
From Buzzword To Battlefield: The Cybersecurity Challenges Of Smart Cities - Marina Bochenkova

BSides Prague · 29:02 · 276 views · Published 2025-04

Thank you, Martin, for the introduction. So, I'm trying something new. I know it's always a good idea to push to production before testing, but I noticed that the Q&As are generally a little quiet, so I wanted to just make this QR code. Um, in case anyone has any questions during the presentation, uh, you can either scan that or if you're paranoid, uh, you can go to that website and then input the code and that should join this session. So without further ado, um, thank you very much to BSides Prague for having me today. Uh, and also for planning the conference during spring because like the weather here is honestly amazing. I think this has been

great. Um, a very short introduction about me. My name is Marina Bochenkova. I live in Amsterdam. I'm a digital forensics investigator and incident responder at a biotech company. So, nothing I do in this talk is at all related to or endorsed by my employer. This is just something I do in my free time because I'm interested uh and I don't have a social life. So, to start, uh, can we get a show of hands for people who have heard the buzz term smart city? Cool. Leave your hand up if you're confident you know what it means. All right, we've lost a few. That's fair. The original term was intelligent cities which was pioneered by this MIT professor who really saw a

technological utopia and private companies and and their devices would send us into the future and AI was going to be there too. Um, that term was scrapped by the marketing department in favor of smart because intelligent seems elitist whereas smart seems more user focused and user-friendly and there's not really an official standardized agreed upon term. Every government or academic paper or other marketing department kind of creates their own. So uh I did too. My definition is a smart city is an urban territory that uses ubiquitous IT and OT as well as stakeholder partnerships to digitize and improve its functioning. And the reason this definition is so long is because smart cities are a convergence of variable

hardware and software and variable stakeholders, which means that they're also a convergence of all the risks they individually bring to the table. So, there's a lot to talk about when it comes to smart city cyber insecurity. We're not going to go through everything; you deserve to have a social life. So, instead, what I'm going to do is use Amsterdam, where I live, as an example for why this is something we need to address. I'm going to use actual real incidents that have happened and build on top of those with future potential attack paths. So, uh we will start by looking at public sector initiatives, how those overlap with private companies and their interests and then how those make

themselves known in the personal sphere. So, kind of going from general to to more specific. But first, I know we're tired. It's been a long day. We've had a lot of great sessions. Um, probably, you know, the coffee, the caffeine has worn off at this point. We're all ready to go home. But I want to wrap up with a creative exercise. So, imagine for a moment that you in the audience are a terrorist. Bear with me for a moment. Let's say theoretically your name is Pete and um you Pete the terrorist wants to launch an attack on Amsterdam because you just really hate tulips. So as Pete the terrorist launching an attack on Amsterdam, you

need to gather data and intelligence to plan your attack. Luckily the city can help you with that. Amsterdam is a smart city pioneer. Uh, and they've had a long-running open data project from way back, like early 2000s, I think, was when it started. And, uh, you can find lots of stuff on there. For instance, did you know that every single bridge in the whole city is marked and tagged and named? You can find them on a map. You can also find every tree on a map if that's your thing. And uh if you're a history buff, then you can see cool historical facts like where every bomb was dropped during World War II. Then you have more useful information

like the real-time availability of parking garages or housing construction plans in different areas. And these are things that a smart city app developer would use to make an application that you know residents or visitors could use. This is information that you might use for business strategy or personal decision making. But then we have things that if you have a hacker mindset lead to some raised eyebrows. For example, you can see every single underground cable in all the different uh hectares in the city. So you can see the quality, you can see the quantity, you can see where there are and how many. And um this is helpful, you know, if you're planning a construction project of some

sort, but I don't know why I, as a regular citizen, would need to see this. You can also see the metro and tram rails for the whole city. So, this gives you all the intersections, where they stop and start, uh all the switches, all the intersections. Um, again, if you're an engineer, you're planning a construction project and you need to dig some of these up, it's important for you to know what to do, but this information is just there all the time. And uh, there's way more like there's there's way more than this. And um, it's available very freely, which is good. Like we want to have information sharing. We want to be able to know

what's happening in our cities. We want to be able to improve upon that, but but I mean it's a little sketchy. And uh this concern of misusing open data isn't theoretical. Uh back in the 2010s, Amsterdam used to hold a development competition where people could use this open data to create applications. Uh, and then they get tested and, you know, they get rated. And somebody did something, you know, useful like there was a public toilet finder that came out of that. But then someone else triangulated open data about public street lighting, the most expensive houses, and their distance from police stations to show you the best places to rob. So, uh, that's my city, but it just so

