by Greg Conti & Tom Cross & David Raymond

How would you take down a city? How would you prepare for and defend against such an attack? The information security community does a great job of identifying security vulnerabilities in individual technologies and penetration testing teams help secure companies. At the next level of scale, however, things tend to fall apart. The information security of cities, the backbone of modern civilization, often receives little to no holistic attention, unless you count the constant probing of nation state aggressors. The information technology infrastructure of cities is different from other entities. Cities feature complex interdependencies between agencies and infrastructure that is a combination of federal, state and local government organizations and private industry, all working closely together in an attempt to keep the city as a whole functioning properly. Preparedness varies widely. Some cities have their act together, but others are a snarl of individual fiefdoms built upon homegrown technological houses of cards. If you can untangle the policy and politics and overcome the bureaucratic infighting to create workable leadership, authorities, and funding, you are still faced with an astronomically complex system and an attack surface the size of, well, a city. Our talk identifies these necessary precursor steps and provide a broadly applicable set of tools to start taming and securing, such an attack surface.

In this talk, we first explore a notional city, deconstruct it layer by layer, and use these insights to suggest a comprehensive methodology for reverse engineering any city and deriving its attack surface. We complement these insights with a broad analysis of proven capabilities demonstrated by hacker and information security researchers as well as known capabilities of criminal and nation-state actors applicable to city-level attacks. Next, we develop a coherent strategy for penetration testing as an approach to highlight and then mitigate city-level vulnerabilities. Finally, we conclude with a wide-ranging set of approaches to complement pen testing efforts, including exercises and collective training, metrics and a maturity model for measuring progress, and specialized city-level attack/defend ranges. You’ll leave this talk fearing for the survival of your respective country, but also possessing a toolkit of techniques to help improve the situation. By better securing cities we have a glimmer of hope in securing nations.