Smart cities: Only as smart as their cybersecurity protections
By Adrian Crawley, VP EMEA, Synack
President Joseph Biden wasted little time pushing an ambitious climate agenda to overhaul American energy policies, invest in green jobs and reduce American reliance on fossil fuels. Since taking office in January, he paused offshore drilling licenses and pledged to rejoin the Paris Agreement to limit global warming. The president still needs the support of a divided U.S. Congress, but clearly, America is on the cusp of a green energy boom.
The UK is pursuing a similar green future with ambitious plans to build more sustainable cities that run on smart, connected technologies. Chancellor of the Exchequer Rishi Sunak said his recently unveiled budget will help “unlock innovation in renewable energy and help us develop the cutting-edge technology we need to reach net-zero.
Plans for smarter, cleaner cities have been years in the making. And ongoing innovation will play a critical role. This year, the expansion of 5G will give green efforts a major boost. These high-speed networks will support the millions of ‘things’ and ‘sensors’ that smart cities will use to monitor everything from emissions to traffic patterns as well as the apps to run driverless trams, car and bike-sharing programs and for commuters to find an electric car charging port.
While the efforts in the UK and in the U.S. are promising, both initiatives raise serious and troubling questions about cybersecurity and how policymakers are planning to secure a more digitally connected future. All of these green efforts need security built-in from the beginning.
The SolarWinds hack was just the latest example of how nation-state hackers can attack the global supply chain and infiltrate utilities. That hack affected the U.S. Department of Energy, U.S. National Laboratories and the U.S. Federal Energy Regulatory Commission -- as well as U.K. government agencies and private companies. In February, more troubling news surfaced of criminal hackers attempting to tamper with the water supply in Florida. And, in April 2019, an American solar and wind provider reportedly “lost connection with its power generation installations as a result of a cyberattack,” according to ZDNet.
Expanding the global threat surface
But unfortunately cybersecurity hasn’t been enough of a priority for policymakers and clean energy producers, setting up both the U.S. and the UK for a future in which malicious hackers are able to carry out even more successful attacks on solar and wind operators, battery suppliers and operators throughout the clean energy supply chain. Jim Guinn, the global managing director for cybersecurity in energy, chemicals, utilities and mining at Accenture, recently told E&E News, a leading energy industry publication, that “[t]he cybersecurity conversation in the renewable energy engineering and construction business is almost non-existent today.”
That’s an alarming statement. It should be deeply concerning to anyone working on clean strategies. If cybersecurity testing isn’t baked into the earliest stages of developing these new technologies, we’re building an insecure future, leaving the door open for more troubling hacks such as SolarWinds or attacks from cyberespionage groups such as Dragonfly that already successfully infiltrated Western energy providers.
There’s no escaping the fact that any form of digital infrastructure -- smart cities, electric cars and charging ports, and internet-connected devices that will become more tied into the grid than ever before -- will vastly expand the global threat surface. The UK’s “Build Back Better” relies on smart sensors and other internet-connected devices. It’s a future powered by apps, connected traffic lights, emissions sensors and electric car charging stations. And every bit of that infrastructure could potentially contain a vulnerability that a hacker could take advantage of to carry out an attack.
It may seem like a daunting -- or even impossible -- challenge to secure all of these new gadgets, devices and the software that will underpin a cleaner future. But it’s not when safety and security is a consideration at the beginning and throughout the entire development lifecycle. The automotive industry is a prime example of this approach. Carmakers consider safety and security throughout the production process and within every component of the most advanced automobiles -- from brakes to infotainment systems. If the highly regulated automotive industry wasn’t meeting these standards, lives would be lost.
Radical new approaches
The same could be said for a more connected future. Cybersecurity should be paramount within any new clean energy initiative. This means taking advantage of platforms that can provide thorough, on-demand testing. It means utilizing the sharpest minds in cybersecurity who can root out vulnerabilities early in the process. And it means that stakeholders should work together, share resources, and exchange information about fixing weaknesses across the green energy landscape.
We can’t wait to think about cybersecurity after green technologies are deployed. At that point, it’s too late. We have to consider these issues now. We need innovative and proactive approaches to cybersecurity that will make smarter and cleaner cities more sustainable, liveable and reliable - it’s what we need to ensure we can truly overcome the climate crisis the world faces today.
Collaboration will be crucial, as will taking a highly effective approach to finding and securing vulnerabilities. Threats to a network are forever changing, as is the nature of digitalization. Security therefore cannot be static. Just as the development of cars and their sophistication will continuously evolve, so must the investment in security testing.
Software will always need to be updated and altered, so testing has to reflect this. You can’t simply test at launch alone.
Yet it’s impractical to have every organization that’s part of the global supply chain testing software all the time. To start with, it’s a very costly approach when done in silos. It’s also inefficient when you consider the scale of duplicated effort. And anything that makes the ecosystem inefficient will add cost to production, erode taxpayer investment and undermine the very green goals the technology is being launched to solve.
Instead, testing needs to be co-ordinated between consortia of stakeholders who can share the findings, target their efforts on addressing weaknesses and ensure that safety and security is always upheld. By using such models, traditional penetration testing is turned on its heads. And why not? After all, it’s only by taking radical new approaches we hope to create the smart cities we need to overcome the crises we face.