In our new ARC Smart Cities Podcast, we discuss the role of cybersecurity for smart cities and what can be done to improve things. Most people have heard of the ransomware issues affecting many major American cities, but it's not just a big city problem, and the issues go way beyond just ransomware. You can subscribe to the ARC Smart Cities Podcast through Google Podcasts and Spotify, with more platforms available soon.
Cybersecurity for Smart Cities
Jim Frazer: Welcome to our next installment of the smart cities viewpoints podcast on smart cities. Today's subject is cybersecurity and all of its ramifications across all the verticals of a smart city today. I'm Jim Frazer and I'm the vice president of smart cities here at, Arc Advisory Group. I'm joined today by my colleague on the smart cities team, Tom Cabot, who focuses on building automation systems. Our guest today is a ARC's own Larry O'Brien, vice president of cybersecurity research here at Arc. Welcome Larry. How are you this morning?
Larry O'Brien: I'm good this morning.
Jim Frazer: Great. Can we get started just by you telling us a little bit about yourself and your role at Arc, what research you have done recently?
Larry O'Brien: Yeah, so I'm in kind of a unique position at Arc in that I am on the cybersecurity team and I'm also on the smart cities team. We follow primarily OT or operational technology related stuff as it's related to cybersecurity. So this is the stuff that basically makes everything run. So you have IT level cybersecurity, which I think most people are probably familiar with. And then that is the corporate systems and networks and the Cisco's of the world and, and the IT enterprise level people. And then you have OT level stuff which is really some types of stuff that runs in the basement, right? These are the systems and the sensors and the devices keep everything running. So in the world of smart cities and smart buildings, that would be things like HVAC systems and energy management systems and lighting controls systems and those types of things.
Larry O'Brien: I come from the world of manufacturing. I spent about 20 years following the marketplace for distributed control systems in the manufacturing industries. I think one of the good things that we do is bring this perspective of critical manufacturing through other industry segments as well. That should probably be looking at things in that context and smart cities and smart buildings are definitely one of those industry sectors. I think that kind of brings us into the topic of it versus OT, but there needs to be a lot more attention paid to the operational technology level when it comes to cybersecurity and smart cities.
Jim Frazer: Larry, you're leading me right into my, my first question. It's a very broad one is, so why is cybersecurity important for smart cities, smart buildings and all the other verticals that comprise public infrastructure?
Larry O'Brien: It's important because these are what they and we call critical infrastructure systems. The systems that control buildings and cities touch people's lives. I mean, they are directly related to human safety. They're directly related to quality of life. So if I live in a large building, you have to make sure that lighting systems work, you have to make sure that climate control systems work. You have to make sure that emergency systems work so all these systems are really critical infrastructure to us. They directly impact human life. And that can manifest itself in a lot of ways, right? It can be everything from a data breach that could affect millions of customers all the way down to driving people out of a building because you make it, render it uninhabitable because you make it too hot or, or whatever. So that's why it's so important, because it's directly related to human safety and human health.
Jim Frazer: Certainly we've seen in the last year or so, quite a few, even ransomware attacks on cities themselves, in Baltimore, in Atlanta, and in a number of others that have been, frankly, I think a good word would be paralyzing to their operations.
Larry O'Brien: Yes. and I believe some of these places are still suffering. So the effects that these attacks and then the spectrum is pretty broad, right? So even if you have a simple ransomware attack, which in terms of, a cyber attack is a pretty simple thing or a ransomware attack. But even that could have, implications at the operational technology level as well. So, you know, in Baltimore, you couldn't have access to your utility bills. You couldn't pay some taxes. They lost a lot of critical city services as a result of that ransomware attack - you have to consider the cost, right? I was just reading up on it on Atlanta earlier and they initially estimated it was going to cost them $2.5 million to recover from this ransomware attack. And then they had to revise that. I think it's closer to 10 million now in terms of total cost to recover from that ransomware attack. So the cost is pretty significant. Also, it will really cost you if you don't have a good cybersecurity strategy in place.
Types of Cyber Attacks
Jim Frazer: Before we move on to Tom's questions, can you perhaps comment on the varieties of cyber attacks? I know there's ransomware, there's denial of service. What types are out there?
