Securing Smart Cities of the Future

The future of the world’s population is urban. More than two-thirds of our planet’s population are expected to live in urban areas by 2050, driven by rapid urbanization in Asia and Africa. Even as another 2.5 billion people are expected to be added to our cities over the next three decades, the challenges of providing critical infrastructure and urban services to them, loom large.

As with all other challenges, man is turning towards technology to create better, safer and more efficient cities. From utilities, transportation, traffic, waste management, pollution, sustainable living, to safety, healthcare and governance, smart cities are emerging as the answer to managing growing urban agglomerations.

Smart city initiatives are game changing. Home heating from renewable sources in Yokohama, Barcelona’s digitized waste management systems, smart parking solutions deployed by Canberra, real time public transport monitoring in Groningen or a distributed air quality network at Nijmegen – are just a few examples.

Interconnectivity is a Double-Edged Sword

Smart cities run on the backbone of sensors and IoT devices that are connected – to each other, to control systems and external systems – over the internet and cloud computing architectures. They transmit personal and confidential data through unsecure channels, with devices that are not patched and don’t support data encryption. The very interconnectivity that makes a smart city work also creates substantial cybersecurity risks. Every access point expands sensitive data exposure vulnerabilities and digital attacks have already begun.

Atlanta was held hostage to a massive ransomware cyber-attack in 2018. The breach shuttered many devices for five days, interrupted law enforcement, business licenses and even America’s busiest airport, among several other disruptions. Ransomware attacks also took out most of Baltimore’s servers and paralyzed its 911 emergency call center in the same year, costing $18m in damages.

Attacks aren’t limited to American cities. Dublin’s tram system was disrupted in a ransomware attack, as was Stockholm’s air traffic control and railway ticketing systems. Power supplies to Johannesburg and Hyderabad were also crippled through ransomware attacks. Apart from ransomware, cyber-criminals deploy numerous other techniques including remote execution, signal jamming, as well as traditional means, such as malware, data manipulation and distributed denial of service attacks. Their digital arsenals are sourced from the deep web and their weapons are fully automated, powering attacks that can run 24/7.

Easy Targets or Preventable Crime?

Cities make easy targets for cyber-criminals because they lag behind in technology usage and familiarity. The underlying technology running their critical infrastructure is, at best, outdated. The technological acceleration that transforms existing cities to smarter ones adds complexity. Smart cities aren’t built in one go, but rather evolve over time. Given that they use technologies that are initially experimental in nature, they remain perpetual beta versions – increasing the probability of mishaps.

Cities currently generate 70% of the world’s gross domestic product. This translates to an easy path for financial gains for cyber-criminals who can breach a smart city’s defenses. Smart cities must, therefore, be secure by design, not bolted on after systems are in place. They should base their systems on rock-solid, intuitive and automated security protocols and policies right from the start, consulting with and involving citizens at every stage. This will help build confidence and ownership about upholding citizens’ privacy requirements.

Cyber-Risk Defined By Convergence of Old and New

The smart city ecosystem’s security risk is influenced by several factors. The convergence of cyber-systems and operational systems exposes devices and sensors at the edge to become entry points for cyber-criminals. Devices as innocuous as energy-saving automatic lighting or energy meters can become potential entry points. Once hacked and infected with malware, they open up other connected devices to penetration, causing cascading damage throughout the entire infrastructure.

Interoperability compulsions between legacy systems and new age digital technologies translate into disparate technology platforms being force fitted to work together. Without consistent security policies and procedures to govern their operational framework, they expose the entire ecosystem to hidden security vulnerabilities. Exacerbating this challenge is the lack of generally accepted standards governing the functioning of IoT- enabled devices at the edge. What this means is that security is usually compromised at the altar of interoperability.

Another influencing factor is the integration and interconnection of different services and departments within a smart city ecosystem. They are used to working independently in silos. This mingling of services and systems integration, interconnectedness and data exchange creates shared vulnerabilities. So, a problem in one service area can quickly infect other areas.

Integrated Frameworks and Comprehensive Governance Models

Overcoming cybersecurity threats caused by issues of convergence, interoperability and interconnectedness requires a cyber-risk framework. Such frameworks must provide cities with the management principles to incorporate industry cybersecurity standards into the design, ensuring that confidentiality, integrity and availability requirements are met. It should integrate legal and regulatory requirements that assess the effects of cyber-risk on all ecosystem participants, services, infrastructure and processes. This framework must be drawn and integrated into the planning, design, implementation and transformation blueprints, and in line with the broader smart city strategy. Additionally, it must also evaluate each system’s and asset’s influence on each other.

IoT devices and networks should be protected from attacks by device authentication, patching, encrypting the data and through security monitoring. Enforcing strong secure channels and establishing a secure chain of trust among interconnected devices is critical. Physical security measures such as protecting IoT devices from unauthorized access and cyber-attacks must not be overlooked.

Smart cities also need to formalize a comprehensive governance model that spells out roles and responsibilities for each critical component in the ecosystem. The model should underpin the continuous alignment of policies, legislation and technology for the right balance of protection, privacy, transparency and utility.

Finally, smart cities need to establish a network with an ecosystem of other smart city governments, academia, private sector and startups, so they don’t have to fight this battle alone. While their immense potential remains, managing the associated cyber-risks effectively is crucial to realizing the smart city promise.

What’s Hot on Infosecurity Magazine?