The host of the session is Mirko Ross, of Asvin.io and DigitalWorx in Stuttgart. It is the 3rd cybersecurity talk he has hosted in 2020. The topic today is Cybersecurity and Smart Cities – Where are we now, and where are we going.
Mirko Ross: Hi and welcome everyone to this talk and to our three guest speakers: Antonio Skarmeta Professor at University of Murcia, Rob Tiffany – Head of Iot strategy at Ericsson in Seattle and Giuliano Liguori, Cybersecurity expert from GLWeb.eu in Naples Italy.
First I’ll say a few words about how I feel about smart cities and IoT. We see the numbers of IoTdevices being sold, are growing from maybe 30 billion devices one year to say 130 billion the next year. And in this area I think the industry is failing, to provide cyber security. But IoT within the area of smart cities are different. We will talk about cybersecurity in public spaces which is different than when we talk about IoT in general. What impact has this had on the development so far? For one, I think we are experiencing a life-cycle problem.
Right now we are in a lock-down. Would it be possible to imagine a different lock-down? One introduced by computer viruses? It doesn’t seem unreasonable, if cities have problems keeping the smart infrastructure needed on a proper level.
How can we manage that?
Rob: It’s been interesting following the smart city space over the years. As it’s tied into the IoT and other things and here there was certainly a lot of excitement about Smart City projects when it started. I’ve watched quite a few things happen in my time. And quite a few problems along the way, and cyber security is just one of them.
Certainly old infrastructure is one problem. That realization with IoT is, a lot of people imagined it is all going to be green field, futuristic projects and when they realized if you’re going to have success with that space you’re going to have to be preoccupied with old things, and especially old infrastructure. It doesn’t seem as fun and exciting when we’re told, you’re going to spend the next 10 years retrofitting old things.
It’s the same no matter what country we’re in, there never seems to be enough money for the projects that should bring us all the way. It’s like in an IT department. We are told we should buy some new, cool thing, even though they know they should want to modernize and secure whatever old software they have, but it’s not what they end up doing. Everybody wants what’s cool and new. Old things get left behind, and I think we see that across the board. You certainly see it in cities. If you want new and sustainable cities, well good luck.
How is the situation in Naples?
We are perhaps not so much up to speed as many cities in Europe and the US. Italy have many small and medium cities, and then of course Rome, Milan and Naples, which are very big cities. We know in Naples that the major efficiency improvements are necessary. We are up against poor connections between physical and digital systems, we are challenged in areas of transportation, water, power grid and waste management, among other things. In the previous stages of smart cities, have made extensive use of information technology and computing, now we talk about IoT and how we hope this will bring us forward in transforming the urban spaces. We will build a link to the physical world and we’re only at the beginning of this.
But the question for today is not whether the smart cities of the future will be smart, but whether they will be cyber safe. , all of these cities want to use these advanced technologies, to improve things like their cargo and service but also people. All these end-points could be… (All of these cities want to use these advanced technologies, to improve their infrastructure and their public service?)
Mirko: Antonio. How do you work with this agenda in Murcia? Murcia may not be a big city, but it is a really innovative place in terms of smart technology. It is advanced in terms of practical execution is it not?
Yes, Murcia is a very innovative city despite its size. For the last 3 – 4 years we’ve seen many Smart City projects. There is a big initiative that has been going on for a while, building the smart city focusing on the end-users, building a smart city platform and this is possible primarily because of the a collaboration between University of Murcia and the city.
But, we were talking about cyber security. Clearly there is a radical change happening since we started talking about smart cities, where now the focus has moved to the management of the data of the city and how it is collectively used. There is a need of taking into account how it is used by the municipalities and also the impact of the deployment of these technologies.
A lamppost that is maybe 30 years old can have a second life, as a fixture for new smart devices. (The lamp post is an example often used in this context, how a construction which is maybe 30 years old can have a second life, as a fixture for new smart devices.) It creates this wonderful image of what is happening in the city. You are creating new infrastructure over an old one, that needs to be updated. And this is creating problems, not only through the impact of the technology in itself, or adding functionalities in the form of sensors to an existing structure, but also because of the pressure it introduces in terms of increasing power and data infrastructure. It puts a lot of pressure on the city.