Larry O'Brien: Well, there's a wide range. It's the ransomware attacks., I think that probably grabbed the most headlines, but I think to us, what we see is a kind of a changing world when it comes to the types of attacks that are happening and the impact that they have. And I think if you look to the world of manufacturing, you'll probably get a good idea of what the future is going to look like as far as cyber attacks in smart cities and smart buildings. So what we're seeing in the world of manufacturing is more of a focus on state hacking groups with very large amounts of resources going after critical manufacturing infrastructure. We saw an attack in the process industries. It was actually in a refinery in the Middle East where they went after the process safety systems.
Larry O'Brien: They injected malware into the process safety system. And these are the systems that keep plants from basically exploding, right in the event of some kind of an abnormal situation. These systems will shut the plant down and prevent an event like an explosion or release of toxic gas, which again, is directly related to human safety. This was found out to be sponsored by or perpetuated by a state sponsored hacking group. It was actually tied back to a Russian technical college or technical university. What's different about these types of attacks is they're looking to cause some kind of damage in the physical world. So when you look at a ransomware attack, I mean, that's if you pay me my money in Bitcoin, we'll give you your information back. They're not directly targeting systems that control things at that operational technology level like I was talking about. So that's what's different about these new attacks is they're actually looking to cause damage in the physical world. And that is a disturbing trend. That's something that we need to be on the watch for. It's something that people need to consider when they're developing their cybersecurity strategy. So it's not just about ransomware, it's about the OT level and how it impacts operations. Tom, I think you have a question.
What Cybersecurity Protections are Governments Implementing?
Tom Cabot: Yeah, thank you. Larry,, what are governments and corporations doing in order to combat this, this issue?
Larry O'Brien: Well, the best thing you can do is to implement a good cyber security strategy and really invest in cybersecurity. That's a multidimensional thing, right? So it involves buying the right products that are related to cybersecurity. It involves having trained people in your organization that know what they're doing. It also involves having things like formal cybersecurity policies, which most organizations don't have. It involves investing in training. This can be kind of tough to try to justify that investment because in many cases, if you're an owner operator, you want to see some kind of a positive financial return on your investment, but when you're investing in things like cybersecurity, you're safe guarding against something happening. So it can be kind of a challenge to justify significant investment in training and products and so forth. But you have to have an understanding of that. You have to invest in training, you have to invest in the products, and you have to actually incorporate cybersecurity into your supplier selection process as well. This is one of the things I see in the marketplace right now is when people are specifying products and systems and applications, cybersecurity isn't always at the top of the list or, or it's off the list of supplier selection criteria and product selection criteria.
Artificial Intelligence and Cybersecurity
Jim Frazer: It's a challenge because it's almost like the challenge of monetizing safety or human lives in the transportation market. But before we move on, Larry, let me ask, with the advent of artificial intelligence and machine learning, how is that threat emerging?, I'm imagining that the threat landscape is changing over time and probably quite quickly. Can you comment upon that?
Larry O'Brien: Yes, you mentioned artificial intelligence, so that, that is one facet of why we would call Iot or digital transformation at Arc, right? So the Internet of things, the Industrial Internet of things, digital transformation to me, these are all terms, they're kind of catch all terms and really what we mean by those terms is the adoption of a wide range of new technologies, that have existed primarily at the IT level, but now we're applying them in the operational phase, right. And OT. And that is things like you mentioned like artificial intelligence and machine learning and analytics. Edge computing, for example, um, cloud based computing. What we're seeing is actually edge based systems are starting to find their way into operational technology environments. They're systems that could do a lot of the same things that proprietary control systems can do that are offered by a lot of these suppliers.
Larry O'Brien: And then we're starting to find this technology is really starting to make its way into the world of OT, which previously was this very proprietary world. You had a bunch of suppliers, everybody had their own solution, they were all completely proprietary. That's all changing now. It's all becoming common technology. So that creates its own set of cybersecurity concerns because obviously cloud computing in and of itself is not secured, right? You have to make allowances for that and you have to isolate and protect the really critical elements of operational technology. So you can't just have everything connected. You have to segregate the the more mission critica operational technology stuff from the other stuff.
5G and Ubiquitous Connectivity
Jim Frazer: And I could imagine it's only getting more complex with the advent of edge computing and fog and, plus 5G and ubiquitous connectivity.
Larry O'Brien: Yes 5G has yet to come. SoAnd that's a whole other challenge that we're gonna have coming down the pike.
