Last month India’s largest container port JNPT was hit by a malware attack that crippled the operations of one of its terminals. After the problem was resolved, the port has initiated steps, including a special IT audit and staff training by a Big 4 consultancy firm, to prevent cyber-attacks in future.
“The state government has also asked for cyber support from Indian Computer Emergency Response Team (CERT-in), the national team for cyber security. The additional manpower will be helpful to find solution. We are trying to shift some work to manual as we need to streamline the ships and their scheduled arrival, stay and departure,” Brijesh Singh, Maharashtra state cyber cell chief, said.
The attack not only exposed the vulnerability of our cyber infrastructure, but it also highlighted the lack of trained manpower to handle such incidents.
As the government is working to create 100 smart cities, there are some uncomfortable questions that needs to be answered by the authorities.
According to Stephan Neumeier, managing director of Kaspersky Lab Asia Pacific: “Countries like India are developing so fast, it opens the doors for more cyber-attacks,“
What will happen when there is a cyber-attack? Do we have enough trained personnel to handle such crisis? Is our police system well-equipped to handle cyber security threats? Who is responsible when a smart city crashes? How well prepared are the city administration to respond to any kind of emergency situation? These are the questions that require detailed scrutiny before we move towards creating smart cities.
Internet of (Insecure) Things
While technology can be used to safeguard our cities, technology itself can be a security nightmare. The fact that everything from traffic lights to public transport, from power plants to water supply go on the internet, there is a catastrophic risk. For example two months back someone used mobile phone to run porn clips on the display board at Rajiv Chowk metro station. The incident may seem like a prank by some nasty mind but hackers will find any vulnerability to tap into and the risk can be greater. In 2008, a 14-year-old Polish student hacked into the Lodz tram system with a modified TV remote and derailed four trams and injured 12 people.
Another example was when Ukraine suffered power cuts during Christmas in 2015, following a series of cyber-attacks on three local energy companies. The hackers were suspected to be from Russia and their identity remains unclear. Another serious example is when hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras, eight days before President Trump’s inauguration, forcing major citywide reinstallation efforts. The ransomware attack left police cameras unable to record between Jan 12 and Jan 15 and affected 123 of 187 net-work video recorders in a closed-circuit TV system for public spaces across the city. Such incidents can have serious political implications, especially when the hacker is from a rival nation.
This makes for an instructive case study illustrating the multifaceted nature of today’s cyber-attacks, and the vulnerability of organisations and cities. Even a hacked traffic control system can turn the city into chaos. Cities across the world are facing such attacks.
With technology, even nature of crime is changing and getting digital. Thieves can walk away with an ATM’s stash by just a laptop and some wiring and a hole in the ATM and such incidents are already happening in across Russia and Europe. Connected devices and internet has exposed the city infrastructure and services to new set of security threats which are lurking in the cyberspace, right from international hackers and terrorist organizations.
A report out by Cyber Security Ventures predicts that global annual cybercrime costs will grow to $6 trillion by 2021 which includes destruction and theft of data, stolen money, lost productivity, theft of intellectual property, fraud, damage of infra-structure data.
One of the most notorious case is the distributed denial of service (DDoS) attack on DNS services supplier Dyn last October that hijacked IoT devices to temporarily shut down popular web services, including AirBnB, Amazon Web Services, Netflix and Zendesk. The recent ransomware attack which affected 123 countries including India, just exposed our vulnerability. And stakes are higher.
Reportedly, the Blackberrys clothing brand has fallen prey to a ransomware attack. The company’s servers were hacked by the attackers, who demanded Rs 25 lakh to be paid in Bitcoins.
Hackers can tamper with traffic control systems, smart street lighting, city management systems that control work orders or other facilities, public transportation, cameras, smart grids, wireless sensors that control waste and water management or mobile and cloud networks, according to a report from Cesar Cerrudo, chief technology officer of the Seattle-based security company IOActive Labs and cyber security expert.
This all may look at a remote possibility but the vulnerability cannot be ruled out. Imagine a situation in which hackers take out the smart grid and demand a ransom in return for restoring power or stop our water supply. Last year, a Chinese hacking group was caught infiltrating a water control system for a US municipality.
“Security problems in cities are real and are current. Cities and governments around the world have to get their act together. Governments are not enforcing cyber security in many ways. Vendors don’t have any reason to provide more secure solutions because governments do not test the security. They just have a checklist and believe whatever the vendors say,” Cerrudo added.
Globally government are investing in technology to protect the cities from such high tech threats. For Example Australian government announced the launch of its AU$730 million “Next Generation” Technologies Fund to incubate “creative solutions” to protect the nation from new threats. India also require to invest in future technology as our cities are going online. We have to ensure that our infrastructure is safeguarded against the possible threat. Cities need cyber security leadership to do vulnerability assessment and incident response planning. Lack of security standard for the vendors are exposing our city infra-structure and public services to huge security risk.
The Smart city concept note highlights a smart grid to be resilient to cyber-attacks and the government has already pro-posed a National Cyber Coordination Centre. Some initiatives are taken in this direction. National Cyber Safety and Security Standards has been started with a vision to safeguard the nation from the current threats in the cyberspace, and to prevent cyber-crimes.
One of the main ingredient for safety is city surveillance. Our cities are vulnerable to multiple risk of terror attack, increasing crime rates, rising incidents of crime against women and various communal clashes and social unrest. According to Anand Navani, country manager, Verint Systems, a company providing video intelligence solutions “technology can be a key enabler in making our cities safe. Modernisation of police force and enabling them to have access to latest technologies will go a long way to increase the efficiency of the whole system in smart city,” says Navani.
Verint Systems has collaboration with Surat, Pune and Mumbai. “All of these projects aim at providing CCTV coverage at critical points across the city with trained officials stationed at a centralised command control centre to view and analyse data collected. Then they can implement their analysis on a real time basis, not only to punish criminals but also to prevent future crime,” says Navani.
According to a report ‘Role of Surveillance in Securing Cities’, released by the Smart Cities Council, “Indian video surveillance industry is expected to grow at 13 per cent from 2016-2022. Apart from Mumbai, other cities like Pune and Surat, Nagpur, Bhubaneswar and Jaipur are already installing CCTV camera for effective city surveillance and are adopting a command and control system. However, security experts claim that just installing cameras are not enough. The cities still has a long way to go, so far security planning is concerned. There is still no coherent blueprint for surveillance and there is lack of unified vision for the emergency response system in case of any possible threat. Cities require smart analytic which can use the real time data to give timely warning to the concerned authorities.
“Cities have a shortage of workers with security skills as well as inadequate budgets, training, and resources to help workers develop these skills. And investing in security is a money well spent. Private investor will invest only when the city is safe. A safe city in itself is an important parameter of investor’s confidence for long term,” Nanvani added.
It is important to ensure that our infrastructure is secure, surveillance is effective and there is an action plan in place in case of a cyber-attack. Security audit is a must. For safer cities, every stakeholder, which includes many government departments, police, emergency response system and citizens must work in sync. Cities need to develop emergency plans and trained professionals to handle such crisis, otherwise these smart cities will turn dumb in the course of time.