Upload
merryl-ross
View
214
Download
1
Embed Size (px)
Citation preview
1
Cybersecurity and Privacy Issues Facing Smart Cities
Challenges and Policy Responses
Nir KshetriUniversity of North Carolina—Greensboro
Cyber Infrastructure Protection Conference (CIP’15)
October 15, 2015Cyber Infrastructure Protection Conference (CIP’15)
Cyber Infrastructure Protection Conference (CIP’15)
2
What is SC?Involves the use of tech. to gather/analyze data
and take actions: enhance efficiency and improve the quality of life (HL Chronicle of Data Protection 2015).
IHS: narrow definition: Cities that deploy (or are piloting) the integration of
ICT solutions across at least three functional areas: mobile/transport energy/sustainability physical infrastructure governance safety/security
21 SCs in 201388 or more by 2025 (ihs.com, 2014).
Cyber Infrastructure Protection Conference (CIP’15)
3
Smart cities as a global phenomenon
2025: 58% of the world's population in cities. South Korea: plan to build about 15 U-Cities:
New Songdo City: built from scratch. China: plans for 103 SCs, districts and towns. India: plans to build 100 SCs. Saudi Arabia: investing US$70b to smartize
cities. Singapore, Hong Kong, Dubai, and European
countries: efforts to introduce SCs.Japan: u-Japan since 2004. Global SC market: US$1.6t in 2020.
Cyber Infrastructure Protection Conference (CIP’15)
4
CS issues not adequately addressed 2013: U.K.'s Department of Business, Enterprise
and Skills (BIS): privacy and system integrity major barrier to SC projects
Systems: sophisticated features and functionality: high deg. of vulnerability to cyberattackscomplexityhigh degree of interconnectedness high volume of information
Infrastructures: broadband/Wi-Fi/satellite --entry point for hackers. Successfully hacked device: pivot and bypass
defense mechanisms.
Cyber Infrastructure Protection Conference (CIP’15)
5
CS in SC: low priority but increasing focus
Manufacturers of devices and systems: no adequate CS.
Cities: rigorous testing/analysis of for functionality and resistance to weather conditions: no attention to CS
Cyberattacks serious consequences and outcomes
Malware and worms capable of causing a physical damage
CS spending growing Pike Research: CS spending on smart cities
$1.3b in 2015
Cyber Infrastructure Protection Conference (CIP’15)
6
CS issues: physical damage
Malware/worms: target Industrial Control Systems (ICS)
Stuxnet: centrifuges to overspin/self-destruct. Operators console: falsely showed normal
parameters/values. Duqu: looked for useful info to attack ICS. Flame: searched for drawings, specifications, and
other technical details about systems. Recorded audio, screenshots, keyboard activity,
network traffic. Capability: recording Skype conversationsInfected computers into Bluetooth-- download
contact information from Bluetooth-enabled devices.
Cyber Infrastructure Protection Conference (CIP’15)
7
CS issues: physical damage
BlackEnergy: targeting ICS exploited by Stuxnet.Shamoon: wiped out the hard drives of 30k
computers85% of Armco’s devices. Tried to attack oil and gas flow networks: disrupt
international supplies. Spread to other computers: exploit shared hard drives.
2014: Germany's Federal Office for Information Security (BSI): hackers caused physical damage to a steel plant. Spear-phishing and social engineering: gain access to
network-- subsequently penetrated production network.
Cyber Infrastructure Protection Conference (CIP’15)
8
IoT botnetsAttractive targets for IoT botnets. First attack involving IoT: a botnet > 100k devices
Sent over 750k spam during Dec. 23, 2013-Jan. 6, 2014.
Break into automatic doors heating and lighting systems vending machines, cameras security alarms WiFi router boxes entertainment gadgets smart TVs
Easy to have access to broader networks (e.g., corporate networks).
Cyber Infrastructure Protection Conference (CIP’15)
9
Building automation systems (BAS)BAS: “centralized, interlinked, networks of hardware
and software, which monitor and control the environment in commercial, industrial, and institutional facilities”. > 15k BAS in the U.S. accessible via the Internet 9% have CS vulnerabilities.
Permanently available, no security, rarely patched. Attractive for botnet operators, cybercriminals, insiders.
Incorporated into networks: easy to penetrate. Successful attack: penetrate other devices and
computers. Attacks coming from inside the network: trusted/ignored
Cyber Infrastructure Protection Conference (CIP’15)
10
Energy management systems and building management software
DHS: 2013, hackers targeted EMS. EMS connected to networks and to the Internet
Automate lighting, heating and air conditioning. Can unlock doors and turn off lights.
Temp. changed by 5-6 degrees: computers cannot process transactions at normal rate. Can damage data centers by turning up heat.
