25. • 2010, IBM: “A world of 1 trillion connected devices” by 2015.
• 2011, Ericsson’s CEO Hans Vestberg: “50 billion connected devices” by 2020.
• 2013, Cisco: “50 billion things will be connected to the internet by 2020.”
• 2013, ABI Research report: “30 billion” by 2020.
• 2013, Morgan Stanley report: “75 billion devices connected to the IoT” by 2020.
• 2014, an Intel infographic: “31 billion devices connected to internet” by 2020.
• 2014, ABI Research updated report: “41 billion active wireless connected devices” by
2020.
• 2015, Gartner Research: “4.9 billion connected things in use in 2015 … and will reach
20.8 billion by 2020.”
26.
27. “Bigger than Mirai: Leet Botnet delivers 650 Gbps DDoS
attack with ‘pulverized system files’” 28/12/2016
“KrebsOnSecurity Hit With Record DDoS” 21/09/2016
28.
29.
30. Are Smart Cities too Fragile?
Russell Castagnaro
russell@egov.com
Mahalo
Editor's Notes
Aloha,
My name is Russell Castagnaro. Until late November I was the President and General Manager of the Hawaii Information Consortium, LLC - an NIC Inc Company. We ran all of the eGovernment systems in Hawaii for the state and three of the four counties.
I've presented here in the eGovernment Symposium for three or four years and I thank Mila and Ramon for inviting me back this year.
As you'd expect my expertise is on the implementation side of eGovernment. I appreciate the opportunity to turn my gaze more specifically to SmartCities.
Given that I have been running state-level services for 13 years, I focused on finding the inherent fragility in Smart Cities, the infrastructure, etc…
This isn’t all nightmare, fire and brimstone, Where I can I’ll also try to mention some potential solutions or approaches that might help.
I have found that everyone seems to have different ideas about what constitutes Smart Cities. Basically it doesn’t matter. There seems to be plenty of overlap here. What I am going to focus on is the technology that makes Smart Systems possible and how that Smart “Awesomeness” actually makes the systems potentially very, very fragile.
A Smarter City systematically creates and encourages innovations in city systems that are enabled by technology; that change the relationships between the creation of economic and social value and the consumption of resources; and that contribute in a coordinated way to achieving a vision and clear objectives that are supported by a consensus amongst city stakeholders. -Rick Robinson
http://image.shutterstock.com/z/stock-vector-smart-city-concept-with-different-icon-and-elements-modern-city-design-with-future-technology-for-374763079.jpg
Smart cities projects tend to have significant amounts of audacity. We are trying to do things differently and throwing out old assumptions (Do we need that TPS Report??) .
In my work in eGovernment I have often been told “Don’t throw the baby out with the bathwater” I laughed the first few times this came up, then one day I really looked up where it came from. It’s the cleaning train…
---
http://vickybeeching.com/blog/wp-content/uploads/2012/02/baby-out-with-bath-water.jpeg
So it turns out that what I’ve always done in eGovernment and what Smart City projects try to do is just the opposite. You see, when you throw out the baby with the bathwater you are favoring the old way of doing things over the future. The same people that say DTBWTBW are actually trying to protect the old way of doing things at the expense of the future!
Smart Cities projects are the place where change agents can really make a difference.
http://ablsilver.com/img/secondary/plane.png
http://datascienceseries.com/assets/blog/cover_open_data4.jpg
Open data is great. Free your data and see the innovation erupt like lava from a volcano. That was the promise of 2010 - 2014, but we have learned that is not necessarily the case. In fact open data is more of a problem to manage and another hurdle to jump than the freedom we all hoped for.
As with most things that are freely available, they tend to be, in my humble opinion, more expensive than the data that costs something. Cases in point:
----- Meeting Notes (1/3/17 10:39) -----
check Bad Data on the Open Knowledge website for more.
Biggest issues - public version is a pdf. Only a single cell for collecting multiple description fields.
No way to really understand this table without already understanding all routes – no route numbers or station numbers/ names
----- Meeting Notes (1/3/17 10:39) -----
So sad.... From the Bureau of Labor Statistics - this amounts to a "canned report" whose output is in plain text format.
It is INCREDIBLY hard for machines to read, but humans can read it decently well.
Here is an example of the 5th most accessed data set in data.hawaii.gov. About 6 apps that I know of use this. But look, the way the data is formatted is maddening. The data has also not been updated in 3 or 4 years.
Finally one of the things I find most frustrating. Filtering datasets instead of making views. Take a look at this employment information. The same dataset is pre-filtered by county. If you wanted to look at this at the state level, you’d need to pull in the json or data from each county and aggregate it. It could be worse though, the schemas/ data structures could be different right?
When we run cities the current way, these open data problems are annoying and inefficient.
For a Smart City these kinds of hang ups over data hobble smart cities. Think about how many vendors are involved in this. If you think ERP projects are tough (75% of them fail and many of those are being spun positively) just wait for Smart City platforms….
In many ways data access and sharing is the core technology requirement for smart decisions and smart governance.
It means that cities have to negotiate uptime for data apis (as producer and consumer of data) in order for systems to have reasonable levels of uptime.
Buggy software - I remember when we deployed my first major bug in a state system. Basically the fees changed in 2004 for Annual Business Reports in Hawaii (the DCCA) We deployed the system without checking the fiscal reports on our test environment. The net result, we processed about 6,000 reports at a price that was $2.35 less than the actual cost. Luckily it was only a $13,000 mistake for us.
