Preamble 53 of the EU’s NIS2 Directive highlights the increasing connectivity of utilities in cities and the potential risk of widespread harm to citizens should those utilities fall victim to a cyberattack. If public services and utilities are compromised, the consequences can be far-reaching and even catastrophic. In this blog, we will explore the risks faced by interconnected and smart cities and the challenges created by the involvement of operational technology.
What Does Preamble 53 Say?
Preamble 53 states that EU member states should develop policies that address the development of interconnected and smart cities. Their potential effects on society should be considered, as well as their place in the national cybersecurity strategy.
This is because of the increasingly connected digital networks in cities. The urban transport network, water supply, waste disposal, and lighting and heating of buildings are all being digitalized for the sake of efficiency. However, due to their scale and interconnectedness, they are an attractive target for cyber attacks. If these networks are successfully taken out in a cyber attack, it can cripple the infrastructure of entire cities, directly harming the citizens.
Key Considerations for Interconnected and Smart Cities
Cyberattacks on digitalized utilities can pose significant risks because they cause direct harm to citizens, including:
- Disruption of essential services: A successful cyberattack could disrupt the provision of essential services such as electricity, water, and gas. This can lead to power outages, water shortages, and heating failures.
- Financial losses: As with all cyberattacks, those targeting utilities can result in financial losses for both the utility companies and their customers.
- Loss of personal data: Utilities and public services often store sensitive personal information about their customers. Cyberattacks could seriously compromise people’s privacy.
- Public safety risks: The compromise of some utilities, like nuclear power plants or dams, can have direct implications for public safety or even lead to catastrophic accidents.
- Social disruption: Disruption of utilities can also lead to broader social disruptions, such as transportation delays due to traffic signal failures or communication breakdowns caused by internet outages.
While the digitalization of utilities and public services is in many ways beneficial for their efficiency, these risks need to be taken into account. Outages and disruptions can have cascading effects on all layers of society, impacting businesses, emergency services, and public institutions. They call for robust cybersecurity measures, contingency planning, investment in resilient infrastructure, and collaboration between government, industry, and other stakeholders.
When developing these connected or smart cities, several considerations should be taken into account to ensure their security.
- Privacy and data protection should be guaranteed at all times to protect citizens’ rights and personal data. This includes implementing strong data encryption, anonymization techniques, and clear consent mechanisms for data collection and usage.
- Robust security measures and regular risk assessments will safeguard the systems from possible cyber attacks.
- An incident response plan is needed to protect essential services and to limit the impact of potential security breaches to an absolute minimum. A minimum level of service has to be guaranteed until systems can be restored.
- Resilience and disaster preparedness should be built into the policies to mitigate the impact of natural disasters and other emergencies on critical infrastructure and essential services.
Operational Technology in Utilities
Operational technology (OT) has played an important role in utilities and public services for a long time. It keeps the infrastructure for processing plants and other facilities running by monitoring, controlling, and adjusting the machines that power the providers’ operations.
In the past, these systems were siloed from the IT network. OT ran the machines, and IT everything else. However, this has been changing in recent years. With OT infrastructure being increasingly connected to the internet, the IT and OT networks are becoming more and more intertwined.
The Problem with OT Security
Connecting OT to the web opened up a world of possibilities for cost, performance, and productivity, but unfortunately, it also brought the usual security risks. Protecting operational technology comes with a number of unique challenges, and now that OT is converging with the IT network, it becomes a potential weak spot through which attackers can infiltrate the rest of the network.
The first challenge is longevity. Operational technology is expensive, so OT devices are intended for long-term use. Unlike IT devices, they are not upgraded, replaced, or even patched very often. This gives attackers plenty of time to find and exploit vulnerabilities.
This is largely due to the second challenge with OT: there is no room for downtime. OT often runs in critical environments, including public services and infrastructure, which can’t just be shut down for a little while. Even in manufacturing, any downtime can be extremely costly. This leaves very little room for maintenance.
On top of all that, OT often uses unique protocols. Most asset management solutions won’t recognize these protocols, meaning that they won’t be able to pull detailed data or even any data on OT assets. The lack of OT asset inventory causes a gap in visibility that makes it difficult to make data-driven decisions when managing these systems.
Lansweeper for OT
Lansweeper’s OT scanner was created to tackle the challenges of OT asset visibility. In order to protect the entire technology estate, you need full visibility of all IT, IoT, and OT. Lansweeper OT can discover and identify OT devices and systems from manufacturers such as Siemens, Rockwell Automation, Mitsubishi Electric, Schneider Electric, and more.
Since the goal was OT asset discovery and OT visibility, it is specifically designed to work with industrial protocols. This provides organizations with the visibility and insights they need to make informed decisions about their OT infrastructure.
Lansweeper OT collects detailed information about each device, including manufacturer, model, serial number, firmware versions, and more. This information is vital to manage changes and maintenance of equipment and to remediate firmware vulnerabilities.
The increasing interconnectedness of OT with IT can be a cybersecurity liability, but it doesn’t have to be. With the proper tools, OT infrastructure can be managed and maintained just fine, properly securing all entrances to your technology estate.