Transportation and Cybersecurity
Jim Frazer: And of course, it's a huge issue. I mean, regarding transportation - cars are being connected.
Larry O'Brien: Back to that human safety issue, right? Connected vehicles. I just read an article the other day, I don't remember the source, but they did a hypothetical situation and I think it was in New York City. They said if they stalled out, if you had all connected vehicles in, the New York City metropolitan area, and if you were able to somehow stall out only 20% of those vehicles, you would totally gridlock traffic the whole city,
Larry O'Brien: We're coming up with all kinds of new potential scenarios. You were talking about the threat landscape in potential scenarios, this new technology is creating a vast range of potential scenarios that nobody even thought up.
Jim Frazer: That's fascinating because think about what one disabled car on an interstate highway does.
Larry O'Brien: Exactly. Yeah.
Jim Frazer: With rubberneckers and everything else.
Larry O'Brien: Yes. So you could shut down a whole city, with something like that, if you wanted to, or at least the transportation.
Jim Frazer: Larry, I've got one question and I know Tom has a series of questions, but let me finish up for now with how does Arc Advisory Group approach the market for cybersecurity?
The Five Buckets of Cybersecurity
Larry O'Brien: Scope is very important to us, if you're going to do any kind of solid market research, which we do, in addition to the strategic level consulting and so forth, we also do "boots on the ground" market research and scoping is important for that. So we've been looking at the OT level, cyber security market for some time. We've divided that into some distinct buckets. We have things like threat detection and response solutions - where you have solutions that go out onto networks and they look for potentially anomalous behavior or incoming threats, and they'll alert you to those threats. And they also do things like asset inventory management where they'll automatically scan your network to discover what assets are actually connected to your network, which a lot of people don't really understand.
Larry O'Brien: So that's, that's one aspect of it. We have endpoint protection, which is the probably the stuff that most people would think of when they think of like classic cybersecurity and that stuff like antivirus and things like that. We have a services market that we look at - and the market for OT level cyber security services is pretty broad. You have everything from assessment level services, all the way up to ongoing operational level services and things like secure remote monitoring, which a lot of suppliers are doing right now. And we also have the network monitoring and protection - and that's firewalls, next generation firewalls and what we call specific firewalls. And then we have cybersecurity management solutions, which cover a broad range of stuff that could be in inventory management or asset management type solutions for cybersecurity, which is more administrative kind of stuff.
Larry O'Brien: So those are the five primary buckets that we segment everything into. And then you have different types of suppliers that are getting involved in this market too. So you have the dedicated cybersecurity suppliers that are out there and there are hundreds of them, what we would call the OT level, cybersecurity suppliers, the Dragos', and then the Zombie networks analysis, cyber defense and systems and Clarity. There's hundreds and hundreds of these companies out there right now. Everybody does something different, right? So it's kind of a challenge for users to sift through that pile of suppliers. We try to make that a little bit easier.
Larry O'Brien: You have the system suppliers themselves. For example, like the building automation system suppliers are getting into cybersecurity and they're offering their own applications and services.
Larry O'Brien: So the Honeywells and the Johnson Controls and the Schneider Electric's and the Siemens are all getting in there. And then, like I mentioned before, you have the service providers, and these are very large established companies that have a big business in cyber security services. So the Cap Geminis - and Leidos is out there. So there are a lot of different offerings from a lot of different suppliers and it's growing market, it's growing well into the double digits. We expect there's going to be some level of consolidation. You can only go so long with hundreds and hundreds of different suppliers
Jim Frazer: Larry, that's a fascinating overview. I know Tom's has a few focused questions in his domain of building automation and IoT adoption - Tom, go ahead.
Tom Cabot: Yeah, sure. Thank you. I was reading the other day about this actually, and they were talking about how as the threat level expands, companies are having to expand the amount of money astronomically that they're spending on cybersecurity and risk prevention. What are the specific challenges? I know you've talked a little about the specific challenges for IoT, but what are the challenges in the vendor landscape? Are there a lot of companies out there that are working in cybersecurity?