happens that Prague also has an open data project. And Pete, you know, he's not just a terrorist, he's a world traveler. So, if Pete wants to replicate this kind of attack or, you know, wants to do something in Prague besides sightseeing, uh, what does he need to do for that? So, step one, he needs to speak Czech because like honest to God, none of my translators could deal with any of these open data portals. It was such a pain. Um, but I'm I'm sure he's you know, we say like a persistent threat for a reason. Um, but you know, security by obscurity aside, uh, Prague has a lot of similar open data. So you can see things

like housing statistics, you can see metro exits, you can see water quality. Um, again like really useful stuff. But for someone like Pete, this gives him knowledge. This gives him insight about what areas he could target and in what way. And Prague, for example, takes data from uh third party applications as well, such as Waze, the transportation app. That way it can track traffic congestion and people's movements. It also takes data from hospitals and ambulances to track things like wait times and treatment lengths. And it takes data from schools as well to track things like school attendance, how many kids are going uh or repairs in the schools. So there's a lot of transparency, but it gets a

little concerning um when you look at that with nefarious goals. And this data sharing overlap brings me to my next point which is which is kind of a data ownership problem. So you have a lot of organizations working together to improve life, which is great. We love it. But um again when we think of smart cities as a convergence of different factors, different players, these are all organizations that also have their own vulnerabilities. They maybe have their own bad security practices. They may be using insecure things in their tech stack. They may be using, you know, outdated modules or libraries in their software development. like they all they all bring their own basket of of baggage

essentially and there's kind of no way to detect or deal with that on a large scale just you know as an obvious example there are 23 different data contributors just for Prague so this includes governments uh both national and municipal this includes private companies both local and foreign and yeah it's kind of it's kind of a great melting pot. You've also got NGOs as well contributing. You've got academic institutions. So, everyone's kind of doing their part to create over I think it's almost 400 different data sets. That's that's what we have. And what I found interesting is that at the center of pretty much every single smart city project is this one company, Operator ICT. And um this is a private

company. It's a joint stock company, uh, but it's primarily owned by the municipality. So it does have restrictions on what it can do, where it can operate, which is good, but it is, you know, it's still it's still a private company, so it's like it's kind of it's kind of blurry. And um their plan is to kind of transform life in Prague. And their last financial report that was available was for 2023 and they talked about all the things that they're planning to do which is um like they want to create a platform for startups and entrepreneurs and businesses lots of commercial entities so that they can connect and exchange and I guess I don't

know transfer funds or make deals or things. Um they've also created uh a you know citizen-facing portal where you can do things like pay for your municipal waste. 10 minutes already. Okay, cool. I don't know where that happened, but um yeah. So um they're they're really at the center of everything basically. That's the point. And uh the the con you know nothing bad has happened yet but um it could and having this centralized vulnerability this one point of entry into all of these different organizations is less than ideal. So that's what we can do with open data. What about private data like about people for instance? So um last we'll go back to the Netherlands for a

moment. Last September, the Dutch police got hacked by an identified but undisclosed nation state actor and they exfiltrated uh the Outlook data all of the Outlook data for every single employee which included undercover officers and Dutch government employees that worked with them. So it was it was bad. And um this isn't purely a municipal issue. was kind of another overlap this time between government, local government and municip national government because the Dutch police are nationally managed and just have stations in all the cities. Um, and the the police officers are citizens as well. They're residents of those cities and they they have lots of projects in Amsterdam for instance. There have been many projects that use data collected by

IoT devices. They send them to the police for processing analysis and oftentimes response uh in relation to crowd control security things like that. So we don't know if you know this actor was a friend of Pete's but if they could do it probably someone else could too. But he doesn't even need to you know hack a system himself. He could just wait for you know these uh this data to become available like through a database misconfiguration or access control issue or even an inside threat. Theoretically not so theoretically all of this happened during COVID. So in one case uh a couple of employees knowingly stole and leaked the personal information of thousands of Dutch people

mostly celebrities. They went and sold this online uh in the same the same organization. A different access control misconfiguration allowed every employee uh to see every record of every person registered in the Corona track and trace system. Not great. Linda from HR doesn't need to know my COVID status. It also had device information to track the spread of Corona. So, it had your MAC address. That had other stuff as well for your smartphone. And uh the last example is a breach from a private company where a security researcher found a database open to the internet, no password, just chilling with the COVID health data of a million people which didn't just include residents. This was

