Page 1

Cybersecurity and Privacy Issues Facing Smart Cities

Challenges and Policy Responses

Nir Kshetri, University of North Carolina—Greensboro

Cyber Infrastructure Protection Conference (CIP’15)

October 15, 2015

Page 2

What is a smart city (SC)?
Involves the use of technology to gather and analyze data and to take actions that enhance efficiency and improve the quality of life (HL Chronicle of Data Protection 2015).
IHS narrow definition: cities that deploy (or are piloting) the integration of ICT solutions across at least three functional areas: mobile/transport, energy/sustainability, physical infrastructure, governance, safety/security.
21 SCs in 2013; 88 or more by 2025 (ihs.com, 2014).

Page 3

Smart cities as a global phenomenon
2025: 58% of the world's population in cities.
South Korea: plan to build about 15 U-Cities; New Songdo City built from scratch.
China: plans for 103 SCs, districts and towns.
India: plans to build 100 SCs.
Saudi Arabia: investing US$70b to smartize cities.
Singapore, Hong Kong, Dubai, and European countries: efforts to introduce SCs.
Japan: u-Japan since 2004.
Global SC market: US$1.6t in 2020.

Page 4

Cybersecurity (CS) issues not adequately addressed
2013: U.K.'s Department for Business, Innovation and Skills (BIS): privacy and system integrity a major barrier to SC projects.
Systems: sophisticated features and functionality bring a high degree of vulnerability to cyberattacks: complexity, high degree of interconnectedness, high volume of information.
Infrastructures: broadband/Wi-Fi/satellite links are entry points for hackers. A successfully hacked device lets an attacker pivot and bypass defense mechanisms.

Page 5

CS in SC: low priority but increasing focus
Manufacturers of devices and systems: no adequate CS.
Cities: rigorous testing/analysis for functionality and resistance to weather conditions, but no attention to CS.
Cyberattacks: serious consequences and outcomes. Malware and worms capable of causing physical damage.
CS spending growing. Pike Research: CS spending on smart cities $1.3b in 2015.

Page 6

CS issues: physical damage
Malware/worms target Industrial Control Systems (ICS).
Stuxnet: made centrifuges overspin and self-destruct while the operators' console falsely showed normal parameters/values.
Duqu: looked for useful information to attack ICS.
Flame: searched for drawings, specifications, and other technical details about systems. Recorded audio, screenshots, keyboard activity, network traffic. Capability: recording Skype conversations; turned infected computers into Bluetooth beacons to download contact information from nearby Bluetooth-enabled devices.

Page 7

CS issues: physical damage
BlackEnergy: targets ICS software, including Siemens WinCC, which Stuxnet also exploited.
Shamoon: wiped the hard drives of 30k computers, 85% of Saudi Aramco's devices. Tried to attack oil and gas flow networks to disrupt international supplies. Spread to other computers by exploiting shared drives.
2014: Germany's Federal Office for Information Security (BSI): hackers caused physical damage to a steel plant. Spear-phishing and social engineering gained access to the office network; the attackers subsequently penetrated the production network.

Page 8

IoT botnets
SC devices are attractive targets for IoT botnets. First attack involving IoT: a botnet of more than 100k devices sent over 750k spam messages between Dec. 23, 2013 and Jan. 6, 2014.
Devices broken into: automatic doors, heating and lighting systems, vending machines, cameras, security alarms, Wi-Fi router boxes, entertainment gadgets, smart TVs.
Easy to gain access to broader networks (e.g., corporate networks).

Page 9

Building automation systems (BAS)
BAS: “centralized, interlinked, networks of hardware and software, which monitor and control the environment in commercial, industrial, and institutional facilities”.
More than 15k BAS in the U.S. accessible via the Internet; 9% have CS vulnerabilities.
Permanently available, no security, rarely patched: attractive for botnet operators, cybercriminals, insiders.
Incorporated into networks: easy to penetrate. A successful attack can reach other devices and computers.
Attacks coming from inside the network: trusted/ignored.

Page 10

Energy management systems (EMS) and building management software
DHS: in 2013, hackers targeted EMS. EMS are connected to networks and to the Internet.
Automate lighting, heating and air conditioning. Can unlock doors and turn off lights.
Temperature changed by 5-6 degrees: computers cannot process transactions at the normal rate. Can damage data centers by turning up the heat.
2012: vulnerabilities in Tridium Niagara software: open a garage gate/front door; penetrate the corporate network.
2012: Tridium vulnerabilities exploited at least twice. A NJ manufacturing company: system was accessible from the Internet. A state government facility: temperature settings changed.

Page 11

Cybercrimes targeting people
Monitor residents’ movement and create profiles, sold in underground markets.
China: a database containing a specific type of information sells for more than US$1,500 on the black market. Criminals charge clients US$1,500 to US$150,000 for private investigation, illegal debt collection, asset investigation, and kidnapping.
Vehicles and people as sensors. Information not available on the trustworthiness of the receivers. People acting as sensors: adverse consequences if information is misused.

Page 12

Privacy issues
Surveillance and dataveillance (tracking the trails created by a person's activities): big brother society.
NSC (New Songdo City): a smartcard as the personal key to do everything.
Relational nature of activities: datasets can be conjoined/combined.
More concerns in cities with strict cyber-control measures. 2011: China’s plan to introduce a "platform of real-time citizen movement". Stated goal: tackle congestion by monitoring the flow of people. Human rights activists: could be used to suppress activists. Civic societies hold positions of less power.
Brazil: Rio de Janeiro’s attempts to smartize drew concerns about privacy violations from citizens.

Page 13

Average cybercrimes vs. attacks on SC
Seriousness of threats
  Average cybercrimes: mostly low level of seriousness.
  Cyberattacks targeting SC: low to high levels of seriousness, including existential threats.
Likely perpetrators
  Average cybercrimes: mainly cybercriminals.
  Cyberattacks targeting SC: cybercriminals, terrorists and adversary governments.
Modus operandi of perpetrators
  Average cybercrimes: relatively older viruses, malware, worms and social engineering tools.
  Cyberattacks targeting SC: relatively newer viruses, malware and worms such as IoT botnets and BAS botnets.
The defense/responses
  Average cybercrimes: to some extent, developed technological, behavioral and cognitive defense mechanisms.
  Cyberattacks targeting SC: underdeveloped defense mechanisms; little guidance on configuring IoT; not enough attention from device makers, governments and organizations to security flaws.

Page 14

Big data (BD) and security/privacy in SC
Volume
  Explanation: huge amount of data from many sources (e.g. transactions, images, audio, voice, VoIP, video, TV, sensors).
  Privacy and security implications in SC: great deal of attention from cybercriminals. Some data (e.g., transmitted by smart meters) are often high-value data.
Velocity (fast data)
  Explanation: some data are time-sensitive: collecting real-time data from roads/traffic lights based on traffic volume.
  Implications: high degree of reliance on real-time data: calamity and severe consequences in case of data breaches or privacy violations.
Variety
  Explanation: data comes in multiple formats: structured and unstructured.
  Implications: of special concern: PII in unstructured data.
Variability
  Explanation: data flows can vary greatly, with periodic peaks and troughs.
  Implications: may lack capabilities to securely store huge amounts of data and manage the collected data during peak data traffic.
Complexity
  Explanation: data from multiple sources require linking, matching, cleansing and transforming across systems.
  Implications: data from multiple sources (e.g., smart meters, car sensors, trash cans) make it easy to track residents and their actions in great and minute detail.
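The "complexity" row above, and the earlier point that the relational nature of activities lets datasets be conjoined, can be made concrete. The following Python is an added example, not code from the slides or from any smart-city operator: it constructs one day of hourly smart-meter reads for three pseudonymous homes and one day of transit-card taps for two pseudonymous riders, derives each home's daytime absence window from the meter load, and links each card to the single meter whose window matches the rider's first and last tap in the same zone. The meter identifiers, zones, kWh values, tap hours, the idle threshold (twice the day's minimum load) and the one-hour matching tolerance are all assumptions made for the demonstration. A coarsen_taps helper shows one mitigation (rounding published tap times down to coarse buckets) and where it stops working.

```python
"""Added example, not from the slides: linking two pseudonymised
smart-city datasets (smart-meter reads and transit-card taps) to profile a
resident. All data and thresholds below are constructed assumptions."""

DAYTIME_HOURS = range(6, 23)   # hours searched for a daytime absence


def absence_window(reads):
    """Return (depart_hour, return_hour) for the longest run of idle
    daytime hours. An hour is 'idle' when its load is at most twice the
    day's minimum (the always-on baseline: fridge, router, standby).
    Returns None if the home never looks empty."""
    baseline = min(reads)
    best = None                 # (start_hour, run_length) of the longest idle run
    run_start, run_len = None, 0
    for hour in DAYTIME_HOURS:
        if reads[hour] <= 2 * baseline:
            if run_start is None:
                run_start, run_len = hour, 0
            run_len += 1
            if best is None or run_len > best[1]:
                best = (run_start, run_len)
        else:
            run_start, run_len = None, 0
    if best is None:
        return None
    start, length = best
    return start, start + length


def link_cards_to_meters(meters, cards):
    """Link each card to the one meter (same zone) whose absence window
    brackets the rider's first and last tap of the day, with a one-hour
    tolerance. Ambiguous or unmatched cards are left out of the result."""
    windows = {m["meter"]: (m["zone"], absence_window(m["reads"])) for m in meters}
    links = {}
    for card in cards:
        first_hour, home_zone = card["taps"][0]
        last_hour, last_zone = card["taps"][-1]
        if home_zone != last_zone:
            continue                       # not a plain home-away-home day
        candidates = [
            meter for meter, (zone, win) in windows.items()
            if win is not None and zone == home_zone
            and first_hour in (win[0] - 1, win[0])   # left as the home went idle
            and last_hour in (win[1] - 1, win[1])    # back as the home woke up
        ]
        if len(candidates) == 1:
            links[card["card"]] = candidates[0]
    return links


def coarsen_taps(cards, bucket_hours):
    """Mitigation under test: round published tap hours down to coarse buckets."""
    return [
        {"card": c["card"],
         "taps": [(hour - hour % bucket_hours, zone) for hour, zone in c["taps"]]}
        for c in cards
    ]


# Constructed hourly kWh reads (index = hour of day) for three pseudonymous homes.
METERS = [
    {"meter": "M-7", "zone": "Z3",
     "reads": [0.4] * 7 + [1.2] + [0.3] * 10 + [1.5] + [1.8] * 4 + [0.6]},   # empty 08-18
    {"meter": "M-12", "zone": "Z3",
     "reads": [0.4] * 7 + [1.1, 1.0] + [0.3] * 7 + [1.4] * 6 + [0.5, 0.4]},  # empty 09-16
    {"meter": "M-3", "zone": "Z5",
     "reads": [0.4] * 7 + [1.2] + [0.3] * 10 + [1.5] + [1.8] * 4 + [0.6]},   # empty 08-18
]

# Constructed transit taps as (hour, zone) for two pseudonymous cards.
CARDS = [
    {"card": "C-42", "taps": [(7, "Z3"), (8, "Z1"), (17, "Z1"), (18, "Z3")]},
    {"card": "C-9", "taps": [(8, "Z3"), (9, "Z1"), (15, "Z1"), (16, "Z3")]},
]

if __name__ == "__main__":
    print("raw taps    ->", link_cards_to_meters(METERS, CARDS))
    print("4-hour taps ->", link_cards_to_meters(METERS, coarsen_taps(CARDS, 4)))
    print("6-hour taps ->", link_cards_to_meters(METERS, coarsen_taps(CARDS, 6)))
```

Each operator holds only pseudonyms, yet the join ties a card (which the transit operator can map to a rider) to a meter (which the utility can map to an address), reproducing a resident's home-to-commute profile from two "anonymised" feeds. Note the caveat: with 4-hour buckets one of the two riders still links, because the tolerance needed to defeat the join depends on how much households differ from each other; only 6-hour buckets break both links here. Running this kind of linkage test against a proposed open-data release is the check a city should make before publishing.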

Page 15

Discussion and conclusion
Cyberattacks on SC: deeper/more dangerous consequences.
Educate consumers about the value of various categories of information.
Whose agenda and interests are served? Data in authoritarian regimes: spying on citizens rather than providing services to residents.
Desired level of privacy of consumers. NSC: core technologies developed in the U.S.; supportive institutions: first implemented in Korea. RFID to automate tracking/monitoring: a concern in the West. A research director of Palo Alto: "There is an historical expectation of less privacy [in Korea]”.

Page 16

Discussion and conclusion
U-computing: controversial in the West: privacy concerns, widely feared as a surveillance society.
Korea and other Asian nations: opportunity to attract investment by showing off technological prowess. Technology experiences in Asia.
Strong legal protections for privacy in the EU: clear laws on how data can be collected, stored, and reused. Privacy is a “new luxury” in Asia.
Authoritarian regimes of the Gulf: surveillance and data mining for power and control over terrorists, criminal outfits, minority groups, and migrant workers.

Page 17

Discussion and conclusion
Heterogeneous laws/views/interests/opinions globally.
Alternative SC models/utopias (e.g., centralization and decentralization). A “one size fits all” approach: ill-advised/ineffective.
Perfectly controlled, perfectly efficient, safe SC: taken over by computers, like a machine. Efficient but poor on privacy protection. Suitable in societies in which privacy is less of a concern.
NSC: Koreans have a higher tendency to trust corporations. U.S. companies exported u-systems for experimentation.

Page 18

Thank you. [email protected]