Cities, towns and rural areas in the United Kingdom are having to become more connected to meet their economic, social and environmental targets in a sustainable way. At the same time, local authorities are under pressure to meet their net zero carbon emissions targets and provide supporting services to keep up with the demands of the digital-savvy population wanting to connect with their surroundings, often using their own devices. Some are responding by integrating the Internet of Things (IoT) with existing infrastructure to improve residents’ lives through connected places, data rich environments and public realm technology (also known as smart cities).
London set the bar high in 2018 with the release of its Smarter London Together Roadmap and is already working hard towards the plan’s goals. Singapore is digitalising its healthcare system by incorporating IoT devices to monitor patients’ progress and transmit their data to therapists over a wireless network. To handle the increase in population when Doha hosts the 2022 World Cup, Project Qatar Mobility will see a fleet of self-driving electric shuttles usher in a new era of urban mobility.
However, these developments mean it is vital that action is taken to ensure these digital services and their applications are cyber secure.
The security challenge
Whilst the benefits of connected places and public realm technology are plentiful, this connectedness of systems, sensors, analytics and decision makers does bring threats to the safety, security and privacy of the citizens they’re designed to help. During March 2021 California based technology firm Verdaka, which provides urban surveillance systems and building access control, suffered a major cyber-attack.
This enabled a group of hackers to gain access to the live footage of 150,000 surveillance cameras including jails, hospitals, gyms, companies, and schools. In 2019 more than 40 US municipalities were victims of cyberattacks, with Baltimore a notable casualty from a ransomware attack that shut down the majority of the city’s servers and some government applications. The city declined to pay a ransom, and eventually lost $18m in direct costs and revenue shortfalls as a result of the attack.
The roots of these vulnerabilities and the security issues surrounding IoT, like lack of encryption, patching and vulnerable operating systems, are well known. And they persist despite there being lots of guidance available on how to make the systems and their supporting architecture secure.
The National Cyber Security Centre, a branch of GCHQ, recently published a new set of cyber security principles that focus on helping both UK local authorities and those designing and managing systems within connected places recognise the risks of insecure technology and provide guidance to help systems become ‘Secure by Design’. The IoT Security Foundation is also developing knowledge, best practice and advice and the International Electrotechnical Commission is leading the development of a suite of standards to support the integration, interoperability and effectiveness of urban digital applications and systems.
What is needed now is for councils to take this guidance on board and move the whole issue of cyber security and resilience higher up their agenda.
The action needed
Councils should be focusing on four key actions:
Identify current and future smart initiatives – IoT enables a myriad of different business applications. For example, in adult social care, Hampshire CC has adopted the use of Amazon Echo devices since 2017 and many authorities will be using IoT devices in traffic and street lighting management. As their adoption increases, authorities will need to identify and develop a comprehensive and cross sector list of current and future use cases. That will help integrate smart initiatives into future investment decisions – after all, single devices should not be limited to single use cases. Equally, as services are often delivered in partnership with other public bodies and the third sector, they will also need to make sure they identify all the key stakeholders.
Understand the risks of systems already in operation - For systems already live and operational, there is a need to carry out a rapid risk assessment and architecture review of the end-to-end system alongside business-related controls like incident response, business continuity and data privacy. A rapid programme should then be put in place to plug security gaps and address risks.
Ensure new systems are ‘Secure by design’ – Gain an understanding of the type of information the new system will hold, the threats and vulnerabilities it will face. Define the risk appetite for the system and develop functional security requirements. These should be used to embed security into the system during the design and procurement phase and as a reference to test security controls and gain assurance as the system progresses through development, installation and commissioning.
Maintain security throughout the system lifecycle – Once the system is commissioned and live it will require monitoring and maintenance. Manage operational security risks by developing processes for maintaining a secure configuration and applying software patches and updates coupled with a protective monitoring capability and an incident management plan. If vendors or suppliers are being used to deliver these elements then responsibilities, processes, resolution times and maintenance windows should be clearly defined in contracts and the supply chain.
New IoT systems and applications are already helping reduce inefficiencies and improve the quality of life for citizens around the world, solving challenges such as public transport, traffic congestion, air quality and waste and energy management.
They illustrate how smart initiatives and public realm technology have huge potential, but to secure that prize local authorities must act now to get the cyber security and resilience of the underlying infrastructure right.