Smart cities need smart cybersecurity

By Amit Roy Choudhury

It is best to treat smart cities like giant corporations which have a standardised cybersecurity policy.

One of the most significant non-pandemic-related stories of the past 18 months has been the rapid digital transformation, not only of organisations but of society at large.

According to McKinsey, the Covid-19 pandemic has resulted in seven years’ worth of digital transformation happening in 2020 itself. There is no turning back.

Irrespective of how long this pandemic drags on, the sense of urgency among organisations to ensure that they are not left behind by their competitors in the digital sweepstakes is going to be a permanent feature. Companies are upgrading not only systems and processes but their entire approach to core business functions to get ready for the brave new digital world.

The shift is not just work-related. Online shopping, food ordering through mobile apps and family Zoom meetings, among others, have become part of the daily routine just as work from home has become the new norm. The world will emerge from the pandemic far more digital than it was before the start of the Covid-19 crisis.

Smart cities vs security


Digitalisation does not happen in a vacuum. The same technologies that are powering digital transformation are the ones that are fuelling the smart city ambitions of governments around the world. A World Economic Forum (WEF) report says that the pandemic has accelerated the adoption of digital city services, which are a vital component of smart and inclusive urban space.

Policymakers and smart city builders need to keep in mind the security implications of smart city projects where data, including personal data, is the key to services provided. As digital and physical infrastructures converge in smart cities, they are exposed to the same dangers which digital organisations face from cyber threats. This is especially so with today’s automated and digitalised public utilities.

There have been several cyberattacks on smart city systems in the recent past. Early this year, hackers were able to get into the supervisory control and data acquisition (SCADA) system of the water plant in Oldsmar, Florida, USA, and alter the amount of sodium hydroxide in the water. Cities like New Orleans, Knoxville and Las Vegas in the US have also had their systems affected by ransomware attacks.

Is expertise available?


The question that needs to be asked is, do the authorities in cities that offer “smart” services have the necessary expertise to guard against extremely sophisticated cyber-attacks that are happening around the world?

Let’s first look at the kind of investment that is going into smart city infrastructure.

According to a Frost & Sullivan report, in the post-pandemic world smart cities will focus on developing collaborative, data-driven infrastructure to provide appropriate healthcare facilities and public security services. This will create significant business opportunities with a global market value of US$2.46 trillion by 2025, the report said. Smart cities are expected to spend US$327 billion on technology by 2025, growing at a compound annual growth rate of 22.7 per cent, according to Frost.

While big-budget allocations are being planned, it is useful to look at what the WEF says. The report notes that while 80 per cent of cities that are planning smart services acknowledge that they have legal obligations for privacy and data protection, less than 25 per cent have conducted privacy impact assessments when deploying new technology.

The study also notes that while smart cities make access to digital city services a vital component of an inclusive city, less than half have policies to embed basic accessibility requirements into their ICT procurement, and less than half of cities provided evidence that they implement these requirements in practice.

Smart cities are an amalgamation of disparate technologies and systems, as Deloitte notes. The system comprises data gathering devices like IoT sensors (traffic cameras, for example) sitting at the edge of the city IT network.

These devices connect to the core system where the data received from various sources within the city network are analysed, usually on a cloud platform, and actionable information is gleaned from deep learning algorithms. All this is made possible by a combination of fixed-line and mobile telephony networks which allows for the back-and-forth transmission of the data.

The two-way flow of data is vital for the smooth running of a smart city. Mobile networks, especially 5G, will be the key.

Off-the-shelf devices


IoT devices, street cameras, pollution monitors, motion sensors and other smart devices are usually bought off the shelf from various manufacturers, many of whom do not have a strong cybersecurity background.

Individually, these devices do not need much security. But when they are connected to the network, each of them could be a potential weak point through which bad actors can access the network. The mobile telephony network also has its set of cybersecurity challenges, especially with 5G becoming mainstream.

Finally, the core of the network, where data is aggregated and analysed, is the most valuable part of the network and is also the area that hackers want to access the most. Are civic authorities prepared to tackle the myriad of compliance and cybersecurity issues that arise from collating so much data for analysis?

For instance, as data privacy laws become more stringent, data governance can be a thorny issue for cities. They need to think about whether the data is internal or external; whether it is personal data; what data can be stored and how; which data can be duplicated; and which data needs to be deleted after a certain period.

When all these different devices, applications and technologies are connected, the attack surface increases dramatically. A network is only as secure as its weakest link. These increasingly sophisticated and complex systems require cybersecurity best practices, impact assessments for potential failure or compromise, and the establishment of incident response capabilities.

Not all tech is equal


A University of California at Berkeley study argues that different smart city technologies pose different levels of risk. The most vulnerable are technologies such as emergency alerts, street video surveillance and smart traffic signals. The study recommends that city officials consider whether the cybersecurity risks of a particular piece of technology potentially outweigh the gains on a “case-by-case” basis.

There are no easy solutions to the cybersecurity dilemma faced by smart city planners. A central cybersecurity policy is a must and this must extend to vendors who supply equipment for smart city projects.

The policy needs to include education and training to help smart city users, critical infrastructure owners, transportation operators and others to raise the level of cybersecurity awareness in smart cities. There is a need to constantly update emerging security standards and follow government guidelines to ensure systems are secure by design, and perform adequate testing before and after installation to address any flaws.

Cybersecurity cannot just be the government’s responsibility. Equipment suppliers, third-party vendors and even end-users need to be aware of the potential dangers. It is best to treat smart cities like giant corporations which have a standardised cybersecurity policy.

All this does not mean that the idea of smart cities is inherently risky. Rather, what it means is that as technologies become “smarter” we also need to adopt smart ways of keeping the network safe to enjoy a better quality of life.

Amit Roy Choudhury, a media consultant and senior journalist, writes about technology for GovInsider.