Smart cities: Is cyber security an issue?

City services and resources are under pressure to keep up with the demands of digital-savvy populations generating masses of data and wanting to connect with their surroundings. But how can we ensure new digital services are cyber secure?

According to a whitepaper from the International Electrotechnical Commission (IEC), the world’s urban population will rise by 72 per cent between 2011 and 2050. To combat this growing demand, emergency services and city service providers are networking Internet of Things (IoT) technology with existing infrastructure to reshape supply chains and manage assets and resources more efficiently.

Middle Eastern cities are leading the way on this, keen to offer citizens improved living conditions by reaping the benefits of IoT integration. In Doha, smart city developments are accelerating so transport and other services can handle the increase in population when the city hosts the 2022 World Cup.

The security challenge of smart cities

However, this new network of sensors, data analytics and decision makers brings a fresh challenge. Many devices and systems aren’t cyber resilient, posing a threat to the safety and security of the citizens they’re designed to help. In 2014, researchers from the University of Michigan hacked the traffic lights of 100 of the city’s intersections, proving security flaws existed that had the potential to cause serious accidents. During 2017, hackers turned on 156 severe weather sirens in Dallas in the middle of the night, causing a surge of 911 calls and distress.

The roots of these vulnerabilities are no secret, though. The security issues surrounding IoT devices, like lack of encryption and patching over the wire, are well known. And they persist despite there being lots of guidance on how to make the devices and supporting architecture secure. However, with no security requirements in force, manufacturers continue to roll vulnerable devices and systems off production lines into smart city solutions, increasing system attack surfaces.

Pursuing change in IoT security

Efforts are being made in the pursuit of security excellence. Authorities have announced and are developing standards and guidelines, but there is still much to do.

Vendors should develop systems to be 'secure by design' and then test security as part of the development cycle so they can understand and address any security flaws. Both wired and wireless communication channels should be encrypted and require strong authentication mechanisms to grant access to networks. Systems should be designed to be manually overridden should a hack or malfunction make it necessary to retake control. And a Municipal Computer Emergency Response Team (MCERT) should be established with responsibility for security monitoring, incident response, vulnerability management and security patching.

The IoT Security Foundation is helping address the challenges and share knowledge, best practice and advice. The International Electrotechnical Commission is leading the development of smart city standards for electrotechnology to help with the integration, interoperability and effectiveness of city systems. The Department for Digital, Culture, Media and Sport and the National Cyber Security Centre have published a Code of Practice for consumer IoT security. And the first voluntary cybersecurity certification framework for IoT products has been backed by Members of the European Parliament and will be certified by the EU Agency for Network Information Security.

Unfortunately, without making certification frameworks mandatory across the board, manufacturers may not implement security when it only adds to the time to market, cost and complexity of products.

The development of smart cities has huge potential to bring benefits for businesses, city services and people. But the security of the underlying digital infrastructure is key to success. Over 60 million passengers used the London transport system during the 2012 Olympics. Imagine the impact on Doha during the World Cup if a successful cyber-attack shuts down parts of its critical national infrastructure because security wasn’t developed correctly or considered at all.

It is vital that collaboration occurs between vendors, device manufacturers and governments to develop more stringent regulation around IoT security. Organisations and device manufacturers must adopt emerging standards and guidance to ensure systems are ‘secure by design’ and perform testing before and after installation to address any flaws. Furthermore, operators of active smart city technology must seek to understand the security issues facing their smart environments and systems if they’re to mitigate the risks before incidents occur. Cities of tomorrow will undoubtedly be smarter as the years go on but getting IoT security right will be the difference between a smart city and a secure city.