[BSL2024] From Buzzword to Battlefield The Cybersecurity Challenges Smart Cities - Marina Bochenkova

BSides Lisbon · 27:24 · 413 views · Published 2024-11
About this talk
From Buzzword to Battlefield: The Cybersecurity Challenges of Smart Cities

“Smart City” has been a trendy buzzphrase used by politicians, city planners, and tech companies for over a decade now — but no one can fully agree on what it means. As a result, there exists no standardized, universal framework for planning, designing, building, or securing them. Shiny promises of Smart City futures gloss over stakeholder management, supply chain risks, human hazards, and data management.

Downtime and damages in municipalities due to cyberattacks regularly make the news, but we focus primarily on securing and recovering IT systems. Smart Cities by nature use a combination of IT and OT systems but have no established or holistic approach for managing overlapping risks to both. The consequences to security from public, private, academic, and individual involvement in Smart City planning and implementation go unexamined.

Smart Cities present a ubiquitous and unique combination of risks which must be comprehensively assessed in order to improve procedural and operational security, reliability, and resilience. By reframing our understanding of what Smart Cities are, we can use and integrate pre-existing actionable strategies to prepare and defend against threats ranging from pandemics to nation-state attacks. As politically motivated cyberattacks expand in reach and collateral radius, we need to prepare our cities for when they become the next battlefield.

This talk aims to expand our definition of Smart Cities, detail the data, human, and technological risks that they face; show what a secure Smart City might look like; and share resources on how to get there.

About the Speaker: Marina wears many hats as a cybersecurity analyst focusing on digital forensics, incident response, and OT security, while also dabbling in security awareness and culture. She combines a passion for protecting people, a strong belief in digital privacy as a human right, and an overly-enthusiastic approach to problem-solving. When not defending digital spaces, Marina actively nurtures her already-unhealthy obsession with cats and resorts to baking or martial arts when desperate.

Transcript [en]

Hi everyone. I appreciate you all being here today, and I hope that you hear something that is both interesting and useful, preferably both. I know this isn't a common cyber security topic, but, uh, it's something that I care about. So, a short introduction about me, if I can, there you go. So my name is Marina and I'm a digital forensics investigator and incident responder at a biotech company headquartered in Amsterdam. Nothing I'm talking about today is related to my work; this is just something I do in my free time because I like it, uh, which should tell you something about the state of my social life. But if I do happen to have time for hobbies, I usually spend it stalking my neighbor's cats, because my apartment is too small to have one, uh, or kickboxing.

So the first, all right, two screens, this is fun. Um, so to be honest, I did have some trouble with this presentation, because there are so many cyber security risks that, uh, if I were to just go and kind of contextualize and explain them all, it would take over an hour, which we don't have, and I wouldn't be able to listen to that presentation either. Uh, but if I were to just give you a summary, that would end up with me reading you a list off of a slide, and you would be sitting in the audience thinking, this could have been an email. So, uh, what I'm going to do instead is just look at two threads. Uh, I'm going to start with defining smart cities as I'm using it today, and then I'm going to walk you through sort of two possible attack paths, uh, as well as examples of things that have already happened. And my goal is to show you the interconnected and overlapping risks that smart cities face that we don't address enough.

So, smart cities. I know we don't like raising our hands, but has everyone heard the term smart city? All right, cool. Well, there are a couple of definitions. The original term was intelligent cities, but that one was scrapped because the marketing department thought that intelligent seemed elitist, uh, so they moved to smart, which is more user focused and user friendly. So, uh, the intelligent definition, it focused very much on technology but not enough on people, in my opinion. And then you also have, uh, definitions that focus on the community and social and political aspects of smart cities, but again, in my opinion, those don't focus enough on the impact and consequences of technology. So I made my own, which is that a smart city is an urban territory that uses ubiquitous IT and OT to digitize, as well as stakeholder partnerships, sorry, to digitize and improve its running, its efficiency. So the reason that this definition is so broad is because smart cities are where a lot of IT and OT overlaps, um, and we also have the competing stakeholders that bring their own assets to smart cities, so a risk that affects one of them can affect them all.

Now, I know, I know this is a cyber security conference, but I want us to start with a creative exercise. So imagine for a moment that you're a terrorist. Bear with me. Imagine your name is Pete, I don't know. So, uh, imagine you're a terrorist named Pete and you want to launch an attack on Amsterdam because you just really hate tulips. So if you're Pete the terrorist and you're planning an attack on Amsterdam, what kind of information do you think you would need? What would be most helpful? Is it A, the, uh, MAC addresses and movement of every single smartphone in an area? Is it the name and contact information of every single Dutch police officer, including those undercover? Or is it C, the quality and location of every underground cable and the metro and Amsterdam, uh, rail lines in the city? Well, the good news is you have option D, which is all of the above.