Larry O'Brien: Oh yeah. Tons of them. Like I mentioned, I mean, literally hundreds so that, I mean, it's difficult. It's difficult to chew. A lot of people aren't even aware that these solutions exist in the smart city segment. A lot of these suppliers that I've been mentioning have been heavily targeting the manufacturing sector or the defense sector, but not so much smart cities. And we just now are seeing a lot of these companies are trying to find their way into smart cities and they're approaching smart city owner operators and they're starting to be installed in buildings and other places in these cities. There's another class too. We mentioned Iot and there's this whole new genre of what they call zero trust security schemes and a lot of suppliers or are offering these iot based solutions that incorporate zero trust.
Zero Trust Cybersecurity Schemes
Larry O'Brien: Which basically means that nothing trusts anybody, right? You have to authenticate everything which is gaining a lot of traction in the marketplace. So it's a wide variety - depending on what your requirements are. And that depends on what type of supplier you might want to approach. If you're an end user in a building and you have a supplier, like a Honeywell or a Johnson controls or Schneider or Siemens, then you also have to understand what their offerings are. What do they do in cyber security? What's their strategy? Some of these companies are keeping up with the cyber security vendors,with the independent cyber security vendors. Some of those companies are probably going to end up acquiring some of those vendors at some point.
Larry O'Brien: I think it's reasonable to assume that, so that's another thing you have to consider. You know, how many of these companies will be around in five years, or are they going to get swallowed up by another supplier or are they going to exist at all? These are all things that you have to consider. Then with the services aspect of it, there's things you have to consider there too. So for example, you might want to consider doing some kind of a cybersecurity assessment, kind of an exercise rights or who do you, where are you going to pick for that? Who is strong in cybersecurity assessment? Who is strong in the lifecycle phase of it? So beyond the assessment phase, who can help me in the operational phase? This is one thing we see actually with smart cities is this push to remote monitoring.
Smart Cities and Remote Monitoring
Larry O'Brien: And a lot of people are doing remote monitoring. I always talk about the Target hack. I don't know if you guys know, it's a pretty famous example in the industry , Target corporation was the victim of a massive data breach. The way the hacker got in to get the information, the financial information of all these customers was actually, through an HVAC supplier who had put HVAC systems in many of these Target stores. And they were actually remotely monitoring the HVAC systems at these stores for maintenance purposes, to make sure the systems are running optimally and identify any potential maintenance issues and things like that. Well, if you're supplier doesn't have a secure framework for remotely monitoring your store, then that's a vulnerability that was exploited in this case through the HVAC system remotely. And then you cross over - you move laterally through the system and you cross over into the financial network. And then you've, then you have a massive data breach.
Tom Cabot: Yeah. Kind of like the TJX breach in 2007
Larry O'Brien: Very similar things. So, HVAC systems in particular, have been a culprit in a lot of this stuff because it's not that they're insecure in and of themselves - although that might be an issue, but in a lot of cases people just have poor cybersecurity practices. So maybe they use a vendor default password - they never go in and change the passwords. A lot of these basic cyber hygiene issues are basically ignored in a lot of cases in smart cities and smart buildings. Part of that goes back to training. A lot of people aren't trained up on cybersecurity. They don't know what they're supposed to do. Basic training and education can actually go a long way towards preventing these attacks.
Tom Cabot: Yeah, as the solutions expand, the vulnerability there of those solutions also expands as well.
Larry O'Brien: Yes, I would say that's a fair statement. Yeah.
What Can End Users Do To Cybersecure Their Projects?
Tom Cabot: So what necessarily can end users look for in these products and systems? What should they look for?
Larry O'Brien: So my advice is start incorporating these cybersecurity related selection criteria into your selection exercise. When you're out specifying a new system or new products, make sure that cybersecurity is part of that selection criteria. Right. And then we're talking about things like how do you build cybersecurity into your products? Do you have a secure development life cycle when it comes to your products or your software? How does that play out? Do your products have any kind of certifications or anything like that that show they're cyber secure? And there are organizations out there that will test products to make sure they are secure and operational environments. So just add it to your selection criteria is probably the biggest, the biggest thing you can do in terms of selecting more secure products and ask the right questions. And if you go to places like Arc, not just Arc but also some of the standards groups will give you great guidance on what to look for in terms of products and application cybersecurity like ISA, like NIST - there's a lot of government resources out there, there's a lot of places you can go to actually get more information and, and get some good training resources.