tourists from abroad as well. Uh, and it took them three weeks to take it down after being notified. Again, not great. And these were all inside threats, either accidental or malicious. No outside help needed. Pete could theoretically just take his Bitcoin wallet and go shopping on dark web breach forums. So far, we've been focusing on IT systems. So, we'll talk briefly about OT. Uh, we heard yesterday in the SCADA exploit talk about you know why OT is designed a little differently. So it needs to withstand different stressors than IT does. So what it gains in uh physical longevity and endurance it loses in software vulnerability and fragility. So in an effort to modernize facilities and operations, more and more plants are

connecting devices like programmable logic controllers or human machine interfaces to the internet without really thinking about securing them. So for example um kind of connecting that to the data ownership issue. Dutch energy providers in the Netherlands have applications that their customers can use to track their energy data. For a long time, these were completely unauthenticated, meaning that all you had to do, all Pete had to do was download the app, input a postcode and house number, and then he could see almost in real time the energy usage of a building. This has been fixed eventually, but you know, and it doesn't seem like it has a a bad impact on a large scale, but again, if you're

planning an attack, if you want to cause harm, if you want to make impact, then it's helpful for you to know who's home. You want to know which population, like which areas are more densely populated, where are there going to be more people? And unlike IT, which is becoming more nebulous and distant as we move to the cloud, OT actually interacts with the world around us. So we have sensors that uh passively detect impulses or environmental conditions, convert that to a digital value that can be processed and then whatever the result of that gets sent to an actuator that then makes an action, does something in the world and Operator ICT has uh done many

projects like for RFID or sensor enabled municipal waste. Um they've also built the platform for the Prague transportation system so that you can pay. And um the the this idea of uh interacting with the world brings me to my next point which is uh also in Amsterdam. So a good third of the Netherlands is actually fake land. It's been reclaimed and it should be underwater. So the Dutch have a cool system of floodgates that keep the cities from drowning. And uh these floodgates operate, you know, by themselves. So they detect the they have sensors that tell them the water levels and then that gets sent to actuators that automatically close the floodgates. At least that's what's supposed to

happen. But about a year and a half ago during Hurricane Ciarán, this control changed from automatic to manual. So, while we were having this giant storm, the sensors were detecting water levels that were rising. They weren't sending like they were sending that on, but the the floodgates weren't reacting because they were waiting for human input. So, the control center for this is miles away from Amsterdam. So, nobody could see that this was an issue. It was one guy that noticed that water levels were way too high to be explained by rainfall. So he went and checked the gates for Amsterdam, saw that all of them were wide open to the sea, just letting in water. And by the time it was

closed in a few hours, the water in the 75 km of canals in the city had risen by over 30 cm, which is billions of liters of extra water. And if it weren't for this one guy, if he were sick, if it was someone new, if there was something else, then my city would have been totally flooded. And uh it was a mistake. Like this this was a computer glitch. This wasn't this wasn't a threat actor. This was an accident. And since then, they've added more human and technical measures like extra training and cameras and things like that so that this doesn't happen again. But it was possible for a long time. And it took a

near miss to notice and fix it. So, uh, this this is another risk that's unique to smart cities is this overlap of IT and OT because when something threatens one environment, not only can it affect the other, but it can have an impact in the real world. According to Waterfall Security, there were 70 cyber attacks last year that resulted in physical damage in OT environments, and there were over a thousand that affected operations in general. A thousand. The year before it was 412. Attacking OT environments isn't a temporary trend. We see nation state actors investing more and more into offensive operations against critical infrastructure. We see more malware being developed that's ICS and OT specific. So, not only is this threat

vector not going away, it's actually getting worse. For example, something that, you know, we can do as a create event. So, this is where we build on top of existing incidents to throw a potential attack path. There's a company in the Netherlands that manages several thousand car parks, uh like thousands of uh traffic lights, smart traffic lights, and over half a million sensors, you know, street lamps, smart street lamps all over the Netherlands, and it sold all of this to municipalities. So the cities own the hardware, but the cities don't own the data, which is about city residents and their movements. So these devices, again, they track your MAC address and smartphone movement, even if

