Not If, But When: The Hidden Threat to Smart Cities

Like it or not, Operational Technology (OT) systems are everywhere, notes Andre Shori, the APAC CISO of Schneider Electric. And the line between OT and traditional IT is blurring rapidly.

“At restaurants, we are starting to order food over the internet with a QR code, and the food might then get delivered by a robot,” he said. “As more OT is deployed everywhere, there will be more ways for an attacker to take advantage and cause disruptions.”

While conversations around OT security today typically revolve around factories, SCADA networks, and traditional OT infrastructure, this needs to change.

“OT security has to evolve with the changes in technology and increased use of OT systems. We need to be thinking about all the use cases that exist and are coming our way very, very soon.”

Smarter cities, greater threats

The very convenience of OT systems amplifies the threats, says Shori. Before identifying the potential impact of compromised OT systems, it is necessary to first understand the pervasive role of OT systems in making cities safer, more liveable, and easier to manage.

OT systems are everywhere in any modern city. Shori listed some of them: From the signalling system used by mass rapid transit systems, the automated or remote-controlled cranes such as those used at the Port of Singapore, to water treatment facilities, waste treatment plants, and airports.

“The air-conditioning and lighting in your building, the elevators you take to your office, those are OT systems. It is almost challenging to find some parts of our lives where we are not interfacing directly with an OT system in some shape or form.”

Direct benefits aside, data from one OT system can benefit municipal authorities, too. The public transportation systems, for instance, can offer insights into concentrations of residents throughout the day, says Shori. This information can facilitate better planning of water treatment and distribution, or enable strategic tweaks to conserve energy use.

The risk of cascading failures

However, the very interconnectedness of OT systems could well culminate in a national catastrophe due to the potential for cascading failures. Shori shared the extremely unlikely – but not implausible – scenario in which the entire nation of Singapore loses power for a week from a cyber-attack on electrical generation plants or its electrical distribution network.

"Our water filtration and water treatment plant run on electricity. And backup generators can only go for so long. The pumps that are used to distribute water around the city, they also run on electricity,” he said.

“The mobile phone networks are already down because the emergency backups or generators powering the cell transmitters and receivers around the city can only run without mains power for a finite amount of time. And since none of us can charge our smartphones, they will stop working soon anyway.”

Though emergency services can probably run for a while without power, they will eventually run dry. The result is a city that is out of energy, out of clean water, and without the ability to respond to emergencies.

“Things can become apocalyptic very quickly if we don't realise the risks that our systems face are not necessarily isolated and segregated by individual systems. There are systemic risks that must be addressed as well,” Shori explained.

Plan for the worst

How can governments protect smart cities? The often-touted strategy of air-gapping critical OT systems does not appeal to Shori: “There is always going to be communication between a critical system and the rest of the world for patching, updating, maintenance, and management.”

Genuine air-gapped systems must be built solely for a specific function, he says, and replaced with completely new builds should new features be desired, not updated over the network or storage drives. Of course, this would render such systems prohibitively expensive.

Fortunately, Shori says modern OT systems are now designed with integration in mind. Moreover, the security of legacy OT systems is also gradually updated and tightened. Good security is still imperfect, however, and organisations must do their part to plan for a breach.

“Prevention is great. But your ability to react is even more important. You cannot prevent every attack from succeeding; attackers only have to succeed once, but we have to succeed every single time. So the odds are stacked against us.”

"Become very proficient with your incident response to mitigate and minimise the blast radius or damage from any compromise of your OT systems,” explained Shori.

“Make sure that your plan incorporates not just the technical aspects, but the people and processes. Ensure that your incident response plan has different kinds of playbooks for all the use cases and scenarios that you can imagine.”

The path to maturity begins with lots of practice. “Do at least one tabletop exercise a year. There is no such thing as too much practice.”

Conclusion

“No [battle] plan lasts the first volley of attack. Be flexible, be adaptable, orient yourself to make decisions, and make them on incomplete information based on the organisation’s priorities and strategy,” said Shori.

Ultimately, preparation work entails not just working with internal stakeholders, authorities, and external experts, but also ensuring the availability of resources during a crisis.

“Make sure that you have the right expertise available to you during an incident. Have maybe a couple of companies on retainer that have capabilities around the OT environment, such as OT forensics.”

And organisations should keep practising, says Shori.
 

More conversations and insights on digital transformation, securing critical infrastructures and supply chains can be found at the GovWare Conference and Exhibition 2023, on 17 - 19 October at Sands Expo and Exhibition, Singapore. Find out more or register for your Conference Pass at www.govware.sg.

Learn from our panel of subject matter experts in the discussion on "Building Resilience: Securing Critical Infrastructures and IT Supply Chains".

The panel will explore the various aspects of cybersecurity and resilience building in Smart Grids, Smart Cities and Supply Chains. The current threat landscape will be explored and best practices to secure Critical Infrastructure and Supply Chains will be put forward.

• Date: 19 October 2023
• Time: 4.00pm - 5.30pm