2012: vulnerabilities in Tridium Niagara software. Open garage gate/front door.Penetrate into corporate network.
2012: exploited Tridium vulnerabilities at least twice. NJ manufacturing co.: system was accessible from the
Internet. A state government facility: temperature settings changed.
Cyber Infrastructure Protection Conference (CIP’15)
11
Cybercrimes targeting peopleMonitor residents’ movement and create profiles:
sold in underground markets. China: database containing specific type of information:
> US$1,500 on the black market. Criminals charge clients: US$1,500-US$150,000
Private investigation Illegal debt collection Asset investigation Kidnapping
Vehicles and people as sensors. Information not available: trustworthiness of the
receivers. People acting as sensors: adverse consequences if
information is misused
Cyber Infrastructure Protection Conference (CIP’15)
12
Privacy issues Surveillance and dataveillance (tracking the trails
created by a person's activities): big brother society. NSC: a smartcard--personal key to do everything. Relational nature of activities: conjoin/combine datasets.More concerns in cities with strict cyber-control
measures. 2011: China’s plan to introduce "platform of real-time
citizen movement". Stated goal: tackle congestion by monitoring the flow of
people. Human rights activists: suppress activists. Civic societies hold positions of less power.
Brazil’s Rio de Janeiro’s attempts to smartize: drew concerns related to privacy violations from citizens.
Cyber Infrastructure Protection Conference (CIP’15)
13
Average cybercrimes vs. attacks on SC Av. Cybercrimes Cyberattacks targeting SC
Seriousness of threats
Mostly low level of seriousness
Low to high levels of seriousness including existential threats.
Likely perpetrators
Mainly cybercriminals Cybercriminals, terrorists and adversary governments
Modus operandi of perpetrators
Relatively older virus, malware and worms and social engineering tools.
Relatively newer virus, malware and worms such as IoT botnet and BAS botnet.
The defenseresponses
To some extent: developed technological, behavioral and cognitive defense mechanisms.
Underdeveloped defense mechanisms
Little guidance to configure IoT
Not enough attentions from device makers, governments and organizations for security flaws.
Cyber Infrastructure Protection Conference (CIP’15)
14
BD and security/privacy in SCCharacteri
sticExplanation Privacy and security implications
in SCVolume Huge amount of data from
many sources (e.g. transactions, images, audio, voice, VoIP, video, TV sensor).
Great deal of attention from cybercriminals.
Some (e.g., transmitted by smart meters) are often high value data
Velocity (Fast Data)
Some data time-sensitive: collecting real-time data from roads/ traffic lights based on traffic volume.
High degree of reliance on real time data: calamity and severe consequences in case of data breaches or privacy violation.
Variety Data comes in multiple formats: structured and unstructured
Of special concern: PII in unstructured data.
Variability Data flows can vary greatly with periodic peaks and troughs.
May lack capabilities to securely store huge amounts of data and manage the collected data during peak data traffic.
Complexity
Data from multiple sources which require linking, matching, cleansing and transforming across systems.
Data from multiple sources (e.g., smart meters, car sensors, trash cans): easy to track residents and their actions in great and minute detail.
Cyber Infrastructure Protection Conference (CIP’15)
15
Discussion and conclusionCyberattacks on SC: deeper/more dangerous
consequences. Educate consumers: value of various categories of
information. Whose agenda and interests are served?
Data in authoritarian regimes: spying on citizens rather than providing services to residents.
Desired level of privacy of consumers. NSC: core technologies developed in the U.S. Supportive institutions: first implemented in Korea. RFID to automate tracking/monitoring: concern in the WestA research director of Palo Alto: "There is an historical
expectation of less privacy [in Korea]”.
/
Cyber Infrastructure Protection Conference (CIP’15)
16
Discussion and conclusionU-computing: controversial in the West-- privacy
concerns and widely feared as a surveillance societyKorea and other Asian nations: opportunity to attract
investment by showing off technological prowess. Technology experiences in Asia.
Strong legal protections for privacy in the EU: clear laws--how data can be collected, stored, and reusedPrivacy is a “new luxury” in Asia. Authoritarian regimes of the Gulf: surveillance and
data mining--power and control over terrorists, criminal outfits, minority groups, and migrant workers.
Cyber Infrastructure Protection Conference (CIP’15)
17
Discussion and conclusion
Heterogeneous laws/views/interests/opinions globally. Alternative SC models/utopias (e.g., centralization and
decentralization)A “one size fits all” approach: ill‐advised/ineffective. Perfectly controlled, perfectly efficient, safe SC
Taken over by computers: like a machine. Efficient but poor on privacy protection. Suitable in societies in which privacy is less of a concern. NSC: Koreans-- higher tendency to trust corporations. U.S. companies: exported u-systems for experimentation.