中文 English

Cities Strive For More Smarts, Security

Smart city security starts with the silicon.


As cities around the world move beyond their first completed smart city projects and add more systems, they face hurdles in expanding but have more standards, technical resources, and real-world examples to draw on when making project design decisions. The main concern is keeping the smart city systems and their data and functions safe, especially if the system is touching critical infrastructure.

Smart city technology is a big business in its own right. The smart city market reached $1.09 trillion (USD) in 2021, according to Grand View Research, and is forecast to rise at a compound annual growth rate (CAGR) of 24.2% from 2022 to 2030. Cities need to shop wisely for IoT platforms and networks, which includes the underlying silicon hardware.

The good news is IoT platforms, ecosystems, and design resources are getting more mature. Companies that offer IoT services, such as Siemens, also offer digital twin options for smart buildings, which are a big component of smart cities. The IoT/smart city platforms can help cities address different use cases in smart cities and figure out how to handle data.

“We’re working on breaking it down to key avenues within a smart infrastructure,” said Andrew Tanskey, director of services offer development at Schneider Electric. “A lot of the focus is the smart building infrastructure, and making the buildings that operate within cities smarter and more efficient. About 30% of the greenhouse gases and 70% of the energy utilization is from commercial buildings within a city environment. The more you can connect the buildings, the more advantages you have toward making a city smarter.”

The other big trend is how to make the power grid smarter and more resilient, especially in disasters. “There’s a lot of investment being made in the micro-grid environments, and being able to create these kinds of micro-grid and micro-city environments within larger cities,” said Tanskey.

This affects design all the way down to the chip level. “Developments for smart city technology are part of the industrial domain,” said Frank Schirrmeister, senior group director for solutions and ecosystems at Cadence. “It straddles designs for IoT infrastructure, eMobility, intelligent electrification, and low-power/thermal energy management. Several technology horizontals, including low power, safety, security, and reliability design, pose related challenges. Tradeoffs include aspects of low-power optimization at the chip and system level, and the classic question in edge processing of what information to store, transmit, and process at which point in the edge-to-data center chain. That includes tools to ensure low-power, safety, and security, and complex mixed-signal requirements, as well as the IP necessary for sensors, video, audio, and AI processing, and the required connectivity.”

Know your attack surfaces
Understanding the parts of the system that need the most security is an essential ingredient in smart cities. “The important part of smart city is infrastructures,” said Vincent van der Leest, director of product marketing at Intrinsic ID, which makes SRAM PUFs used in Flex Logix‘s eFPGAs and in Rambus’ hardware root of trust (HRoT).

Some attacks are physical, others are digital. “If you consider say a smart factory, you can assume there’s a secure perimeter around the devices in the factory, and you don’t have to worry so much about somebody coming in tampering with the devices in the factory unless you’re dealing with an insider threat,” said Steve Hanna, distinguished engineer at Infineon Technologies. “But in the smart city realm, you almost always need to worry about physical attacks, and therefore attacks on the hardware. A lot of devices are out in the public realm, exposed to direct physical attacks. Somebody can tamper with something and try to change the way it works or infect it.”

Any connected device is susceptible to attack. “A variety of different attacks are looking for vulnerabilities in the software that can be exploited, or to take control of the device or infect it until some later time when, say, they want to change the message that’s on the highway signs. It’s always a popular attack to something clever,” said Hanna.

The components of the smart city — IoT sensors, edge devices — need to be physically secure first, but sensors connected to a network aren’t always a critical attack surface.

“Smart cities’ biggest problem with these devices is their accessibility to the public,” said Mitchell Mlinar, vice president of engineering at Cycuity. “Beyond the physical security, the biggest threat isn’t an errant sensor here or there. It’s really if something gets into the network and starts masquerading as something else. That’s where it gets to be a problem. That includes even detection stuff. If you can figure out the detection stuff in there and figure out a way to defeat the detection, there is a problem. That’s where the big challenge comes in.”

The goal is to secure the important stuff. “If you look at everything that is being connected nowadays, relating to different forms of infrastructure, critical infrastructure needs to be secured in some way,” said Intrinsic ID’s van der Leest.

The Colonial Pipeline hack last year made it obvious that smart city infrastructure security needs to be as impenetrable as possible. “A very simple hack can disrupt basically the world when it comes to these kinds of infrastructures,” he said. “If you look at the way that more and more things in traffic, for example, are being connected, it’s very obvious when you don’t secure those things properly. Some very big risks are on the table there. We see more and more need for encryption. I recently saw an article where it said that 98% of IoT traffic is still unencrypted. That’s just mind-blowing. I have been working for a security company. I was assuming these numbers would be much better than they currently are.”

