Industry 4.0, Digital Transformation, ‘Smart’ anything, IIoT, or the governing trend behind whatever buzzword you prefer has driven nearly every facet of our lives towards the connected model. From our homes to our manufacturing processes, on-demand connectivity and insights fueled by data help to automate, optimize, and improve our lives. Municipalities and the processes they govern are no exception.
Consider transportation, electricity, and water/wastewater, for instance. Leveraging automated traffic control systems and historical traffic data, municipalities can improve the flow of traffic. As autonomous vehicles inch closer to mainstream reality, it’s possible that a municipality could optimize, in real-time, the flow of traffic through every street. Smart power-generation plants could respond to demand to increase or curtail production as needed. Utility connected smart meters could help optimize utility consumption and reduce spend. Connected water distribution systems already help automate the process of bringing fresh water to our homes. Likewise, similarly connected systems reduce manual overhead in treating our wastewater.
On the other hand, as municipal capabilities increase with connected, integrated systems, so too do their vulnerabilities. Each piece of a connected system, if not properly designed and networked, adds a potential compromise with the capability of crippling an entire process. CISA identifies transportation, electricity, and water/wastewater as the critical infrastructure subsets of a ‘Smart City’, and they identify some risks of poor cyber posture in each.
A team from University of Michigan gained access to an operational traffic light system and were able to alter the logic controlling it. While this is a minor disruption by white hat actors, imagine the potential damage of an autonomous vehicle control system breach from black hat actors. Similarly, Symantec identified a breach by hacking group Dragonfly that accessed control systems of energy service companies. In this case, the hack resulted in a loss of data, but it could have resulted in catastrophic, physical damage to the compromised grid. In another example presented by CISA, an Australian man accessed his local wastewater treatment system and dumped 200,000 gallons of sewage into parks, rivers, and private property.
Each of these events resulted from cybersecurity oversite and likely would have been prevented if best practices were followed. What are best practices? According to WaterISAC, they include:
Smarter cities are meant to improve our lives, but if critical infrastructure isn’t designed with cybersecurity first, the vulnerabilities introduced could do the opposite. Defense in depth requires proactive cyber posture, and all critical infrastructure requires defense in depth. Legacy technology delivers cyber complacency. Say no to legacy tech, and secure your critical infrastructure with a purpose built, OT tool.
Blog post is written by Skylar Dhaese - OT Network engineer helping integrators and manufacturers monetize their digital transformation.