Smart cities could revolutionise public transportation – by implementing innovative technology to monitor and support interaction between vehicles, humans and infrastructure – so long as we can secure them says Gary Hayslip, chief information security officer, at Webroot.

Whether it’s more accurate sensors that prevent collisions or weather patterns predicted using AI that have unprecedented accuracy, the future is within reach. Yet the rise of smart cities also requires larger, more integrated systems, and poses the challenge of fusing new and old technologies together. However innovative, this integration of new and legacy systems has the potential to open the entire network up to risk.

If one part is compromised, it could lead to more services, systems and citizens being impacted by paralysed transport. And as cities become more connected and intelligent, government and security officials must learn how to effectively protect networks from malicious cyberattacks.

It is incredibly rare for cybercriminals to possess tools that can break into a completely secured network. Time and time again, breaches are the result of basic security controls, frameworks, and policies not being implemented correctly, or worse, not being followed at all.

The threat landscape for transport

Critical industries such as healthcare and transportation have proven their susceptibility to cyberattacks, so it’s increasingly important for stakeholders to prioritise building resilient networks to keep these industries afloat. In December 2015, hackers physically controlled breakers to stop electricity distribution in Ukraine, which resulted in the software being overwritten and permanently damaged.

The San Francisco BART ransomware attack of 2016 disrupted internal computer systems and email, allowing free rides while ticket machines were down, but it could have been debilitating without the proper staff to restore systems and decline paying the ransom.

The 2018 attack on Colorado’s Department of Transportation resulted in 2,000 computers shutting down and employees being forced to use personal devices for work tasks (which opens up another area of cybersecurity complexities). The attack compromised data stored on devices as well as the company payroll and vendor contracts.

This attack didn’t affect how transport in the city was run, but it crippled the team working within the department for several weeks, and served as a warning to other operators within the industry to strengthen their defences. In the UK, a cyberattack in September 2018 left Bristol Airport without digital screens to display flight information to travellers. The airport took its digital displays offline to contain the attack, and claimed it did not pay the ransom.

Increase in targeted attacks

Gary Hayslip

To defend against these types of attacks, organisations need to practice good cyber hygiene at all times. This means any employee or contractor with access to city networks should go through extensive and regular security-awareness training in basics like network segmentation, patch management, backups, data encryption, password security and phishing awareness.

These best practices also need to be supported and funded by the organisation’s leadership and should be integrated into the businesses culture as normal operations, not something done occasionally to keep auditors happy.

Cybercriminals only need one opening in the defence wall to break through and cause havoc, so security professionals must secure all possible entry points. Often that entry point is an employee: cybercriminals are getting smarter through spear phishing attacks, which use information from social their media profiles to create targeted, personal emails that trick the recipient into believing the email is genuine.

Users need to be vigilant and spot an email that doesn’t seem quite right. Misspelled URLs, requests for sensitive information or lack of personal greeting could be signs of phishing scams, which employees should always double check before responding to or clicking on a link or attachment.

Advanced technology such as machine learning and intelligence about historical threats are essential components within a modern organisation’s defence set-up, but that’s only part of the solution. To combat common and persistent attacks like email phishing, businesses and governments alike will need to raise the bar, making data breaches much more difficult by training employees and continuously covering all cyber hygiene basics.

See Webroot for more information.

The author of this blog is Gary Hayslip, chief information security officer, at Webroot

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow