The Need to Secure IoT in America’s Largest Cities: How IoT Was Secured on a Massive Scale in New York City
By Maria R. Sumnicht, National Director Cybersecurity and Infrastructure, EMP Task Force on National and Homeland Security
Issue: The top 30 cities in America contain approximately 60+ million people. American cities are the backbone of our nation’s prosperity, economic stability, cultural diversity and public safety. However, our cities remain highly vulnerable to multiple threats, including but not limited to physical attacks on key municipal infrastructure, geomagnetic storms (GMDs), and electromagnetic pulse (EMP) from high-altitude nuclear detonations, suitcase nukes, locally generated pulses through high-powered microwave weapons and cyberattacks both domestic and foreign. This article focuses on the strategy and program implemented by the City of New York Cyber Command to secure the world’s largest footprint of endpoint technology (Internet of Things – IoT) and smart building automation systems.
The City of New York had a massive problem: City agencies were deploying unvetted IoT endpoint technology and connecting it to New York City networks and critical infrastructure, exponentially increasing the threat landscape. Compounding this, NYC had no idea how many IoT devices had been deployed across the five boroughs. The problem seemed to be endless and enormous. These internet-connected devices and systems significantly increased the City’s exposure to cybersecurity risks. NYC needed to effectively address these risks and their potential catastrophic cascading effects, which could leave NYC without government services, transportation, communications, power and much more, placing our largest city and its residents in grave danger with potential existential consequences.
Big Apple Challenges: It is New York City; is there much more to say? Programs to secure IoT and smart building automation systems on a large scale did not exist, especially at the municipal level. The challenges were not only at the technology level but also at the City agency cultural level. The program would be new to the City, and an entire cyber infrastructure would need to be built around securing endpoint technology. Many city agencies had the mindset that a program to secure IoT would be a roadblock to their rapid deployment of technology.
Other big challenges were:
- Inconsistent legal agreements for the purchasing of technologies – almost every City agency had its own legal technology purchasing agreements/contracts/licensing.
- Having a ‘catch mechanism’ in the procurement of new and existing IoT technology.
- Educating agencies on what exactly IoT is; many did not know.
- The GREAT UNKNOWN – the existing IoT footprint:
a. What exactly is out there now, how many and is it being supported contractually (legally)?
b. How to inventory existing IoT footprint
c. How to automate the monitoring and upgrades of IoT networks.
d. How to capture existing technologies and bring them into the process.
- While the U.S. Federal Trade Commission and NIST have issued certain guidelines and policies for IoT cybersecurity best practices, there are no universal standards regarding the cybersecurity of IoT devices.
- A budget of only $150,000.00!
Landscape: Our cities depend on endpoint technology, from a police officer’s mobile communications device to critical sensors placed around cities for the detection of dangerous gasses, radiation and water levels. Municipalities need to be aware of the potential risks associated with Endpoint Technology before its deployment. Without properly securing IoT device systems, an infiltration through one of these devices can have rapid and catastrophic consequences, bringing a large city to its knees (Baltimore, Atlanta).
The weaknesses of IoT devices and their management systems are well documented and have been recognized for years, with various organizations taking different approaches to the issue by publishing basic security requirements to protect against threats to municipal infrastructure, networks, and systems. At the federal level, the bipartisan Internet of Things Cybersecurity Improvement Act of 2020 was signed into law. At the state level, the California Civil Code on Security of Connected Devices was passed into law in 2018; it requires manufacturers of IoT devices sold or offered for sale in the state to “equip the device with a reasonable security feature or features…designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure…”
Unfortunately, these efforts, requirements and directives have not had the desired effects. Actions, if taken, were unsynchronized, uncoordinated, stove-piped and for the most part ignored by municipalities because of budgetary constraints and the difficulty of finding the talent needed to implement these programs. Many of our adversaries are very aware of the weaknesses of IoT solutions and have demonstrated the capability and indicated the willingness to attack our city governments, grid, water system, communication systems, etc. As studied and documented following previous successful municipal cyber and ransomware exploits, these breaches have cost cities across America hundreds of billions of dollars, and their long-term effects are having catastrophic consequences on city services.
Recommendation: City governments around America are investing billions of dollars in innovative new technologies to improve government services. When implementing IoT devices as part of this digital transformation, it is critical that municipalities understand the security risks and vulnerabilities inherent in this technology.
It is highly recommended that American cities include in their budgets plans to implement a program to secure their IoT and building automation systems prior to deployment. At a minimum, each city should have a citywide strategy guide that outlines how the city can equitably and safely adopt IoT technologies. The guide must provide:
- An assessment of the city’s current IoT environment and how it will examine cybersecurity vulnerabilities of its deployment of IoT.
- Policies, standards and the created processes to review and test devices and networks that city agencies procure, ensuring that appropriate cybersecurity protocols are in place for each device.
- The guide should include recommendations for conducting an inventory of all the city’s IoT devices periodically. Ideally this should be automated.
- Establish a standard review process that all city agencies and offices have to adhere to in order to consistently (contractually) purchase technology within the city, and to ensure IoT devices are safe and secure prior to their deployment on the city networks.
A program to proactively secure IoT will protect our cities against catastrophic cyber-attacks not only by catching “low-hanging fruit” (vulnerabilities); programs like the one implemented in NYC can also have a cascading positive effect on existing network architectures by including a review of the existing network topology and further securing it downstream before connection to the IoT solutions.
If it can be implemented in NYC, it can be implemented in any American city. When I arrived at NYC Cyber Command none of these programs existed. Each of these was developed from the ground up and brought to maturity. Maria is now sharing her expertise with other municipalities.
Author: Maria R. Sumnicht (mariasumnicht@gmail.com)
LinkedIn.com/in/mariasumnicht
Maria is currently the National Director Cybersecurity and Infrastructure, EMP Task Force on National and Homeland Security.
