Many cities around the globe have started becoming “smart cities,” deploying various technologies and digital infrastructures to increase the quality of their services and consequently the quality of life of their citizens. Smart cities offer extensive opportunities by concentrating on urban services and fostering intelligence within networks. A smart city collects various types of electronic data and processes them to a) manage its assets and resources efficiently and b) improve the operations and services provided to its citizens. Data are generally collected from citizens, devices, assets, etc. and are used for the optimization of transportation systems, power plants, water supply networks, waste management, law enforcement, public safety, etc.

A simplified smart city architecture divides its components into four layers: the Sensing and Control Layer, the Communication Layer, the Processing Layer, and the Application Layer.

Smart cities are vulnerable to nearly every type of attack in the ICT sector. At the application layer, smart city applications and services have to deal with injection attacks, cross-site scripting, broken authentication/authorization mechanisms leading to unauthorized access and sensitive information leakage, social engineering, insecure third-party applications/components, etc. At the processing layer, the attacks include DDoS attacks, hacking and intrusion, worms, viruses, malware, etc. At the communication layer, smart cities also face the attacks that target existing network infrastructures. Such attacks include jamming, spoofing, wormholes, man-in-the-middle, sinkhole, Sybil, eavesdropping, replay, etc., as those can be manifested in the various layers of the OSI network model. However, most of the above attacks can be mitigated using solutions and products from the Information Technology domain.

A smart city may be seen as a collection of diverse systems forming dynamic applications and services. Thus, complete security cannot be applied in the form of one single framework or product that covers everything. The approach to securing smart city infrastructures is to a) ensure that their components maintain high levels of security and b) evaluate the vulnerabilities of each new service or application, also examining their security impact on shared systems and resources.

The end node of a smart city infrastructure is usually associated with the sensing and control layer of the smart city and partially with the communication layer. Cybersecurity attacks on the end nodes can assume different forms depending on the kind of end node device (embedded or Personal Computer). While a broad range of attacks targeting PC devices has been widely explored and thwarted by works in the international literature and by products, the embedded system domain is mostly unexplored (and unprotected) regarding cyber attacks.

Recent attacks that exploit cyber-physical systems have triggered interest in cyber-physical/embedded system cybersecurity countermeasures, which still adopt the same principles as the PC-based ones. However, while most high-end software cybersecurity solutions can potentially protect against attacks based on software vulnerabilities, when it comes to hardware vulnerabilities the attackers still have a rich unexplored area to exploit, with few countermeasures (if any) to thwart them.

So, end nodes can be attacked in an unconventional way by exploiting hardware vulnerabilities. Thus, a smart city designer and security administrator should be very careful in the choice of end nodes deployed on the smart city urban grid if they are to retain the security level that the latest network standards offer.

Apostolos P. Fournaris, Konstantinos Lampropoulos
University of Patras

More information: End Node Security and Trust vulnerabilities in the Smart City Infrastructure