Cities are becoming smarter

Population growth, urbanization trends and climate change are driving a process of continuous urban development in cities worldwide. This is not only having an impact on how and where people live and work but also on matters such as energy, water, mobility, the environment, finance and public administration.

The collection, analysis and intelligent use of data is what turns cities into smart cities: cameras and sensors register and measure movements, temperature changes, air pollution, traffic, power distribution and much more. Public administration and many forms of transportation systems are networking extensively. The data collected by internet and web-based services is evaluated at a central point and then forwarded to the appropriate stakeholders. Cities are becoming more cost-efficient, more environmentally sustainable, and the quality of life and safety of residents are being improved.

The benefits are impressive. However, the systems which send, receive, store and analyse the data are vulnerable, for example if their data streams are manipulated.

The IT security challenges for smart cities

Smart cities are no longer smart when, for example, their sensors communicate with each other across inadequately secured or unencrypted wireless networks. Networked healthcare services, emergency control centres, smart grids, industrial control centres, intelligent transport systems, the Internet of Things and traffic control systems are some of the key areas for IT security. Cyber attacks are increasingly becoming a reality.

It is therefore extremely important that smart cities and IT security go hand in hand. A balance has to be struck between the intelligent use of data on the one hand, and ensuring the security of sensitive or security-relevant data on the other. This is a challenging task, which public bodies and institutions often cannot tackle on their own.

Incidents have already occurred in many parts of the world

The attack scenarios are as varied as the IT systems of smart cities themselves.

  • 2011/Germany. The server of the German Customs Investigation Bureau and Federal Police was infected by a trojan. Consequently, GPS data, telephone numbers and registration numbers of suspects were accessed.
  • 2012/USA. As a result of a computer glitch, the court in Placer County, California, summoned 1,200 people to appear for jury duty at the same trial. Traffic chaos ensued.
  • 2013/USA. Thousands of passengers were kept sitting for several hours in 19 trains operated by Bay Area Rapid Transit (BART) near San Francisco. The cause was a software error that crashed the entire system.
  • 2013/Turkey. The airports in Istanbul were the victims of an attack. A malware infection shut down the passport control system.
  • 2013/Latvia. Attackers used SQL injection to attack an employment agency and gain access to 3,077 user accounts containing private information and plain text passwords.
  • 2014/Singapore. Following the arrest of several Anonymous members, a number of Singapore government servers were attacked and the personal information of government employees was published.
  • 2014/Finland. Unknown attackers compromised government servers and stole a considerable number of documents over a period of years.
  • 2015/USA. The US government and a number of defence industry companies were spied on in a large-scale attack. Several billion bytes of data were stolen.

Rethinking the approach to IT security

IT security managers know that measures designed to fend off attacks from the outset are always incomplete. The wide variety of attack options, the rapid development of attack methods, misconfigured security tools and a failure to adapt to changing conditions are some of the reasons why a high level of IT security is not achieved.

Conventional IT security solutions are unable to provide adequate protection for complex IT infrastructures and systems. Take signature-based antivirus solutions, for example: they only provide protection when the viruses or malware are known, when a “definition” has been issued by the anti-virus software vendor and when the security software is properly configured and perfectly adjusted to current conditions. If one of those preconditions is not met, the anti-virus software will not work and will therefore not provide any protection. Purely defensive measures in this context are always incomplete.

A rethink of the approach to IT security is needed. Smart cities have countless potential gateways for attackers. There needs to be a refocusing of attention away from notional risks and towards the detection of real dangers. The large number of autonomous systems must be checked in a timely, effective and efficient manner for attacks and anomalies; vulnerabilities and abnormalities must be analysed, acted upon and patched.

Implementing an “IT early warning system” does not simply mean running new tools alongside old ones. Actual protection is only achieved if the functionality and results of the various monitoring programs are continuously analysed by experts, the configuration is constantly adapted to current conditions and the programs are continuously developed. Even in IT security, no program can yet replace the human expert.

The “IT early warning system”, operated by humans and technology together, delivers all the information needed to minimise the potential damage caused by attacks. It comprises three components: a continuous vulnerability analysis from the inside and the outside, a constant analysis and correlation of the logs of individual systems, and continuous supervision of all gateways for malware and all communication channels beyond organisational boundaries.

Log data analysis and correlation

Attackers try to make their network activities look as normal as possible. Nevertheless, logins by one user onto various systems from different IPs at the same time could be suspicious. All logs from servers, network devices, applications and other central facilities have to be analysed centrally and correlated with the results of the Intrusion Detection Systems (IDS).
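The concurrent-login heuristic described above can be run over centrally collected authentication logs. The following is an added example, not part of the original article or any vendor product; the log format, user names, system names and the five-minute window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised authentication events (not real log data):
# timestamp, user, source IP, target system.
SAMPLE_LOG = """\
2024-05-02T08:00:05 alice 10.1.4.20 hr-portal
2024-05-02T08:00:40 alice 10.1.4.20 mail-gw
2024-05-02T08:01:10 bob 10.1.7.33 scada-hmi
2024-05-02T08:01:30 bob 198.51.100.9 billing-db
2024-05-02T08:02:00 bob 203.0.113.77 vpn-concentrator
2024-05-02T09:30:00 carol 10.1.9.2 mail-gw
2024-05-02T11:45:00 carol 10.2.0.8 hr-portal
"""

def parse(log_text):
    """Yield (timestamp, user, source_ip, system) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts, user, ip, system = parts
        yield datetime.fromisoformat(ts), user, ip, system

def concurrent_logins(events, window=timedelta(minutes=5), min_ips=2):
    """Return {user: sorted source IPs} for users who logged onto at least two
    systems from at least `min_ips` distinct IPs within `window`."""
    by_user = defaultdict(list)
    for ev in sorted(events):              # chronological order
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            ips = {e[2] for e in span}
            systems = {e[3] for e in span}
            if len(ips) >= min_ips and len(systems) >= 2:
                alerts.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in alerts.items()}

if __name__ == "__main__":
    for user, ips in concurrent_logins(parse(SAMPLE_LOG)).items():
        print(f"ALERT {user}: near-simultaneous logins from {ips}")
```

An alert from this rule is a candidate for correlation with IDS results and for expert review, not a verdict on its own.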

Continuous vulnerability analysis

Every day, attackers try to find as yet unknown vulnerabilities in the IT of an organisation. Continuously tracking these problems from the internal point of view (within the network of the organisation) and the external point of view (from the internet) is the prerequisite for detecting missing or insecure encryption.

Monitoring of gateways for malware and communication channels

An attacker will sooner or later transfer data from the affected organisation to external targets on the internet. This becomes apparent through comprehensive security monitoring of all systems, the data traffic and access to all sensitive systems and data. Data transfer from internal IPs to external IPs with which no business relation exists has to be observed immediately and needs to be analysed by experts. This requires the application of Intrusion Detection Systems (IDS) and other tools, as well as the support of experts who correctly configure these systems, adapt them to current conditions and analyse their results.
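The egress check described above, flagging transfers from internal hosts to external addresses with no known business relation, can be expressed over flow records. This is an added example, not part of the original article; the internal ranges, the partner networks and the flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed for illustration: the organisation's own address space and the
# networks of external parties with which a business relation exists.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
KNOWN_PARTNER_NETS = [ipaddress.ip_network(n)
                      for n in ("198.51.100.0/24", "203.0.113.16/28")]

# Constructed flow records: (source IP, destination IP, bytes sent).
SAMPLE_FLOWS = [
    ("10.1.4.20", "198.51.100.25", 12_000),       # known partner
    ("10.1.7.33", "203.0.113.200", 48_000_000),   # outside the partner /28
    ("10.1.7.33", "203.0.113.200", 51_000_000),
    ("10.1.9.2", "10.2.0.8", 900_000),            # internal to internal
    ("10.1.4.20", "203.0.113.18", 3_000),         # inside the partner /28
    ("192.168.5.5", "192.0.2.44", 700),           # unknown external host
]

def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in nets)

def unknown_egress(flows):
    """Return {(src, dst): total_bytes} for internal-to-external flows whose
    destination lies outside every known partner network."""
    totals = Counter()
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not in_any(s, INTERNAL_NETS) or in_any(d, INTERNAL_NETS):
            continue  # only traffic leaving the organisation is of interest
        if in_any(d, KNOWN_PARTNER_NETS):
            continue  # destination has a known business relation
        totals[(src, dst)] += nbytes
    return dict(totals)

def triage(flows):
    """Order the flagged pairs by volume so analysts see the largest first."""
    return sorted(unknown_egress(flows).items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (src, dst), total in triage(SAMPLE_FLOWS):
        print(f"REVIEW {src} -> {dst}: {total} bytes to an unknown external host")
```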

The key goal: shortening the time span between attack and detection

A proactive security strategy with gapless monitoring and continuous analysis considerably shortens the time span between an attack and its detection. Damage of all sorts, whether due to performance interruptions or standstill, theft of customer data or other interference, is thereby minimised effectively.

The appropriate setup of an “IT early warning system”

It is important that the gapless monitoring and continuous analysis cover the entire IT infrastructure, including the application level, and enable continuous, context-related monitoring in real time. All potentially risk-relevant information on the status of IT systems (e.g. vulnerabilities) and on the behaviour of IT systems (e.g. network data traffic) has to be collected and processed. It is then essential to condense this flow of stored risk-relevant information down to the events that are actually essential. The quality of this condensing process depends decisively on the alignment and functionality of the existing correlation system. It is equally crucial to model comprehensive risk detection scenarios in order to recognise complex patterns of cyber attacks.

Blind spots create risks

Modern IT systems are highly networked and dependent on one another. However, the risk increases with the degree of integration of the IT environment, as the weakest link in the system chain is often the point of origin for cyber attacks. Extensive in-depth analysis is therefore decisive. This means that the vulnerability state of all IT systems and applications, all internal network traffic, the internet traffic of all internet access points and the behaviour information of all IT systems (meaning log data of systems and applications) have to be continuously monitored. Configuration changes in IT systems should also be taken into account, as should illicit or undesired software. Continuously updated inventory and configuration overviews are necessary in order to derive correct risk remediation measures. Incoming documents and emails should be analysed with modern sandboxing technologies.

The challenge “Advanced Cyber Attacks”

Not every cyber attack can be detected by means of statistical detection rules. For new generations of cyber attacks it is essential to include behaviour-oriented analysis methods. The IT early warning system therefore requires “Advanced Correlation Engines” or “Behavioral Analysis Systems”. For an in-depth analysis of “Advanced Cyber Attacks”, these systems have to differentiate between normal and abnormal behaviour of IT systems by means of statistical modules, recursive methods and self-learning algorithms. Modern detection systems thus offer, for the first time, effective methods for detecting complex cyber attacks that take weeks or months to carry out and affect various systems.

Permanently operating an effective and efficient “IT early warning system”

The complete set of highly specialised analyses based on humans and technology is provided resource-efficiently by Radar Cyber Security, the European Managed Security Services provider. The services combine the automated detection of IT security problems and risks as a first step with analysis by highly specialised IT security experts as a second step.

Installation, configuration and daily operation require no additional capital expenditure or headcount. Compared with an in-house solution, the advantage is that the long-term investment risk stemming from the acquisition of hardware and software, as well as from setting up and continuously developing a constantly growing team of highly specialised experts, is drastically reduced.

Based on the work of Radar Cyber Security, the IT teams in the customer companies receive consolidated and verified IT risk and security information that is immediately usable for the remediation process.

This way you can concentrate entirely on immediate remediation. On-demand support is also provided, either through “Fire Fighting” in case of acute problems or with operative or strategic tasks relating to the entire IT security management.

Outsourcing the IT security and risk analyses does not mean surrendering security-relevant data. Automated detection and analyses are conducted on a specially secured hardware appliance that comprises all modules as well as the Advanced Correlation Engines. The appliance is operated within the customer’s network, with the result that data security is guaranteed and data never leaves the customer organisation. Even in the case of “manual” analyses by the IT security experts of Radar Cyber Security, data never leaves the network of the customer organisation. All processes are designed for maximum data security standards, a unique concept among managed security providers worldwide.


Comprehensive data collection and analysis, together with the intelligent application of the results, are turning cities into smart cities. At the same time, the complex IT systems of smart cities are vulnerable to cyber attacks. An important focus therefore has to be put on the security of the entire IT landscape of smart cities.

IT security experts know that measures that serve to avoid attacks from the outset are always incomplete. Conventional security solutions do not offer enough protection for complex IT infrastructures and systems.

Establishing a comprehensive “IT early warning system” is state of the art. It comprises three components: a continuous vulnerability analysis from the inside and the outside, an ongoing analysis and correlation of the logs of the individual systems, and the constant monitoring of all gateways for malware and all communication channels across organisational boundaries.

If realised correctly, the proactive security strategy with gapless monitoring and continuous analysis considerably shortens the time span between attack and detection. Damage of any kind, whether due to performance interruption or standstill, theft of customer data or other interference, is thereby effectively minimised.

Establishing an IT early warning system requires high, long-term investment in hardware and software as well as in experts and their training. As an alternative, Radar Cyber Security, the European market leader in continuous and proactive IT security monitoring and risk detection, offers a full package as a Managed Service. This includes all the tools and services that an organisation needs in order to have all genuinely relevant IT risk and security information available in a consolidated and verified form for the immediate initiation of a remediation process.