The concept of “smart cities” – digital municipal systems that do everything from controlling traffic grids and ensuring water quality to promoting online voting and identifying sources of gunshots in far-flung neighbourhoods – is now commonplace. It’s an exciting, hyper-growth market segment: research indicates that a staggering $189 billion will be spent worldwide on smart cities initiatives by 2023.
More than half of global spending on smart cities projects is concentrated in three use cases: resilient energy infrastructure, data-driven public safety and intelligent transportation. Clearly, it’s easy to see the potential innovation still to be tapped for systems that improve how communities work, live and play. San Francisco’s smart power grid and Barcelona’s digitized waste management systems are just two examples of the tens of thousands of game-changing smart cities initiatives, with many more to come.
But there are unintended consequences to all those systems, sensors and devices connected to each other – and to external systems around the world – over lightning-fast networks via the public internet and a wide range of cloud computing architectures. The more things that are connected, the greater the opportunity for cyberattackers to infiltrate your systems, exfiltrate sensitive data and disrupt potentially critical systems used in law enforcement, public health and other municipal applications.
In the world of smart cities, enhanced cybersecurity readiness, resilience and responsiveness are a must. The intended benefits and new capabilities of digital municipalities are incredibly exciting, but it can all come crashing down around elected officials, government department heads, local businesses, citizens and visitors if cybersecurity is not top priority.
Smart cities must be secure by design
Connected systems for first responders, environmental controls, public internet access, traffic management, green energy and more must be based on rock-solid, intuitive and automated security protocols and policies from the start. Security that is “bolted on” after systems are in place (and maybe after data breaches have already occurred) is next to worthless. Hackers are smart, resourceful and highly collaborative. Add-on security initiatives are not going to work and the potential consequences are stunningly frightening, often involving ransomware attacks which can paralyse municipal systems.
The cyber-risk to smart cities is compounded as a result of the dramatic proliferation of so-called “endpoints” at the edge of municipal networks and as gateways to the cloud. These are not just more notebook computers, tablets and smartphones but novel forms of sensor-based, “intelligent” systems and devices. Then add humans – municipal workers, citizens, visitors and business people piggybacking onto municipal wifi systems – who are often weak links in the cybersecurity chain because of poor security hygiene.
The importance of “security by design” becomes apparent when considering the increase in the use of smart applications in the home, such as energy-saving automatic lighting and energy metering. If security is not effectively designed into these systems, it’s easy to imagine what hackers could do if they got access to residents’ home computer networks, and the treasure trove of personal and private data they could access, from banking records to health insurance numbers.
Ensuring cyber-resilience
A big issue for local, state and national governments is the lack of governance for smart cities initiatives, in particular regarding issues such as data handling, privacy policies and access privileges. For instance, take something as seemingly modest as hiring a vendor to install smart streetlights. If government officials and their technical teams don’t have the right governance policies in place to ensure that the vendor has designed-in security preventing hackers from creeping into back-office systems through digital lighting systems, for example, data exfiltration – or worse – could result.
All actors in a smart city environment – government bodies, municipal leaders, local businesses, citizens and visitors – must practise good cybersecurity hygiene. Good authentication policies, such as frequent and regular changing of passwords, multi-factor authentication and increased adoption of biometrics, are essential. There has to be a personal commitment made by anyone accessing smart cities’ digital services, but automated policies should be mandated and installed by governments.
Municipalities also need leaders with cybersecurity experience and expertise involved in smart cities’ programmes. That doesn’t necessarily require the recruitment of an army of security engineers, but rather leaders and practitioners for whom cybersecurity is a familiar discipline. Such smart city “champions” need to take account of the broader context and ensure that the technical and operational details are in place.
Finally, there are critical questions that non-technical municipal leaders – elected officials and government department heads – must be ready to ask of their CISO, CIO and other technical executives who have cybersecurity oversight:
- Do we have a documented incident response plan? If so, what is it? Many municipal leaders often think their organization has a plan, but are surprised to learn just how threadbare that plan actually is.
- What are our governance strategies for securing systems, applications, data and identities?
- Should we allow our legacy (and presumably less likely “secure by design”) systems to connect with other systems and devices on the edge?
- What kind of cybersecurity testing are we doing and at what frequency? What metrics do we receive on those tests and what do we do about the results?
Ultimately, successful smart city initiatives require four major elements: visibility, to make sure you see what is actually happening in those systems; analytics, to identify risks and abnormal systems and network behaviour; control, to manage and, if necessary, to compartmentalize essential systems against threats; and coordination among all crucial constituents to ensure that security is baked in.