Smart Cities, Smart Buildings and Smarter Cyber Criminals

smart-cities-buildings-cybercriminals-blog

The Internet of Things (IoT) has spurred the evolution of “Smart Cities;” urban areas that use IoT sensors to collect data about various devices, citizens and assets, to analyze and monitor things such as traffic, utility usage, parking, transportation systems, etc. Such cities are able to analyze Big Data, to improve services and to better understand their constituents’ needs. However, one big disadvantage is that the IoT is not inherently secure from cyber criminals; because the vast majority IoT devices are not secure, from a cybersecurity perspective. When IoT devices are not built with security by design, cybercriminals can very easily exploit them and often recruit them into botnets which can launch damaging distributed denial of service (DDoS) attacks.

According to HelpNetSecurity, Dimitrios Pavlakis, an Industry Analyst at ABI Research said, “Lack of cryptographic measures, poor encryption key management, non-existent secure device onboarding services, weaponized machine learning technologies by cyber-attackers, poor understanding of social engineering, and lack of protection versus DDoS attacks are just are some of the key issues contributing to the amplification of cyber-threats in smart city ecosystems. This is further exacerbated by the lack of digital security investments and will, unfortunately, jeopardize the key elements of intelligence, efficiency, and sustainability of future smart city deployments.”

With so many IoT devices in the world now and with that number continuing to increase significantly in the near future, (Statistica predicts there will be 75.44 billion IoT devices worldwide by 2025, a fivefold increase in ten years.), the attack surface is growing exponentially. For Smart Cities, that means a significantly increased risk of cyber-attacks that could impact critical infrastructure such as water and power utilities or transportation systems. Volumetric DDoS attacks can cripple a network, and short, sub-saturating attacks can be used to distract IT security analysts from other damaging infiltrations. And, the impact is not just from being on the receiving end of attacks, as IoT devices recruited to launch attacks are often severely impeded from carrying the task for which they were designed, when they have been compromised with botnet malware.

Similarly, “Smart Buildings” use automated electronic devices, which are often connected to the Internet, for managing their mechanical, heating, electricity, ventilation, air-conditioning, security, and fire control systems. Smart buildings offer advantages such as energy efficiency, reduced staffing needs, increased comfort and predictive maintenance. Unfortunately, smart buildings share a similar vulnerability to cyberattacks because of this reliance on IoT devices.

Recently, this proved to be glaringly true, as evidenced by an article in ZDNet, which reported that cybercriminals have launched DDoS attacks against smart building access control systems. In this specific case, the manufacturer was allegedly advised of the security weaknesses in their product nearly 10 months ago, but has not currently issued security patches, according to an Applied Risk security advisory.

The risk to companies who use such systems is two-fold: 1) their network can be harnessed into a botnet that could harm other networks, besides their own, and 2) hacking of an building access system could serve as an entry point into the corporate network for other nefarious purposes such as theft of intellectual property, or propagation of malware.

IoT is here to stay and the lesson to learn is that it is fraught with cybersecurity weaknesses that IT professionals across all sectors—government and corporate— must be aware of. Even if an organization does secure all of its own IoT devices, and purchases IoT products from reputable vendors, they won’t be safe from botnet attacks unless they have real-time DDoS protection. Organizations have multiple DDoS protection deployment options, including on-premises, cloud, and hybrid protection; or, they may be able to obtain it from their service provider.

Organizations should lock down their assets by selecting IoT devices from reputable vendors, who are committed to delivering secure products, and by performing regular firmware upgrades and auditing IoT systems to ensure they are not compromised. More importantly, to protect your networks from botnets sourced from the IoT devices of others, who have been less diligent, it’s essential to have real-time DDoS protection, that stops DDoS attacks before they have a chance to cause you any damage.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments, without the downtime, or hassle, associated with other solutions. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.