IT vulnerability, another challenge for the smart city

[ad_1]

Automatically steer red lights to better regulate traffic detected by sensors in the roadway? Why not. But it is still necessary to be certain of the computer security of this sensitive equipment. What will happen the day when the traffic lights of a commune are put out of service by an malicious person or a cryptolocker (*) having infected the control center? With the rise of the digital city, the question of computer security is posed even more crudely.

Communities play big, whether in terms of credit to residents or real damage. Information systems security (RSSI) managers are on the front line when faced with these growing threats. "Signaling protection? It's in the top of our risk hierarchy", indicates Bruno Caudal, RSSI of the city of Vannes.

In Marseille, it was the digitalization of school boilers that was looked at closely two years ago by Jérôme Poggi's IT security service. Losing control of such equipment could have serious consequences, from the lack of heating in winter to a furnace in summer. A type of incident to anticipate, especially since the communication protocol used allows access without authentication. "We therefore isolated each boiler room to secure them"by physical access control, explains Jérôme Poggi.

Industrial IT worries specialists. "Most of this equipment is full of security vulnerabilities easily exploited by hackers, analyzes Bruno Caudal. Manufacturers favor turnkey solutions that are easy to use and deploy."Lack of encryption of communication flows, network partitioning, weak passwords, complex updates or lack of physical protection complicate the task of professionals.

Disaster scenario

Terminals that prohibit access to streets, parking meters, ATMs … In addition to the very sensitive ehealth surveillance cameras, many devices hitherto isolated are gradually smart health connected to the municipal computer networks. In order to avoid a catastrophic scenario, "you have to control your heritage thanks to an adapted maintenance and security plan, recommends Jean-Noël Olivier, assistant to the general director of digital and information systems of Bordeaux metropole (Gironde). It is a fairly classic governance in IT, but which is still little practiced on urban equipment."The multiplication of smart health connected objects increases the attack surface. At the metropolis of Toulon (Var), we highlight the encryption of the communication flow of flood sensors, since 2016, to avoid any incident on this equipment."Malicious people can launch false alerts that disrupt our services", notes Hervé Stassinos, associate vice-president for digital. For its new digital key system for schools, Marseille has, in turn, implemented"a dedicated computer server and restricts the number of people who can access it", explains Jérôme Poggi. Controlled remotely, these keys should simplify access management by granting rechargeable rights on terminals located in each school.

With these smart health connected objects that take computing away from the cloud, "it will be increasingly necessary to question the data collection methods and the quality of the subcontracting", warns Damien Alexandre. This professional, in charge of the space dedicated to communities at Le Clusif, an association dedicated to IT security, notes that subcontracting,"sometimes cascading over complex projects, can constitute the weak link".

Sensitive data

But these vulnerabilities are not limited to technological objects. Cybersecurity is also a legal, organizational and human issue. Example with open data and the question of personal data. Sometimes rudimentary, the anonymization mechanisms used can be circumvented by processing capable of re-identifying people. "Information systems security officer or data protection officer are often seen as dream breakers, observes Damien Alexandre. The temptation can then be strong not to associate them with innovative projects."At the risk of not identifying a security breach or a compliance problem with the GDPR (general data protection regulation). This is how a security professional in a community in the West of France discovered in the press the launch of a smart smart health connected benches service in his city…

Patrick Chambet, head of information systems security for the city and metropolis of Nice

"The smart city is above all a flow of information, which flows from thousands of sensors installed on the territory to applications. To secure this new ecosystem, we first set up a systematic security criterion in our public markets. Then we work on the sensors. Until now, there has been little security in smart health connected objects. Awareness was late when they are often used as relays in attacks or hacked. Four years ago, we carried out an experiment to install sensors in the pavement calculating the parking spaces available. These sensors, embedded in the mix, could not be updated, which was a worrying vulnerability for us. The security of our smart health connected objects also requires physical security. They must be inaccessible – at the top of a mast, in a locked urban cupboard … – with, for the most sensitive, opening sensors. Finally, we plan, in our installation procedure, to reconfigure the password, the default version of which is often tested by hackers. We adapt our security measures according to the criticality of the sensors to avoid far too high a cost. And we have implemented data consistency control procedures. They allow us to block non-compliant values ​​for less critical smart health connected objects, such as noise or pollution."

(*) Trojan horse malware.

[ad_2]