Cyber Security Challenges in Building Smartcity (Presented in 2016)
1. Cyber Security Challenges in Building Smart City
Avinanta Tarigan
Research Center for Cryptography and Information Security
- Pusat Studi Kriptografi dan Keamanan Sistem -
Gunadarma University
http://ps-sekuriti.gunadarma.ac.id
2. Tangerang, Aug 11 2016
Seminar on Smart City, Gunadarma University
Smart City, What Is It All About?
An urban development vision to integrate multiple information and communication technology (ICT) and Internet of Things (IoT) solutions in a secure fashion to manage a city’s assets.
3. Smart City: Hope
1. Convenient Public Services
2. Safety and Security of Citizens
3. Enhanced Livability of the City
4. Smartness in Every Aspect of City Life
5. Long-Term Effectiveness
Establishing Trust → Make System Dependable → Really³ Difficult
4. Smart city components
• Intelligent buildings
• Public Safety & Security
• Connected Healthcare, Telemedicine
• Connected Education, Distant Learning
• Free WiFi hotspots
• Emergency services
• Intelligent transportation
• Smart Grid
Logical & Virtual Level
• Governance, Risk, Compliance
• Connectivity
• Big Data
• Disaster recovery
• Privacy, Identity
• Service continuity
Technology platform and components
• Cyber Security solutions
• Backup and recovery solutions
• RFID, M2M, Sensors
• SCADA, Smart meters, AMI
• Mobile devices
• Wireless
• Cloud, Virtualised DC
5. Smart City is not a Product
● Integration of Well Established Systems
  ● City InfoSys, Firefighter, Hospitals, Financial, Payment Systems, Schools, etc.
● Interoperability & Governance
  ● Protocols, Rules, Standards, Vendors, Compliance, Audit, Legal
● Technological Enabler
  ● IoT, Social Media, Wireless-NG, SmartPhone, Artificial Intelligence, Big Data, Data Mining
● People
  ● Authorities, Citizen (end users), Developers
6. Security Breaches / Incidents
7. Cyber-Security
8. Vulnerability
● (A)uthentication
  ● Proving the ID of the accessing entity
● (I)ntegrity
  ● Maintain integrity of the system
● (C)onfidentiality
  ● No rights for the wrong person
● (A)vailability
  ● Services are available when needed
● AICA
● Attack
  ● Established by exploiting a vulnerability of the system
● Vulnerability
  ● A weakness in design, implementation, operation or internal control that may break AICA
  ● Difficult to detect
  ● Easy to exploit when you have exploit tools
9. Vulnerabilities
10. Bugs Disasters
● Simple bugs can cause big problems:
  ● May 2012, California: a system accidentally summoned 1200 people to jury duty on the same morning, causing a traffic jam
  ● November 2013: Bay Area Rapid Transit (BART) major software glitch, affected 19 trains
  ● August 2003, Northeast: total blackout; the primary cause was software bugs in the alarm system at a control room of an energy company; affected 55 million people
11. Proven Known Attacks on Smart City
● Proven attack on traffic light systems
  ● Michigan Univ → 100,000 intersections in the US
● Wireless encryption problems on street lighting → firmware replacement
● Manipulating information in City Management Systems by attacking web apps and phishing
● Etc.
→ A single vulnerability affects many
→ Vendors often do not care about security
12. Complexity adds Vulnerability
● An attacker needs only the weakest link in the chain to break security → end users
● Adding more links doubles the likelihood of the presence of a vulnerability
● A Smart City is constructed as a complex system
13. Attacks on Sensors
● Sensors
  ● Communication between wireless sensors and the host is not secure (some not encrypted, or encrypted with bugs in the protocol)
  ● Tamper-resistant sensors are rare. One can replace the firmware.
  ● Authentication is poor → fake / spoofed sensors
  ● Fake seismic detection, fake flood detection
  ● Fake signals → wrong decision → disasters
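An added example, not part of the original slides: one way a host can reject the spoofed and replayed sensor readings described on this slide, using a per-sensor HMAC key and a strictly increasing counter. The sensor ID, key, message layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; real deployments provision a unique key per device.
SENSOR_KEYS = {"flood-07": b"constructed-demo-key-flood-07"}


def sign_reading(sensor_id, counter, value, key):
    """Sensor side: serialise the reading and attach an HMAC-SHA256 tag."""
    body = json.dumps({"id": sensor_id, "ctr": counter, "value": value},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class SensorHost:
    """Host side: accept a reading only if it is authentic and fresh."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted so far, per sensor

    def verify(self, message):
        try:
            body = message["body"].encode()
            tag = message["tag"].encode()
            fields = json.loads(body)
            sensor_id, counter = fields["id"], fields["ctr"]
        except (KeyError, ValueError, TypeError, AttributeError):
            return "rejected: malformed"
        key = self.keys.get(sensor_id) if isinstance(sensor_id, str) else None
        if key is None:
            return "rejected: unknown sensor"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; a spoofed sensor without the key fails here.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        # A strictly increasing counter stops a captured reading being replayed.
        last = self.last_counter.get(sensor_id, -1)
        if type(counter) is not int or counter <= last:
            return "rejected: stale counter"
        self.last_counter[sensor_id] = counter
        return "accepted"
```

The tag only proves that the sender holds the key, so a sensor whose firmware has been replaced still needs the tamper resistance the slide mentions.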
14. Malware
● Infected many devices
● Various types and infection techniques
● BotNet, Ransomware, Spyware, AdWare
● Man-in-the-Middle
● StuxNet → attack on critical infrastructure
● Estonia incidents
15. Smart City Systems Other Stakeholder
16. Social Engineering
17. Problems
● Building a Dependable System is very hard
● Tampered Hardware & Insecure Software
● Vendor Dependency
● Insecure System Development
● Lack of Cybersecurity Knowledge and Skills among ICT personnel
● Security through Obscurity
● Lack of Security Awareness among end users
● Improper ICT Governance
● etc.
18. Building Secure Smart City
● Top level management awareness and commitment
● City-wide Vulnerability Management, Periodic PenTest and Audit
● Good ICT Governance → Continuous Security
● CERT (Computer Emergency Response Team) at Municipality Level or even RTRW-CERT
● Disaster Recovery Plan (DRP) & Security Breaches Recovery Plan (SBRP)
● Security and Risk Analysis for every Smart-City App and new Device
19. Building Secure … (continued)
● Security Compliance, Vendor Certification
● Forensic-Ready Products
● Sec-LA (Security Level Agreement) from Vendors
● Secure System Development Cycle
● Skillful and yet “secure” system developers
● Continuous Security Testing against all links in the system
● Cyberthreat Intelligence
20. Continuous Security Process
21. [Diagram: Cyber Security Research Agency (Badan Riset Sekuriti Siber). Labels, translated from Indonesian:]
● IT Asset & Configuration Management
● IT Assets
● IDS
● Vulnerability Scanner
● National IT Asset Profile
● Honeypot
● Analysis & Reporting (Local)
● Attack Response & Analysis
● Countermeasure Simulation & Analysis
● Threat & Risk Analysis
● Attack Pattern and Mitigation Database
● National Cyber Situation Analysis Command Center
● Mitigation & Action Coordination
● Prevention & Recovery (Local)
● Attack Pattern Database Update
● Organization 1 .. N
● Firewall, Reactive IDS
● SOP
22. Concluding Remarks
● A Smart City is a very complex socio-technical system constructed from interconnected independent systems
● If one link in the chain breaks, it could break the security of the entire system. Making a system dependable is hard.
● A comprehensive secure framework for building systems for Smart City is badly needed
● CyberSecurity Awareness for Authorities, De
● Continuous Security Process
23. Thank You