Here is how this live cyber war game works. Each year, one of the core government agencies creates a new synthetic city code-named Shell Cove. This city is built from a massive number of LEGO pieces (yes, LEGO for the city elements). Then, the electronic infrastructure is developed to represent a model smart city. For example, the police station has the electronic elements of a working police station. There is an airport as well as mass transit trains, water works, and so forth. The result is a complete electronic-kinetic model city where the impact of attacks can be seen.
This combination of kinetic and simulated elements is very important. It makes the exercise more real in the minds of the participants and gives them a much better sense of what is at stake. It also exposes important interrelationships that might not appear if the city were only computer simulated. Some examples from past war games illustrate this. It was discovered that if an attacker compromised the electrical system, the fire department couldn’t respond to fires; firefighters could not open the firehouse doors. When the water distribution system in the city wasn’t able to distribute water, dams creating reservoirs serving the city failed and created a flood in the city.
These are important and interesting findings. But the real goal is to take cybersecurity experts who are defending the smart cities and teach them to be attackers. Once they understand how attackers think, along with their methods and mannerisms, they can become much stronger defenders. A key lesson learned in the recent War Games of 2019 was the importance of knowledge sharing between all sides of the cybersecurity problem. One team simply cannot do it all. This is already understood, but it becomes clear during these types of exercises.
With these insights, the Australian government has taken an interesting hybrid approach. By partnering with industry and sharing all the tricks and approaches, leadership is hardening the skills not only of government employees but also of carefully selected private company employees. Or in the words of Stuart Robert, Minister for Government Services Australia, DHS Senior Minister, “We have found that the public-private partnership is a very powerful way to harden our people’s skills and build new methods of defense.”
The smartness of a city is measured by six characteristics: smart economy, smart people, smart governance, smart mobility, smart environment, and smart living. The three layers that make up the smartness of the city are based on ICT structures such as IoT, Big Data, the Internet, and so on. But is a good ICT infrastructure enough to build a smart city? Technological interconnectivity is key: all smart devices and virtual data should be linked to the infrastructure and analyzed in order to achieve the goal of a sustainable and smart city.
What about safety? While each element may be safe, this may not result in safety in combination. Also, as Bill Ratcliffe asks, “How many of the key characteristics can be lost before chaos reigns? What is the threshold where the city becomes unstable? If you introduce a global pandemic to a smart city, what happens?” Finally, Diana Neuman from Bace Cybersecurity Institute, which focuses on resilience analysis, says, “Today’s technologies are so complex no amount of theoretical review will find all the issues.” You only know if you test!
Over the years, the cyber war game sponsors have created a significant body of knowledge, tricks and techniques. Many countries have asked about this, and while nothing is final, the Australian government is considering partnering with another country or group of countries. For example, the Abu Dhabi government has created Masdar City, a pioneer in sustainability and a hub for research and development. The city is home to a rapidly growing clean-tech cluster, a business free zone, and a residential neighborhood with restaurants, shops, and public green spaces. The government recognizes the importance of security for Masdar City. As Mohammad Al Ramahi, CEO of Masdar, says, “Secure growth is a challenge and an opportunity.”
This article should be considered only an introduction to the Australian effort and possible follow-on efforts. Others dealing with the economic, social, and technological pressures moving us to smart cities may develop other ways to plan and test that avoid the path of focusing on capability and treating security only as an afterthought. However, any such effort should include outreach to the Australian project to incorporate what its leaders have learned.