Securing the Cyber City of the Future: Our Urban Infrastructure Is Now under Constant Threat of Cyberattack and a Growing Range of Disasters-Both Natural and Man-Made. Our Privacy Is under Threat from Overzealous Response. Real Places and City Services Are Vulnerable to Hackers, but We Can Protect Our Water, Power, Transportation, and Other Vital Systems

Article excerpt

On October 11, 2012, on board the USS Intrepid aircraft carrier, then--Secretary of Defense Leon Panetta warned Americans that the nation faces the prospect of a "cyber Pearl Harbor"--an attack that could come with devastating losses.

"An aggressor nation or extremist group could use ... cyber tools to gain control of critical switches to ... derail passenger trains or--even more dangerous--derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country," he said, pulling no punches. Panetta's challenge to Congress was primarily aimed at passage of new legislation to impose new cyber-security standards, but a number of experts confirmed his warnings to be far from hyperbole.

We think of cyberterrorism as a threat that affects only national governments or perhaps large corporations--a problem of "zeroes and ones" of concern only to IT departments--not as something that could affect the neighborhoods where we live and work. A wide range of databases and command centers control smart electrical grids, water purification and sewage processing plants, and nuclear power plant cooling systems. Unless these critical systems are sealed off from electronic networks, they are all vulnerable to cyberattack.

UNSEEN VULNERABILITIES

One of the biggest cyber vulnerabilities to urban infrastructure comes from the many supervisory control and data acquisition (SCADA) systems that play a critical role in infrastructure functioning around the world. These systems are used almost ubiquitously to control pipeline flows and to command power substations and electrical power flow through the grid. SCADA even performs such mundane tasks as traffic-signal timing.

Many SCADA systems operate with their original security codes, unchanged from those created by the manufacturer, and thus can be wirelessly controlled by a hacker to do pranks--or much, much worse. Recently in a mid-sized city in the United States, when a citizen advisory group asked for a review of the security on all the SCADA systems, it was found that the systems that controlled the flow of water and sewers and the timing of traffic lights were all operated via wireless SCADA equipment with rudimentary security in place.

These systems were operated by different divisions of the local government, with no independent oversight or security review. Today, all of the SCADA systems in that city are re-equipped with sophisticated new security codes. An independent consultant, under the supervision of a single technology-savvy agency, reviews security on new and existing SCADA systems. The problem is that numerous other cities have not yet conducted this type of security review.

The striking point of this particular case study is that the city in question is one of the most educated communities in America and has even dealt with terrorist attacks. Its advisory commissions are loaded with PhDs and experts with many years of industry expertise. If any city administrators should have had the know-how to avoid these problems, it should have been these!

There are a number of security-review services that focus almost exclusively on SCADA systems that control power substations, oil, gas, sewer and water pipeline flows, traffic signals, and even operations within large factories, power plants, and military bases. In some cases, these ubiquitous systems still lack rigorous security oversight. When Secretary Panetta issued his warning about the United States being potentially vulnerable to cyberattack, he had these systems in mind.

The good news is that this is a cyberthreat that can be fixed. It's important for city officials to inventory all of the SCADA systems within their city and ensure that they are protected. Their security codes should be routinely updated, and the entire SCADA networks for the city should be independently reviewed by a third-party security auditor at least every two years. …