Insurance companies might want to hear this talk.
Governments and/or insurance companies demanding some kind of certification will help clear things up. Until then, vendors will continue selling whatever someone will buy.
"Real world hacker" Cesar Cerrudo has blasted vendors, saying they're stopping security researchers from testing smart city systems, and as a result they're being sold with dangerous unchecked vulnerabilities. The warning will be detailed at RSA San Francisco this week, and comes a year after the IOActive chief technology …
Governments and/or insurance companies demanding some kind of certification will help clear things up.
Won't happen, at least until things go disastrously wrong. There is no such thing as a proactive government entity. To be sure, this equipment will be tested. The only question is whether it will be white hats or black hats doing the testing first. I guess this article points out which it will be.
In Europe one would hope the EU could come up with some regulation insisting on security across the bloc and every government would comply with such regulation.
Of course, some see that as a bad thing in principle and will actively oppose regulation. Some even want to leave or opt out of the EU as what may help society as a whole is often "bad for business" or imposes additional costs.
Governments seem to prefer to pay the cost of failure later than pay the cost for protection now. As long as failure doesn't happen on their watch they can blame others for their own failings.
"Charlie's team showed how lax security was on the "smart" traffic system in Turin in 1969. It looks like nothing has improved since then..."
A more up-to-date documentary on the subject suggests it's even worse since then.
Spend high on shiny new kit chasing the promised few dollars savings it generates - then spend infinitely more trying to restore your city and more again to upgrade and fix the string vest code.
There's always an option when it comes to spending on fancy new systems - 'do nothing or go manual'. Most project teams overlook it because it's not seedy, no toys, doesn't generate headlines, doesn't shiny the CV, but it's essential. I worked for one of the really big software companies who delivered payslips electronically. The system was a mess and poked holes in the corporate security, and had to be replaced. Because of the increased security risk, running on extended warranty hardware on obsolete OS, using dedicated data centre capacity, etc., this was very expensive to keep alive. I costed out printing the payslips centrally (first thing anyone ever did with their electronic ones was print them anyway, on higher cost per impression printers) and delivering them via internal mail, savings were five figures per year. There's a lot to be said for not using technology 'just because', and I'm speaking as an avid technologist!
An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks