Technologists are facing significant pressure to transform urban areas into smart cities due to the World Bank’s estimation that 70% of the population will be residing in cities by 2050. Businesses are concerned with this increase in urbanization as it creates major challenges for city infrastructure and management technology. Piyush Pandey, the US cyber data market leader at business consultancy Deloitte, asserts that these diverse and interconnected technologies must be secured, especially as they will increasingly be exposed to the public. It is clear that security is not limited to applying the traditional firewall or physical security at the device level, but must be considered in a holistic fashion.
To underscore the importance of securing smart ecosystems, Pandey points out that cities are collecting more than 500 million events daily from a plethora of systems, including smart electric meters, street lights, transportation monitors, and emergency management systems. The convergence of IT, OT, the Internet of Things, and automation means that cities will see increased efficiency, but this will also elevate their vulnerability to security threats.
Pandey and his colleagues at Deloitte have identified three significant risk drivers: convergence, interoperability, and integration. These factors contribute to the challenge of securing smart city ecosystems. The convergence of cyber and physical systems allows each domain to affect the other, increasing the attack surface. The interoperability of different devices, including old and new systems, can place legacy systems at risk. The tight integration of devices across systems means that a single attack can quickly impact other systems, leading to a cascading impact.
Smart city security experts from UC Berkeley’s Center for Long Term Cybersecurity have conducted a survey, identifying three vulnerable and impactful systems: emergency alerts, street video surveillance, and smart traffic lights. Rowland Herbert-Faulkner, a graduate researcher at UC Berkeley, highlights the risks posed by a lack of built-in product security. The interconnected nature of these systems means that old devices can be exploited, and the threat landscape becomes increasingly broader and more dangerous.
While progress has been made in securing smart city ecosystems, many devices vary in purpose and protocols, making it a complex challenge. Most devices can’t effectively run security agents because the added security would hinder their performance. Tom Pace, CEO of XIoT security firm NetRise, suggests that standardizing operating systems and processor architecture across device manufacturers would aid in tackling this issue. However, he acknowledges that this is a long-term problem that will require significant time and effort to solve.
In addition to the technological aspects of the problem, Herbert-Faulkner points out the significant lack of cybersecurity expertise that still needs to be developed to effectively secure smart cities. He emphasizes the critical need to improve the cybersecurity posture for smart cities, particularly as many local government agencies have been affected by ransomware attacks. Due to this impact, cyber insurers have become more stringent in issuing policies to cities. Bringing local government personnel up to speed in terms of basic cyber hygiene will be critical in mitigating these risks.
Overall, the effort to secure smart city ecosystems is a complex and multifaceted challenge. Efforts to improve security will require not only technological expertise but also a commitment to long-term initiatives focused on standardizing security measures and educating local government personnel on basic cybersecurity practices.