Smart Cities and the Threat within - Ensuring Devices are IPv6 Addressable

March 7, 2018

When a typical citizen thinks of a smart city, they think of a city that is fully connected, like a smart home: a city that has lighting, train schedules, traffic lights, and everything else integrated to make the citizen feel safe, on time, and as comfortable as possible. The truth is, the definition is different for every city and for every country. A true smart city starts with an eco-friendly environment that is sustainable and reliable, and builds technology on top of not being a drain on natural resources. This can include everything from renewable energy like solar to urban gardening on buildings and in backyards. The goal is to make a city sustainable. Once the vision is understood, technology plays a part. Whether this is enablement of driverless cars or train schedules depends on the city itself.

If you consider all the possibilities, you begin to understand the number of potentially accessible devices, services, applications, and resources. While not all of these would be directly accessible to the citizen, they would need to be electronically addressable. The current standards for IPv4 are grossly inadequate to meet these needs. There are just not enough IP addresses to assign to all the devices. This is where IPv6 becomes relevant for any smart city plans, and potentially for the threats that can lie within.

IPv6 was developed to address the problem of running out of public IP addresses in 1998. Its adoption has been slowed by the inception of Network Address Translation (NAT), legacy solutions, and the sheer fact that a human being cannot remember an IPv6 address as easily as an IPv4 one (e.g., 192.168.1.200 versus fe80::54c4:14ee:5d69:9435). While the number of combinations possible for an IPv4 address is 2^32, IPv6 allows for a staggering 2^128. That should easily accommodate every smart city in the world with unique addresses for every single device and still leave room for private addresses within governments and businesses.
With this in mind, implementing a true smart city means that all of the devices should be IPv6 addressable, our infrastructure needs to be able to manage all of these devices, and our cyber defenses need to scale to the volume required to protect everything. This means security best practices like vulnerability management, patch management, and privileged access management for a smart city need to accommodate millions of potentially dumb devices, from street lights to cameras. That is a volume exceeding anything we have today and exceeding the capabilities of most security and management tools. This is growth beyond anything we have seen before and an exponential risk surface of unimaginable proportions.

We need to begin being smart in terms of our smart city plans: smart about management, cybersecurity, the tools, and the workflow and policies for sustainable management. A botnet of hundreds of thousands of streetlights would put the threats of the Mirai botnet to shame. So how do we move forward? Consider the following recommendations to scale a smart city (or any large IPv6 environment) for public usage:

1) Even though there are enough IPv6 addresses to make every device (everywhere) unique, they do not need to be routable from public access. Security best practices for segmentation are still very much applicable, and even more so to keep IoT and IIoT devices from direct access. Smart cities should keep their resources off the public Internet and use secure middleware to instrument their usage for normal consumption.

2) Each device should have unique credentials. With potentially millions of devices, any shared, reused, default, or dictionary-based passwords (or keys) could allow malicious access and lateral movement. Consider implementing a privileged access management solution for password management and rotation to keep every device unique and secure from rogue root or administrator access.
3) While we consider millions of addressable devices, the human mind cannot remember or communicate IPv6 addresses effectively. This is why a robust and resilient DNS implementation becomes a tier one service. Typically, cameras, street lights, and even trash cans have serial numbers or identification schemes that teams can understand and reference for a specific device. A successful DNS implementation in a smart city uses the same scheme so teams can identify the asset electronically and physically to remediate any potential problems.

4) Cybersecurity best practices for asset, vulnerability, and patch management are more relevant than ever. Information technology teams must be able to inventory all smart city assets and determine if security risks are present. If they are, a remediation plan should be able to patch systems or even flash firmware. Visiting every street light with a USB stick to flash firmware is not acceptable. Any and all deployments of resources need to be centrally managed and allow for centralized remediation and inventory.

5) In a smart city, it is completely cost prohibitive to think every device will be wired. While some might be, many will be wireless. Whether the device is WiFi based or cellular (LTE, 4G, or 5G, for example), the challenges in securing wireless communications, from man-in-the-middle attacks to jammers, need to be considered. To that end, all communications should be encrypted and strong access control lists enforced. Successfully wardriving a smart city to identify vulnerabilities in the infrastructure is just not acceptable.

6) Your choice of management tools, from inventory and asset management to logging, needs to be able to scale to your city's needs. It is doubtful many on-premises solutions will meet your needs from a centralized routing perspective, bandwidth, or even scalability. This makes management of your smart city ideal from the cloud.
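Recommendations 1 to 3 can be checked mechanically against an asset inventory. The following audit is an added example, not part of the original article or any BeyondTrust product; the inventory records, the `cred_fp` credential fingerprint field, the `city.example` names, and the choice of unique local space (fc00::/7) as the internal range are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the city numbers devices from unique local space (fc00::/7).
INTERNAL = ipaddress.ip_network("fc00::/7")

# Constructed inventory. 2001:db8::/32 is the documentation prefix, used here
# to stand in for a globally routable assignment. cred_fp is a hypothetical
# fingerprint of each device's admin credential, never the credential itself.
INVENTORY = [
    {"serial": "SL-000123", "dns": "sl-000123.lights.city.example",
     "addr": "fd12:3456:789a:10::123", "cred_fp": "9c41"},
    {"serial": "SL-000124", "dns": "sl-000124.lights.city.example",
     "addr": "2001:db8:10::124", "cred_fp": "9c41"},
    {"serial": "CAM-00871", "dns": "camera7.city.example",
     "addr": "fd12:3456:789a:20::871", "cred_fp": "e07b"},
    {"serial": "BIN-04410", "dns": "bin-04410.waste.city.example",
     "addr": "fd12:3456:789a:30::4410", "cred_fp": "5d2a"},
]

def audit(inventory):
    """Return {serial: [findings]} for devices that break recommendations 1-3."""
    cred_use = Counter(d["cred_fp"] for d in inventory)
    report = {}
    for d in inventory:
        findings = []
        addr = ipaddress.IPv6Address(d["addr"])
        # Rec. 1: address should sit in internal, non-Internet-routable space.
        if addr not in INTERNAL and not addr.is_link_local:
            findings.append("address outside internal range")
        # Rec. 2: no credential may be shared between devices.
        if cred_use[d["cred_fp"]] > 1:
            findings.append("shared credential")
        # Rec. 3: first DNS label must be the serial printed on the asset.
        if d["dns"].split(".")[0].lower() != d["serial"].lower():
            findings.append("dns name does not match serial")
        if findings:
            report[d["serial"]] = findings
    return report

if __name__ == "__main__":
    for serial, findings in audit(INVENTORY).items():
        print(serial, "->", ", ".join(findings))
```
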
If you consider all the diversification needed to instrument a smart city, the potential network zones and segmentation, and the protection of sensitive systems and critical infrastructure, the cloud provides a central point to manage everything. With more devices, there is a need for more resources and management. While the cloud is not infinitely scalable, it definitely can scale from a PaaS, SaaS, and IaaS perspective to make smart cities a reality.

Whether you are ready for it or not, smart cities are coming. With the enablement of mobile technologies and the convenience and efficiencies of mobile applications and electronic payments, the cities of the future will make our lives more convenient, sustainable, efficient, and less problematic (when everything is working right). Security threats, bad architectures, and threat actors will test our new standards, our implementations, and the limits of our patience and intellect. Smart cities will be the first widespread implementations of IPv6 and will potentially add common devices like street lights to the resources we already consider critical infrastructure. While the definition of a smart city will vary by location and country, one thing is for certain: once we connect and enable them electronically, a threat actor somewhere will try to attack them.

Contact us today for a customized cybersecurity planning session.

Editor's note: This article was originally published on ITProPortal.

Morey J. Haber

Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
