
Internet of Things (IoT) – Hack My Smart City

The modern metropolis is becoming more and more computerized. Mega computers are running the show in more ways than can be comprehended – traffic signals, electricity networks, water supply pipes, public transport services and other civil utilities. While the Smart City concept is improving the standards of urban services, how safe is it really for us? How can these automated systems stay safe from hackers and cyberattacks?


Due to the complex nature of Internet of Things (IoT) implementations in today’s metropolises, this article will focus primarily on the backbone of the smart city – the Supervisory Control and Data Acquisition (SCADA) system. This is the core system that’s becoming the hackers’ favored target, since it connects the various computerized aspects of modern urban life.


The Smart City Hacking Storm Is Brewing


Hacking into SCADA systems is still not a common occurrence (as far as we know). But we have already heard of state-initiated raids and criminal/personally motivated hackings.


Iranian Nuclear Program Hackings – While Israel and the US have not acknowledged these operations to this day, it’s a widely agreed upon fact that the Mossad hacked and planted the Stuxnet malware to disrupt Iranian SCADA systems related to their nuclear facilities. Their nuclear program was seriously disrupted and put back by a few months, if not more, as per multiple reports.


Power Shutdowns in Ukraine – There was a series of blackouts in Ukraine during December 2015. The energy ministry investigations revealed that it was not a matter of regular malfunctioning/failures. Cyber attacks on local provider Prykarpattyaoblenergo, involving the planting of crafted malware (BlackEnergy Trojan), caused the SCADA system to crash.


Hacking Traffic Control Systems – Researcher Cesar Cerrudo has shown how it’s possible to hack into wireless traffic control systems and cause traffic jams/accidents. He launched his malicious payload (fake data) via a drone that flew at a height of around 650 feet. To make matters worse, today’s smart city has no effective way to detect intrusions, especially when the hackings are at a remote location.


The aforementioned exploits indicate that cybercrime will eventually lay its vicious claws on the Smart City. It’s safe to assume that SCADA systems are going to be targeted extensively going forward.


Traffic jams can now be initiated with the help of malicious software.


SCADA – An Evolving System That Hackers Love to Target

As mentioned earlier, SCADA is the backbone of all IoT operations in the modern smart city. This computerized system monitors and helps operate complex systems including but not limited to power transmission, water distribution/regulation, transportation operation (e.g., traffic signals) and dozens of other public facility processes. The SCADA system typically consists of the following components:


  • Remote Terminal Units (RTUs) – These electronic units are responsible for converting sensor information from the urban field into digital data and sending it to the supervisory system.
  • Programmable Logic Controllers (PLCs) – Unlike RTUs, these have embedded control capabilities (they work with the various IEC 61131-3 programming languages) and are more versatile.
  • The Telemetry System – This system, consisting of telephone lines and WAN circuits, basically connects the RTUs and PLCs to the control centers. Satellite (VSAT) telemetry media is also becoming common.
  • The Data Acquisition Server – This software service allows workers and administrators to access data from the field via RTUs and PLCs. It basically hosts all the data relevant to the operation of the smart city.
  • The Human-Machine Interface (HMI) – The software service provided by the Data Acquisition Server is presented with the HMI. It is with this hardware that the controller interacts with the SCADA system.
  • The Historian – The Historian collects all time-stamped data and Boolean information from the various terminals in the SCADA system. This data can be queried and accessed on demand.


All of the aforementioned data is beamed up to a central computer center, which is typically accessed by the civil engineers and technical staff in charge of the smart city operations. This computing hardware is driven today by dynamic web applications. But as shown in the POC below, cybercrime looms even with legacy connections/systems (dial-up modems, radios, etc.).


Sniffing SCADA. Courtesy: Wall of Sheep


Secure Application Development for Safer SCADA Operation

While Smart City IoT security is a broad concept that requires a multi-layered security approach, the software driving the various systems has to be secure and robust.


This is where secure development enters the picture. Organizations have to make sure that their dedicated applications are capable of dealing with cyberattacks. These attacks typically involve the exploitation of application-layer vulnerabilities such as buffer overflows, SQL injections and other coding flaws mentioned in the OWASP Top 10 and SANS 25.


While Penetration (Pen) Testing and Manual Testing are still going strong, more modern application security techniques are gaining popularity due to their inherent characteristics. One such methodology is Static Code Analysis (SCA), which basically involves scanning the application code during the development process and catching vulnerabilities early.


The top benefits of implementing SCA involve:


  • Better ROI – Vulnerabilities are mitigated early, which makes applications more robust prior to release. Fewer hacking exploits mean less post-release maintenance.
  • Automating of the Security Process – Everybody is involved in the security process and vulnerabilities are virtually fixed on the go. A secure SDLC (sSDLC) is thus created.
  • Great for Agile, DevOps and CI/CD – The scanning is fast and results are available for quick remediation, which suits these new and efficient development methodologies.


American marketing and research firm Gartner is projecting a big future for IoT in modern urban environments. In a recent press release, it claims that Smart Cities will use 1.6 billion “connected things” in 2016. Smart commercial buildings will supposedly become the rage with over 518 million “connected things”. The cyber-risks will also rise accordingly.


OWASP is currently working on a SCADA Security Project. When ready, it will become a comprehensive SCADA security benchmark for application developers. But while there is no real security standard to work with right now, IoT application developers must make sure their software is immune to the leading application-layer vulnerabilities.


Only a proactive approach to application development will help secure the modern Smart City.