You have to imagine and design the process of how the buildings and structures are being created, also how the existing ones are update taking into account how the additions of technologies are managed making a path for the new technology and the management of the data it provides.
It is important not to focus just on the technology side, even though this is what I work with. In this effort, we must take into account how other people work (e.g. people employed by the city work). They have completely different priorities. You have to want to engage them and make them see the possibilities and see the difference it could make to the city and the daily lives of the citizens. Especially when we talk about security and cyber security. We work with the local police and there we can clearly see these two trends. We have the younger generation of policemen and women, who are pushing for the introduction of the technology, because they see how it will help them. It could be in their work with cyber crime, here it is really obvious to them how technology can help them work more efficiently, faster yes, but also with a much higher success rate. The older generation on the police force may see it differently. They don’t see really how this is making such a difference, and more reluctant to embrace it.
Mirko: Compared to the US. Is there a difference in terms of acceptance of technology? Can we trust it? Will people accept the physical appearance of new antennas?
I for one can compare it to Germany where we are struggling with applying physical designs, and it may stop the development. Was it in the UK we’ve seen people burn cell towers?
Rob: Yes! You’d be surprised what people believe. It’s horrible how people have spread misinformation just during the Covid-19crisis. People will believe a network signal can be the cause of that. Some people think that because cruise ships have 5G, that it may be the reason people get sick, which is of course ridiculous.
I can relate to what Antonio is saying. In the 5G is very different and it will face potential issues. A lot of people don’t understand why it is necessary to invest in new things like 5G. In the US we have a lot of small cities, and in each city you’d have to face city hall and convince them why we should invest in this new infrastructure. Many of them don’t want to change, they think things are fine the way they are. In some cases they just have very specific budgets, that don’t apply to investing in cool new things.
And 5G is very different than the other generations of network. Normally you’d just update excisting network towers, that are already everywhere. You could update them to go faster and farther and things like that, like you saw with LTE. But you can’t with 5G. It will face issues when you talk about having multiple dense small cells in urban areas.
I’ve heard 5G described as the top of a layer cake of different frequencies.
So here’s a crash-course on wireless technology: When you listen to music you have stereo equipment and speakers. You have your tweeter your high-frequency sound, which is very directional and goes in one direction and not very far. Then there is mid-band, which will go further. You have a woofer or bass which goes much faster much further, and then you may have a sub-woofer in your house and you’ll notice that you can put that anywhere you want and the sound goes everywhere. The same applies to wireless networks for your phone and for IoT devices.
There is low-band frequencies for 5G and others, which is below 1.5 Ghz, which will travel many kilometers, but it will not be as fast. There is mid-band between 2,5 Ghz., which is kind of like the sweet spot in the middle, which goes much faster, much further and then we have the 5G network which is the super high frequency. It goes incredibly fast, but it doesn’t go very far, and it can’t penetrate buildings very well either, which is why we need the many small cell towers.
So it becomes a real-estate issue, and money and leasing and “I need to put this here.” It should be interesting to see how this plays out.
Antonio: This reminds me of a conversation I had a couple of weeks ago in the Smart Cities community (of different European Cities) we are part of. They are preparing exactly for this topic and they’re creating a white paper regarding the impact of 5G. There are worries about the deployment, who should do it and who will own it, what is the cities expected to provide in terms of infrastructure, should the citizens be made aware of is, is the electropollution an issue and all this kind of stuff. But in the area of cyber security there is a challenge that should be taken into account which is that the 5G impact also means an added risk of cyber attacks or vector attacks, which has to be considered in an increasingly decentralized world.
5G can introduce this. So possibly a new component is needed to address this. We are moving from a centralized world to one that is much more dispersed. How will the cities react to these new challenges is an obvious worry.
Rob: The same things you need for creating a smart city is the same things you need in rolling out a mobile infrastructure. Again you can view it in terms of layers. All the things we want to do starts with electricity.
The next layer you need to build a smart city is fiber optics everywhere: The smart city has to have this incredible high-speed infrastructure for it’s data going underground before you can build on top of it.
Mirko: It’s a multi-dimensional challenge. The more we go into it, the more we are exposing the threat landscape. You can’t keep hold of all stakeholders. It would be nice if everyone did their best to be mindful of cybersecurity, but we already see in industry that things are not really working like that.
