Municipal Chaos: How Chaos Theory Explains Cyberattacks Against Smart City Architectures

When a linear act leads to non-linear results, it’s chaos. That’s not a figure of speech. Non-linear behaviors that result from an otherwise linear and deterministic system underpin chaos theory, a fascinating branch of mathematics and life sciences that results in amazing insights into our world. It shows how tiny actions in an otherwise linear system can cause dramatic effects and even outcomes that we cannot otherwise predict. Common examples include financial markets and the weather. Small movements by financial services firms can cause dramatic drops in market prices that were not predicted if the system is viewed linearly. The weather is likewise affected by small changes in pressure at a given location or a rainstorm that lingers longer than predicted. Chaos theory gives us a completely different lens through which we observe behaviors in our world. If we view a system as purely linear, we build models, risk frameworks, and even policies in a linear fashion. If we view a system as subject to unpredictable outcomes based on small changes, we build differently. At heart is the complexity of the system and the “emergent properties” that we observe due to increasing complexity. 

If you are visiting a busy city at rush hour, you may use the term “chaos” as a descriptor. Maybe you are referring to the volume of people or the traffic, but you would be more correct than you realize. Around the world, in municipalities large and small, we are observing a dramatic increase in complexity. Municipalities, including their critical infrastructure, municipal services, and growing populations, are already complex systems themselves. However, we are now seeing a significant rise in the deployments of internet-connected devices that create an exponentially higher level of complexity that is not yet fully understood by city planners, technology developers, and cybersecurity officials. The knowledge gap is occurring because many view a cyberattack on a smart city (or connected community) architecture as fundamentally the same as cyberattacks on individuals or organizations. The complexity of smart city deployments demands we use the chaos theory lens to create new policies, strategies, and cybersecurity methods to mitigate the risks of currently unknown emergent properties in our population centers. A chaos theory-inspired risk management approach would recognize the nonlinear results of a linear activity and create technology, policies, and risk frameworks that work for municipalities and protect those whom technology is meant to protect and enable.

Cyber Linearity

According to mathematics, “linear” is a term that means a system is equal to the sum of its parts. This can also be thought of as deterministic in that one can predict the outcome of a linear action upon a linear system. If I hold an apple in my hand, I can predict what will happen if I let go of it. Gravity is a linear system, so we can predict what happens when we change something in that system, such as by removing the support of an object with mass.

“Nonlinear” refers to a system that is more than the sum of its parts and from which we observe emergent properties. The human body is an immensely complex system, and from it, we observe the emergent property we refer to as consciousness. There’s no single part of your body that generates consciousness, but we observe it all the same. The sum of all the cells in our bodies does not add up to consciousness. 

Despite the technical difficulties in executing a successful cyberattack, it is inherently a linear action. From identifying the target to surveying the system, building the tool, creating the delivery mechanism, social engineering, establishing persistence, and causing an effect, the planning and construction of a cyberattack is a linear activity. Once the target clicks on the link, attackers can go through a defined set of steps to create the desired effect. The effects might be data theft, distributed denial of service (DDoS), ransomware, or other effects, but they all produce outcomes that can be largely predicted when the operation is planned. Even in the case of the Colonial Pipeline ransomware attack, the outcome of shutting the company’s systems down was not difficult to predict, given what Colonial Pipeline did and where it was located. The same is true of other historically large cyberattacks such as the US Office of Personnel Management (OPM) hack. This was a massive cyberattack that targeted the personal information of millions of US government workers and applicants, and that’s what the attackers took.

Cyberattacks are complicated, not complex. According to chaos theory, complicated refers to a system that is made up of many parts. Complexity refers to a system that is made up of many parts and exhibits emergent properties. A typical cyberattack is a linear activity upon a complicated system that produces predictable results. These results are difficult enough for cybersecurity professionals, individuals, and organizational leadership to navigate. In our municipalities, we are introducing conditions that escalate a complicated system to a complex one, from which we should be expecting and studying the emergent properties that will result from a cyberattack against a smart city architecture.

Smart Cities (or Connected Communities)

The deployment of thousands or millions of internet-connected devices in our municipalities is creating complexity in the true mathematical sense and should force city planners and cybersecurity professionals to think about the cybersecurity of municipalities in an entirely different way. Even the term “smart city” does not name a single technology but a convergence of technologies that creates something greater than the sum of its parts. A standard cyberattack against a single out-of-date IoT device in a smart city architecture can have emergent properties that we do not yet understand. That knowledge gap causes things like policies, strategies, and risk mitigation frameworks to be developed from the wrong perspective. The cybersecurity of a municipality, regardless of size, should be understood through the chaos theory lens, and each municipality should seek to understand the emergent properties that may arise from a cyberattack against its connected infrastructure. Using the lens of chaos theory, we can improve cyber resilience, policy making, and technical designs, but there are some unanswered questions.