Securing the important infrastructure is key. It’s not about every sensor that misbehaves. “Who cares if they (the troubled sensors) don’t have access to do anything,” said Mlinar. “But the things that have access to network — those are the ones you have to be super careful of. And those are the ones that for smart city central, people have to be able to see if this sensor is live and whether it is still sending queries and spectral results back. It’s got access to the network, which means it can easily know other things in a network that maybe it was never intended to do.”

To make matters worse, infrastructure is becoming more complex. “The street light system is certainly one area we are seeing, and enabling eMobility and intelligent communication within the city infrastructure are equally important. Requirements for upcoming vehicle-to-infrastructure applications add additional complexity here,” said Cadence’s Schirrmeister.

Smart cities can be a hodgepodge of networks, whose use depends on the load it will carry. “Smart city networks always include a blend of technologies,” said Schirrmeister. “We are already deeply involved in enabling 4G LTE, 5G, and future 5G+/6G networks for chips and systems. They blend with WiFi and low power wide area networks (LPWANs) like LoRaWAN, as each serves specific purposes. Developers are balancing the requirements of consumer devices using Bluetooth and WiFi with other smart city IoT applications using LPWAN focused on low power.”

Edge computing, especially AI on the edge computing, can downshift a heavy load into a lower bandwidth network. “It varies by application. Deciding how to balance the processing at the various types of edges is a critical-system design question that architects consider carefully. The usage of AI at the edge and where to do proper processing and storage depend significantly on specific application requirements,” said Schirrmeister.

When it comes to security, too many options and rapid change aren’t necessary good. “One of the bigger concerns I’ve seen is how do you secure it and how to create a secure environment,” said Schneider Electric’s Tanskey. “And how do you ease concerns to get this data pass from one entity to another, especially the networking side of it from a wireless capability from Ethernet or from the fiber optic and cabling? With the advent of 5G, a lot of innovation is happening within the wireless sector. But when you look at a smart city infrastructure — and this happens a lot in the smart buildings infrastructure, as well — to make it usable and impactful, systems need to talk to each other. It’s one thing to have sensors and a bunch of data that is being generated. But unless you can digest all of this large data and make smarter and more informed decisions, it’s just data. When you get to the interoperability of smart buildings, smart cities, smart hospitals, smart everything, cybersecurity concerns are at the forefront for a lot of people, especially when you start connecting a smart grid. They’re all becoming cloud-based systems.”

Securing the hardware
The National Institute of Standards and Technology (NIST) has been warning cities of attacks and how to become cyber-resilient. “The U.S. government has led the way because they have the most sophisticated adversaries. Those adversaries are now going after cities and other critical infrastructure,” said Hanna. “The U.S. government is pushing out the awareness to cities and to critical infrastructure operators that they should expect to have these sophisticated nation-state attacks mounted against them.”

It’s impossible to stop 100% of all attacks on smart city systems, but detecting them and knowing how to fix the problem is a way to keep a system cyber-resilient. NIST also was instrumental in building a cyber-immune system. “If the attacker has gotten inside and actually infected some of your devices, they may have control of those devices,” Hanna said. “What we’ve learned over the last few years is how build devices that have an immune system built into them. This is cyber resiliency. It was pioneered by NIST and is now being adopted by manufacturers, such as Infineon, to allow the devices to self-heal. If you have an IoT device, you can have that device be able to self heal if it should become infected. And there are a variety of ways that that can happen. One simple example is to just have the device reboot. Maybe that will solve the problem, because the program memory is read-only for a lot of these devices. They might have corrupted the RAM on that device, but they won’t have corrupted the ROM on that device. If you reboot the device, it goes back to being clean. At that point, hopefully you’ve blocked off the attack and the device can remain clean and uninfected.”

But a lot of devices today have a writeable program memory, which is used to upgrade the firmware. “If you’ve got a pump, and the controller on the pump has the ability to do a firmware update, you need to make darn sure that before you install a firmware update on it that you know that it’s the right one, and that it’s a good firmware update — not some sort of malware that’s being attempted to be installed remotely,” Hanna said.

To do the update, typically the device goes into a special mode to update the firmware, and before it installs the update, it checks the signature on the update to make sure that it’s secure, that it’s authentic and engaging from the manufacturer and should be installed on this device.

“The highest level of sophistication that we get into in terms of cyber resiliency is the ability to have central monitoring of devices so that a central control room can remotely trigger actions like rebooting a device, or performing a firmware update, or rolling back to a previous version of firmware on a device,” said Hanna. “That’s what we call resilience authority — the central control authority that can make those things happen remotely, even if the device has become totally infected or locked up. This resilience authority can extract the device over the network and get it to reboot. You don’t want to have to send somebody out in the middle of the hurricane to reboot a bunch of things, or in the middle of a cyber attack to go out to all of the light poles and have to hit the reboot. You want to be able to do that remotely. And it’s this cyber resiliency capability that gives you that way out even if devices have become impacted.”

