How cyber safe can smart cities be?

When you imagine a smart city, one could be mistaken for picturing flying cars, inner city levels that stretch far below the surface and towering skyscrapers lining the streets in densely populated areas. Sure, sci-fi films like Blade Runner or Star Wars might be fantasy, but in general, the power of technological advancements was showcased, and many real modern cities are trying to display the same. In fact, several cities are making significant efforts to transform themselves into “smart cities”, adopting a range of technologies such as red-light cameras, driverless mass transit, and sensor-controlled utilities.

While this is just the tip of the iceberg in terms of capabilities and potential advancements, given the current state of technology, it would be wise to exercise caution as to how quickly these adoptions are made, especially for three critical reasons: safety, security, and privacy. 

In the world of high tech, the term “smart” is regularly used, often casually and without given much thought. Mobile devices are now referred to as smartphones, but in reality, they cover much more than this. Capabilities include, making calls, photography, web browsing, emails, navigation, streaming, messaging, banking and much more. However, they’re only as useful or “smart” as the humans that design them or use them, which means the associated intelligence will greatly vary.

Over time, we have also begun to inhabit smart homes, purchase smart appliances, and drive cars with smart functionalities but we do so without truly considering how intelligent they truly are. Of course, at times, this can be more of a hinderance than helpful. An example recently witnessed involved my minivan which had a sensor issue in its sliding doors during a recent holiday, leading to a constant alarm sounding off indicating the door was open, even though it was in fact securely closed. When these defects become more of an issue it does make you yearn for a simpler, “dumber” car at times.

This is just one instance involving a “smart” device. Yet, if we extend this concept to devices that have “smart” capabilities in other aspects of urban life, including transportation, governance, public safety, emergency services, infrastructure, entertainment, and the local economy, the potential for things to askew or fall victim to being hacked or compromised dramatically increases.

If these systems that are “cyber” dependent become exploited, the potential outcomes could be detrimental. Imagine the mayhem should malicious hackers gain control of the traffic grid or the airport controls or even the water supply, all of which could put an entire population in jeopardy.

This has led to some within the industry to use a different term to “smart cities”, the most notable being the UK’s National Cyber Security Centre which recently used “connected places” in a whitepaper that discusses how to secure such environments. They deliberately avoided the implication of the existence of intelligence.  

By the NCSC’s definition, connected places are a community that integrates “information and communication technologies and IoT [Internet of Things] devices to collect and analyse data to deliver new services to the built environment, and enhance the quality of living for citizens.”

This is certainly idyllic and the enticing prospect of enhancing the quality of life for residents should be the objective but understand the risks associated. Recently, crippling ransomware attacks on Baltimore and Atlanta, two major American cities had multiple connected city systems that were brought to a standstill after hackers exploited a vulnerability. In Poland, over 20 trains were disrupted after criminals using unsophisticated techniques to trigger the emergency top functions. In the UK, Greater London Metropolitan Police had information relating to over 47,000 officers stolen after hackers breached the IT systems of a third-party. These attacks should act as reminder of the outcome should security not be taken seriously with connected systems.

Whether they are “connected places” or “smart cities”, the goal must be to create these environments as a utopia rather than a dystopian nightmare that we are all too familiar with (thanks Ridley Scott and Stephen King). To achieve this, developers must prioritise the safety and security of the millions of connections within the perimeter of the city without crossing the line and turning it into a Big Brother surveillance hub.

Governments around the world are acting on these concerns for the future of smart cities, and a joint effort among security agencies in the United States, the UK, Australia, and New Zealand led to the creation of a whitepaper titled “Cybersecurity Best Practises for Smart Cities.” The report highlights the attractiveness of smart cities as prime targets for malicious cyber actors because of the “data being collected, stored and processed, which can include significant amounts of sensitive information from governments, businesses, and private citizens.”

It’s inevitable that we are heading towards more connected communities and smart cities – many IoT devices have already become synonymous with our everyday lives to bring many benefits, convenience, and cost-saving, so why shouldn’t this evolution continue throughout the cities we reside in.

Ultimately, it’s about providing a better service to residents, so long as security is front of mind because many IoT connected devices are not built with security in mind. Recommendations on how to minimise risk levels include applying the principle of least privilege which limits access to systems and data only to those who need to carry out their role. Furthermore, ensure multi-factor authentication is enabled wherever possible and follow a zero-trust approach, whereby there is “no implicit trust granted to assets or user accounts based solely on their physical or network location … [or] on asset ownership (enterprise or personally owned).”

Technology will never be 100% secure so never rush into deployment or implementation. Instead, do so incrementally or in phases to reduce the chances of complexity or major disruptions. Time will always be needed for a city to adjust as well as its residents to become comfortable with the new “smart” services.