Editor's Note: The following is a guest post from Neil Correa, security strategist at Micro Focus.
By 2023, governments will likely spend up to $189 billion globally on smart city initiatives. The benefits of smart city initiatives include addressing population growth in urban areas, reducing resource depletion, cost savings, climate change, more accurate services to citizens and organizations, and more efficient transportation — all of which far outweigh the cons or risks of a connected city.
However, securing and protecting critical infrastructure, applications, identities and sensitive data must be factored in to planning from the ground up. While smart city use cases may be new, the cyber risks are not. But before we can dive into the potential risks and solutions of deploying a fully smart city, it is important to recognize the role of IoT within the smart city.
Understanding IoT within the smart city
Connected sensors enable the collection of data and the centralized monitoring and management of devices, such as a streetlight bulb that needs to be replaced, or collecting surveillance camera footage from nearby stores during a robbery investigation of a particular location.
Each deployed device contains many sensors; each sensor can operate in a silo, or share system and power resources on the network with all sensors deployed on the same physical device. This network-enabled sensor has the ability to interact with its environment, collect data, share updates and changes with other sensors track individuals, and detect or alert on activities in the area (think: autonomous vehicles).
While this technology can be incredibly beneficial, as in the case of enabling advanced technologies such as autonomous vehicles, or assisting in suspect identification on surveillance camera footage, there are inherent risks associated with an entire city relying on the technology.
What’s the risk?
It is critical to maintain the confidentiality of the data collected, such as personal information, surveillance footage, medical details, vehicle routes and financial information. A single security vulnerability in one sensor could result in the compromise of all sensors and data on the device or the entire network segment where the sensor resides.
A prime example of an IoT vulnerability is the Mirai botnet — one of the largest IoT botnets to date — which is responsible for compromising over 500,000 IoT devices around the world by using them as a launchpad for a distributed denial of service (DDOS) attack. Comparable to hardware and software applications today, cities around the world are purchasing and deploying similar IoT technology. Vulnerabilities found in one city have a high chance of being present in many other cities, increasing the chances of global attacks.
Just because these risks exist, doesn’t mean they are inevitable. But in understanding the vulnerabilities, cities can work to resolve them before they ever become an issue.
What can be done?
Sensors are being created or adjusted to meet the needs of smart cities and, as such, there are some cyber hygiene steps that can be taken to secure sensors and data prior to deployment in devices:
Define Security Requirements: This must be a collaboration between municipalities, security vendors, sensor manufacturers, industry experts and standards organizations. Standards organizations including National Institute of Standards and Technology (NIST), the Department of Homeland Security, IEEE Smart Cities Committee and the IoT Security Foundation are working on building out IoT guidelines for smart cities.
Software Security: The applications running on the sensor must include secure coding and frequent testing for weaknesses and vulnerabilities.
Entity Management: Connected cars, personal apps and IoT devices each represent an individual or an entity. Ensuring the secure development of the apps and/or sensors as well as monitoring their activities is necessary to protecting the privacy of individuals and their data.
Data Analysis: A primary driver for building smarter cities is to provide better services to citizens. Services such as transportation, policing, infrastructure, and healthcare can be improved with the correlation of datasets and the continuous collection and updating of data in real-time.
Meeting compliance
Collecting multiple sets of data with varying levels of sensitivity, to be centralized and analyzed, creates a gold mine for bad actors to target.
Imagine that the data being targeted is personal health information for all of the citizens within a municipality, that was collected from hospital devices, imaging systems, clinics and testing laboratories. Maybe it’s a subset of citizens who are undergoing cancer treatments. Or, maybe the data is related to minors. If compromised, this data could be leveraged for blackmail, patient identity theft, healthcare fraud, treatment delays, misdiagnosis, or any other malicious intent.
From a privacy compliance standpoint, regulations today apply to the personal information that is collected by smart cities, which include fines and violations for organizations not in compliance.
The future may see amendments to existing laws, or the creation of customized regulations specifically for smart cities. In the meantime, a few best practices to avoiding compliance issues include:
-
Implement a data governance framework to immediately classify (based on sensitivity and compliance controls) and secure sensitive data, that will will apply relevant policies to reduce the risk of data theft/compromise. With data categorization being performed up front, the data will have a reduced likelihood of misuse/misplacement and non-compliance.
-
Apply security controls to sensitive data such as encryption or pseudonymization to secure data throughout its lifecycle.
-
Define and implement policies/standards to manage devices collecting, storing, and using sensitive data.
-
Develop incident/crisis management plans and test them regularly through tabletop exercises, DR testing, etc.
Smart cities are the future, however ensuring the safety of their citizens, data and access to services should be considered up front — not after the fact. Thankfully, there are specific steps cities can take to ensure that the technology implemented adheres to a strict set of security standards.