I had this revelation in California, where the tech-companies pain this picture of them creating this brave new world and they consume ¾ of the band-with in the state, and where does that leave the cities? The gap between tech industry and cities are growing.
We have Spain and Italy who may have even more work to do yet.
Giuliano: We have different layers of development of infrastructure. We have one situation in the north and another in the south. Our country has done nothing for too long, and it has created two realities. Milan is like a virtual creation of a smart city, here they are far along with 5G and fiber. But in the south it is much different. Much work still needs to be done. 5G needs a lot of service. 5G needs high power. It demands investment on a level we haven’t seen yet.
Mirko: Antonio what would you say is the bottle-neck so to speak in Murcia?
Antonio: You always need more fiber, right? There is no end to the needs of fiber and connectivity like Rob was saying. No really. The deployment of the IoT part is the most relevant we are facing at the moment, I would say. And really deciding which solutions are more helpful and more adequate for the best possible data collection. A lot of cities are already doing this with the network that they have, but it will not be enough. All cities need a new infrastructure for this. We are already working towards and improved understanding of what lo-band technology is needed. We experiment with LoRaWAN networks, we are talking about narrowband IoT, and we are looking into the companies who can provide that. Murcia covers a lot of land, it’s kind of wide-spread, so that’ll make it difficult. We are even looking into using satellite communication for the IoT.
Mirko: Coming back to you and your project the IoTCrawler; like you said you have many assets in your city, you have many data points and with this you are looking into how these devices can be searched that are different from Shodan, which is a different crawler which can look for IoT devices. Shodan will try to figure out if there are open ports or open data and other privacy unaware stuff. And you try another way of crawling IoT data right?
Antonio: I think what you said, makes a good starting point for describing the IoTCrawler project. Because, with this you can search for everything that wants to be searchable, and not just that the devices are open and that they are there. We are going in the opposite direction from what you described: How to embed into the IoT devices some capabilities that allow them to control who are trying to get information from them, if they are able to get all or part of the information, we put in place this kind of control system so that allows the communication to be secure and at the same time we can control efficiently how the information has been disclosed. And most importantly, now we are trying to embed this at the device level in order to really test this in real scenarios in the city. So we are working on solutions, for instance Mirko is working on this innovation on how to boot-strap secure the devices, when you make the deployment, how to securely update the software of the devices taking into account that you are using wireless technologies, which are traditionally constrained in terms of band-with and reach, and also the connectivity should be resilient.
We are using these experiences of the municipalities and companies to test and then evaluate what are the best solutions that we have, what should we deploy first? And secondly how do we increase the security of the entire procedure, from the bootstrap to the commissioning and the operational part? Basically, the life cycle of the device operation.
And it is difficult to describe just how vast an improvement we are talking about here in terms of security. The present situation is that sensors are being used out of the box by cities, with ordinary admin/ password security settings. The security agenda is being set by the manufacturer, and that is not exactly securing anything.
Mirko: Rob this should be interesting for you or the US if you will. Is it not true that California has issued a statement that a IoT device cannot be deployed for a city using only the company setting?
Rob: You may agree or disagree, but it is widely recognized that the IoT device is always the weakest link in the chain, when we talk about security. Always. It doesn’t mean that there can’t be other weak links, whether it be default passwords, or whatever. When I worked with Microsoft working with Azure, we had a simple design principle saying a devic2e can be outbound only as far as connectivity. There was no such thing as a device that will ever be listening. I’ve seen stupid people basically create open access devices, and it’s like having a device online saying come: “I’m open, Come hack me.”
Mirko: But that’s a engineering problem. Before it was a non connected world, and suddenly we use the same thinking applied to a new reality. I can only say: take care of your supply chains.
Antonio: The problem is in a way linked to the democratization of the IoT. It is now cheap and easy to buy the devices and start sending data to the rest of the world. Everyone can now do it. But what is the security impact? Normally people will not share their mobile data, but when we talk IoT devices, people will do all kinds of things, they will put a sensor on their roof or front door and start sending information about his home out to the world. It is a question of changing the paradigm. It can easily be set up, but it can also easily be subject to attacks.
Mirko: Do we need a proactive instance to turn off insecure devices in these kinds of networks? Do we need a device police? You don’t have to say yes, but what do think of the idea? What are your thoughts.
