Smart Cities Are Exciting—Until There’s a Cybersecurity Snafu

The ideas behind “smart cities” are becoming more relevant as leaders in government and business seek innovative ways to respond to the global COVID-19 pandemic.  A recent article in Wired described how smart city planning could slow future epidemics, using technology to prevent diseases from spreading while helping to ensure the availability and safety of critical resources, including water, transportation and healthcare.

Many cities are already seeing the benefits of using smart city technologies in managing the pandemic, according to a survey from ABI Research: 

  • Using drones with facial recognition technology to track those who are infected with the virus to ensure they don’t break quarantine and risk spreading the virus.
  • Using technology to communicate and enforce social distance guidelines and monitor the delivery of medical supplies.
  • Real-time dashboards and data sharing using smartphone data and crowd sourcing for location tracking.
  • Remote temperature sensing using artificial intelligence, and autonomous last-mile delivery of critical equipment and supplies.

Smart cities preceded COVID-19, of course, built on the concept of digital municipal systems that do everything from controlling traffic grids and ensuring water quality to promoting online voting. This was already a high growth market segment. Research conducted pre-pandemic indicated that a staggering $189 billion would be spent worldwide on smart cities initiatives by the year 2023. 

And we’ve probably only scratched the surface. That same research indicated that more than half of global spending on smart cities projects is concentrated in three use cases: resilient energy infrastructure, data-driven public safety and intelligent transportation. 

It’s easy to see the potential innovation still to be tapped for systems that improve how communities work, live and play. San Francisco’s smart power grid and Barcelona’s digitized waste management systems are just two examples of tens of thousands of smart cities initiatives that are improving the lives of residents.

As big as the potential may be, however, city leaders and technology decision-makers must keep cybersecurity top of mind.  The more things that are connected, the greater the opportunity for cyber-attackers to infiltrate systems, exfiltrate sensitive data and disrupt potentially critical systems in law enforcement, public health and other municipal applications. 

Internet of Things (IoT) devices should be of particular concern because their use in smart cities is growing exponentially. According to one study, the number of active IoT devices in Europe alone is expected to grow to 53 million in 2025.

Enhanced cybersecurity readiness, resilience and responsiveness are key. Yes, the intended benefits and new capabilities of digital municipalities are incredibly exciting, but it can all come crashing down around elected officials, government department heads, local businesses, citizens and visitors if cybersecurity is not a top, top priority.

Smart Cities Must Be Secure by Design

Smart cities are a classic case of the vital importance of “secure by design.” Connected systems for first responders, environmental controls, public internet access, traffic management, green energy and more must be based on rock-solid, intuitive and automated security protocols and policies from the start. 

Security that is “bolted on” after systems are in place (and maybe after data breaches have already occurred) is next to worthless. The hackers are resourceful and highly collaborative with each other. Add-on security initiatives are not going to work, and the potential consequences are stunningly frightening. (And I’m sure I don’t have to remind you about the newest scourge of municipal systems—ransomware.)

One big reason why is the dramatic proliferation of endpoints at the edge of municipal networks and as gateways to the cloud. This isn’t just more notebook computers, tablets and smart phones; it’s different forms of sensor-based systems and devices. 

This expansion of the attack surface is even more problematic when you consider that IoT devices, both for commercial and industrial applications, have innate security challenges because they often can’t support the memory requirements for many cybersecurity protocols. Then, add in the reality that humans—municipal workers, citizens, visitors and businesspeople piggybacking onto municipal WiFi systems—are often weak links in the cybersecurity chain because of poor security hygiene.

The importance of security by design becomes even more apparent with smart homes. Take one element of smart homes: energy-saving automatic lighting and energy metering. More and more municipal-owned utilities are installing smart meters to help consumers monitor energy costs and conserve energy. If security is not properly designed into those systems from the start, it’s easy to imagine what hackers could do if they got access to residents’ home computer networks. What a treasure trove of personal and private data they could access, from banking records to health insurance numbers.

Ensuring Cyber Resilience

So, what do you do about it?

One big issue for local, state and national governments is, ironically enough, governance. The lack of governance on smart cities initiatives, on a wide range of issues such as data handling, privacy policies, access privileges and more, is highly problematic. No, it’s worse than that; it’s a potential nightmare for chief information security officers, SOC personnel, IT teams and, of course, public officials who need to ensure that there are clear rules that govern access to critical systems and data.

For instance, take something as seemingly modest as hiring a vendor to install smart streetlights. If government officials, and their technical teams, don’t have the right governance policies in place to ensure that the vendor has designed in security so hackers don’t creep into back-office systems through digital lighting systems, data exfiltration—or worse—can result.

All parts of smart cities—governmental bodies, municipal leaders, local businesses, citizens and visitors—also must practice good cybersecurity hygiene. Good authentication policies, such as frequent and regular changing of passwords, multi-factor authentication and increased adoption of biometrics, are essential. Obviously, this has to be a personal commitment by anyone accessing smart cities digital services, but it also has to be backed by automated policies mandated and installed by governments.

Moreover, municipalities need people looking after the smart cities programs who have cybersecurity experience and expertise. That doesn’t necessarily mean you have to hire an army of security engineers, but you do need leaders and practitioners for whom cybersecurity is a familiar discipline. They need to be able to see the big picture and ensure that the technical and operational details are in place.

Four Major Elements

Finally, there are key questions that non-technical municipal leaders—elected officials and governmental department heads—must be ready to ask their CISO, CIO and other technical executives who have cybersecurity oversight. These include:

  • Do we have a documented incident response plan? If so, what is it? Many municipal leaders often think their organization has a plan, but then are surprised to learn just how threadbare that plan actually is.
  • What are our governance strategies for securing systems, applications, data and identities?
  • Should we allow our legacy (and presumably less likely to be “secure by design”) systems to connect with other systems and devices on the edge?
  • What kind, and what frequency, of cybersecurity testing are we doing? What metrics do we receive on those tests, and what do we do about the results?

In the end, successful smart cities initiatives require four major elements: visibility, to make sure you see what is actually happening in those systems; analytics, to identify risks and abnormal systems and network behavior; control, to manage and, if necessary, to compartmentalize key systems against threats; and coordination among all key constituents to ensure that security is “baked in” for smart cities initiatives.

Don’t let your municipality become a front-page headline when cyberhackers infiltrate your databases, snarl up your traffic grids ... or worse. Adopt “secure by design” as the mantra of all your smart cities initiatives.

Haider Pasha is chief security officer for Middle East and Africa at Palo Alto Networks.