Jim Frazer: Right. That's a great point, Larry. As you know, I come from a deep standards background, what are the relevant, cybersecurity standards and maybe even simply just best practices for cybersecurity in any industrial and then the public and smart city and building domains.
The Role of ISA and NIST
Larry O'Brien: Right. So to me, the ISA 62443 standard is probably a good place to start. ISA is the International Society for Automation. They're probably the biggest industrial standards group in the US - they're affiliated with ANSI, the American National Standards Institute. A lot of the ISA standards are harmonized with the IEC standards. IEC is the International Electrotechnical Commission and that's an international group that administers international standards for industry and for manufacturing and also for smart buildings and smart cities. I think one of the things about the smart city sector is they really have not rallied around a common standard for cybersecurity. We feel ISA 62443 is really a good place to start - it was born in the manufacturing industry, so it really has a focus on how to keep operations safe and secure.
Larry O'Brien: There's a lot of great recommended practices in the standard that can be adopted by the smart city and smart building segment. I recommend that as a good place to start. NERC CIP, is obviously more targeted at the power industry. But if you're doing anything related to power, you want to be looking at NERC CIP - chances are you already are complying to NERC CIP hopefully. And there's the NIST framework, which is also very popular which is a risk based framework, which is good. There's a lot more focused on risk now, especially with IoT, a lot of end users and owner / operators are struggling with this quandary of how do I adopt this new technology while remaining secure at the same time. So NIST is a good resource for that. They have a risk based framework. We could talk for hours about all these different things, but I would say, go to ISA, go to NIST.
Jim Frazer: Well, it's interesting, Larry, that ISA is an ANSI accredited standards making body. I do tend to respect all the standards that are developed under the ANSI framework. As you know, ANSI doesn't develop standards on their own. They actually define the process to develop standards so that they can be widely adopted. And one really foundational piece of that is to have a diverse group of stakeholders participating. So at a minimum its end users, its manufacturers, and then what you can call general interest. So anything that comes out of the ANSI process tends to be a very well balanced standard and is not driven just by vendors or just by end users or by a subset of the community. So ISA is a great place to go. So let me ask you, one general question. I haven't reviewed these standards in detail, but do they tend to follow a cookbook approach? Particularly for the implementer, the city manager, the public works director, the traffic system manager, do they employ a cookbook approach where, this is what you do first, this is what you do second. Does it follow a flow chart like that?
Larry O'Brien: The ISA 62443 Standard does. It's a life cycle standard. That means it covers everything from, what to consider when you're looking at products all the way through to the project itself, the system design system implementation and the life cycle of the system. So it's not just a standard that defines what a technology technology should look like. It tells you, how to implement secure technologies, in your facility or your installation throughout the life cycle of that instance.
Jim Frazer: Great. Larry, I think that probably follows the, the waterfall model from the computer science industry, the concept of define your stakeholder communities, develop a consensus based user needs. From that, develop a concept of operations, then develop measurable requirements so that whatever it is you're doing actually is requested. It actually satisfies the real user needs rather than going a bit wayward and satisfying things that might not be so critical. One other question, Larry, is how cybersecure is anything? Can anything ever be made a hundred percent cyber secure?
Can Anything Ever Be 100% Cybersecure?
Larry O'Brien: No.
Jim Frazer: Thanks for that frank answer because I often think that there's levels to this and in many instances it would require going right into the chip design, wouldn't it?
Larry O'Brien: Yeah. And I think you're going into supply chain kind of stuff.
Blockchain and Cybersecurity
Jim Frazer: Exactly, exactly. And I know I've been in some conversations with supply chain folks that have even advocated Blockchain to a blockchain ledger approach to make sure that unauthorized edits to the code haven't worked their way into the development process. That's fascinating.
Larry O'Brien: Yeah. Well that's another thing that that ISA is doing. They actually have ISA secure certification for products and applications and then one of the things they do is ensure that the supplier has a secure development life cycle process for software and for other products as well. So that is a concern. I mean, if you read that Bloomberg article that came out earlier this year about that supposed supply chain hack, that was never really 100% proven, but that is something that you should be concerned about. It's an aspect of things that you should be thinking of.
Jim Frazer: Okay. Well, Larry, this has been an enlightening discussion. I really have one last question, and you touched upon this already, but at length, can I ask you how, how do you see this market developing? Clearly it's growing. Could you comment upon that? What's the future look like here?
