Go back a hundred years and services like electricity and running water — let alone phones — would have all been considered luxuries. Now, we see these services as critical infrastructure that could cause a serious threat to life and societal order if they were to break down.
As the Internet of Things (IoT) is becoming a bigger part of our world, creating a marriage of software and hardware that ranges from the exceedingly useful to the overly creepy, it is also finding its way into many of the utilities that we depend on for modern living.
What we define as infrastructure is being rapidly altered by the growth of IoT and the move towards smart cities. We depend on traffic lights, security cameras and garbage removal to keep our cities livable, and we would quickly take notice if these services faltered.
As these devices and systems start to get brains, they become vulnerable to attacks like Mirai or the one that targeted the Ukrainian power grid. There is the added challenge of how to protect smart infrastructure, recognizing that it has major differences from the way that we defend power plants.
Historically, critical infrastructure projects have been tougher targets for hackers as their operational technologies (OT) relied on legacy systems that were not widely connected to the internet. As cases such as Stuxnet and more recent cyberattacks on electrical power systems have shown, these systems are vulnerable to external hackers, despite their supposedly high level of security and regulation.
Whereas old-school critical infrastructure has been played out in the court of large corporates with their dependency on proprietary systems, smart cities are a whole other kettle of fish.
Open Source: the Necessary Building Blocks of Smart Cities
If we assume that smart city infrastructures will probably be implemented by many of the large corporates that have the experience and resources to run these projects, then they will probably try to work it as they always have with as much of their in-house tech as possible. Makes sense, right?
Michael Shalyt, CEO of the critical infrastructure security startup Aperio Systems, says that he is skeptical of whether the companies will want to turn to more efficient methods of development like adopting open source in the near future. “We probably won’t see a full blown project for handling end-to-end operations since that’s not the modus operandi of utilities and other companies managing critical infrastructure,” he explained in an interview.
But unfortunately for the corporates, the smart city game has a different set of rules and stakeholders. Outside of the critical infrastructure bubble that allows for certain inefficiencies in the name of not having to deal with innovation, the public demands fast and friendly service.
For starters, this means that developers of smart city products and systems will have to keep up with a more rapid release schedule. Teams will need to pull in resources from third parties if they want to stay on pace, and they will be unable to take their time on writing their own code for everything.
“There will still be deadlines when we move to smart cities, putting pressure on developers,” said Shalyt. “Once an open source project seems good enough and it’s free, there is a lot of pressure to use it, simply to shorten the development cycle, saving time and money.”
Secondly, users want interfaces that are easy to use. This will mean a reliance on web and other apps, most of which are built on open source components for their look and functionality.
Finally, unlike sites like power plants, where there is a single company managing the project, smart cities are a collaborative effort, including many new startups that come from a newer culture that depends on open source.
Open Source Security: A Different Approach for Protecting Infrastructure
While working with open source gives developers a faster way to build their products while staying on schedule, it presents a different set of challenges for security.
We have to assume that all code will have vulnerabilities. What makes an environment secure is how well you check the products that you are using for holes that attackers can exploit. For many, it seems obvious to test the code written in-house. Unfortunately, they don’t always do the same for third-party libraries and components. When talking more specifically about open source components, this does not mean auditing the code yourself, but verifying that the component and version you are shipping does not contain any known vulnerabilities.
“No one is going to pen test an open source project that you took from somewhere else,” Shalyt remarked. “It’s not that it’s impossible to write perfect code, just nobody does it. In most cases, developers are under pressure from senior management to meet their release schedules and will just throw in open source components without first checking whether or not they have known vulnerabilities.”
When it comes to open source and smart cities, Shalyt believes that companies will turn to open source for what he calls “more granular operations.”
He pointed to more specific tasks like communication and enabling specific devices as the most likely uses. From an efficiency point of view, he said that it may make sense to run many of the devices and sensors that smart cities depend on on hardware like the Raspberry Pi, which runs the open source Linux operating system.
“If there are vulnerabilities in the low-level communications, the hacker can have control of all of the endpoints in the city,” he said.
The risk is that hackers could target these base-level protocols and endpoint devices, potentially reusing their knowledge of vulnerabilities in projects like Linux that was gained outside the infrastructure sector. If an open source library has a known vulnerability, attackers can try to exploit it across numerous targets, hoping that somebody failed to apply the fix.
Taking Responsibility for Your Code
Shalyt noted that today people often assume that new products include code from third parties.
“It used to be that 20 years ago, a software product was built by the company that you bought it from, but now we assume the opposite,” he explained. “While this is unlikely to change due to the culture of these older organizations, smart cities are probably going to develop differently since they are coming out of the more modern development culture.”
As such, all parties that are working in developing products for this sector will need to be sure that they are being responsible with their code, not adding code with known vulnerabilities.
However, since checking these products for crucial vulnerabilities and bugs manually is unrealistic, developers and security personnel alike will need to depend on automated solutions to ensure that everything in their products is on the up and up.
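The automated check the paragraph above calls for amounts to matching each third-party component you ship against a feed of known-vulnerable version ranges. The following is an added example, not code from the article or from WhiteSource: a minimal dependency scan over a constructed requirements-style manifest and a constructed advisory list. The package names, version ranges and advisory identifiers are placeholders chosen to illustrate the logic, including the two cases a real tool has to handle correctly: a version that sits exactly on the fix boundary, and a dependency that is not pinned at all and therefore cannot be assessed.

```python
"""Minimal software-composition check: flag manifest entries whose pinned
version falls inside a known-vulnerable range.  All data below is constructed
for illustration; the advisory IDs are placeholders, not real identifiers."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest in requirements.txt style (not real project data).
SAMPLE_MANIFEST = """\
# web layer for a hypothetical sensor dashboard
flask==1.0.2
requests==2.19.1   # HTTP client for the gateway API
pyyaml==5.4
paho-mqtt==1.5.1
gunicorn
"""

# Constructed advisory feed: package -> [(introduced, fixed, advisory_id)].
# "fixed" is exclusive (first safe version); None means no fix published yet.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, Optional[str], str]]] = {
    "requests": [("2.0.0", "2.20.0", "ADV-PLACEHOLDER-001")],
    "pyyaml":   [("0", "5.4", "ADV-PLACEHOLDER-002")],
    "flask":    [("0", "1.0.0", "ADV-PLACEHOLDER-003")],
}


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    fixed_in: Optional[str]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.4' into a comparable tuple, padded so that 5.4 == 5.4.0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_manifest(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (package, pinned_version_or_None) for each dependency line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            entries.append((name.strip().lower(), version.strip()))
        else:
            entries.append((line.lower(), None))  # unpinned: cannot assess
    return entries


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (fixed exclusive, may be None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def scan(manifest_text: str, advisories: Dict[str, List[Tuple[str, Optional[str], str]]]
         ) -> Tuple[List[Finding], List[str]]:
    """Match every pinned dependency against the advisory feed.

    Returns the findings plus the list of unpinned packages, which a release
    gate should treat as a failure in their own right: an unpinned component
    can silently change between build and deployment."""
    findings: List[Finding] = []
    unpinned: List[str] = []
    for name, version in parse_manifest(manifest_text):
        if version is None:
            unpinned.append(name)
            continue
        for introduced, fixed, adv_id in advisories.get(name, []):
            if is_affected(version, introduced, fixed):
                findings.append(Finding(name, version, adv_id, fixed))
    return findings, unpinned


if __name__ == "__main__":
    found, unpinned = scan(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for f in found:
        print(f"VULNERABLE {f.package}=={f.version}: {f.advisory} "
              f"(fixed in {f.fixed_in or 'no fix yet'})")
    for name in unpinned:
        print(f"UNPINNED   {name}: version unknown, cannot assess")
    raise SystemExit(1 if (found or unpinned) else 0)
```

Run as written, it reports requests 2.19.1 as inside the constructed vulnerable range, leaves pyyaml 5.4 alone because 5.4 is the (exclusive) fix version, and refuses to pass gunicorn because it has no pin. A real pipeline would replace the inline advisory dictionary with a maintained feed and run this as a build gate, which is the "automated solution" the article has in mind.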
It’s the Future — Deal With It
Some may ask why we need to talk about protecting open source in smart cities if those heading up the projects are by nature not big fans of it. Fair enough.
The thing is, at the end of the day, these companies simply won’t have much of a choice about working with open source. Just as DevOps is becoming a new standard (read: coping strategy) for dealing with schedules and expectations, so is open source adoption becoming the best option for developers to keep on top of demand. The big players will have to play ball or risk getting left behind in favor of those that are ready to evolve.
It is worth noting that there is currently some movement to introduce standards for open source in the critical infrastructure sector. The Linux Foundation’s Civil Infrastructure Platform (CIP) was launched last year to create a framework for the industry (with the backing of big players like Siemens and Toshiba to name a few), but it is still early in the process.
What is certain is that open source — in whatever form it takes for these projects — is an additional attack vector that can be targeted by hackers looking to breach city systems. A well-placed attack can disrupt operations, hold a city hostage for ransom and possibly deter others from adopting the smart city model if they feel that they cannot properly defend it.
However, before running for the hills for fear of open source, take a beat and remember that it is often more secure than closed, proprietary software since it has more eyes passing over its code, alerting the community to threats and helping to provide for a safer space for development.
It is clear that open source is the way forward for how we go about building large-scale projects, in both government and business. It is up to those doing the development to ensure that they are incorporating security into their products.
Rami Sass is CEO and co-founder of WhiteSource, the leading open source security and compliance management platform. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity.