Smart cities should learn from decades of cybersecurity practice when building networks, writes Neil Correa, security strategist, Micro Focus
Since the middle of the Twentieth Century, two of the biggest social shifts we’ve seen have been about communication at a distance and people coming physically closer together. Even while the internet has connected people across the globe at the speed of light and changed the way we live and work, our cities have grown remarkably, from 750 million to nearly three billion people between 1950 and 2018, and the UN projects that the urban population will grow to nearly 6.7 billion by 2050.
While there are clear benefits to mass urbanisation, cities can also struggle to cope with this expansion, as infrastructure stretches to accommodate more people in the same space. Everything from public transport to refuse collection to air quality to healthcare services can find itself at the edge of crisis as cities continue to grow.
The internet, meanwhile, is adept at scaling out to match demand, which is why so much investment is now going into integrating these two social shifts. Smart cities initiatives promise to digitalise infrastructure and services in order to find efficiencies, reduce resource usage, improve accuracy, and generally do more with the capacity that cities already have. Last year, IDC forecasted that smart cities spending will reach $189 billion by 2023, with efforts focused on energy, safety, and transportation.
Importing the benefits of digital networks to help cities thrive, however, also means importing the challenges and risks which we’re now familiar with online. Collecting data and turning it into actionable insight underlies a lot of contemporary industrial innovation, from present-day realities like smart banking apps to incoming disruptions like autonomous vehicles. Often, though, this data is highly sensitive, and security vulnerabilities of the kind that we have seen affect many business institutions could have catastrophic consequences in the context of the smart city.
Centralising data is a goldmine for bad actors
It is therefore critical that we advance smart cities infrastructure while thinking about security from the ground up. We have already seen the kinds of cyber attack which could compromise smart city infrastructure. Connected sensors embedded in internet of things (IoT) devices will provide the massive pool of data which can enable the same kind of analytics we already see happening on things like social media activity, shopping behaviours, and media consumption. Street lights which report performance and enable predictive maintenance; security cameras which use machine vision in order to alert people to situations which require human attention; traffic lights which react to air quality and traffic flow to keep streets healthy and moving: IoT plays a central role in the smart city.
Because these devices are heavily networked, a security vulnerability in just one of them could lead to entire network segments being compromised, and the data they hold being stolen. As an example, it was reported in 2016 that over half a million IoT devices were susceptible to the Mirai botnet. While that botnet was used to launch Distributed Denial of Service (DDoS) attacks against servers – taking them offline by flooding them with requests from many different places at once – within a smart city, similar vulnerabilities could threaten essential services that people rely on every day, from transport to water and power supplies.
While these risks exist, they’re not inevitable – and knowing about them is an opportunity to take action in advance of problems occurring. What’s more, cyber hygiene practices are well established in the software world and can be adapted to IoT situations.
As a checklist, smart cities stakeholders should ensure that a few key steps are in place: defining security requirements, such as following a standardised framework so that all parties agree on the risks and the mitigation strategies; maintaining software security, making sure that the applications embedded in IoT devices are regularly tested and updated; practising entity management, so that connected devices don’t get forgotten about in security updates and leave holes open for attackers; and implementing data analytics, to support the healthy functioning of the city in real time.
Collecting potentially sensitive data and centralising its storage and analysis creates a goldmine for bad actors. Personal health information, for instance, can help identify trouble spots, ease the burden on healthcare provision, and monitor overall trends in citizens’ health – but in the wrong hands, it could also be used for fraud and blackmail. This means that as well as making sure that the smart city technology is performing its function, it’s also vital that privacy regulation compliance is considered.
Even where it is assumed that a system is secured, steps can be taken to minimise the risk of data leaks. Labelling sensitive data as sensitive helps systems to treat it with care and only access it when absolutely necessary, while encrypting and pseudonymising data limits its usefulness if it does fall into the wrong hands. Importantly, developing and practising incident response plans ensures that authorities can react rapidly and appropriately if something does go wrong.
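To make the labelling and pseudonymising step concrete, here is an added example (not from the original article) that applies per-field sensitivity labels to a health-sensor record before it reaches a central analytics store. The field names, labels, sample records and key are all constructed for illustration, and encryption at rest is left out so the example stays within the standard library.

```python
import hashlib
import hmac

# Hypothetical sensitivity labels for a constructed health-sensor schema.
LABELS = {
    "name": "direct-identifier",         # never needed for trend analysis
    "patient_id": "linking-identifier",  # needed to link readings, not to name people
    "postcode": "quasi-identifier",      # useful only at district level
    "heart_rate": "non-sensitive",
    "clinic": "non-sensitive",
}

# Constructed sample records; the second carries a field nobody labelled.
SAMPLE = [
    {"patient_id": "P-1001", "name": "A. Example", "postcode": "SW1A 1AA",
     "heart_rate": 72, "clinic": "North"},
    {"patient_id": "P-1001", "name": "A. Example", "postcode": "SW1A 1AA",
     "heart_rate": 88, "clinic": "North", "device_serial": "X9"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256: stable for linking, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_analytics(record: dict, key: bytes) -> dict:
    """Return the copy of a record that is allowed into the central store."""
    out = {}
    for field, value in record.items():
        # Fail closed: a field without a label is treated as a direct identifier.
        label = LABELS.get(field, "direct-identifier")
        if label == "direct-identifier":
            continue                              # dropped entirely
        if label == "linking-identifier":
            out[field] = pseudonym(str(value), key)
        elif label == "quasi-identifier":
            out[field] = str(value).split()[0]    # keep the outward district only
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # in practice held apart from the data store
    for rec in SAMPLE:
        print(prepare_for_analytics(rec, demo_key))
```

Because the pseudonym is keyed, a stolen copy of the analytics store cannot be matched back to patient identifiers by hashing guesses, provided the key is stored separately from the data.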
All of this advice draws on hard-learned lessons from decades of cybersecurity development and practice. As we ramp up spending on smart cities, we have an opportunity to apply those lessons from day zero. In doing so, we’ll make our urban spaces safer, more efficient, and healthier, while also building up trust with the people who live there. With a big prize on offer, security cannot be an afterthought.