The modern metropolitan is becoming more and more computerized. Mega computers are running the show in more ways that can be comprehended – traffic signals, electricity networks, water supply pipes, public transport services and other civil utilities. While the Smart City concept is improving the standards of urban services, how safe really is it for us? How can these automated systems stay safe from hackers and cyberattacks?
Due to the complex nature of the Internet of Things (IoT) implementation in today’s metropolitans, this article will focus primarily on the backbone of the smart city – the Supervisory Control and Data Acquisition (SCADA) system. This is the core system that’s becoming the hackers’ favored target, since it connects the various computerized aspects of modern urban life.
Hacking into SCADA systems is still not a common occurrence (as far as we know). But we have already heard of state-initiated raids and criminal/personally motivated hackings.
Iranian Nuclear Program Hackings – While Israel and the US have not acknowledged these operations to this day, it’s a widely agreed upon fact that the Mossad hacked and planted the Stuxnet malware to disrupt Iranian SCADA systems related to their nuclear facilities. Their nuclear program was seriously disrupted and put back by a few months, if not more, as per multiple reports.
Power Shutdowns in Ukraine – There were a series of blackouts in Ukraine during December 2015. The energy ministry investigations revealed that it was not a matter of regular malfunctioning/failures. Cyber attacks on local provider Prykarpattyaoblenergo, involving the planting of crafted malware (BlackEnergy Trojan), caused the SCADA system to crash.
Hacking Traffic Control Systems – Researcher Cesar Cerrudo has shown how it’s possible to hack into wireless traffic control systems and cause traffic-jams/accidents. He launched his malicious payload (fake data) via a drone that flew at a height of around 650 feet. To make matters worse, today’s smart city has no effective way to detect intrusions. especially when the hackings are at a remote location.
The aforementioned exploits indicate that cybercrime will eventually lay its vicious claws on the Smart City. Its safe to assume that SCADA systems are going to be targeted extensively going ahead.
As mentioned earlier, SCADA is the backbone of all IoT operations in the modern smart city. This computerized system monitors and helps operate complex systems including but not limited to power transmission, water distribution/regulation, transportation operation (i.e – traffic signals) and dozens of other public facility processes. The SCADA system typically consists of the following components:
All of the aforementioned data is beamed up to a central computer center, which is typically accessed by the civil engineers and technical staff in-charge of the smart city operations. This computing hardware is driven today by dynamic web applications. But as shown in the POC below, cybercrime looms even with legacy connections/systems (dial-up modems, radios, etc).
Sniffing SCADA. Courtesy: Wall of Sheep
While Smart City IoT security is a broad concept that requires a multi-layered security approach, the software driving the various systems has to be secure and robust.
This is where secure development enters the picture. Organizations have to make sure that their dedicated applications are capable of dealing with cyberattacks. These attacks typically involve the exploiting of application-layer vulnerabilities such as buffer overflows, SQL injections and other coding flaws mentioned in the OWASP Top 10 and SANS 25.
Where Penetration (Pen) Testing and Manual Testing are still going strong, more modern application security techniques are gaining popularity due to their inherited characteristics. One such methodology is Static Code Analysis (SCA), which basically involves the scanning of the application code during the development process and catching vulnerabilities early.
The top benefits of implementing SCA involve:
American marketing and research firm Gartner is projecting a big future for IoT in modern urban environments. In a recent press release, it claims that Smart Cities will use 1.6 Billion “connected things” in 2016. Smart commercial buildings will supposedly become the rage with over 518 million “connected things”. The cyber-risks will also rise accordingly.
OWASP is currently working on a SCADA Security Project. When ready, it will become a comprehensive SCADA security benchmark for application developers. But while there is no real security standard to work with right now, IoT application developers must make sure their software is immune to the leading application-layer vulnerabilities.
Only a pro-active approach to application development will help secure the modern Smart City.
To Read Our “OWASP Top 10 for IoT Explained” Whitepaper – Click Here
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.