IoT Security in Smart Cities
SIRUS
Belgian software company
Small and agile company focused on innovation
Software craftsmanship where architecture and design are key elements
Technology is our DNA
Focus on Smart Cities, IoT & Cloud
Microsoft gold partner
Who Am I?
Passionate about
• Technology (IoT, AI, chatbots, blockchain, big data)
• Startups & entrepreneurship
Background
• CTO @ Sirus
• IoT Architect @ Digipolis Antwerpen, Digipolis, Imec
• Architect on Smart Meter, Grid & user
Contact
http://www.flabber.nl/linkdump/plaatjes/toen-en-nu-28-fotos-van-wereldsteden-die-ongelooflijke-transformaties-hebben-onder
In 2014, 54 per cent of the world’s population lives in urban areas, a proportion that is expected to increase to 66 per cent by 2050. Projections show that urbanization combined with the overall growth of the world’s population could add another 2.5 billion people to urban populations by 2050, with close to 90 percent of the increase concentrated in Asia and Africa, according to a new United Nations report launched today.
Challenges for a City?
Mobility
(Transport and ICT)
Economy(Competitiveness)
People
(Social and Human capital)
Environment
(Natural Resources)
Governance(Partcipation)
Living(Quality Of Life)
Giffinger (2007)
City IoT Platform
302 KWProduced
RainIn 2h 43m
490 KWProduced
Fine Dust50 µg/m³
Field Gateway
Wifi Hotspot
Trash Level75%
FeedbackCity feels save
FeedbackPerson in distress
Smart Light
Smart Traffic
DiningFully Booked
Bike Rental2 Available
What is a Smart City?
A smart city is an urban place that uses Information and Communication Technologies (ICT) and their role in economic development, building an infrastructure to enable greater connectivity between businesses, citizens or government, or all three
How to build a Smart City?
• TOP DOWN
• holistic
• total solution
• government in driving seat
• technology-driven
• Bottom UP
• experimental
• small scale
• smart citizen holds central position
The smart City Platform
User Centric
Co-Created
Service OrientedData-Driven
Cloud Enabled
Pluggable
Communications patterns
Non-functional requirements
Distributed & Decoupled
Interoperability Scalability
Legacy &
heterogeneousRobustness
Open
Standards
SecurityOpen Source
Privacy
Current Cases in Antwerp
• Smart Zone City as a Data Broker• Safe Crossing• Smart Lightning• Smart logistic (last mile)• Smart Trashbin• Food Surplus
• Synchronicty European project around an API for the City• Smart Transportation
• Circular south enabling renewable energy• New City Development
• Select4Cities• European Smart IoT City Platform
Basic Sensors
Smart Sensors
City Network
Uncontrolled Area
Basic Sensors
Smart Sensors
City Network
Gateway
Gateway
Uncontrolled Area
LPWAN
Sigfox (uplink 12 bytesDownlink 8 bytes)
LoRa (max 51 to 222 bytes))
Basic Sensors
Smart Sensors
City Network
Internal Network
Data Lake
City Network
Gateway
Gateway
Uncontrolled Area
Basic Sensors
Smart Sensors
City Network
Internal Network
Data Lake
City Network
Gateway
Gateway
Uncontrolled Area
The hacker news
WIRED
Hackers Remotely Kill a Jeep on the Highway
Security
• Firmware updating
• Bad implementations
• Default passwords
• Tampering with devices
• Tampering the measurements
• Battery exhausting
• Interpreting the signals
• Vendor out of business (new markets)Basic Sensors
Smart Sensors
City Network
Uncontrolled Area
https://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridge/
Security
• Jamming the communication
• Spoofing sensors
• Man in the middle attacks
• Evesdroping
• Replay attacks
• Disconnecting the sensor
• Location determination
City Network
Uncontrolled Area
Basic Sensors
Smart Sensors
Gateway
Gateway
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-LoRa-security-guide-1.2-2016-03-22.pdf
• DOS attack on the wireless gateway
• DOS attack on the internet facing server
• Weak passwords & broken authentication
• Injection
• Eavesdropping on the gateway
• Tampering the gateway
• OWASP
City Network
Internal Network
Data Lake
City Network
Gateway
Security
Keys everywhere
Basic Sensors
Smart Sensors
City Network
Internal Network
Data Lake
City Network
Gateway
Gateway
Uncontrolled Area
http://www.tweaktown.com/news/43448/nation-states-launching-cyberespionage-attacks-becoming-normal/index.html
Challenges for Privacy
Building Trust
• How to ask specific consent to the citizens, visitors?
• How to handle temporary consent?
• How to implement the transparency?
• How to protect the data at rest and in transfer?
• How to prevent data attacks?
Regulations
• What will the GDPR bring?
Challenges for Privacy
Example data attack
• 3 months of credit card records
• 1.1 million people
• 4 spatiotemporal points are enough to uniquely reidentify 90% of the individuals
• - de Montjoye et al, 2015
Privacy by design – 7 principles
1. Proactive not Reactive : Preventative not Remedial.
2. Privacy as the Default Setting.
3. Privacy Embedded into Design.
4. Full Functionality : Positive-Sum, not Zero-Sum.
5. End-to-End Security : Full Life Cycle Protection.
6. Visibility and Transparency : Keep it open.
7. Respect for User Privacy : Keep it individual and user-centric.
https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf
How we started
• Gathered information internal & from the community• Network security & Security officer• IMEC & Marc Vael• Meetups around IoT & Security
• From the feedback we decided to build a treat model for security & privacy • We tried to make the treats as clear as possible with
examples and real cases• For each treat we identified a mitigation method
• Wherever we can we choose standard and proven technologies
• For each project we take into account the privacy by design principles
• We are building classifications for the different projects• Re-assess with each iteration
Conclusion
• Smart cities can help cities to tackle a number of the challenges it faces
• Implementing Security and Privacy right, still poses some challenges and is best implemented as an iterative process.• Always ask if you should not if you could!
Dr Ian Malcom --https://youtu.be/304Lcn0nU3c
Thank You!