Building Smart City Security

As urbanization intensifies and public sector technology initiatives advance quickly, the once-futuristic promise of “smart cities” is coming to fruition.

Cities have always been “smart” to a degree, using technology to boost the productivity and efficiency of municipal services. But today, the proliferation of digital connectivity and big data explosion are creating new opportunities for beneficial smart-city projects across a range of sectors.

According to the UN, just over half of the world’s people live in urban areas; it is projected that two-thirds of the global population will be city dwellers by 2050, amounting to an urban influx of 2.5 billion people in the next few decades.

The speed and stability with which our cities optimize for efficiency, sustainability and safety will broadly impact quality of life issues around the world. Information and communications technology, including demographic analytics, the Internet of Things (IoT) and cyber-physical infrastructure, will obviously play a central role.

Unfortunately, connectivity and data factors also bring risks, including breaches of personal information, disruption to critical infrastructure and damaged public trust. While a failure of internal systems is a relatively private misfortune, a failure between interconnected sectors presents risks of a much larger magnitude.

The fallout of disruption can extend to cascading failures, wherein highly interconnected entities rapidly transmit adverse consequences to each other. It’s no easy task to invest in information security while creating a sustainable urban environment, but this is the challenge we face as digital connectivity and data-driven services become tightly woven into the fabric of smart cities.

Balance Risk And Reward

As urbanization continues and smart cities evolve, it is becoming harder for organizations to find the optimum balance between commercial risk and reward. Interconnection and interdependence intensify and enable new capabilities, and data proliferates, offering up important insights. It’s easy to identify the benefits, but many risks remain opaque.

A city that is truly “smart” should operate for the benefit of everyone.

Products and services are deployed with security that may be adequate in isolation, yet becomes lamentably weak when connected to other systems. This makes it difficult to measure and mitigate risks, such as contagion in financial markets, loss of public confidence or disruption to infrastructure.

Commercial and public organizations alike are faced with constant changes and a lack of clarity regarding information security standards, governance and legal responsibilities, leaving them unsure how to proceed with major development programs.

As ethical questions arise regarding smart cities, organizations must make new considerations. It may be legally permissible for organizations to collect personal data from smartphones that connect to free wireless access points, but have they considered the perception and repercussions of such activity if it were disclosed publicly?

For example, complex or lengthy end-user license agreements may allow an organization to sell highly sensitive medical data to third-parties, but has the individual truly given informed consent for these actions? This debate is moving steadily into the public policy arena, as the European Union (EU) is now scrutinizing the privacy practices of major technology companies such as Apple, Amazon, Facebook and Google.

In the absence of even vaguely defined smart-city parameters, organizations must keep up-to-date on emerging privacy norms and remain wary of those who offer quick and easy solutions.

Risk managers must prepare in advance by regularly reviewing smart-city products and services, and promptly identify any changes to the organization’s network profile. They will have to monitor continuously for unidentified devices, sensors or other communications capability being added to their network without proper vetting and permissions.

Prioritize Data Security

Smart cities are heavily dependent on gathering and processing data in real time in order to increase service efficiency and improve situational awareness. This data is valuable — in many instances more valuable than the networks it transits — particularly because it can be used to support commercial activity such as targeted advertising or more efficient service delivery.

To gain the maximum value from this data, several thresholds must be met, including:

  • Trusting the confidentiality and integrity of the data so that commercial decisions can be made with confidence.
  • Trusting the integrity and availability of the data to control a physical environment in a safe, reliable way.
  • Establishing and maintaining public confidence in those who process the data and use it for decision making and service delivery.

To achieve these goals, at least two challenges must be overcome. The first is managing the torrent of data generated by people, devices and sensors. Data is the oil that lubricates smart cities; securing this data is a high priority. Accidents and misuse will have significant ramifications in an environment where infrastructure sectors are so closely interconnected that disruption can spread quickly and unpredictably.

The second challenge is to use big-data analytics effectively. Analytics infer patterns and make predictions through aggregation and analysis of large and often disparate data sets.

A purely reactive stance will be less permissible as societal awareness of the value of data grows and the reputational and regulatory consequences of data breaches increase.

Big-data analytics have the potential to open new windows of insight into human behavior and complex system interactions, capabilities that will be increasingly crucial as smart cities become more widespread. From a security perspective, guaranteeing the integrity of this data will be critical to conducting commercial and municipal activities with confidence.

Retaining public trust will remain a high priority. Because of the emerging methods for collecting, aggregating, analyzing and exchanging data, individuals will find it difficult to maintain privacy.

Moreover, it is hard to rectify breaches of personal privacy; once personal data is in the hands of cyber criminals, it is beyond reach. As consumers and citizens become more aware of privacy and security issues, there is growing public demand for protection from unauthorized corporate and government data use.

