Govciooutlook

New tsunami of vulnerabilities heading toward the smart city evolution.

By Michael T. Dent, CISO, Fairfax County Government

Michael T. Dent, CISO, Fairfax County Government

Let common sense be your guide.

21st century cyber security means more than Enterprise network security. In recent years SCADA Operational Systems have been integrated with IT networks to improve convenient access to SCADA information, sadly the OT systems have little to no built-in security to help defend against the threats and malware that reside within the IT Enterprise networks.

“When are the manufacturers going to be held accountable for rushing to market the next latest and greatest technology without certifying to a risk assessment”
 
As more SCADA like systems are provisioned in cities, think Internet of Things (IoT) more thought has to be given to developing a skill-set that becomes deeply familiar with the evolving threat model of the city. How do the combination of existing SCADA systems such as Traffic Signals, in combination with advanced smart vehicles, create a perfect storm scenario for existing vulnerabilities. What is the fallback plan when these systems are suffering a successful cyber-attack? Can there be a less smart fail-over option? Is it now critically important for smart city governments to mothball the old CISO role model where one person is constantly arguing for compliance with best practices, one voice often not heard until major incident occurs and begin to appropriately focus the government’s responsibility toward empowering the CISO with a Cyber Emergency Response Team comprised of multiple person with multiple cyber security and technology skill sets, i.e., traffic signals, smart vehicles, IoT, OT, IT, etc.
 
All the disciplines that have been applied to IT Enterprise security must now also be applied to the new technology components being provisioned in today's Smart City. With all the breaches that have recently occurred it appears that common sense has been thrown to the wayside as these critical business leaders are more focused on the conveniences of remote access and less stress on their operators using the technology. It is a reality and an unfortunate sign of the times that we would take the risk of these critical systems and open them up to external threats all for the sake of making it easier for an engineer to login from unknown sources just so they would not have to come into the plant to check an alarm.

Please do not think I am saying secure remote access cannot be obtained, that's the problem, as soon as a business leader with responsibility over these systems decides, they can cut budget with less onsite support, the faster they press the for the quick and easy access. When pressed to employ Two Factor Authentication, they balk as now any savings they envisioned would go to securing the remote access. So they complain to elected officials, or IT Leadership that security is yet again stonewalling their ability to advance their endeavor, their ability to streamline, etc.

It seems an everyday occurrence now that we hear about a new cyber-attack against an enterprise system. This growing number of threats and attacks you would think make the business leaders turn security into a priority. However, having recently attended a major conference hosted by a very large IT consulting firm, and largely underwhelmed to hear their VP of research say that everyone has been compromised, that everyone should just plan for that inevitable compromise, I was less than mildly enthusiastic that he would say anything about how the world should demand better of our technology manufacturers or that we should strive to push our business contacts to pursue only proven secure systems. That flash of brilliance never did arrive! So we are destined to only be prepared for the hack that is certain to get us. As with SCADA, all data that you are entrusted with should be treated as sensitive unless otherwise noted at time the data is turned over to you, via citizen portal or on forms that ask us for SSN's, dates of birth etc.

In an article released earlier this week, it was reported that an estimated 900 CCTV cameras were turned into a botnet and essentially caused a denial of service to its over 1 million customers. The cameras were from multiple manufactures and proves the point that those companies all had little to no security built into their products. As with the majority of the IoT and critical systems, if we as professionals and private citizens do not start requiring better standard security practices and configurations from the manufactures/vendors for the sake of convenience then getting hack will be a reality we have to live with.  

Lack of common sense or complacency with technology, “as is” when delivered to customers today means we have given up the fight or desire to ensure we perform due diligence when it comes to securing the technology. Simple tasks, such as applying basic security principles like; Least Privileged, Two Factor Authentication, Changing Default Administrative Accounts configured in new technology should be considered the standard not the above and beyond. We shouldn’t be sitting back accepting statements like: “We have all been hacked, get used to it,” or from a recent article regarding traffic light vulnerabilities in the Nation’s Capital an official from Department of Transportation(DDOT) stated: “50 of 1,650 D.C. traffic controlled intersections have the wireless technology,” that allowed a security researcher to change lights. If someone with a laptop can change the lights with no authentication or challenge, who do you think can do the same, at what time would they want to do it to cause mass confusion etc.

How much more of this goes on in our world of the IoT? Are users aware that for convenience they by default are giving up their rights to privacy in a lot of cases? When a user buys a “smart home appliance, a smart anything for that matter, are they aware of the manufacture’s default phone home configurations”? Are we not going to make it a responsibility of these manufactures to stop this risky bad practice? When are the manufacturers going to be held accountable for rushing to market the next latest and greatest technology without certifying to a risk assessment?

Common sense says this should be a no brainer and that with the IoTs and smart city initiatives, manufacturers have a responsibility to sell quality, secure solutions. Common sense says the consumer or customers of these solutions should educate themselves to the level they feel they can accept the risks associated with the solutions that are on the market. As a business or government, when we are entrusted with data from those we serve, we have a duty to use common sense and to challenge the manufacturers and vendors to apply best practices and security measures to protect and mitigate the risks.

Read Also

Empowering the Public Sector and the People

Empowering the Public Sector and the People

Tanya Acevedo, CIO, Travis County
Creating a Cloud Culture

Creating a Cloud Culture

Gary Barlet, CIO, USPS OIG
Security of Cloud Solutions

Security of Cloud Solutions

Mike Maier, CIO, Certified Security Officer, CTO, City of Fort Lauderdale
Reigning the Cloud in a High-Velocity Digital World

Reigning the Cloud in a High-Velocity Digital World

Srikanth Karra, CIO, Jefferson County Commission