you aren't connected to city Wi-Fi. No one's asked about this. Nobody knows. It just happens. And the cities often don't get access to the data because the company doesn't want to share for competitive reasons. And as the owner of that collected data, it could theoretically take it and I don't know sell it to third party advertisers or data brokers or even Pete the terrorist registered as one of these. And even though it's anonymized, when we put it together with all these other data points that we've just gotten from open data, from leaked databases, it's pretty arbitrary to bypass. So if we go back to our smart city definition, we can see how overlapping risks

exacerbate vulnerabilities. Just makes things worse. And then we have the next frontier of the smart city dream which is invading your personal space. Uh and this I don't know this is just a personal pet peeve but this this pervasiveness of tiny computers and internet connected devices in all aspects of our lives whether we need them or not it just it ends up creating an even larger attack surface for actors like Pete the terrorist. Although I have the feeling that in this room the number is lower. The average household has 21 internet connected devices which ranges from I don't know cameras and routers to smart TVs and smart plugs all of which are are vulnerable to various things. I even saw

a smart like a Wi-Fi stove one time but I I didn't get to do anything with it. But even printers and baby monitors and smart watches like the one I'm wearing right now, they're all vulnerable to remote code execution, buffer overflow attacks, denial of service, and these are things that we trust and use in our daily lives and the most personal spheres. And when we go to hospitals, for instance, this has life-or-death implications. Hospitals attacked by ransomware actually have higher mortality rates than those that don't. Like this is this is scary stuff. This has very important like very I don't know like life or death consequences. So just like with operational technology. Did I get cut out? Oh, okay.

Oh, we're back. Just like with OT, IoT is not designed to do the things it's supposed to do in a cyber secure or resilient manner. And we heard uh in a great talk today, also one yesterday about IoT hacking, IoT vulnerabilities. Uh and when we're looking at the big picture, we can see how all of this compounds. So just, you know, I didn't call this Buzzword to Battlefield for the clickbait of it, although it does sound kind of good. Um, but it's because we have increasing numbers of attacks against increasingly delicate, complicated systems with increasingly severe consequences. And we need to start acting now. Like the the topic of this conference is looking, you know,

looking at the future. What is the future going to hold? It's not great if we don't start working on this. So, we no longer have airbags between homes and businesses and industrial contexts. Security isn't we don't have perimeters anymore. Like, it's just it's just a mess. So, what do we what do we do about it? Um, if the whole point of smart cities is to improve people's lives, how do we make sure that like whatever this is doesn't happen? So, I think that I'm just skipping stuff. I think that for starters, it's important to start having these conversations in all spheres of life because smart city affects all spheres of life. And I don't just mean

when talking to vendors or governments or, you know, other colleagues or co-workers that you work with on a regular basis. I mean also bringing this message to friends and family and I don't know, Linda from HR who might not be aware of all of this. I also personally think that uh cyber security and IT education in schools starting from an early age will have a strong impact uh to get people interested, get people aware. As a society, we don't care enough about our data or what happens to it until someone like Pete does something with it. So there are also some initiatives in the Netherlands. So you have uh Cyberbrain which is an organization that

targets at risk youth to prevent them from getting into cyber crime. You also have HackShield which is partnering with municipalities to bring cyber security educational games into schools. So I don't know maybe you wherever you live you also have local initiatives if you want to get involved see if you can volunteer see if you can be a mentor see if you can do something. So additionally strongly encouraging manufacturers to build secure devices and companies to build secure infrastructure I think is good. You know we can support them on their cyber security roadmap with education and grants and things like that but they're not motivated to uh go along that cyber security road map unless the

consequences for willful non-compliance actually hurt. Oftentimes it's just easier to pay a privacy violation fine than it is to redesign a product or service. So I hope that I've made clear why smart city security is something that we need to redefine and address on a large scale as a community. Uh I also hope you know maybe I've encouraged some of you to have your own thoughts or discussions on the topic. If you want to share any of those with me, this is my LinkedIn. Um, please, yeah, please add me. Please find me there. I'd be happy to connect. I'm also, you know, still around and at the afterparty. So, if you want to talk more, I'm happy to. I

promise I don't bite or scratch, unlike any of these GIF subjects. Uh, and also, if you'd like any of the sources that I've used in my research, there are a bunch that didn't make it into the presentation. So, I'm happy to share all of that as well. So with that, I'd like to thank you all for your attention and um I don't think we have time for questions, so my uh yeah, my thing was a little useless, but yeah, thank you so much for your time. It was really great to be here.