And this is the first thread that I want to pull on, which is data. Smart cities run on data of all kinds, collected by many different parties, processed by many different parties, and also stored in different places. Amsterdam, where I live, has a long-running open data project. It has everything you might want to know about a city, including things that you probably didn't. Uh, so for instance, you can find every single bridge, uh, they're all tagged and registered, and there's over a thousand of them, apparently. You can also find every tree, not sure why you would need to do that. Uh, if you're a history buff, you can see the location of every single bomb that was dropped by, you know, during World War II. And then we've got useful stuff. So we have, for example, the parking availability in real time for locations and garages. Uh, you also have public transportation information, you've got housing and construction plans, and these are the things that you would use in a smart city application, uh, or for your own, you know, business and personal decision making.

But then we have things that, if you have a hacker mindset, raise some eyebrows. So for example, you can find, within each block of the city, what kinds of underground cables there are, how long they are, what's the quantity and quality of them. And you can also see a map that highlights every single metro and rail section, which includes the length, where they stop and start, all the switches, all the intersections. And as a regular citizen, there's no need for me to know any of that. It's just available all the time, and you could probably request it if you're doing a construction project or you're an engineer, but a motivated threat actor could probably use that information in a variety of creative ways.

And, you know, this idea of misuse isn't purely theoretical. In the 2010s, Amsterdam held an app development competition where developers could use this information, this open data, to build applications to improve the lives of residents and citizens. So someone did, you know, useful things like a public toilet finder, but then someone else triangulated the data of street lighting, the most expensive houses, and their distance from police stations to build an app that would show you the best places to rob. It's been scrubbed from the internet, so don't, you know, don't try looking for it. But, you know, these are just a few data points, and there's so much more information available, and Pete the terrorist can misuse this data, as we've already seen.

But what about stuff that isn't open to the public, like information about people? For instance, last September the Dutch police was hacked by an identified but undisclosed nation state actor. This isn't a purely municipal or, you know, city issue, because in the Netherlands the Dutch police is nationally managed, and then they have, uh, you know, stations in all the different cities. So this was a sort of global hack, but it's still a smart city issue, because, including in Amsterdam, there have been a lot of projects focusing on the security and safety of citizens that use IoT, like, you know, crowd and device tracking. They use CCTV footage, they use police databases, they send, you know, real-time information and data analyses to the police so that then they can go more quickly respond to crimes. So there is a strong connection there. Uh, and we don't know if the nation state actor was a friend of Pete's, but if one group could do it, uh, they stole all the Outlook data for every single Dutch police employee, including, like I said, undercover officers, but also Dutch government employees from different agencies who just cooperated with the police, then it's really likely that someone else can do that too, and take something else as well.

But Pete the terrorist doesn't even necessarily need to hack an IT system himself to get something useful. He could just wait for that information to be leaked due to a, you know, poorly configured database or bad access control policies or even an insider threat, all of which happened during COVID. So in one case, a couple of employees who had access to the Dutch corona testing and tracking system knowingly, uh, sold, they leaked and sold the information of thousands of Dutch people that were registered there. Uh, in another case, uh, an access control misconfiguration at a different municipal health service, uh, ended up with every employee in the entire company having access to every record of every person in the database. That's not great. Linda from HR doesn't need to know what my COVID test is. And then someone else, a security researcher, discovered a database of a testing company, this private company, containing, it was on the internet, there was no password, and it contained the data of over a million people, not just, uh, Dutch people but also tourists and visitors as well. And after being notified, it took them 3 weeks to take it down, and it was just chilling. So these were all insider threats, either accidental or malicious, no outside help needed. Pete could theoretically just, you know, take his Bitcoin wallet and go online shopping on dark web breach forums.