Different approaches for security
Other hardware security approaches use secure keys, or signatures. PUFs, for example, are a way to assure that the silicon in a device is the silicon it is supposed to be. A PUF is a secret key based on the characteristics of each piece of silicon, and is not stored or shared with anyone. It also can provide encryption keys used to encrypt data going in or on the chip.

The SRAM PUF encrypts things by relying on variation in chips. “Each chip you make will have its own fingerprint,” said Ralph Grundler, senior director of marketing and architecture solutions at Flex Logix. “You could use that fingerprint for encryption, and when you power down the chip or the if device is lost or stolen, there’s no way to find out the fingerprint. The military actually uses SRAM PUFs in different applications. That has gained a lot of traction, and it’s starting to get much more traction in the commercial market because of that.”

That SRAM PUF serves as a cryptographic root key for a device. “That’s the symmetric key. We can derive an unlimited number of additional keys from this root key,” said van der Leest. “You should never use the root key itself for cryptographic purposes, because that risks exposure. If that key gets broken, your whole device is broken. You always need to use derived keys for doing the actual crypto.

An eFPGA has a bitstream that can be encrypted to offer some security, as well. “Encrypting the bitstream to the FPGA, the reconfigurable part of it, is one way to make it secure,” said Grundler. “And the other way is making that bitstream useful for security part of the application as well.”

Another approach is to have software check the information paths to find vulnerabilities. “You see it today with RETbleed. These are all design flaws that could have been found with Radix,” said Mlinar, noting the information path checks happen during the design stage, but also could happen later in the factory. “It looks very specifically for what designer and security say is secure here. You don’t look for where everything goes all the time you look for where the sensitive information goes. You tell it very explicitly, ‘Here is my secret information. Here’s where and when it should go.’ And if it goes somewhere it shouldn’t go, or goes at the wrong time, this is the challenge. We can help engineers track where it’s going. But they also have to understand what that means when it gets there.”

The TPM, or trusted platform module chip is another route for some issues.  “You can use tamper-resistant chips,” said Hanna. “That can be very valuable, especially in the case where you have what they call a BORE (break once run anywhere everywhere) attack,” said Hanna.

In some applications, such as traffic routing in smart cities, a breach can have safety implications. “Security and safety go hand in hand,” said Cadence’s Schirrmeister. “We have specific solutions that deal with aspects of safety management for automotive and industrial applications.”

Security is a big issue for automotive chips, which makes them well-suited for smart city applications. “You can argue that a lot of the technology that already exists for radar, lidar, and so forth are absolutely the same concepts being built into consumer and commercial settings, which are starting to apply a lot more in our home environments,” said Michal Siwinski, chief marketing officer at Arteris IP. “The way people deal with aspects of ensuring a building has the right level of security, the right level of access, are similar to the underlying technologies in automotive chips. You need to have vision, you need to process information, you need to make decisions, and you operationalize from there.”

Smart cities are just beginning to take shape. The National Institute of Standards and Technology (NIST) released a framework to help industry and cities have interoperable of the IES-City Framework Release v1.0 20180930.  Cities to need stay on top of standards, and to become involved in creating them. And they need to collaborate and learn from each other, as well as other agencies and industry.

“It’s how we raise the bar in terms of cybersecurity,” Hanna said. “I don’t see this as something where individual cities are going to have the wherewithal to do so — even a big city like LA or New York City. It’s something where cities banding together or working with Department of Homeland Security may be able to raise the bar. And we see some interesting standards developing in Europe along these lines, and even discussions within the U.S. under a recent national security memorandum issued a little more than a year ago. The U.S. government is bringing together parties from certain sectors. I haven’t seen smart cities as one of the sectors, but I expect that it would be on the list. When those folks come together, they come up with a lead set of best practices. Through efforts like that, they may be able to drive improvements in the state of the art and raise those vendors who don’t have the highest standards up to a certain minimum baseline.”

Hardware security can’t help but get better. “I come from the software side security-wise, and hardware security is probably 8 to 10 years behind the software security world, but it will catch up,” said Cycuity’s Mlinar. “Right now, the hardware world is still learning what security means in the context of protecting assets and secure information. Not everything needs to be protected.”

Related Stories
Grappling With Smart City Security Issues
Economics and convenience are driving cities to connect services, but they’re also widening the attack surface.

Using AI To Speed Up Edge Computing
Optimizing a system’s behavior can improve PPA and extend its useful lifetime.

Making PUFs Even More Secure
New sources of entropy could significantly improve robustness of physically unclonable functions.

Leave a Reply

(Note: This name will be displayed publicly)