Without robust cybersecurity systems, smart cities are flawed, writes Haider Pasha, chief security officer for the Middle East and Africa at Palo Alto.
As we work our way through what living with COVID-19 means for our societies, there’s a growing body of opinion that smart city technologies could be helpful to how governments and business leaders respond in the future. For example, Professor Jason Coburn, who studies urban health at the University of California, Berkeley has written about how smart city planning could slow future epidemics, using technology to prevent diseases from spreading while helping to ensure the availability and safety of critical resources, including water, transportation and healthcare.
However, the more connected devices there are, and the more data collected there is, the greater the opportunity for cyber-attackers. Smart cities must be secure by design to prevent cybercriminals being able to access sensitive data, disrupt critical IT systems in traffic management, internet access and more.
According to ABI Research, many cities are already seeing the benefits of using smart city technologies in managing the pandemic, including:
Smart cities, built on the concept of digital municipal systems that do everything from controlling traffic grids to ensuring water quality, preceded COVID-19 and have long been popular. Research by IDC conducted pre-pandemic forecast that $189.5 billion (about £144 billion) will be spent worldwide on smart cities initiatives by the year 2023. Furthermore, it indicated that more than half of global spending on smart cities projects is concentrated in three use cases: resilient energy infrastructure, data-driven public safety and intelligent transportation.
Smart city planning could slow future epidemics
There is huge potential still to be tapped for systems that improve how communities work, live and play. San Francisco’s smart power grid and Barcelona’s digitised waste management systems are just two examples of tens of thousands of smart cities initiatives that are improving the lives of residents.
Nevertheless, without cybersecurity, smart cities are flawed. The more things that are connected, the greater the opportunity for cyber-attackers to infiltrate systems, exfiltrate sensitive data and disrupt potentially critical systems in law enforcement, public health and other municipal applications.
Internet of Things (IoT) devices should be of particular concern because their use in smart cities is growing exponentially. According to the European Telecommunications Network Operators’ Association, the number of active IoT connections in Europe alone is expected to grow to 740 million by 2026. Unit 42, Palo Alto Networks threat intelligence arm’s 2020 IoT Threat Report found that 98 per cent of all IoT traffic is unencrypted, meaning that any cybercriminals that have successfully bypassed the first line of defence can collect and sell exposed personal or confidential information. Smart cities are great in terms of the new capabilities they bring, but it can all come crashing down around elected officials, government department heads, local businesses, citizens and visitors if cybersecurity is not a top priority.
Smart cities must be ‘secure by design’. Connected systems for first responders, environmental controls, public internet access, traffic management, green energy and more must be based on rock-solid, intuitive and automated security protocols and policies from the start.
Cybersecurity that is ‘bolted on’ after systems are in place – and maybe after data breaches have already occurred – is next to worthless. Hackers are resourceful and highly collaborative – add-on security initiatives won’t work. One big reason why is the dramatic proliferation of endpoints – different forms of sensor-based systems and devices as gateways for hackers to the cloud where they can access far more.
Cybersecurity that is bolted on is next to worthless
This expansion of the attack vector is even more problematic when you consider that IoT devices, both for commercial and industrial applications, have innate security challenges because they often can’t support the memory requirements for many cybersecurity protocols. Then, add in the reality that humans—municipal workers, citizens, visitors and businesspeople piggybacking onto municipal Wi-Fi systems—are often weak links in the cybersecurity chain because of poor security hygiene.
City, region and national leaders can achieve cyber resilience, but a big obstacle to overcome is, ironically, governance. The lack of governance on smart cities initiatives on a wide range of issues such as data handling, privacy policies, access privileges and more, is highly problematic. For example, when hiring a vendor to install smart streetlights, if government officials and their technical teams don’t have the right governance policies in place, there will either be delays or insecure lights installed. If they are insecure, hackers could access back-office systems through the lights, and data exfiltration or worse could result.
Good cybersecurity hygiene by all stakeholders involved in smart cities is imperative. Strong authentication policies, such as frequent and regular changing of passwords, multi-factor authentication and increased adoption of biometrics, are essential. This needs to be a personal commitment by anyone accessing smart cities digital services, but automated policies mandated and installed by the governments must also be created.
In addition, municipalities need people looking after the smart cities programs who have cybersecurity experience and expertise. That doesn’t necessarily mean you have to hire a team of security engineers, but you do need leaders and practitioners for whom cybersecurity is a familiar discipline. They need to be able to see the big picture and ensure that the technical and operational details are in place.
There are key questions that non-technical municipal leaders—elected officials and governmental department heads—must be ready to ask their chief information security officer, CIO and other technical executives who have cybersecurity oversight. These include:
Successful smart cities initiatives require a checklist with four major elements: visibility, to make sure you see what is actually happening in those systems; analytics, to identify risks and abnormal systems and network behaviour; control, to manage and, if necessary, to compartmentalise key systems against threats, and coordination among all key constituents to ensure that security is ‘baked in’ for smart cities initiatives. To avoid hackers infiltrating networks and stealing private data, all stakeholders in smart cities need to ensure their municipalities are fully protected. Adopting the ‘secure by design’ mantra is crucial to making that happen.