May 2012 California: Placer County Courthouse system accidentally summoned 1,200 people to jury duty on the same morning causing traffic jam
November 2013 Bay Area Rapid Transit (BART): major software glitch, service was shut down by a technical problem involving track switching, it affected 19 trains with about 500 to 1,000 passengers on board
In 2016 the IRS had bugs which allowed millions of tax filers’ information and returns to be compromised in its Modernized eFiling (MeF) System.
The SWIFT network which handle wire transfers – was compromised and continues to have problems due to old software bugs. Over US$1B was stolen last year.
Finally many of you may have flown over watching entertainment systems on United, Virgin or Delta. Hacks of those systems due to bugs are really interesting… You can watch them online if your are interested.
Now think about the computers you have at work or your home. Do they have bugs. These smart systems need to be smart and need a way to stay smart and ahead of the security curve.
https://github.com/Netflix/SimianArmy/wiki
How do you make sure your system functions in the wild when so many loosely coupled systems may be necessary? You implement an army that can cause all sorts of problems – so you can solve them ahead of time.
There are groups
Smart cities will depend on modern technology to a great extent. Using sensors to collect data and communicate instructions to devices (i.e street lights, thermostats, water valves, etc) will be critical in the future. Communication with these small devices makes up a large portion of the Internet of Things...
It all looks so nice and clean!
“Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example a jet engine of an airplane or the drill of an oil rig. If it has an on and off switch then chances are it can be a part of the IoT. The analyst firm Gartner says that by 2020 there will be over 26 billion connected devices... That's a lot of connections (some even estimate this number to be much higher, over 100 billion). The IoT is a giant network of connected "things" (which also includes people). The relationship will be between people-people, people-things, and things-things”. -Forbes
http://www.i-scoop.eu/internet-of-things/
http://www.beechamresearch.com/files/BRL%20IoT%20Security%20Threat%20Map%202015%20300dpi.jpg
The threats to IoT devices and services are varied and vast. Every vulnerability that has been identified in the past can gain new life because most IoT devices do not have the same level of security built into them.
For our purposes this comes down to “things” (connected devices) communicating. On a typical server you can do things like use secure protocols (would you pay for something online that didn’t use HTTPS?) encrypt data at rest, use all sorts of security countermeasures to secure data and services. Unfortunately on these small devices -- networkable chips in reality -- including a full security stack is not economical in the short term. That means that these connected devices in the wild can be used in ways not already understood fully.
Right now the top three IoT entry points are: Routers, DVRs and Cameras once an attacker compromises one of these devices, they are in your network.
But the stakes are even higher for Smart Cities
From Beccaro and Collura -“(Ab)using Smart Cities: The Dark Age of Modern Mobility“ at HITB GSEC 2016
They focused on Transportation Systems and if you have any interest in more technical aspects, I encourage you to watch their presentation.
Smart traffic control
Smart parking
Smart street lighting
Smart public transport system
Gave examples of two Smart Parking Meter Systems which were easily compromised (changing the rate charged, rooting the system).
Bike Sharing systems shown to have multiple vulnerabilities including hardcoded credentials, sql injection and poor coding. Physical hacking of the bike locks also very easy.
They showed examples of public transportation systems (new and more conventional) being hacked. They could lock out tickets, change fares, etc..
Near Field Communication (NFC) cards were also a source of many hacks in all three systems.
Remember Smart systems can be tricked..
2015 had a Wired article that gave instructions on how to turn off a Jeep Cherokee. Nissan Leafs were also compromised in a similar way.
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
Examples:
Lighting systems
Water management systems
SmartGrid
Traffic Lights
It costs a lot to fix this!
----- Meeting Notes (1/4/17 08:00) -----
old platforms with 5 - 8 years left of life! Living in your home, enterprise, city, state, country!
Smart cities will depend on modern technology to a great extent. Using sensors to collect data and communicate instructions to devices (i.e street lights, thermostats, water valves, etc) will be critical in the future. Communication with these small devices makes up a large portion of the Internet of Things...
----- Meeting Notes (1/4/17 08:00) -----
ignore left -- The scariest thing to me is actually connectivity
Smart cities depend on connectivity of devices, as pointed out earlier.
When you consider that by 2020 many agree we will have somewhere between 20 and 50 billion connected devices its dizzying! All of those devices are using bandwidth and require it to function correctly. By leveraging conventional computers or IoT devices in BotNet attacks networks can be compromised.
In 2016 the Netherlands and South Korea both announced a state-sponsored IOT. They are obviously serious about IOT! This is initially for services like smart meters but are already expanding to track individuals, devices, monitor environments and for manufacturing and commercial enterprises.
Basically there is no way to stop a Distributed Denial of Service Attack. Now these attacks come from IoT devices like routers,CCTV Cameras, DVRs and webcams.
As more IoT devices are deployed having your device rooted and turned into a botnet is a bigger risk. New platforms like Mirai allow developers to roll their own botnets. In the end of 2016 botnets run from webcams were used to bring down the heating in two Finnish buildings and online services of multiple Russian Banks. The above attacks were attacks on the fundamental core of the public interet – Domain Name Services. Some people worry that the IoT will be the end of the Internet.
http://qz.com/860630/ddos-attacks-have-gone-from-a-minor-nuisance-to-a-possible-new-form-of-global-warfare/
It costs a lot to fix this! And we don’t actually know how. Just consider there is only one remaining secure protocol for HTTPS left ! What would happen if it was compromised.
So Smart Cities are going to be great IF we can protect them and ourselves from the vulnerabilities they open up. If we move forward without technology, smart cities will be much less smart. We need to really work hard to find ways that our smart cities don’t become smart prisons.
Well, Yes – they are. But we can make them more robust.
Some answers – Procurement changes, Integrated Testing