General Manager of UTStarcom Sales comments on the organization’s commitment to the government’s policies – ‘There is a huge penalty of about Rs 50 crore for any instance of any malfunction or malware entering your network.’ In addition, UTStarcom will also assist in growing the number of public WiFi hotspots in the country. ‘WiFi has multiple levels of security,’ said Mr. Bankar. There are sim-based customers and non-sim based customers. A sim based customer normally gets authenticated through the same system that a mobile customer gets through. For a non-sim based customer authentication happens through mobile number, credit card or some other gateway. So a KYC (Know your customer) route is always taken before you take a non-sim based customer on board.’
The writing is quite clearly on the wall. With the dazzling potential of the IoT, the urge to march onwards retrofitting our cities to connected hubs, is undeniable. However, a note of caution is in order. Unregulated development will leave our cities open to attacks on the fifth dimension of warfare. The Estonians will testify to as much.