Smart cities: five smart steps to cybersecurity

The cities of the future may be smart — but will they be cyber safe?

As urban centers continue to balloon in population, many become “smart cities” through a digital transformation intended to make their residents’ lives better, governance more effective and resource consumption more efficient — via the instrumentation of, well, just about everything in a city. Any metropolis’s street lights, traffic signals and cameras, electric and gas meters and sewers can all feed into this digital infrastructure. Citizens will also connect with the smart-city infrastructure to gain municipal services or pay bills.

All together, the smart-city market is expected to exceed $1.7 trillion in the next 20 years. But the interconnectivity across the virtual and physical infrastructure that makes a smart city work also creates new and substantial cybersecurity risks. With each additional access point, sensitive data exposure vulnerabilities expand. Smart cities can be susceptible to numerous cyber attack techniques, such as remote execution and signal jamming, as well as traditional means, including malware, data manipulation and DDOS. To counter the risks, comprehensive smart-city plans designed to safeguard what is clearly “critical infrastructure” are needed on behalf of all parties involved, from the individual citizen to large public and private institutions.

There’s no question the smart-city shift is emerging. At the Mobile World Congress in Barcelona in February 2017, global PwC chairman Bob Moritz cited rapid urbanization as one of the most important forces impacting our world today. And the numbers are eye-opening: 1.3 million people move into cities each week, and with this influx, 65% of the world population will be city dwelling by 2040. Today, the world harbors 21 megacities of more than 10 million people each — up from just three in 1975. Urbanization is creating big gains: The top 600 urban centers generate 60% of global GDP, and that number will only grow as more people move to cities.

Meanwhile, cities are looking to use a fusion of technologies that work best leveraging a large city-scale. Innovations such as mobile, Big Data, artificial intelligence, robotics and the Internet of Things are all transforming a huge array of human interactions, including how we work, govern and interact — and the cities in which we live.

In short, tremendous communication among city systems means that huge amounts of data accrue to the agencies that provide municipal services, including private information about residents’ finances and movements. Essentially, a smart city could be seen as one gigantic, city-sized Internet of Things (IoT) device, communicating with each other and with residents’ smartphones or wearables, opening and closing virtual doors that would otherwise require locks and keys.

The reality, however, is that many of those smart-city doors are never completely locked. Rather, they are ajar — and may be alarmingly exposed to cyberattack. Indeed, absent efforts to address, your future smart city may not actually keep you safe.

Burgeoning vulnerabilities

Because a threat could enter a smart-city infrastructure at any compromised point, the risk can quickly grow as one system can then compromise the next. In a classic weakest-link scenario, one seemingly innocuous connected device, when hacked and injected with malware, could potentially open up an array of other devices to penetration, causing cascading damage throughout the entire infrastructure.

For instance, a breach of street light systems could lead to control of the lights, which could lead to servers, in turn leading to data about individual customer behavior, eventually winding up with access to financial information and other personal information about citizens — possibly even their health records. It’s not unlike a recent big distributed denial of service (DDOS) attack, in which everyday IoT devices such as baby monitors were hacked and turned into a botnet to kneecap some of the world’s biggest websites. Cities could be similarly susceptible as they rapidly deploy connected devices across municipal domains.

Also, customer-centric information — the objective of which is convenience for the citizen user — can also be quite vulnerable. Unfortunately, the development of cybersecurity credentialing, security, safety and prevention systems for smart cities has not kept pace with the burgeoning adoption of digital capabilities. Even in the most security-conscious cities, the technology that allows ambulances to turn red traffic lights to green has already been hacked, for instance. Meanwhile, penetration of the power grid infrastructure is not uncommon. And, of course, examples abound of breached personal information in the private sector. Once a city becomes “smart” via interconnectivity, the potential for havoc is boundless. Imagine all of a city’s stop lights set to green as a worst case scenario.

Some European cities — anticipating the potential downside of digital transformation without controls — have already implemented safeguards. With the European Union’s General Data Protection Regulation taking effect next year, residents in European cities can opt in rather than having to actively opt out of various systems. Meanwhile, many cities have employed certified biometric systems, cryptography and digital privacy policies — establishing a culture of cybersecurity.

Acknowledging the need to begin with and then budgeting for cybersecurity as part of an overall smart-city initiative can help avoid add-on expenses once a system is already in place. As with the IoT in consumer products, citywide connected systems also need security protocols.

Five smart steps

The National Institute of Standards and Technology recently established an IoT-enabled smart-cities framework to address issues associated with cybersecurity, data integration and sharing. Yet until concrete standards are agreed to, here are some essential best practices for connected cities:

  • Are you policy-smart?: Too often with IoT, the focus is benefits with little attention paid to risks. Creating a policy around IoT data privacy and data use at the outset can help ensure against inadvertent misuse. A sound policy can help guide employees and users toward becoming more cybersecure.
  • Protect individual identities first: ID management is critical across connected systems. Each connected piece of infrastructure may have different rules or standards for providing access, some weaker than others. By synchronizing access credentialing— thus eliminating weak points — cities can help protect residents’ identity information.
  • Secure information at the source: Each connected device starts generating data the moment it’s plugged in and every second thereafter. Before a system goes live, smart-city managers must have a clear understanding of the magnitude of the data that will be collected, as well as how it will be used. That way, it can be better secured and appropriately encrypted from the outset, and costly forensic and mitigation efforts may be avoided down the road.
  • Standardize the need to know: Very few people in any organization need to know everything in a given system. Protocols and options for access create boundaries while still providing the openness and functionality desired for the connected infrastructure to be effective. These protocols offer complete accountability, identifying who is using the information, ensuring they are authorized and governing that access. It also promotes a cybersecure culture by setting automatic standards and limitations.
  • Implement appropriate deterrents: Currently, repercussions for cybercrimes are limited and ill-defined. Sanctions, fines, prison sentences and the US code all need to be updated to reflect the consequences for rule-breakers in an interconnected world.

An interconnected smart city sounds appealing: Drivers avoid traffic congestion; city services anticipate residents’ needs; utilities provide information in real time, allowing residents to adjust usage, and so on. Yet a cybersafe interconnected utopia includes the right controls with proper implementation to ensure that connected infrastructure is accessible only to the right people at the right time for the right reasons.

Contact us

Rahul Gupta
Principal, Capital Projects & Infrastructure (Technology, Media and Telecommunications Projects)
Tel: +1 (202) 756 1762
Email

Daryl Walcroft
Principal, US Capital Projects & Infrastructure Leader
Tel: +1 (415) 498 6512
Email

Peter D. Raymond
Principal, Capital Projects & Infrastructure, Global Leader
Tel: +1 (703) 918 1580
Email

Follow us