Smart cities, the hailed culmination of the mass IoT revolution for the everyday use, are slowly beginning to take shape in countries across the world. With some cities going piece-meal, like Zurich in Switzerland implementing a Smart City Strategy that covers key areas like Smart Parking and plans for things likes Smart Street Lighting; to whole cities in Saudi Arabia, like the much published $500 billion NEOM, which is 33 times the size of New York, will be built from the ground up and see AI manage everything from power, water, waste, transport, health care, and security.
Yet, a city where everything is so interconnected, can present several issues should security be breached. Anything from the water being stopped to the lights of whole public areas being switched off could in theory be implemented should malicious actors gain entry to the systems. Therefore, scenarios like this, in a smart city like those being developed in Saudi Arabia, present more than an issue of a company and its data being compromised, but citizen safety.
“The integration of IoT into smart cities does raise some security concerns,” Kevin Curran, IEEE Senior Member and Professor of Cybersecurity at Ulster University tells IoT Insider. “Securing an interconnected ecosystem of IoT devices, platforms and networks is complex due to the high number of devices, and the fact that each one comes with potential vulnerabilities. The diversity of technologies and protocols used by these devices further complicates the implementation of standardised security measures.”
So what should those planning these smart city rollouts be looking at as a way to ensure the security of these cities?
Security issues of smart cities
“Security challenges in smart cities are far more complex than those faced by individual IoT devices or isolated smart buildings. This is due to the larger scale as well as the complexity and integration of services,” explains Curran. “Smart cities have a broader attack surface, heightened privacy concerns and increased reliance on critical infrastructure.”
Although security efforts are starting to converge with IoT, with UK, EU and the US implementing some form of legislation regarding standards, it is an industry where it has previously been less than prioritised. Concepts like secure-by-design and zero trust are starting to become part of the broader IoT lexicon, yet there is a lack of harmonisation in security from company to company. This is what Curran believes could pose an issue. “As smart cities expand, security measures need to be scalable to match this growth, yet this is a complex task due to the lack of universal security standards and the intricate web of stakeholders involved.”
Equally, because a smart city will be run on devices of different capabilities, advanced security features needed to strengthen its security in a unified way may be not possible for those IoT devices of limited processing power.
Yet, these ‘weak links’, although more limited in their function, still pose issues as they can open up attacks to the wider network. “High levels of interconnectivity mean that a breach in one area can impact many others, and the governance of security measures involves numerous stakeholders,” asserts Curran. “Furthermore, the convergence of physical and cybersecurity presents unique risks – and maintaining long-term security across a diverse network of technologies is challenging.” This, along with interoperability of devices to ensure seamless communication leaves gaps to be exploited.
This, along with Advanced Persistent Threats – which exploit the complexity and scale of interconnected smart city networks, where numerous IoT devices with limited security capabilities increase the risk of undetected infiltration – and the emergence of quantum computing, which can crack traditional computing’s algorithms – means the spectrum of security considerations for smart cities are vast.
Managing a smart city
Yet, remedies to tackle these security threats are available, but planning a strategy before implementation is key to not only avoiding any avoidable breaches, but keeping public perception of the smart city and sustaining its growth in its early stages.
Previous examples of a smart city losing positive public perception – like Masdar City in Abu Dhabi – show what happens when people lose faith in the idea; funding drops and so does the number of people wanting to live there. Although faith can be restored, it shows how getting it right from the offset can put planners of these smart cities on a better footing.
Like a city, which is managed by a central figure (like a mayor), but has different council members that manage individual smaller boroughs that together make up a wider area, a blending of both central and decentralised implementation of a smart city can tackle some security issues.
“A hybrid model that leverages both centralised and decentralised security elements would be best,” explains Curran. “Centralised management provides a comprehensive overview and facilitates uniform policy enforcement, simplifying updates and responses to widespread issues. On the other hand, decentralised management will deliver resilience against system-wide breaches and enable localised, immediate incident responses.”
This hybrid approach allows for scalability and flexibility, accommodating the growth and diversity of smart city technologies. It also ensures redundancy, where if one layer is compromised, others can continue to function. This balances the control and comprehensive monitoring capabilities of centralisation with the quick, autonomous responses and resilience of decentralisation.
The approach that allows both centralised and localised can enable Edge computing to be implemented on a wide scale, which can aid in distributed IoT security. This ensures that security does not heavily impact bandwidth and data efficiency, without impacting the effectiveness of threat response.
“Security solutions must scale effectively in line with the expansion of IoT networks and protect locally stored data on a multitude of devices,” argues Curran. “Additionally, compliance with regional data protection regulations becomes more complex as data is processed in various locations. Smart cities must, therefore, refine their security strategies to account for these changes.”
This regional or specific data protection regulations are vital considerations when including things like healthcare, which although maybe connected to the smart city on a wider level, demands a higher level of data security and compliance on its internal machinations than other elements of the smart city.
What should the future security of smart cities look like?
Luckily for the concept of smart cities, that dawned before our current era of technology, advancements in things like AI can also be increasingly utilised to manage the complex security needs these massive interconnected domains require.
Continuous risk assessment, enhanced through the use of AI for threat detection, will becoming pivotal to staying ahead of new vulnerabilities, for instance. Equally, as Curran explains, however, AI could be used by malicious actors to automate attacks or create more advanced malware that could outpace current security measures.
But by focusing on security from the ground up in IoT systems, with “a robust security approach that includes strong encryption, regular security audits, continuous monitoring, incident response planning and the protection of user privacy” places you in a position to be both proactive and reactive to threats that penetrate.
“In terms of preparation, smart city developers should create adaptive cybersecurity frameworks, form partnerships for shared security intelligence, invest in skilled cybersecurity professionals and create incident response strategies. They will also need to ensure continuous threat monitoring and enforce data governance to protect the information collected. Encouraging IoT manufacturers to prioritise security in their device designs will also be essential,” Curran explains.
As well as network-level protections, like firewalls and VPNs to secure communication channels, and segmenting the network to contain breaches, Curran Lastly suggests making sure software and firmware up to date.
Concluding, Curran gave advice on perhaps the least known, but potentially most devastating, threat to smart city security: “As quantum computing emerges, it could break our current cryptographic methods. To keep large-scale IoT rollouts secure, quantum-resistant cryptography will be essential. Investing in quantum-resistant cryptography now would be a very smart move.”
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.