Larry O'Brien: Well, the future for the market is great. I mean, if you're selling cybersecurity products and applications and solutions right now it's a very high growth market. And like I said before, I don't think the smart city sector and smart buildings, they have a long way to go. So there's a lot more. It's underspent you know, there's a lot more investment that needs to be made in this sector to make things more secure.
Jim Frazer: Yeah. I think in the education process as you're outlined earlier is critically important. Coming from the smart cities and public infrastructure domain, it's clear to me that cost accounting for public infrastructure isn't simple it's quite a bit different than it is for say a private manufacturing facility that knows how much each minute of downtime will cost them.
Larry O'Brien: They're very sensitive to that. Yeah.
Jim Frazer: So it's a little bit softer in the, in the public domain, you don't know what does it cost when a traffic signal is down, how do you monetize perhaps a pedestrian injury that gets hit by a car. It's much more difficult. What if a water treatment plants offline? Well how do you monetize that? It's just a challenging environment. Their cost accounting works in a different way there. They're getting educated - education starts all of it. Awareness first, and then education and that industry is coming along. Unfortunately through situations like in Baltimore and Atlanta, most recently.
Cost Accounting and Cybersecurity
Larry O'Brien: I think, unfortunately that's kind of the way things go, right? I mean, people don't really start to pay attention until bad stuff actually starts to happening. Then they're like, oh yeah, this really is a problem.
Larry O'Brien: We really need to do something about this. I mean if I'm the city of Atlanta and I'm paying out over $10 million to fix this problem, how much would it have cost to mitigate against the problem, probably not, not as much as 10 million. And that's just at the IT level. Target, I think they had to settle for almost 20 million for that data breach. These are not insignificant costs. and that's just the direct cost. You have a lot of indirect costs as well. Like you said, how do you measure a water treatment plant going off line or if you're in a hospital, how do you measure? We didn't talk much about hospitals, but that's a scenario where you can run into some real trials. So it's kind of like, what's that worth to you? I think the management has to appreciate the consequences and the risk. And I think they're starting to.
Jim Frazer: Okay. Larry, this has been a great session. Can I just ask you as a final question to review what, does Arc actually do in this space? What studies are available? What selection guides? Can you touch on that and then we'll call it a day.
Larry O'Brien: We have a lot of studies on IT in building automation. We cover the full scope of building automation systems. Like I said, from HVAC to energy management systems to security systems and access control systems and even elevator control systems. We also cover the full scope of OT level cybersecurity offerings out there. So those five segments that I told you about, we have market studies that actually size the markets and tell you who the leading players are for each one of those cybersecurity segments like services and network monitoring and threat detection and response and so forth. So we have studies there and we've recently done some studies that actually take our knowledge from both of those worlds and combine them together. So I just recently completed one on cybersecurity for smart buildings, so we specifically hone in on the smart buildings segment and and see who was playing in that segment and what's available in that segment and what are some of their concerns - specific concerns that we have around smart buildings.
Larry O'Brien: So that I think that's one of the good things that we can do is combine our expertise in different areas, and use that to look at the market in a bit of a different way, than most people could. These are easy markets to quantify. When you have a good background, and, well established background of research to be able to come up with realistic numbers as far as how big is the market and where are the opportunities and things like that.
Jim Frazer: This is great. I know that in our smart cities team, we have a range of studies that are coming out in the Fall. Tom is finishing up on indoor positioning systems. We have electronic tolling, we have a connected vehicles study coming up in the fall.
Larry O'Brien: And we also smart lighting. We have a smart lighting study.
Jim Frazer: We also have product selection guides in a variety of domains for IT, for end users too. To help them select vendors and to fine tune what their requisition process looks like. We have those in smart lighting and a variety of other domains as well. Well, Larry, thanks again for your time and do you have any final comments.
Larry O'Brien: No, other than if you're interested, please get in touch with us. Uh, you know, our website's www.arcweb.com.
Jim Frazer: Thanks, Larry. Thanks Tom for participating today and thanks again, Larry. Yes, thank you. Thank you all for attending this session on cyber security. Please follow us on Twitter @smartcityvwpts, and we do have a very, very popular blog. You can visit that on the web at Arcweb.com/blog/smart-cities-viewpoints, and we'll see you all again next time. Thank you very much for attending today. All right, thanks.