And if we take all of these actual incidents and, you know, potential techniques and tactics, and then we combine that with the complication of data ownership issues in different stakeholders, we get another, just one attack path with more invasive consequences. So there's a company in the Netherlands that manages several thousand car parks, tens of thousands of, uh, traffic lights, smart ones, and more than half a million smart lamp posts all across the Netherlands. Now, it sold these devices to the cities, so the municipalities own the hardware, but they don't own the data, which is owned by the company and is about city residents and their movements. Oftentimes the city doesn't even get access to the data, because the company owns it and doesn't want to share for competitive reasons. These traffic sensors and smart lamp posts can do things like track your phone's MAC address even if you're not connected to city Wi-Fi. Uh, no one's asked or warned about this, it just happens. Uh, if you happen to have Wi-Fi enabled, your phone will just send out bursts of packets and it'll be collected by the smart lamp posts. That data is then collected and stored by this private company, and because it owns it, it could theoretically, you know, sell it to third-party advertisers or data brokers or even Pete the terrorist masquerading as one of them. It's anonymized, but if you take that and you can combine that data with all of these linked databases and others, then it's really ARB to de-anonymize.

So that's a possible attack path, and it's just one, and that's the problem, is that there's much more open data, there are many more leaks of private and public companies, sorry, organizations, and it's, you know, you just spend a few hours thinking about all the ways you can abuse that, and if you're, you know, well funded like Pete happens to be, there's a lot that you can do with that. It's just one possible way. I'm really thirsty and I left my water bottle, so would have been a good point. Um, I don't know what happened here, I'm missing a few slides.

But okay, cool, we're just rolling with it. So, um, that's enough. Another thing that Pete the terrorist could abuse is water. Oh Lord, sorry about that, guys, I don't know what happened here. But yeah, um, in an OT environment, at the lowest level you have sensors and you have actuators. And sensors are the things that sort of, they passively monitor things and they send all sorts of data to something else, um, that then sends it on forwards, and there's more complicated layers on top of that, but sensors and actuators are the things that actually interact with an industrial process or environment. Um, so an actuator, you know, a sensor in a water management system, for instance, will monitor the water pressure, water temperature, quality, whereas an actuator is the thing that does stuff. So it will, you know, in a parking garage, for example, it will raise and lift the barrier, or in a water management system it will open and close pipes, just as an example.

And OT hardware is designed to be resilient and redundant, so it's supposed to run for 30 years without needing to be replaced and survive impact, temperature changes, physical damage. But this often means that critical facilities are running really old hardware that can't support software that is secure, uh, or reliable, because they just physically can't support it. So also, due to low latency requirements, protocols used in industrial control environments often use plaintext communications, uh, and those can be eavesdropped, literally dropped, or even modified in transit. And within a closed bubble this is fine, um, but the problem is that smart cities like to create internet connections and external facing, you know, external interfaces, and, oh, thank you, very sweet. Um, so suddenly you have industrial devices that are finding themselves increasingly open to threats that IT devices face, but with even less protection. And vendors tend to be, as we've heard, vendors tend to be slow to respond to these vulnerabilities, because it costs money to secure your hardware and software, and customers aren't really asking for it unless they themselves need to be compliant with standards or regulations that require it.

So without staff at these facilities that are properly trained in security, uh, glaring issues can go unnoticed for extended periods of time. For instance, in early 2021, Florida suffered a cyber attack on one of their, they've had many, but this was one on a water treatment plant, where somebody discovered a long-forgotten TeamViewer installation and used it to change the sodium hydroxide levels in water. If you drink sodium hydroxide, you will die. Uh, luckily a plant employee noticed the on-screen activity and he changed the levels immediately, stopped the attack, everything was fine. But that initial access point was already there for 6 months, and if this weren't a script kiddie but, you know, an advanced persistent threat, they could have done things like disable reporting or, you know, reconfigured the network or done something else to actually cause harm to people.

As another example, Israel has suffered multiple really clearly politically motivated attacks over the years. Uh, almost always these are OT devices, like human machine interfaces or programmable logic controllers, that are open to the internet using default passwords, sometimes even no passwords. Um, and no one knows, you know, no one knows that this is an issue. Like, these groups are undertrained, these facilities are underfunded, understaffed, so they're just there. Uh, and irrigation systems, that's this picture, were damaged by a politically motivated group. Uh, there, pop-ups, got to love them. Um, and then there was a different, so this incident actually physically damaged irrigation systems, so farmers were no longer able to use them and they had to manually water their crops. Uh, in another instance, uh, this one was also stopped, but attackers tried to change chlorine levels. If you drink chlorine too, I mean it's a gas, but you'll die, so don't do that either. Um, this one was also stopped, so no one was hurt, but again we have really two close calls on critical infrastructure that power smart cities, that's a focus of smart city projects.

