UC-Berkeley survey shines light on cybersecurity concerns surrounding smart-city technologies

Sensor-based Internet of Things (IoT) technologies can introduce significant cybersecurity vulnerabilities to jurisdictions, and this risk factor should be considered by decision makers as they determine whether to proceed with smart-city initiatives, according to researchers from the University of California-Berkeley.

Entitled “The Cybersecurity Risks of Smart-City Technologies: What do the experts think?” the white paper—written by an interdisciplinary team of UC-Berkeley cybersecurity and civil-engineer academics—outlines the results of a survey with 76 cybersecurity professionals conducted between July 2020 and October 2020.

“According to our survey, not all smart city technologies pose equal risks,” the white paper states. “Cybersecurity experts judged emergency alerts, street video surveillance, and smart traffic signals to be riskier than other technologies in our study.

“Local officials should therefore consider whether cyber-risks outweigh the potential gains of technology adoption on a case-by-case basis, and exercise particular caution when technologies are both vulnerable in technical terms and constitute attractive targets to capable potential attackers because the impacts of an attack are likely to be great.”

Alison Post, a co-author of the white paper and a UC-Berkeley associate professor of political science and global metropolitan studies, said she does not believe cybersecurity risks should undermine smart-city strategies entirely, but they deserve more nuanced consideration than they have in many cases in the past.

“For a local government or a special district that’s interested in thinking about adopting one of these technologies, rather than having a blanket approach to thinking about cyber risk, they really need to evaluate technologies on a case-by-case basis,” Post said during an interview with IWCE’s Urgent Communications.

“In doing so, they need to think not only about the underlying technical vulnerabilities of the system—what does the attack surface look like, how many interdependencies there are within the system, etc.—but they also need to think about whether the most effective actors, like nation-states or insiders that might want to wreak havoc, would be interested in the sort of impact that a cyberattack on that type of system could have.”

With this in mind, the cybersecurity measures for smart-city technologies may not need to be as strong in some areas as others, according to Post.

“You could have a system that may be vulnerable, but no one is drawn to it—in terms of an attack—because the impact is not likely to be very great,” she said. “When you’re thinking about these risks, you need to be thinking about these three things together: who is likely to be interested; what the potential impact of an attack would be; as well as the underlying technical vulnerabilities.”

With this in mind, the top technology of concern was a potential hack of emergency and security alert systems, with associated comments from the respondents explaining why, Post said.

“The comments that we received in the open-ended responses really highlighted the potential impact and mayhem that the attacks on the systems could produce,” Post said. “Particularly for the emergency and security alert systems, there was both a concern about the immediate impact—a panic in which everyone is trying to leave a city right as there is some sort of warning about an emergency that is, in fact, not happening.

“Then there is a second-order effect on public trust. If there is a fake alarm and then people learn about it, then they become less trusting of the system overall. We had a large number of comments pointing in that direction.”

One concern raised by some in the technology communications about smart-city initiatives is the procurement process followed by many jurisdictions. With many of these projects focused on functionality, efficiencies and costs savings, security factors may not be emphasized—or ignored entirely—and vendors may submit bids that skimp on cybersecurity measures in an effort to submit the lowest-cost bid, sources have said.

“One of the recommendations that we would make … is to make sure that cybersecurity figures very prominently in the evaluation criteria for procurement and that you have in-house expertise to be able to evaluate the proposals that come in from vendors,” Post said, noting that agencies should coordinate their procurements with the jurisdiction’s IT department rather than conducting it on their own.

“That’s a matter of utilizing the expertise you actually do have more effectively.”

Post said the survey respondents were targeted cybersecurity professionals who were asked to provide opinions from their experiences.

“We basically did not let them rate cybersecurity risks for technologies with which they said they were unfamiliar,” Post said during an interview with IWCE’s Urgent Communications.

Because the survey was conducted from July 2020 to October 2020, the survey responses do not include the context of high-profile cybersecurity incidents, including increased ransomware activity, the attack on a water-treatment plant in Oldsmar, Fla., and the massive SolarWinds compromise that have become public after the survey was finished. If the survey was conducted today, knowledge of these incidents could impact the results, Post said.

“I think—quite understandably—people are much more aware, because of these prominent cases that have emerged,” Post said. “As a result, they’re much more concerned; it’s much more on the radar. At the same time, I think the basic message of our report—that cyber risks actually vary pretty significantly across different smart-city technologies—still holds.”

Post said the UC-Berkeley team has no plans to conduct a follow-up survey, but they are continuing to pursue the topic of the impact of cybersecurity on smart-city efforts. The team is in the process of writing a full report about the survey results—a report that will feature more of the comments provided by survey respondents—and getting more details about the highest-risk use cases.

“We’re doing case studies on particular technologies and speaking with individuals who have expertise in particular technologies, as opposed to continuing the survey approach, because we thought the case studies would complement the survey analysis,” Post said.

“We are focusing on smart metering within the water sector and these emergency and security alerts that came out as the top ranked among the nine technologies that asked cybersecurity experts to characterize.”

As alarming as some of the cybersecurity concerns are, Post said she does not believe they will cause jurisdictions to halt smart-city initiatives entirely.

“That’s a good question, and we’ll have to see,” Post said. “But there are some forces that push in the direction of adopting these technologies—the shift to remote work and the push toward transparency in government operations, which means putting more things online. Both of those push in the direction of utilizing more of these technologies than previously.

“Also, some of these technologies can assist with conservation, while others potentially can introduce cost savings. So, there are both pluses and minuses, with the minuses being potential obsolescence and variety of other things. Again, it’s going to come to a consideration of the costs and benefits in the case of particular technologies.”