Anthony M. Townsend - Smart Cities - Big Data, Civic Hackers, and the Quest for a New Utopia

Centralization of smart-city infrastructure is risky, but decentralization doesn’t always increase resilience. Uncoordinated management can create its own brittle structures, such as the Internet’s “bufferbloat” problem. Buffering, which serves as a kind of transmission gearbox to sync fast-flowing and congested parts of the Internet, is a key tool to smoothing out surges of data and reducing errors. But in 2010 Jim Gettys, a veteran Internet engineer, noticed that manufacturers of network devices had taken advantage of rapidly falling memory prices to beef up buffers far beyond what the Internet’s original congestion-management scheme was designed for. “Manufacturers have reflexively acted to prevent any and all packet loss and, by doing so, have inadvertently defeated a critical TCP congestion-detection mechanism,” concluded the editors of ACM Queue , a leading computer networking journal, referring to the Internet’s traffic cop, the Transmission Control Protocol. The result of bufferbloat was increasing congestion and sporadic slowdowns.' What’s most frightening about bufferbloat is that it was hiding in plain view. Gettys concluded; “the issues that create delay are not new, but their collective impact has not been widely understood ... buffering problems have been accumulating for more than a decade.”39

What a laundry list of accidental ways smart cities might be brittle by design or oversight! But what if someone deliberately tried to bring one to its knees? The threat of cyber-sabotage on civil infrastructure is only just beginning to capture policy makers’ attention. Stuxnet, the virus that attacked Iran’s nuclear weapons plant at Natanz in 2010, was just the beginning. Widely believed to the product of a joint Israeli-American operation, Stuxnet was a clever piece of malicious software, or malware, that infected computers involved with monitoring and controlling industrial machinery and infrastructure. Known by the acronym SCADA (supervisory control and data acquisition) these computer systems are industrial-grade versions of the Arduinos discussed in chapter 4. At Natanz some six thousand centrifuges were being used to enrich uranium to bomb-grade purity. Security experts believe Stuxnet, carried in on a USB thumb drive, infected and took over the SCADA systems controlling the plant’s equipment. Working stealthily to knock the centrifuges off balance even as it reported to operators that all was normal, Stuxnet is believed to have put over a thousand machines out of commission, significantly slowing the refinement process, and the Iranian weapons program.40

The wide spread of Stuxnet was shocking. Unlike the laser-guided, bunker-busting smart bombs that would have been used in a conventional strike on the Natanz plant, Stuxnet attacked with all the precision of carpet bombing. By the time Ralph Langner, a German computer-security expert who specialized in SCADA systems, finally deduced the purpose of the unknown virus, it had been found on similar machinery not only in Iran but as far away as Pakistan, India, Indonesia, and even the United States. By August 2010, over ninety thousand Stuxnet infections were reported in 115 countries.41

Stuxnet was the first documented attack on SCADA systems, but it is not likely to be the last. A year later, in an interview with CNET, Langer bristled at the media’s focus on attributing the attack to a specific nation. “Could this also be a threat against other installations, U.S. critical infrastructure?” he asked. “Unfortunately, the answer is yes because it can be copied easily. That’s more important than the question of who did it.” He warned of Stuxnet copycat attacks, and criticized governments and companies for their widespread complacence. “Most people think this was to attack a uranium enrichment plant and if I don’t operate that I’m not at risk,” he said. “This is completely wrong. The attack is executed on Siemens controllers and they are general-purpose products. So you will find the same products in a power plant, even in elevators.”42

Skeptics argue that the threat of Stuxnet is overblown. Stuxnets payload was highly targeted. It was programmed to only attack the Natanz centrifuges, and do so in a very specific way. Most importantly, it expended a highly valuable arsenal of “zero-day” attacks, undocumented vulnerabilities that can only be exploited once, after which a simple update will be issued by the softwares supplier. In its report on the virus, security software firm Symantec wrote “Incredibly, Stuxnet exploits four zero- day vulnerabilities, which is unprecedented.”43

Stuxnets unique attributes aside, most embedded systems aren’t located in bunkers, and they are increasingly vulnerable to much simpler attacks on their human operators. Little more than a year after Stuxnet was uncovered, a lone hacker known only as “prOf ” attacked the water utility of South Houston, a small town of seventeen thousand people just outside Texas’s most populous city. Enraged by the US government’s downplaying of a similar incident reported in Springfield, Illinois, prOf homed in on the utility’s Siemens SIMATIC software, a Web-based dashboard for remote access to the waterworks’ SCADA systems. While the Springfield attack turned out to be a false alarm—federal officials eventually reported finding “no evidence of a cyber intrusion”—prOf was already on the move, and the hacker didn’t even need to write any code.44 It turned out that the plant’s operators had chosen a shockingly weak three-letter password. While prOf’s attack on South Houston could have easily been prevented, SIMATIC is widely used and full of more fundamental vulnerabilities that hackers can exploit. That summer Dillon Beresford, a security researcher at (oddly coincidentally) Houston-based network security outfit NSS Labs, had demonstrated several flaws in SIMATIC and ways to exploit them. Siemens managed to dodge the collateral damage of Stuxnet, but the holes in SIMATIC are indicative of far more serious risks it must address.

Another troubling development is the growing number of “forever day” vulnerabilities being discovered in older control systems. Unlike zero-day exploits, for which vendors and security firms can quickly deploy countermeasures and patches, forever-day exploits target holes in legacy embedded systems that manufacturers no longer support—and therefore will never be patched. The problem affects industrial-control equipment sold in the past by both Siemens and GE, as well as a host of smaller firms.45 It has drawn increased interest from the Cyber Emergency Response Team, the government agency that coordinates American cyber-security efforts.

One obvious solution for securing smart-city infrastructure is to stop connecting it to the Internet. But “air-gapping,” as this technique is known, is only a stopgap measure at best. Stuxnet, much like Agent.btz, the virus that infected the Defense Department’s global computer network in 2008, were likely both walked into secure facilities on USB sticks 46 Insecure wireless networks are everywhere, even emanating from inside our own bodies. Researchers at the security firm McAfee have successfully hijacked insulin pumps, ordering the test devices to release a lethal dose of insulin, and a group of computer scientists at the University of Washington and University of Massachusetts have disabled heart-defibrillator implants using wireless signals.47

These vulnerabilities are calling the entire open design of the Internet into question. No one in those early days of ARPANET ever imagined the degree to which we would embed digital networks in the support systems of our society, the carelessness with which we would do so, and the threat that malevolent forces would present. Assuring that the building blocks of smart cities are reliable will require new standards and probably new regulation. Colin Harrison, IBM’s smarter-cities master engineer, argues that in the future, “if you want to connect a computer system to a piece of critical national infrastructure it’s going to have to be certified in various ways.”48 We’ll also have take stronger measures to harden smart cities against direct assault. South Korea has already seen attacks on its civil infrastructure by North Korean cyber-warriors. One strike is believed to have shut down air traffic control in the country for over an hour.49