by Eliza Both, Editor, Council magazine
All around us in our cities, from the trains we take to the electricity in our home to the traffic lights on our street, smart technology is helping us live better. But with technology playing a bigger role in our lives than ever before, identifying system weaknesses and planning for cyber threats is critical to the resilience of our cities.
According to the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report July 2019 to June 2020, cyber security issues are estimated to cost the Australian economy up to $29 billion each year.
Following numerous high profile cyber-attacks across the world in recent years – such as the major fuel pipeline cyber attack in the US where Colonial Pipeline paid a hacker $4.4 million in ransom, and the June 2020 cyber attack on Australian business, infrastructure, utilities, educational facilities and government at all levels – it’s clear that cyber security is a crucial issue at the moment.
But it seems that hackers are one step ahead, with cyber security professionals often unaware of a potential attack until it happens. So what can we do to mitigate these types of attacks as our cities continue to become more technologically advanced?
Researchers at the University of Macquarie are tackling this exact issue with the help of a new smart city simulator, which will allow the team at the Department of Computing to run mock cyber attacks to find the best ways to protect our cities and vital assets from malicious threats.
Council magazine spoke with cyber security expert, Dr. Alireza Jolfaei, about how the smart city simulator works and why we need to prioritise cyber security in our ever-evolving cities.
Under a Next Generation Technologies Fund’s Defence Research Accelerator program named D.Start, Dr. Jolfaei is working on the development of security mechanisms for smart water systems to stop hackers from disrupting water supply and wastewater systems, as well as recovery programs that help water facilities return to normal operations as soon as possible following a breach.
Why do we need to defend our smart cities?
“Cybersecurity should be a top priority for smart city leaders. Australia and its cities are just as vulnerable as any developed nation to cyber-attacks that can shut them down,” Dr. Jolfaei told Council magazine.
“We are living in a world entwined with the internet, to the coming age of automation and big data, where almost everything is networked and connected by making use of a wide variety of Internet of Things (IoT) devices for sensing and actuation.
“As technology continues to evolve, the opportunities and challenges it provides will grow.”
Dr. Jolfaei said that it is hard for anyone to imagine our society without the utilities we enjoy, like electricity, water and gas, or without other essential services like agriculture and food distribution systems, all of which are interconnected in complex ways.
These services are connected both physically and through technology, which supports the operation of this critical infrastructure and these assets.
However, Dr. Jolfaei said that these technological connections can present an opportunity for criminals to target our essential services digitally.
“Our reliance on automation makes single points of failure that can have intense consequences if directed at power stations, communication networks, transport and other utilities,” Dr. Jolfaei said.
“This provides cybercriminals with malicious goals in mind with more opportunities to run cyber-attacks against smart cities and disrupt essential services, which could be motivated by personal reasons, financial gains, social or political gains, espionage, or intellectual challenges.”
Worst case scenario
To understand why cyber attacks are a critical threat to our society, we first need to understand how our smart cities work, as well as how and why hackers target our smart technology.
“The operation of our smart cities mostly relies on the use of Supervisory Controls and Data Acquisition (SCADA) systems which use communications protocols designed for the exchange of control messages on industrial networks,” Dr. Jolfaei explained.
“Over the past three decades, several hundred of these protocols have been developed for serial, LAN, and WAN-based communications in a wide variety of industries including transportation systems, electrical generation/distribution, and water supply/waste management systems.
“Modbus is the most widely used SCADA Protocol, which was initially developed to maintain the system reliability without having a security mindset. Modbus has no security or encryption features, so it can easily be sniffed and modified on the fly.”
Dr. Jolfaei said that the security gaps in the SCADA systems we use make many of our critical assets vulnerable to cyber attacks, with our power and water utilities a major point of concern. This isn’t just a perceived threat: these attacks are happening across the world each day, resulting in real and damaging consequences.
“A real concern is the resilience of our critical infrastructure that is under a serious threat. Take an example of the current COVID-19 situation where people have gone so crazy about toilet paper. What would happen if our water supply is compromised and impacted? Do we have that level of trust in our water infrastructure? How long would it take to restore that trust?
“What would happen if our energy supply is being targeted and there is no electricity for running factories, no operations in hospitals?
“From the hacking of the dam control system in Florida to Iranians targeting and poisoning the chlorine level of Israeli water supply, these are real events that are taking place.”
While little is known about who hackers are and why they target certain cities, what is clear are some of the most common steps they take to bring down systems.
Dr. Jolfaei said that hackers often target the low-hanging fruit with the aim of creating the largest impact on an operating system and causing an adverse economic impact.
“Hackers’ mindset usually follows a predictable series of steps: reconnaissance/information gathering; scanning/vulnerability identification; exploitation; and maintaining access/covering tracks.
“While these steps are often followed linearly, they can also be more cyclic in nature, as hackers may engage in further reconnaissance or scanning after attempting many failed exploits.”
Dr. Jolfaei said that there are a few systems of concern in our smart cities where hackers may take advantage of weaknesses to launch attacks, including our telecommunications networks, emergency alert programs, healthcare databases, as well as our transportation systems.
“There are lots of interdependencies between our critical infrastructure and the supporting telecommunications network which are not currently well understood.
“This leaves our cities vulnerable to more attack surfaces which could be used by hackers and cyber criminals to create damage or a major disruption,” Dr. Jolfaei said.
“Some of the cybersecurity risks for smart cities are falsified emergency alerts (bushfire, COVID alert, flood), loss of personal privacy due to the use of smart micro-services in healthcare, transportation, and smart traffic signals (traffic jams, traffic safety hazards).”
Identifying these vulnerable points is the first step in preparing, planning and defending against cyber attacks, and ensuring our smart infrastructure and assets are able to withstand and recover from attacks as soon as possible.
Planning, preparing and defending against attack
Understanding how and why cyber attacks occur allows cyber security experts to safely test vulnerabilities and prepare our critical infrastructure to deal with these threats.
Macquarie University Department of Computing’s new smart city model aims to provide experts with a safe environment to demonstrate how smart cities can be affected by hackers, what kind of impact an attack may have, as well as provide experts with ways to mitigate these threats to ensure our cities can recover and remain resilient.
With the use of white-hat hackers – authorised professionals whose job it is to legally break into an organisation’s computers and devices to test its defences – the Department of Computing’s cybersecurity lab is able to run mock hacking scenarios on a model of a smart city to test defences against cyber attacks.
“Using our smart city models in a controlled environment, we provide a platform to demonstrate how cyber attacks could happen in a smart city, what the physical impact of a cyber attack would be, and how we can detect and mitigate attacks to uplift the security and maintain the operational resilience,” Dr. Jolfaei explained.
“Our smart city model includes various districts such as rail network and railroad switch, road network and traffic signalling, water system, electricity network, and satellite communications.
“Through these models, we will look into various cyber security issues within industrial automation and control systems. Industrial automation and control systems are everywhere in our modern society.”
Dr. Jolfaei explained that these control systems can be located all across our cities, from traffic lights, rail networks and power systems, to our water treatment plants – all services where the consequences would be disastrous if they were taken down by hackers.
Dr. Jolfaei added that with more and more automation and connection across control systems in recent years, more of our assets are vulnerable to cyber attacks than ever before.
“In the last couple of years, the industrial control systems have been linked to the internet where normally they have not been, so it means they are exposed to cyber attacks.
“If people were to hack into these control systems it means that they can control them, they can monitor them and see what is happening, and then they can actually come in and turn things on and off.”
For Dr. Jolfaei and the team at Macquarie University, identifying and detecting vulnerabilities in systems and understanding how hackers operate is integral to their work, and the new smart city model provides a safe way to test real-life scenarios.
“Here at Macquarie University, we look into securing these systems against cyber attacks. We are looking for vulnerabilities in the systems. We want to find out what the hackers can do to the systems so we can understand what the extent of our exposure is.
“Once we have gained a good knowledge of what they can do, we study how we can detect that they have penetrated into the system and that they have started to change the system.”
With the use of intrusion detection systems, the team is able to look for suspicious activity in numerous different scenarios. This helps the department to design and develop systems that are better secured against potential attacks.
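As an added illustration (not code from Macquarie University or from this article), the Python sketch below parses Modbus/TCP frames, showing that the protocol carries no authentication or integrity field, as Dr. Jolfaei noted earlier, and applies the kind of rule an intrusion detection system might use: raise an alert on malformed frames and on write requests from hosts that are not on an allowlist. The addresses, the allowlist and the sample frames are constructed for the example.

```python
import struct

# Modbus function codes that change device state (writes).
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame: 7-byte MBAP header, then function code and data."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header and function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError("protocol identifier is not 0 (Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    # Nothing else remains to parse: the frame carries no credential,
    # MAC or signature, so the device cannot tell who sent the request.
    return {"transaction": transaction, "unit": unit,
            "function": frame[7], "data": frame[8:]}

def check_frame(src_ip: str, frame: bytes, allowed_writers: set):
    """Return an alert string for a suspicious frame, or None if it passes."""
    try:
        adu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"ALERT malformed frame from {src_ip}: {exc}"
    name = WRITE_CODES.get(adu["function"])
    if name and src_ip not in allowed_writers:
        return f"ALERT {name} to unit {adu['unit']} from unlisted host {src_ip}"
    return None

# Constructed sample data (hypothetical addresses, not from the article).
# The source IP comes from the network layer and is itself spoofable, so
# this rule complements, and does not replace, network segmentation.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLES = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),   # read registers
    ("10.0.0.5", bytes.fromhex("0002000000060106001000ff")),   # write, listed host
    ("10.0.0.77", bytes.fromhex("0003000000060106001000ff")),  # write, unlisted host
    ("10.0.0.77", bytes.fromhex("00040000000601")),            # truncated frame
]

def run_samples():
    return [check_frame(ip, frame, ALLOWED_WRITERS) for ip, frame in SAMPLES]

if __name__ == "__main__":
    for alert in run_samples():
        print(alert or "ok")
```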
“We will consider various attack scenarios such as spoofing, ARP poisoning, denial of service attacks, rail network and railroad switch, road network and traffic signalling, water system, electricity network, and satellite communications,” Dr. Jolfaei explained.
“It is likely that many of our water, power, rail and traffic systems currently harbour lurking hackers who are waiting for an opportunity to strike.
“Our smart city model within Macquarie University’s cybersecurity lab will let us explore not just how cyber attacks could happen in a smart city, but also what the physical impact of these cyber attacks would be.”
Making cyber security a top priority
With so much of our everyday lives being improved by automation and smart technology, it’s essential that governments and organisations at all levels take the steps to ensure their systems are protected against cyber threats, and are able to withstand and recover from attacks.
Dr. Jolfaei emphasised the importance of cyber security, saying that it should be a top priority for smart city leaders, and warned that Australian cities are just as vulnerable to hackers as anyone else.
It is up to leaders and place makers to set the standard in cyber security and support our cyber security experts to safeguard our essential infrastructure and assets.
“As the digital world becomes increasingly connected, it is no longer possible for infrastructure owners and operators to remain agnostic in the face of evolving cyber threats,” Dr. Jolfaei said.
“We need to actively monitor the evolving landscape and revisit our standards and policies regarding the safety and security in our smart cities.
“Australia and its cities are just as vulnerable as any developed nation to cyber-attacks that can shut them down. Targets are everywhere. It is likely that many of our water, power, rail and traffic systems are currently being targeted by hackers who are waiting for an opportunity to strike.
“Ultimately, we need to continue to support and train cybersecurity experts and make sure their skills are deployed widely. Being able to understand and predict the actions of our opponents and install self-defence mechanisms to guard against these, is the key to protecting our smart cities.”