But, so, we've seen that Pete the terrorist has his pick of vulnerable devices that can be remotely accessed, but we just saw in the last thread that external threats aren't the only things that we have to worry about. And we had an incident in Amsterdam almost exactly a year ago, actually, during Hurricane Ciarán, where, so, some context: the Netherlands, like, a good third of the country should be completely underwater. Like, where I live, Amsterdam, is below sea level. Uh, so the Dutch have this really, really cool system of huge floodgates that, you know, open and close to keep the cities from drowning. And what happened was, during Hurricane Ciarán, um, an employee noticed that water levels were too high, and what happened was that a computer glitch turned the control for those floodgates from automatic to manual. So instead of the sensors detecting rising water levels, that being sent to actuators that would then close the gates themselves, they were waiting for human input. And this control center is miles away from Amsterdam, so nobody knew that this was an issue. Um, but what ended up happening was, after a few hours, you know, someone noticed, they checked it out, they saw that the gates were wide open, and then they closed them. And by the time that was done, the water in the canals of the entire city had risen by over 30 cm, which is billions of extra liters of water.

Again, this was a close call, and they've added some additional technical and human measures to improve monitoring and response, but if one guy hadn't noticed, where I live would have been totally flooded, and that's kind of scary. And the Netherlands is in a good position here, because we have a lot of trained, educated cyber security staff, we've had a really strong community and presence there. Many of these other centers, they don't have the knowledge to be aware of these kinds of issues and then also do something about them. They're understaffed, underfunded, sometimes they're blocked from the right information resources because of language barriers, or they just don't know where to look. And with the huge cyber security workforce gap, it's not going to be hard to find multiple weak links, and they're not prepared to deal with an advanced persistent threat like Pete.

And these examples, they're just the ones that we know about. There's probably others that aren't reported in our usual media sources or languages, uh, there's probably others that just haven't been reported, and then there's still others that just haven't been noticed. So, uh, I didn't talk about the connection to smart wearables. Um, I also didn't talk about, you know, internet-connected medical devices or the wild west that is smart home technologies. I also didn't talk about all the IoT devices that you can find on Shodan, or how Chinese-sponsored attackers have regularly infiltrated US energy infrastructure in companies, or how significantly more people die in hospitals that are hit by ransomware. There's a lot to talk about when it comes to smart city insecurity.

As you've seen, it's not just the vulnerabilities in individual devices or systems but the interconnections between them. They can cause unexpected ripple effects, they can have unintended consequences, and threat actors like Pete the terrorist aside, there's so much potential for things to go wrong unintentionally that also have serious consequences. The whole point of smart cities is to make people's lives better, so we need to talk about these risks. We need to have skilled professionals that know how to build secure systems and keep them that way. We need to have people in discussions, making decisions, that understand these risks and also care about them, because if we don't, we put people at risk.

Uh, I don't want to just give you all insomnia about the impending apocalypse, I mean, maybe a little bit, but my point here is to bring awareness and also share some resources. So what can we do as end users of smart cities? Let me give you three starting points. The first is that you can talk to people, so friends, neighbors, countrymen, uh, other work colleagues. You can reach out to your own city and ask them what they do, if they have any problems. Uh, if you do bug bounties, this might be a good chance to apply some pressure. Uh, if you have a social media presence, you could share incidents, vulnerabilities, and also helpful resources. And it's true that your sternly worded email to an IoT manufacturer about data security practices isn't going to radically change anything, but if we as a community do nothing, we will change nothing.

We also have had efforts to sort of standardize smart city architectures and have some frameworks. So for instance, NIST and friends have created, uh, technical guidelines for smart city implementations that look at the different sectors you'd find. Um, you have the cyber security agencies of the Five Eyes nations, they've made some best practices for securing IT and OT as well as their overlaps. And you've also got ENISA, they have a cool interactive risk assessment tool and, uh, IoT in smart cities best practices framework, and you can access that with an EU login.

And lastly, if you want to learn about OT security, there are some great places to start. So CISA in the US has made a bunch of introductory ICS training available completely for free, you just sign up with a business or academic email. Uh, Dragos has an OT-CERT that shares different resources each month. And the legendary Robert M. Lee has a really great list, if you're going to photograph any QR code, do that one, because he's got a really great list of different resources, different trainings, conferences that you can attend and learn more about to get involved.

So I don't have a social media or blog, because I'm tired, but this is my LinkedIn. Now that I've had you scan some QR codes, um, you can reach out to me there. I will be very happy to answer messages, get connections, and please also find me afterwards if you want to talk more about this. I'd really love to connect, and yeah, I like talking about it, I like listening and learning about it, so please find me afterwards. Uh, with that, I'd like to end on this practical note by sharing some resources. I'd like to thank you for your attendance and your attention, and answer questions if there are any.