Randomness and Attractors

Physics tells us that you can predict the movement of a physical system if you know the starting positions and the forces acting on the objects in the system (thanks, Isaac Newton). We know the positions of planets, and we understand gravity, so we can predict things like eclipses and the passing of comets years in advance. This is a deterministic system, meaning that it does not exhibit randomness because the state of the system at one moment predicts the state at the next moment. Thinking about this in terms of a cyber event, we know the beginning state of the system and the forces acting on it. Without a cyberattack, the cyber system will continue to function as intended unless there is an outside force, such as a power outage. Even if a power outage occurs, we can precisely predict the next moment in time after the outage. In the case of a cyberattack, we may not know each individual move a malicious actor might take inside the system, but we can still predict an outcome such as the outage of a system, theft of data, or other outcome. 

In deterministic systems, there are fixed-point attractors, which are mathematical forces that make the system return to stasis or a fixed point if plotted mathematically. If a pendulum is swinging without the power of a wound spring, it will eventually come to rest at a fixed point. The fixed-point attractor is air resistance. In a cyber system, the system will continue to function until acted upon by an outside force, such as a power outage. After power is restored, it will return to its stasis. The fixed-point attractor, in this case, is the supply of power.

An image of a fixed-point attractor

The execution of a cyberattack is a linear act against a linear system. While it causes disruptions and potentially serious damage to the users, the system does not exhibit randomness. This means that we can predict the outcome of a cyberattack if we have perfect information about the attack. The NotPetya attack spread quickly around the world, and the reasons for this were uncovered later. Had investigators known about the use of EternalBlue and how it impacted targeted systems, that spread would likely have been predicted.

Randomness in a system causes it to never fully settle to equilibrium. Unlike a fixed-point attractor, where you can see visually that the system centers around a fixed point, a similar graphic of a strange attractor shows a fractal pattern that never exactly repeats itself.

An image of a strange attractor

Chaotic systems exhibit random behaviors, as you can see in the image above. This randomness creates emergent properties that cannot be described by the combination of the initial state of the system and the forces acting on it. Chaotic systems require two properties: 

  1. Dependence on initial conditions

  2. Endogenous motion (not settling in the absence of external shocks)

A smart city architecture is much more closely related to the dynamics of a chaotic system than a deterministic system. Smart city architectures are the product of the convergence of multiple technologies to create a capability that is greater than any of them individually or combined. The specific technologies deployed in the system, such as IoT devices, cloud, AI, and 5G, plus the infrastructure on which they are deployed, such as water, energy, and citizen data, form the initial conditions of the system. Those initial conditions are critical to how the system functions practically and from a chaos theory perspective. The initial conditions for a smart city are its specific configurations and the manner in which convergence is applied. Since there is no standard makeup for a smart city, the initial conditions vary widely. Some municipalities incorporate cameras, IoT sensors, open data solutions, or other technologies. Those technologies are applied to a variety of city functions such as law enforcement, energy, food, transportation, and others. The initial conditions of a smart city architecture are critically important to understanding the potential randomness from the deployment and, thus, how to create effective policy, governance, and resilience around the system.

The second property is endogenous motion, or the inability of the system to settle. A smart city architecture is constantly collecting and aggregating data from the lives of humans. At the infrastructure layer, there are multiple pieces of hardware that are physically removed from human operators and analysts that all must be orchestrated together such that they work as one. However, these individual devices require firmware updates to be delivered remotely. They also require power sources and some level of physical protection. Because of changing environmental and human-made conditions, a diverse and dispersed infrastructure layer that collects and aggregates massive quantities of data also displays endogenous motion and requires extraordinary oversight to maintain it securely. Smart city architectures should be thought of as constantly in motion and never settling into a steady state (or to a fixed point).

Unknowns

As a chaotic system (mathematically speaking), smart city architectures have the potential to exhibit emergent properties, some of which are positive for our purposes and some of which may be negative. Our desired outcome from deploying a smart city architecture is to improve the lives of the inhabitants, making services more efficient and life in the city more pleasant. These can be emergent properties of the way we create convergence between multiple technologies. Just as we seek these emergent properties, we see the potential for other outcomes that are counter to our intended purpose for the system.

When a cyberattack is launched against a portion of smart city architecture, such as a lone IoT sensor deployed far afield that missed its firmware update, the attack itself is a linear and predictable action. However, we cannot confidently say that we can predict the state of the full smart city system following this external event. With the ability for an attacker to swim upstream into a host of interconnected services, some of which are critical infrastructure, there are technical interdependencies that may go unseen. As a result, we must accept randomness in a smart city system, which, by definition, makes it chaotic. If we accept randomness, our technology governance, policies, and engineering must be recalibrated to accept the unknowns that are present in these systems, particularly as they become more complex.

Understanding and accepting the differences between complicated and complex, linear and non-linear, and fixed-point and strange will help municipal and federal leaders make better policies around smart city deployments. There are no standards around deployments or minimum cybersecurity standards, so each deployment is different. That alone is its own type of complexity since no one deployment will be like another. To create actual resilience in smart city-enabled municipalities, we must apply chaos theory and recognize that a linear act against a non-linear system presents a different kind of threat. One to which we are unaccustomed but next to which we live every day.

Nick Reese

Research Associate for Emerging Technology at GoTech; Former Director for Emerging Technology Policy at the Department of Homeland Security (2019-2023)
