LAS VEGAS — As this year’s Consumer Electronics Show got underway in Las Vegas, cities and states across the country readied themselves for the possibility of a cyberattack from Iran. Vegas itself was saddled with a cyberincident on the opening day of the show, which made the remarks at the CES session “Top Security Trends in Smart Cities” seem all the more urgent.
Panelists from the cyber industry discussed the emerging world of data and interconnectedness, agreeing that by making communities and products “smarter” they were ironically making them that much more vulnerable to cyberattack.
“A lot of people think ‘I’m not susceptible to being hacked because I’m not driving around in a Tesla.’ But any car made after 2001 is connected to GSM [the Global System for Mobile Communications] and is a target,” said panelist Alissa Knight, of Knight Ink, a marketing and advertising firm focused on cybersecurity.
Knight, a self-admitted “recovering hacker,” described her life and transition from Black Hat lawbreaker to White Hat cyberprofessional as the “typical Hollywood story.”
“I hacked into a government network in 1997. I was caught, I was arrested, and I went to go work for the U.S. government in cyberwarfare,” said Knight. But the world of hacking and cyberwar, which was mostly about defacing government websites at the time, has changed immensely since then, she said.
“It’s one thing to deface a website, it’s another thing to take control of a car that your family is in,” she said.
Knight would know, since she’s spent the last few years hacking into cars and manipulating them for research purposes. From a remote location, Knight is typically able to control a car’s steering wheel, push the gas or pump the brakes, she said, admitting that in one particular case she accidentally ran the test car into the side of a building.
These powers in the wrong hands pose grave security risks, she warned.
“Why fly a plane into a building when you can just do it from your cave and cause just as much panic through terrorism remotely?” Knight asked.
Ami Dotan, CEO of Karamba Security, said the risk is amplified by the fact that hacking tools are now very accessible. He gave the audience some examples of exposed systems his team could find by using Internet scanning tools that anyone could download: controls for gas stations, electric vehicles, even a high-rise’s emergency generator. Many devices, designed for connectivity and convenience, have built-in and obvious weaknesses, he said.
“We don’t want to waste time, we love those gadgets that make a life easier and more efficient,” said Dotan. “But connectivity comes with a huge risk.”
The hacking crisis is made worse by the urbanization of communities around the globe, a trend that is creating exponentially more data (approximately 16.5 zettabytes and counting), and the task of securing that data is becoming increasingly difficult, said Sameer Sharma, Intel’s general manager for IoT Solutions.
“Three million people are moving into urban areas every week. … When we are bringing all these people in, we are also creating a lot more data,” Sharma explained.
Because of this, he advocates for taking a “data-centric” view of cybersecurity that takes into account how urban populations are directly tied to data creation.
Panelists generally agreed that solutions for city officials would have to be diverse and multifaceted and could include regulations, but also that the solutions start with the relationship between the vendor and the consumer.
Knight said she felt that increased consumer knowledge of and focus on cybersecurity could help pressure vendors to be more responsible with their designs. Dotan agreed and advocated for normalizing cybersecurity standards, much the same way that working airbags are considered basic security for a car. Security should be viewed as a marketing advantage, he added.
“If consumers are aware that cybersecurity is an issue and that [a lack of] it makes a platform less safe, then they will require it [from vendors],” said Dotan.
Information security officers also need to be better at cataloguing the devices under their domain to better protect them, Knight said.
“You can’t protect what you don’t know you have,” she said. “If there’s anyone in the audience in charge of security for their city, one of the most systemic problems that I’ve found in my career is that a lot of CISOs … don’t have asset catalogs, they don’t know how many CCTV cameras they have, and they don’t know who’s patching them. That’s a huge problem.”