This demand is happening in parallel with a change of perspectives regarding data. Organizations have long realized the value of personal data, but many individuals are starting to realize it, as well. Governments and regulators are pressing organizations to consider data security and privacy.

For example, in response to sustained popular demand in the EU, the forthcoming EU General Data Protection Regulation will introduce sweeping changes to the way organizations handle the personal data of EU citizens. Similar regulations are emerging in the U.S. at the state government level.

In general, regulations related to personally identifiable information (PII) are becoming more stringent; investment in smart cities must account for these changes. Organizations will be required to make data security a higher priority and to document plans for implementing safeguards. A purely reactive stance will be less permissible as societal awareness of the value of data grows and the reputational and regulatory consequences of data breaches increase.

Maintain Safety, Reliability And Availability

As digital interconnection evolves in smart cities, there will be a corresponding need to devote attention to the safety, reliability and availability of cyber-physical systems (CPS) and other critical network components.

These systems provide new functionality that can improve quality of life and enable technological advances in critical areas, such as personalized health care, emergency response, traffic-flow management, smart manufacturing, homeland security and energy supply management.

Organizations that own, operate or rely on CPS in their supply chain should be aware of the deepening dependence on these systems —  and the importance of maintaining their safety, stability and availability. This dependence is not trivial, given that many CPS are part of critical infrastructure systems.

For example, the Global Positioning System (GPS) underpins many systems, and also provides essential timing and navigation services. Loss or degradation of GPS would have a major impact on key sectors, including telecoms, transport, energy and financial services.

Improvements in miniaturization and processing power, as well as increased bandwidth from service providers, mean CPS can interact with or be controlled by devices that are smaller and more remote. Some of the control will be done via the IoT. Many of these “things” can not only measure temperature, altitude, location and power output, but also activate switches, valves and other elements of CPS.

Clearly, there must be a strong public safety component in all smart-city developments, a perspective not often discussed in information security. CPS go beyond merely measuring the environment — indeed we are moving beyond IT systems that reflect the virtual world to systems that directly influence the physical environment.

We are moving beyond IT systems that reflect the virtual world to systems that directly influence the physical environment.

This paradigm shift from passive to active systems creates safety implications for individuals and communities that interact with and rely on them. CPS have existed for some time, but the growth of smart cities will increase their prevalence. Failure to secure them adequately could adversely affect public safety and result in widespread disruption, especially in densely populated urban areas.

Many information security controls for CPS will be the same as we see with traditional IT systems, but there will be notable differences that must be identified and addressed. As securing highly interconnected systems becomes more challenging, the importance of resilience will be recognized more extensively.

It will be crucial to invest in “bouncing back” after an incident, in order to mitigate the uncertainty of depending on numerous and widely distributed supply chain partners. CPS will be a high priority target for investment in resilience and incident-response planning, given their centrality to smart cities.

Next Steps

Burgeoning experimentation with smart-city capabilities means new use cases will develop, uncovering new opportunities and challenges for organizations and individual citizens. This is an evolutionary process, one which will never be truly finished.

Along the way there will certainly be inflection points where change happens more rapidly and security becomes a higher priority. The next few years will see the rapid growth of smart cities, and organizations will benefit from beginning their strategic planning and prioritization now in order to fully realize the economic, social and environmental benefits.

Balance Risk And Reward

  • Public perception, along with the ethics of data collection and analysis, will begin to play a more prominent role in discussions about smart cities. Consideration must be given not only to the actions being taken, but also to how they will be perceived.
  • Given the rapid rate of change in smart cities, there is a need to conduct regular risk assessments to identify areas where an organization’s risk profile may have changed more rapidly than desired.

Prioritize Data Security

  • Assure the origin of data and decisions made from this data in order to conduct commercial activities with confidence and avoid incidents that could adversely affect customers.
  • Agree on an incident-response plan in order to avoid a reactive posture when something goes wrong. Regulators and insurers will be watching more closely.

Maintain Safety, Reliability And Availability

  • As a result of growing digital interdependency, and the uncertainty it introduces, many sectors will have to prioritize resilience instead of relying solely on technical controls.
  • Attention should be given to the IT policies and standards updates that may be necessary to accommodate CPS and IoT.
  • Because of CPS, public safety will become part of the technology debate around smart cities. Regulation and legislation will not be far behind, and organizations should prepare to influence this discussion.

The Time To Prepare Is Now

Smart cities are more than hype. They are happening and will transform many sectors. It is important to prepare, but proceed with caution. A good degree of uncertainty remains regarding privacy issues, the effects of interdependency, the impact of IoT and other challenges that will no doubt emerge as smart cities become the standard.

Whilst the unknowns loom large, translating into risk for early adopters, a city that is truly “smart” should operate for the benefit of everyone, offering efficiency, opportunity, security and progress for a majority of the world’s population. Achieving these goals is one of the smart city’s biggest challenges.