Antonio: Maybe not to shut things down, but to show people what is happening. Something that shows you the consequences of having an open port, like a video camera on your property and make it obvious, that people can see through it, everywhere anytime and that they can use it later, then people will understand. Making more examples showing people with the consequences, will be important.
Mirko: You could compare it to a living body. The immune system is able to protect you, and to detect malicious outside dangers. If a smart city is like a living organism, we may be able to protect ourselves, but are we able to defend ourselves?
I Suppose it’s like the insane number of American cities which have been hacked and huge ransoms have been demanded, and this does not even involve IoT but regular IT. So, you can see what I am getting at. Do we shoot the bad elements off the roof before they are used for evil? There are terrible things you can do with IoT on a sensor level. Most of the time you can fix these devices, but sometimes you’ll think: “I can’t fix this, this device must be blocked. We see these things coming, how do we prepare?
Rob: You have to have device management on your IoT devices, because they are only secure at a certain point in time. Moving forward you no longer know if they’re secure. Back to your IoT police, or Smart City police. Because, you’re right. It is a very big deal, if you have a smart city where trains, traffic lights everything is online and connected, it’s much more dangerous to have this hacked. You have to have an awareness to mitigate them, almost in an automated fashion. We can’t expect people to be able to manage this anymore. We’re past the era of people looking at web dashboards managing a city.
Antonio: I agree with that. We’re saying everything can be hacked. But in Europe we are countering it on different levels. Work has already started on a certification or labelling of IoT, which is going in a bit in the right direction. The main problem we’ve established is that you have no guarantee that a IoT device is secure, and what we are now hoping to achieve is to have sensors for cities, but also for homes and hospitals, tested and validated, acquiring a certificate of trust. And then in the future they will be retested and revalidated. That would really be fundamental to make people confident in buying and trusting privately sold devices.
Mirko: Let me bring both your points together and take it to the next level.
We can do what you are suggesting Antonio, that is achievable. But the way we are also talking about it in the IoTCrawler project is, that in a fully automated IoT world, devices have to trust devices.
Gentlemen, we are almost at the end.
I would like to give each of you an opportunity to give a final statement.
Rob: Where we are is a bit chaotic. We have devices that come from all over the place, we don’t even know if we can trust those devices. Am I really who I say I am? There are so many things to do to get us where we want to go. And it’s all about modernizing infrastructure. Power, fiber, connectivity, ensuring devices secure and that they are updateable and can be secured over the air. Having enough fiber, and – one of the features people rarely talk about when we talk about – 5G with an extra 100x capacity which is what we need actually in order for IoT to work in a smart city. You need that extra capacity at a wireless level and a fiber level. Trusting not only devices but an AI operating a network on our behalf. It sounds crazy, and it sounds like a fun challenge.
Giuliano: As smart cities grow, we have to have more cybersecurity awareness. We must create an awareness program regarding data protection and security by default. And also as a user of the technology, it is our responsibility to ensure that it is designed, deployed and manufactured with the same strategy in mind.
The way I see it, the Smart Cities are our banks, we have to put money in it and to make as many precautions to keeping them secure as our banks.
Antonio: I would like to be more trusting (or not trusting) in the future, and there can be a reason to be optimistic. (I am cautiously optimistic about the future.) Especially because of IoT new functionalities that are needed will be introduced. I think we can assume that IoT will create many valuable a valuable impact in the welfare for many citizens. It is important that we work actively towards implementing these technological leaps, to design the cities in a secure way. Just like planning infrastructure for water, for electricity and so on, the infrastructure for IoT also has to be secure for the citizens. Just like in the IoTCrawler, in Smart City solutions you have to strive to leverage the existing solutions that are available in security and IoT in broad scale, with the goal of making the cities IoT data easily available for those who need it.
Mirko: Whenever, I do this tech talk about funny IoT fails, there is usually someone in the crowd, who try to call me out to be a hypocrite. So I am this tech guy, I create IoT products, but I also call out the challenges and limitations of the technology. So I don’t see why I can’t do both. I work with IoT solutions, but I am also a father. I think it is my duty to talk of the failures and the limitations and I want to make sure for the sake of my kids that we create a world that is safe for them.
Thank you for your time.