Notes from Meetup #15: Locking Down the Smart City
SmartSheffield number 15 took place on the 13th January in the Diamond Building at the University of Sheffield, thanks to our excellent sponsors and partners at Pitch-In - the 3-year project to understand the barriers to adoption of internet of things technologies across a range of industrial application areas, including smart cities. And it was this aspect of embedding smart technologies in our urban surroundings and the ways in which this infrastructure might be subverted to do us harm, which was the theme of the evening, with three excellent talks about the cyber security implications of smart city networks and sensors.
As per usual here are the videos of the talks, along with my notes, as well as the regular SmartSheffield news section highlighting relevant projects, initiatives and events currently in motion across Sheffield and the wider region.
Do please get in touch if you have any feedback, news you would like us to share or a topic you want to present at a future meetup. Email me at info@smartsheffield.city, or get in touch via Twitter @SmartSheffield.
Thanks once again to our sponsors at Arup, Pitch-In, Creative Space Management and Sheffield Digital. The next event will be on Monday the 2nd March at the Electric Works, and will focus on the Future of our Food!
We hope to see you there,
Chris Dymond (Unfolding and Sheffield Digital)
Prof John Clark from the University of Sheffield and Pitch-In on Security Threats and Challenges in the Smart City
John Clark took the opportunity to look at three under-researched threat vectors in smart city systems:
Firstly, the potential to subvert ‘digital twins’, i.e. the live digital representations that many smart city systems use to make decisions about how to optimise the network. The most sophisticated (or ‘smartest’) of these are essentially autonomic - meaning they are self-optimising and self-healing. However, if the digital twin can be undermined, for instance by targeted network jamming, these systems can be placed into a state of continual adjustment, effectively causing their own denial of service. It’s like the system’s own ‘immune system’ being made to turn on itself!
Secondly, the lack of designed-in forensic evidence in these systems. As digital technology becomes more integrated into cities, they will begin to have the same problem that every other large IT system has, which is that as criminal activity inevitably occurs, there will be a need to provide evidence of what exactly took place and who the perpetrator was. This fact is not being considered sufficiently in the design of systems and the technologies, devices, sensors and networks that they consist of, and logs, metadata and audit trails are almost certainly currently insufficient to reconstruct a crime (or an accident!) and bring prosecutions.
John argues that system designers need to not just focus on the security of data, but also on what forensic experts need in order to reconstruct an event, and ensure that the system’s monitoring stores the right things and keeps that data separate and at least as safe.
And finally, the potential for small-scale but highly targeted radio frequency ‘vandalism’. That is, the ability for anyone, for very little money and effort, to create ‘pulse guns’ or small electro-magnetic pulse generators, which can knock out integrated circuits if they are not sufficiently shielded. So if this isn’t accounted for in design, or system components are not appropriately procured, anyone could potentially render a device inoperable: a vehicle, traffic lights, an entire building or a mass transit interchange, etc. - whatever piece of smart city infrastructure is close enough to the pulse.
Do watch John’s talk for a more in depth analysis of these threats.
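To make the second threat above concrete, here is an added example (not from John's talk or from any system he described) of an audit trail that records who did what to which device and when, and that lets an investigator detect edited, removed or truncated entries. The device names, events and key are constructed, and the assumption is that the key and the latest checkpoint are held by a separate logging service rather than alongside the operational data.

```python
import hashlib
import hmac
import json

# Assumption: this key lives in a separate logging service, not on the devices
# or in the operational database whose activity is being recorded.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _mac(prev_mac, seq, record):
    """MAC over the previous link, the sequence number and the record."""
    body = json.dumps({"prev": prev_mac, "seq": seq, "rec": record},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()


def append(log, actor, device, action, ts):
    """Append one who/what/where/when record, chained to the previous entry."""
    prev = log[-1]["mac"] if log else GENESIS
    record = {"actor": actor, "device": device, "action": action, "ts": ts}
    entry = {"seq": len(log), "rec": record, "mac": _mac(prev, len(log), record)}
    log.append(entry)
    return entry


def verify(log, checkpoint=None):
    """Return (ok, reason); checkpoint is the last MAC, stored apart from the log."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}"
        if not hmac.compare_digest(entry["mac"], _mac(prev, i, entry["rec"])):
            return False, f"entry {i} altered or chain broken"
        prev = entry["mac"]
    if checkpoint is not None and not hmac.compare_digest(prev, checkpoint):
        return False, "log does not end at the recorded checkpoint"
    return True, "ok"


def build_sample_log():
    """Constructed sample events for a hypothetical traffic-signal controller."""
    log = []
    append(log, "operator:alice", "signal-017", "set_plan:peak", "2020-01-13T08:00:00Z")
    append(log, "service:optimiser", "signal-017", "set_phase:42s", "2020-01-13T08:05:10Z")
    append(log, "operator:bob", "signal-017", "override:all_red", "2020-01-13T08:07:30Z")
    return log
```

Without the separately stored checkpoint, dropping the most recent entries leaves a chain that still verifies, which is why the monitoring data has to be kept apart from the system it describes.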
Mark Davies from Ioetec on whether Smart technologies are actually the "Asbestos of the Future"
Mark is one of the founders of Ioetec, a Sheffield-based cyber security firm that specialises in securing the ‘Internet of Things’ and related technologies.
In his talk, Mark speculates whether the sensors and embedded circuitry that are currently being built into our environment have the potential to be as significant (and expensive) a long term problem as asbestos was in the 20th century. He recaps the history of asbestos, for those perhaps too young to be aware of the prevalence of the substance, once regarded as a wonder-material and used in an enormous range of contexts before the health hazards were fully understood and addressed. And of course its removal still costs hundreds of millions of pounds around the world each year.
The risk of installing billions of sensors, circuits and processors in our built environment is not related directly to our health as asbestos is, of course, but to the security of the data that flows through and between all these devices. And while security is being built into each individual component of smart systems, there are gaps where these components interact and often no cohesive security framework that covers the system from edge to end user. So, if the integrity of the data that flows across these systems cannot be guaranteed, all these sensors and devices may need to be replaced far sooner than the people who procure these systems realise.
Ioetec is specifically engaged in addressing this issue, and employs a range of techniques to encrypt and verify data across complex systems, even if there are inconsistencies in security coverage across it. There are, though, constantly new methods of attack being deployed by organised criminals, hackers and state intelligence services - a fact which Mark illustrates by describing the now famous Las Vegas Fish Tank Hack, in which the environmental control mechanism in a fish tank in a casino was compromised and used to gain access to the casino’s main network and exfiltrate 10Gb of confidential data about the casino’s high rollers.
There are signs that regulations will be brought in around the world to address these IoT security issues and force better practice from manufacturers, and of course the debate over whether to allow Huawei to contribute to the next generation of Western communications networks is now front page news.
Dr Carlos Da Silva from Sheffield Hallam University on Lessons from the Smart Metropolis Project
Carlos has recently moved to Sheffield from Natal in Brazil, where he was responsible, amongst many other things, for designing the IT infrastructure underlying the "Smart Metropolis Project", which is an attempt to build a comprehensive smart city system, developed by the Instituto Metrópole Digital at the Federal University of Rio Grande do Norte. The project started in earnest in 2015, and is still underway.
The idea was to integrate cross-disciplinary expertise from all across the university - around 40 leaders in total - and bring it to bear on the challenge of integrating smart systems across a city. In other words, instead of having a large number of independent, non-interoperable systems across city domains, the project would look to integrate them in a way that data could be shared between them, and insight delivered to end users when and where it was needed.
The ambition was for the project to be the national centre of reference for smart cities in Brazil, which it achieved in 2018. The project is also recognised with a seal of approval by the Institute of Electrical and Electronics Engineers (IEEE).
As the leader of the project’s Infrastructure work package (one of five major work packages in total), Carlos was responsible for adopting a ‘security by design’ approach to the integration of the project’s systems from the outset. He explains in this talk how the project team used the OpenStack cloud computing framework and the European Union’s FI-Ware (Future Internet) framework as their starting points for the system. This gave them a set of open source components which they could deploy and adapt as and how they were required, including determining how each component fits in with the system’s overarching security framework. It was Carlos’ team’s responsibility to work this out and support other teams in deploying their components in a way that maintained performance and security standards across the system, and he explains here how this happened in practice.
He also covers some of the components of the system itself, from a monitoring and communications system used by the military police during the World Cup in 2014 to “Visit Natal”, the city’s tourist information system.
Chris Dymond: SmartSheffield News for January 2020
As always, I finished off the talkie part of the evening with a short segment on recent smart city related goings on in Sheffield. There wasn’t very much to report this time - either not much has happened since the last meetup, or we need to cast our net wider and encourage more people to let us know about their projects!
Anyway, there were still some interesting things to highlight, as follows:
Sheffield Plan: "Call for Sites". Effort to solicit information from citizens about what new uses parts of the city should be put to.
Sheffield Street Trees: Lessons Learned & Actions (pdf). Excellent to see this level of openness. Would be good to have more information on how the urban forest is going to be managed and whether the data used to manage it will be made open as well.
Sheffield City Region Active Travel Map. A reminder that this initiative to gather information on walking and cycling in the city region from citizens is still open until the end of March.
Locate in SCR. This is SCR’s new platform for inward investment - a super site of economic data and information about relocating a business to the region.
The Things Network Sheffield - the regular update on the effort to build a community-owned Internet of Things network across the city. There are now 17 gateways active, and active development of applications.
And that was it for an excellent event - really interesting talks about a massively important but not well enough understood issue. Thanks to everyone who came along, and we hope to see you all at the next event in March!