Date: 2016-12-28

With the Internet of Things making smart city projects an everyday reality, Stephen Pritchard explores what steps are being taken to tackle the security and privacy issues that so often surround them.

"In a smart city, everyone knows your name." This is how Gareth Jones, partner at law firm Bond Dickinson, describes the privacy issues around smart city projects.

Jones' warning was issued to a recent conference on smart cities organized in London by the Westminster eForum, where he explored how security and privacy are emerging as two hidden challenges of smart city projects.

As urban populations grow, public authorities are looking for new ways to deal with congestion, pollution and crime. Applying Internet of Things (IoT) technologies, sensors, and low-power, wide area (LPWA) networks gives administrators a much more detailed and up-to-date picture of what is happening in the city.

"IoT can address problems including parking and traffic, clean water, air pollution and landfill waste," says Tony Judd, managing director for UKI & Nordics at Verizon. "We'll see a massive flow of information from IoT devices."

Increasingly, these data flows are at the heart of urban planning, but connecting city systems brings risks.

"Cybersecurity is a major challenge," warns Cesar Cerrudo, board member of the Securing Smart Cities industry group and CTO of IOActive Labs. "Cities around the world are deploying technology without making sure it’s secure. We haven’t seen important attacks yet… but it’s just a matter of time until attackers target cities."

"Smart infrastructure requires cybersecurity," agrees Dan Byles, vice-president at Living PlanIT and chair of industry group SmartUK. "The idea that older infrastructure is not vulnerable to cyber-attack is a fallacy. Being smarter is fundamentally part of making the infrastructure more secure."

A Matter of Scale

Smart city technology has to communicate across networks and the public internet, and operate at a massive scale.

"You need to think of how to manage these [networks] at a scale with a hundred or a thousand times more devices than the average enterprise runs," says Alex Bazin, vice-president and head of Internet of Things at IT vendor Fujitsu. "You could have tens of millions of users and hundreds of millions of devices, and they need to be maintained, managed, and serviced."

As Bazin warns, older hardware might not have been designed with security in mind, and offers no easy way to apply patches or updates. Updates might even need engineers to visit each device to apply a patch using a laptop.

"There may not be a connection to a fixed network, and LPWA networks don't have a lot of bandwidth. A traditional patch management approach would be a challenge," says Bazin.

Connecting together systems that are designed to operate in discrete silos, isolated from public networks, creates further risks.

"When you put systems together, the attack surface is larger," cautions Aidan Jarvis, cybersecurity expert at PA Consulting. "Smart cities bring together operational technology and use data to make the city more efficient or to make services better, but by bringing it together you have more for the bad guys to misuse or abuse." API security, and the interfaces between systems, are areas hackers are most likely to exploit, he adds.

However, the real risk in smart city projects lies less in the potential to disrupt operational systems, and more in exploiting sensitive and often personal data.

Deanonymizing Data

"Someone could turn traffic lights on or off, but there is not much value in stopping a car in the middle of the road," says Jarvis. "I could make that point by going onto a bridge and dumping horse manure."

However, cities could store up problems by collecting and holding data, if they combine and analyze data sets that were originally meant to be separate. It could, for example, lead to individuals being identified from data that administrators thought was anonymized.

CISOs must be sure they have full and correct consent for any information gathered from the public.

"If you can link CCTV with other data sets that identify people as individuals, you are dealing with personal data, and that can be very dangerous territory," says Bond Dickinson's Jones.

"It's important that we map data flows, identify who has touch points with the data, who the controller and processor is, and ensure compliant agreements are in place."

PlanIT's Byles agrees: "Don't collect more data than necessary, and don't aggregate data unnecessarily; that will reduce the attack surface. Most data should be used close to where it’s gathered."

For smart city projects to succeed in improving our quality of life, they have to be ambitious and, often, bold. But ignoring data security and privacy is not an option. Overcoming technical security challenges is the only way city leaders can ensure the future of urban areas is both efficient and safe.