iot security in smart cities - isaca.org smartcity... · software craftsmanship where architecture...

Post on 20-Mar-2018


IoT Security in Smart Cities

SIRUS

Belgian software company

Small and agile company focused on innovation

Software craftsmanship where architecture and design are key elements

Technology is our DNA

Focus on Smart Cities, IoT & Cloud

Microsoft gold partner

Who Am I?

Passionate about

• Technology (IoT, AI, chatbots, blockchain, big data)

• Startups & entrepreneurship

Background

• CTO @ Sirus

• IoT Architect @ Digipolis Antwerpen, Digipolis, Imec

• Architect on Smart Meter, Grid & user

Contact

• gert.detant@sirus.be

http://www.flabber.nl/linkdump/plaatjes/toen-en-nu-28-fotos-van-wereldsteden-die-ongelooflijke-transformaties-hebben-onder

In 2014, 54 per cent of the world’s population lives in urban areas, a proportion that is expected to increase to 66 per cent by 2050. Projections show that urbanization combined with the overall growth of the world’s population could add another 2.5 billion people to urban populations by 2050, with close to 90 percent of the increase concentrated in Asia and Africa, according to a new United Nations report launched today.

Challenges for a City?

Mobility (Transport and ICT)

Economy (Competitiveness)

People (Social and Human capital)

Environment (Natural Resources)

Governance (Participation)

Living (Quality of Life)

Giffinger (2007)

City IoT Platform

302 KW Produced

Rain in 2h 43m

490 KW Produced

Fine Dust: 50 µg/m³

Field Gateway

Wifi Hotspot

Trash Level: 75%

Feedback: City feels safe

Feedback: Person in distress

Smart Light

Smart Traffic

Dining: Fully Booked

Bike Rental: 2 Available

What is a Smart City?

A smart city is an urban place that uses Information and Communication Technologies (ICT) in its economic development, building an infrastructure that enables greater connectivity between businesses, citizens or government, or all three.

How to build a Smart City?

Top down

• holistic

• total solution

• government in driving seat

• technology-driven

Bottom up

• experimental

• small scale

• smart citizen holds central position

The Smart City Platform

User Centric

Co-Created

Service Oriented

Data-Driven

Cloud Enabled

Pluggable

Communications patterns

Non-functional requirements

Distributed & Decoupled

Interoperability

Scalability

Legacy & heterogeneous

Robustness

Open Standards

Security

Open Source

Privacy

Current Cases in Antwerp

• Smart Zone City as a Data Broker

• Safe Crossing

• Smart Lighting

• Smart logistic (last mile)

• Smart Trashbin

• Food Surplus

• SynchroniCity European project around an API for the City

• Smart Transportation

• Circular South enabling renewable energy

• New City Development

• Select4Cities

• European Smart IoT City Platform

[Diagram: Basic Sensors, Smart Sensors, City Network, Uncontrolled Area]

[Diagram: Basic Sensors, Smart Sensors, Gateway, City Network, Uncontrolled Area]

LPWAN

Sigfox (uplink 12 bytes, downlink 8 bytes)

LoRa (max 51 to 222 bytes)

[Diagram: Basic Sensors, Smart Sensors, Gateway, City Network, Internal Network, Data Lake, Uncontrolled Area]

The Hacker News

WIRED

Hackers Remotely Kill a Jeep on the Highway

Security

• Firmware updating

• Bad implementations

• Default passwords

• Tampering with devices

• Tampering with the measurements

• Battery exhaustion

• Interpreting the signals

• Vendor out of business (new markets)

[Diagram: Basic Sensors, Smart Sensors, City Network, Uncontrolled Area]

https://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridge/

Security

• Jamming the communication

• Spoofing sensors

• Man-in-the-middle attacks

• Eavesdropping

• Replay attacks

• Disconnecting the sensor

• Location determination

[Diagram: Basic Sensors, Smart Sensors, Gateway, City Network, Uncontrolled Area]

https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-LoRa-security-guide-1.2-2016-03-22.pdf

• DoS attack on the wireless gateway

• DoS attack on the internet-facing server

• Weak passwords & broken authentication

• Injection

• Eavesdropping on the gateway

• Tampering with the gateway

• OWASP

[Diagram: Gateway, City Network, Internal Network, Data Lake]

Security

Keys everywhere

[Diagram: Basic Sensors, Smart Sensors, Gateway, City Network, Internal Network, Data Lake, Uncontrolled Area]

http://www.tweaktown.com/news/43448/nation-states-launching-cyberespionage-attacks-becoming-normal/index.html

Challenges for Privacy

Building Trust

• How to ask citizens and visitors for specific consent?

• How to handle temporary consent?

• How to implement transparency?

• How to protect the data at rest and in transit?

• How to prevent data attacks?

Regulations

• What will the GDPR bring?

Challenges for Privacy

Example data attack

• 3 months of credit card records

• 1.1 million people

• 4 spatiotemporal points are enough to uniquely reidentify 90% of the individuals

(de Montjoye et al., 2015)

Privacy by design – 7 principles

1. Proactive not Reactive: Preventative not Remedial.

2. Privacy as the Default Setting.

3. Privacy Embedded into Design.

4. Full Functionality: Positive-Sum, not Zero-Sum.

5. End-to-End Security: Full Life Cycle Protection.

6. Visibility and Transparency: Keep it open.

7. Respect for User Privacy: Keep it individual and user-centric.

https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

How we started

• Gathered information internally & from the community

• Network security & Security officer

• IMEC & Marc Vael

• Meetups around IoT & Security

• From the feedback we decided to build a threat model for security & privacy

• We tried to make the threats as clear as possible with examples and real cases

• For each threat we identified a mitigation method

• Wherever we can we choose standard and proven technologies

• For each project we take into account the privacy by design principles

• We are building classifications for the different projects

• Re-assess with each iteration

Conclusion

• Smart cities can help cities to tackle a number of the challenges they face

• Implementing Security and Privacy right still poses some challenges and is best implemented as an iterative process.

• Always ask if you should, not if you could!

Dr Ian Malcolm -- https://youtu.be/304Lcn0nU3c

gert.detant@sirus.be

Thank You!
