Whether citizens realise it or not, most cities are on the cusp of becoming smart cities through the use of connected information systems that have the ability to ‘learn’, interact and scale across multiple domains and critical services. These include healthcare, transportation, public safety, supply chains, water and energy/grid. Add another layer to this with the rapid growth of the Internet of Things (IoT), and it’s clear that many communities will have smart capabilities in the next few years.
With the rise of smart cities, however, comes the associated danger of bad actors seizing control of critical systems through IoT or other vulnerabilities. The cities of tomorrow are here today and hacking isn’t a futuristic, science fiction idea, it’s a reality that governments and its citizens need to consider as part of their day-to-day living. Just over two years ago hackers seized control of the power systems in several cities in Estonia, knocking out the electricity for over 100,000 residents. Compounding the problem was that the hackers were able to remotely trip circuit breakers forcing power plant workers to visit substations and manually flip a switch to restore energy services.
It’s with the rise of IoT that we will see cities move from simple interconnection to being ‘smart’. Gartner estimates that by 2020, there will be in excess of 20 billion internet connected devices around the globe, and that number will only grow. Where the danger lies is in the nature of IoT devices, which are defined by function and connectivity, not security. IoT devices are designed to be inexpensive, ubiquitous, fast and highly connected, but little thought has gone into making them ‘security aware’, to monitor and detect for threats from bad actors.
So where is the problem? With the rise of smart cities, IoT devices are being used as sensors for traffic monitoring, to keep track of pedestrian numbers, air quality, urban congestion and flag when public garbage bins are reaching capacity. Street lamps are linked into the public information system to turn themselves on when pedestrians are around. Traffic lights report back on road congestion, and the list goes on. Put simply, if there’s a function that can be made smarter, then it probably will be.
As we’ve discovered, however, these sensors are designed to be cheap, fast and interconnected. Not secure. So a traffic system could have a critical integration point to a power system. A garbage monitor could provide a sensor pathway into water treatment, while air quality monitors could eventually provide an insecure path back into a city’s core ERP and financials. Gaps in security could allow hackers to take control of financials, effectively shutting down the city because workers can’t be paid and taxes can’t be remitted.
Good security means good practices
The way to monitor and defend against risks and threats is to apply good security practices to IoT. Just because an air quality sensor isn’t a core system, doesn’t mean that it is exempt from the very information security practices that keep a city’s ERP, financials and disaster recovery safe.
Where progress needs to be made is in adapting current effective security protocols and practices at scale to federate to the massively growing world of IoT. This means examining where security blind spots could be, designing smart cities by function, monitoring functional relationships between IoT sensors, moving to IoT specific device and data authentication, access, authorisation relationships and detecting for and responding to behavioural anomalies across sensors from core information systems in a centrally controlled manner… the IoT ‘map of the earth’.
Legislation is also an important tool in protecting cities against IoT vulnerabilities. Recent laws proposed in the United States have called for baseline IoT security for equipment being sold to the US federal government. These laws would stipulate that there are no hard-coded universal passwords, and that IoT devices are standardised to meet certain security requirements such as being patch capable against flaws discovered in the future.
In Australia, where the Australian Government has declared that the nation should become a leader in smart cities via its 2016 Smart Cities program, laws about the security aspects of IoT haven’t been contemplated. The closest Australia has come is with a study from the Office of the Australian Information Commissioner looking at the privacy aspects of IoT devices, which was conducted during 2016.
This review of privacy could provide the basis for IoT laws governing security, however that remains something that hasn’t yet been proposed domestically. In essence, Australia is slip-streaming global moves on IoT security, and hoping that moves like the proposed legislation in the US will also provide protection for devices being sold and installed in the domestic market.
Looking for the upside
It’s not all doom and gloom when it comes to smart cities and IoT. Security aside – and we can’t forget security is a major issue – smart cities have the potential to radically improve the quality of life of its citizens. This could come through the better and timelier provision of current and new connected living services and more efficient provision of government and private sector services.
The IoT could, for example, be a literal life-saver when it comes to natural disasters in Australia and around the globe. Sensors installed in communities could pinpoint areas that are no-go zones, conduct audits of the movement of traffic and streamline evacuations, as well as identify areas of damage due to wind, water or fire as well as geolocation of citizens in need of emergency rescue.
What’s clear is that the door has opened onto smart cities and IoT. The proliferation of IoT devices and their interconnection with city systems means that, with little planning, communities will become smart by default.
The key to making this transition work is twofold. First and top of mind, security considerations needs to be addressed. This is something that can happen using existing security best-practice and protocols. It’s not necessary to reinvent the wheel when it comes to IoT security. Instead, what needs to happen is that security must become part of the design of smart cities, and security needs to be an ongoing life cycle of IoT, not something that is a ‘one hit wonder’.
The second aspect and equally important of becoming a smart city is data integrity. Sensors generate masses of data, and smart cities need to have technology and processes put in place to analyse data in the context of smart city critical function, in order to directly align to the connected lives of its citizens and determine in real time if there are indications of compromise and/or risk.
With those two aspects in place, smart cities are achievable, quality life enhancing, safe and cyber secure.
Peter Tran is GM and Sr. Director of Worldwide Advance Cyber Defence Practice, RSA.
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter.